This China Addendum to the Global Hotel Alliance - Privacy Policy ("Addendum") is a part of the Global Hotel Alliance - Privacy Policy ("Privacy Policy") and should be read in conjunction with it and can be found here.
Please get in touch with us using the information in the "HOW TO CONTACT US" section below if you have any questions about the Privacy Policy or this Addendum.
Protecting your Personal Information is very important to GHA, and this Addendum describes the practices that we follow as a Personal Information Processor to Process Personal Information that is protected by the PIPL. Specifically, this Addendum applies to any activity where we Process the Personal Information of a natural person within China or where we Process the Personal Information of a natural person outside China under the following circumstances:
This Addendum describes:
If the terms of the Privacy Policy and this Addendum conflict in relation to Personal Information protected by the PIPL, this Addendum prevails.
In this Addendum, we use some special words and phrases. The following definitions apply to those special words and phrases:
"Anonymisation" refers to the process in which any Personal Information is Processed to the extent that it cannot identify a specific natural person and cannot be restored to its original state.
"China" for the purposes of this policy refers to mainland China only and does not refer to the Hong Kong Special Administrative Region, Macau Special Administrative Region, or Taiwan China.
"Controller" or "Personal Information Processor" refers to any organisation or individual that independently determines the purpose and method of Processing in their activities of Processing of Personal Information.
"Entrusted Processor" generally refers to any vendor or service provider we engage to Process Personal Information on our behalf under a contract that meets the requirements in Article 21 of the PIPL.
"GHA", "us", or "we" refers to GHA Loyalty DMCC, a legal entity with a place of business at 21st Floor, JBC5 Tower, Jumeirah Lake Towers, PO Box 487771 Dubai, United Arab Emirates.
"Overseas Recipient" refers to an organisation or individual located outside China that receives Personal Information from GHA.
"Personal Information", "Personal Data", or "Data" all bear the same meaning for the purposes of this Addendum and refer to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been Anonymised.
"PIPL" means the Personal Information Protection Law of the People's Republic of China.
"Processing", "Process", or "Processed" includes the collection, storage, use, editing, transmission, provision, disclosure, and deletion of Personal Information.
"Relevant Laws and Regulations" refers to the Personal Information Protection Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Civil Code of the People's Republic of China, and other applicable laws and regulations of the People's Republic of China.
"SDK" refers to Software Development Kit, which is usually a software tool used to assist application development to realise specific functions of the application. Common SDK types include advertising, push, statistics, maps, third-party login, social payment, risk control, identity authorisation, framework, etc.
"Security Incident" refers to the unlawful or accidental destruction, alteration, loss, misuse, access, modification, or disclosure of Personal Information.
"Sensitive Personal Information" refers to Personal Information that, once leaked or illegally used, will easily lead to infringement of the human dignity or harm to the personal or property safety of a natural person, including biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other information of a natural person, as well as any Personal Information of a minor under the age of 14.
"Sites" refers to zh.ghadiscovery.com, the GHA DISCOVERY mobile application, and other websites and applications operated by or on behalf of GHA.
We only Process your Personal Information if there is a legal basis. The legal bases we rely on to Process Personal Information may depend on the specific purposes we are trying to achieve. We typically rely on one or more of the following legal bases:
Where none of the above legal bases apply, we will seek your consent before Processing your Personal Information.
Types of Personal Information we collect
We collect the Personal Information from you as follows:
| Type of Personal Information | Personal Information Elements | Retention Period |
| Browsing the Sites | IP Address Internet Service Provider Login frequency Pages visited within the Sites Operating system Website or mobile apps from which an accessing system reaches Sites* Internet browser | 6 Months |
| Contacting us | Personal Information you voluntarily provide when you send us an enquiry or support request via email* Records of your communications with us* | Indefinitely until deletion is requested |
| Surveys | Survey feedback* | 1 year |
| GHA DISCOVERY Member registration information | Member number Email address Name Phone number Date of birth Preferred communication methods Language preference Preferences and interests Physical address Member password* | Indefinitely until deletion is requested |
| GHA DISCOVERY reservation information | Hotel booked Booking, Arrival and Departure Date Number of room occupants (Adults, Children) Room category booked Price | Indefinitely until deletion is requested |
| GHA DISCOVERY travel purchase information | Billing address of credit cards used to purchase travel* Credit card information, including card number, card type, cardholder name, and expiration date* | 1 year |
| Cookies | Cookies* | 1 Year |
We have marked Sensitive Personal Information that we Process with "*" for your reference. We need to Process your Sensitive Personal Information to achieve the purposes described below. Before we Process your Sensitive Personal Information, we will seek your separate consent in accordance with Relevant Laws and Regulations.
We do not collect Personal Information from minors under the age of 14. Please ensure that minors in your care do not send us their Personal Information without your consent. If we have received the Personal Information of any minor under the age of 14 in your care, you can get in touch with us using the information in the "HOW TO CONTACT US" section below to have such Personal Information deleted.
Our Processing purposes
We Process your Personal Information for the following purposes:
| Purpose | Types of Personal Information |
| Administering your account and calculating DISCOVERY Dollars (D$) | GHA DISCOVERY Member registration information GHA DISCOVERY reservation information |
| Assisting your planning and purchasing of travel | GHA DISCOVERY Member registration information GHA DISCOVERY reservation information GHA DISCOVERY travel purchase information |
| Notifying you of travel changes | GHA DISCOVERY Member registration information GHA DISCOVERY reservation information |
| Sending marketing communications or surveys to you | GHA DISCOVERY Member registration information GHA DISCOVERY reservation information Any other information you may provide in response to the survey |
| Responding to your questions or suggestions | GHA DISCOVERY Member registration information GHA DISCOVERY reservation information Any other information you may voluntarily provide |
| Improving the quality of your visit to our Sites | Cookies information and technical information about your device |
| Amending or updating your profile and preference details | GHA DISCOVERY Member registration information |
When you use our application and WeChat mini program, to ensure the normal, safe, and stable operation of related services and functions, we may seek the following device operating system permissions from you:
| Name of system permissions | Description | Purposes | Applicable platforms |
android.permission.ACCESS_NETWORK_STATE | View network status. | Allows an application to view the status of all networks. | Android |
android.permission.INTERNET | To perform network operations in your application. | Grant permission for your application to access the internet. | Android |
android.permission.ACCESS_FINE_LOCATION | Allows ask for foreground precise location access. Checks Accurate location. | Permits requesting foreground access to precise location. Verifies exact location. | Android |
android.permission.ACCESS_COARSE_LOCATION | Allows ask for foreground location access. Verifies zones geographical areas. | Allows location access. Confirms geographical zones. | Android |
android.permission.WRITE_CALENDAR | Allows an application to write the user's calendar data. | To access Calendar, write permissions. | Android |
android.permission.READ_CALENDAR | Allows an application to read the user's calendar data. | Grants permission for an application to access and read the user's calendar data. | Android |
${applicationId}.permission.RSYS_SHOW_IAM | To show an In-App message or Rich Push message on Android || Responsys. | To receive notifications or messages within an app on their Android device. | Android |
${applicationId}.permission.PUSHIO_MESSAGE | To handle push notifications || Responsys. | To manage incoming push notifications effectively on their device. | Android |
${applicationId}.permission.C2D_MESSAGE | Prevents other applications from registering and receiving the application's messages || Responsys. | Ensures that only the intended application can receive and process its messages, blocking interference from other apps. | Android |
NSUserTrackingUsageDescription | A message that informs the user why an app is requesting permission to use data for tracking the user or the device. | To track user or device data. | IOS |
NSCalendarsUsageDescription | A message that tells people why the app is requesting access to their calendar data. | A notification that clarifies the reason for the app's request to access users' calendar data. | IOS |
NSCameraUsageDescription | A message that tells the user why the app is requesting access to the device’s camera. | To access device's camera. | IOS |
NSLocationAlwaysAndWhenInUseUsageDescription | A message that tells the user why the app is requesting access to the user’s location information at all times. | To have continuous access to the location information, when app is in use. | IOS |
NSLocationAlwaysUsageDescription | A message that tells the user why the app is requesting access to the user's location at all times. | To have continuous access to the location information, when app is in use and also not in use. | IOS |
NSLocationUsageDescription | A message that tells the user why the app is requesting access to the user’s location information. | App needs access to the user's location even when the app is not in use, for example, when the app is running in the background. | IOS |
NSLocationWhenInUseUsageDescription | A message that tells the user why the app is requesting access to the user’s location information while the app is running in the foreground. | Appears in the permission dialog that iOS presents to the user when they first launch the app and it requests permission to access their location. | IOS |
NSPhotoLibraryUsageDescription | A message that tells the user why the app is requesting access to the user’s photo library. | To access users' photo library. | IOS |
Entrusted Processing
In order to provide certain services to you, we may need to engage an Entrusted Processor to Process some of your Personal Information. We will enter into strict confidentiality agreements and include Personal Information protection clauses in other agreements with Entrusted Processors that require them to process and protect your Personal Information in accordance with our own high standards, this Addendum and Relevant Laws and Regulations.
Typical examples of Entrusted Processors that we engage with include:
Domestic Transfers
| Recipient | Contact Details | Processing Purpose | Types of Personal Information | Methods of Processing |
| Capella Tufu Bay, Hainan | For the operation of the GHA DISCOVERY loyalty programme, including recognising and rewarding members for their stays at the hotel | Programme Participant details including travel booking information; identification data (name and surnames, NIF/ID Card, address, telephone, mail, signature, electronic signature); personal characteristics data (civil status, date of birth, place of birth, age, sex, nationality, native language); data relating to social circumstances (interests and lifestyle, membership in the loyalty program, membership number). | Automated and manual input and exchange of Personal Information, using digital systems to interface between the hotels and GHA Loyalty DMCC. | |
| Capella Shanghai, Jian Ye Li | ||||
| Kempinski Hotel Chongqing China | ||||
| Kempinski Hotel Changsha | ||||
| Kempinski Hotel Chengdu China | ||||
| Kempinski Hotel Dalian China | ||||
| Kempinski Hotel Fuzhou | ||||
| Kempinski Hotel Hangzhou China | ||||
| Kempinski Hotel Yinchuan China | ||||
| Kempinski Hotel Guiyang China | ||||
| Kempinski Hotel Nanjing China | ||||
| Kempinski Hotel Beijing Yansha Center | ||||
| Sunrise Kempinski Hotel Beijing | ||||
| Yanqi Hotel Beijing managed by Kempinski | ||||
| Yanqi Island Pavilion Beijing managed by Kempinski | ||||
| Grand Kempinski Hotel Shanghai China | ||||
| Kempinski Hotel Suzhou | ||||
| Kempinski Hotel Shenzhen | ||||
| Kempinski Hotel Jinan | ||||
| Kempinski Hotel Taiyuan China | ||||
| Kempinski Hotel Xiamen China | ||||
| Kempinski Residences Guangzhou | ||||
| Kempinski The One Suites Hotel Shanghai Downtown | ||||
| NUO Hotel Beijing | ||||
| Beijing Hotel NUO | ||||
| Anantara Guiyang Resort | ||||
| Anantara Xishuangbanna Resort | ||||
| NH Zhengzhou Jinshui | ||||
| Oaks Chengdu at Cultural Heritage Park | ||||
| Tivoli Chengdu at Cultural Heritage Park | ||||
| Pan Pacific Ningbo | ||||
| Pan Pacific Beijing | ||||
| Pan Pacific Suzhou | ||||
| Pan Pacific Tianjin | ||||
| Pan Pacific Xiamen | ||||
| The Sukhothai Shanghai | ||||
| Gateway, Hong Kong | ||||
| Marco Polo Hongkong Hotel | ||||
| Marco Polo Jinjiang Hotel | ||||
| Prince, Hong Kong | ||||
| Marco Polo Parkside,Beijing | ||||
| Marco Polo Wuhan | ||||
| Marco Polo Xiamen | ||||
| Maqo Changsha | ||||
| Niccolo Chengdu | ||||
| Niccolo Chongqing | ||||
| Niccolo Changsha | ||||
| The Murray, Hong Kong, A Niccolo Hotel | ||||
| Niccolo Suzhou |
In order to provide you with the best guest experience possible, we need to share your Personal Information with third parties within China. Please see the list below for more information about the third parties within China that may receive your Personal Information: Before we transfer your Personal Information or Sensitive Personal Information, we will seek your separate consent in accordance with Relevant Laws and Regulations.
Transfers outside China
As a result of the global nature of our business, Members' Personal Information will need to be transferred to Overseas Recipients. Please see the list below for more information about the Overseas Recipients that may receive your Personal Information:
| Overseas Recipient | Country | Contact Details | Processing Purpose | Types of Personal Information | Methods of Processing | Retention Period |
| Opera Reservation System | Frankfurt, Germany | https://www.oracle.com/legal/privacy/data-protection-authority/ | Reservations Management Platform | Complete set of customer information, including first name, last name, address information, mobile number, email, language and other preferences, stay history | Collection, Storage, User, Editing, Transmission, Deletion | Unlimited |
| Opera Customer Information Platform | Frankfurt, Germany | https://www.oracle.com/legal/privacy/data-protection-authority/ | Customer Information Platform | Complete set of customer information, including first name, last name, address information, mobile number, email, language and other preferences, stay history | Collection, Storage, User, Editing, Transmission, Provision and Deletion | Unlimited until the consent to participate at GHA DISCOVERY is withdrawn |
| Oracle Responsys | Amsterdam, Netherlands | https://www.oracle.com/legal/privacy/data-protection-authority/ | Campaign management platform | Complete set of customer information, including first name, last name, address information, mobile number, email, language and other preferences, stay history, behavioural and engagement data | Storage Use | Unlimited until the consent to participate at GHA DISCOVERY is withdrawn |
| FusionAuth | Frankfurt, Germany | Hosting of Authentication credentials | Email, Username, First Name, Last Name and Email | Collection, Storage, Use, Editing, Deletion | Unlimited until the consent to participate at GHA DISCOVERY is withdrawn |
If you would like to exercise any of your legal rights over your Personal Information in accordance with Relevant Laws and Regulations against any of the Overseas Recipients named above, please get in touch with us using the information in the "HOW TO CONTACT US" section below.
Before we transfer your Personal Information or Sensitive Personal Information outside China, we will seek your separate consent in accordance with Relevant Laws and Regulations.
SDKs
We may embed third-party SDKs in our website, app, and WeChat mini program to ensure their stable operation and provide services to you. Please see the list below for more information about the SDKs that we rely on:
| SDK Name | SDK Operator | Purpose of Processing Personal Information | Types of Personal Information Processed | SDK Operator Privacy Policy |
| Oracle Responsys Mobile SDK 6.56.1 | Oracle | Marketing Communication & Personalization | 1) Device Information 2) Location Data 3) User Profile Information 4) Behavioral Data 5) Transactional Data 6) Usage Analytics 7) Push Notification Tokens | |
| Singular Flutter SDK 1.2.1 | Singular | Campaign Optimization,User engagement analysis, Performance Tracking & Reporting | 1) Device Information 2) App Installation Data 3) App Usage Data 4) Attribution Data 5) Location Data 6) Advertising IDs | |
| Google Maps flutter SDK 2.7.0 | Google Maps Platform | For Location Services | 1) Device Information 2) Location Data 3) App Usage Analytics 4) Cookies & Third Party data | https://policies.google.com/privacy |
| Firebase core SDK 2.1.1 | To connect to multiple Firebase applications | 1) Device Information 2) Location Data 3) Profile Information - Membership ID | ||
| Firebase Crashlytics SDK 3.0.4 | For Crash Reports Analytics | 1) Device Information 2) Location Data 3) Profile Information - Membership ID | ||
| Firebase Messaging SDK 4.7.9 2:16 | For Push notification functionality | 1) Device Information 2) Location Data 3) Profile Information - Membership ID | ||
| Firebase Analytics SDK 10.7.4 | To process personal information for various purposes related to analytics and improving app performance | 1) Device Information 2) Location Data 3) Profile Information - Membership ID | ||
| Firebase Instance Id SDK 1.0.0 | Device Identification, analytics & push notification delivery | 1) Device Information 2) Location Data 3) Profile Information - Membership ID | ||
| Flutter map SDK 6.1.0 | Flutter ||Google | For Location Services in China | 1) Device Information 2) Location Data 3) Analytics | |
| Facebook SDK 0.18.3 | To Track Facebook events and user interaction | 1) Authentication and Account Management 2) Analytics and Advertising 3) App Usage Analytics | https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0 | |
| CookieYes Consent Management | CookieYes | Consent Collection, cookie management & User right management | 1) IP Address 2) Device information 3) Memebership ID 4) Consent Preferences 5) Google Analytics Data 6) Browser information | |
| Google maps | To provide mapping and location-based services | 1) Device Information 2) Location Data 3) App Usage Analytics 4) Cookies & Third Party data | https://policies.google.com/privacy | |
| Mapbox 2.8.2 | Mapbox | For Location Services | 1) Location 2) Device information 3) Memebership ID 4) Data Usuage | |
| Google Tag Manager | To Analyze tags and tracking deployed onGHA Web and App | 1) Location data 2) Device & Browser information 3) Membership ID 4) USer ID 5) Conversion events 6) IP information | ||
| Yieldify | Yieldify | Digital marketing and conversion optimization | 1) Location data 2) Device information 3) Membership ID 4) Behavioral Data 5) Cookies & Tracking | |
| Lytics Customer Data Platform (CDP) | Lytics | Personalized and targeted marketing experiences | 1) Location data 2) Device information 3) Membership ID 4) Behavioral Data 5) Cookies & Tracking 6) GA4 data | |
| Google Analytics 4 | To Analyze user interactions with GHA Web and App | 1) Location data 2) Device & Browser information 3) Membership ID 4) USer ID 5) Conversion events 6) IP information |
Corporate Transactions
If we need to transfer your Personal Information due to a merger, division, dissolution, bankruptcy or any other reason, we will notify you of the organisational or personal name and contact information of the receiving party.
Foreign Governments
We do not share Personal Information with foreign governments except as Relevant Laws and Regulations permit.
Other Transfers
Because unforeseen situations can occur, we may need to transfer Personal Information in other circumstances not described above. Where this occurs, we will obtain any consent required from you, as required by Relevant Laws and Regulations.
We will take reasonable steps to secure your Personal Information against Security Incidents in accordance with Relevant Laws and Regulations and as described in the Privacy Policy. If you have any concerns about the security of your Personal Information or believe that you have experienced a Security Incident, please get in touch with us using the information in the "HOW TO CONTACT US" section below.
Under Relevant Laws and Regulations, you have the right to:
Please note that if you decide to withdraw your consent, such withdrawal will not affect the validity of any Personal Information Processing already carried out before the withdrawal based on your consent.
If you would like to exercise the rights described above, please get in touch with us using the information in the "HOW TO CONTACT US" section below. We will deal with your requests to exercise your rights under applicable Chinese laws or administrative regulations promptly and within 15 working days.
Additionally, if you use our mobile application, you can also correct, complete or delete some of your Personal Information by clicking on Account/ Profile in the app.
If you have any questions about anything described in the Privacy Policy or this Addendum, or you wish to exercise your rights under Relevant Laws and Regulations, you may get in touch with us using any of the contact details listed below:
GHA Loyalty DMCC (Head Office)
Head office: 21st Floor, JBC5 Tower, Jumeirah Lake Towers, PO Box 487771
Dubai, United Arab Emirates
Phone: +971 4 4214287
Email: [email protected] (available in Chinese and English)
GHA Loyalty DMCC (Representative in China)
Email: [email protected] (available in Chinese and English)
Prof. Dr. Rolf Lauser
Data Protection Officer
Dr.-Gerhard- Hanke-Weg 31, 85221 Dachau, Germany
Email: [email protected]