Generator Hostels Ltd and Generator BCN1 SL
Privacy Notice
Last Updated: 1st December 2022
Introduction
Generator Hostels Ltd and Generator BCN1 SL and their affiliates, subsidiaries and related entities (“Generator”, “we”, “us”, “our”) are committed to protecting the privacy and security of the personal data we collect about end customers and users of our services (“you”, “your”).
The purpose of this privacy notice is to explain what personal data we collect about you when you book with us or visit one of premises, use our services, contact us or where we otherwise have a relationship with you. When we do this, we are the Controller of the personal data, Generator Hostels Ltd is registered in the UK with the Information Commissioner’s Office (“ICO”), registration number ZA071136.
Please read this privacy notice carefully as it provides important information about how we handle your personal information and your rights. If you have any questions about any aspect of this privacy notice you can contact us using the information provided below or by emailing us at dpo@staygenerator.com.
Personal data we collect
The personal data we collect depends on the nature of our relationship with you, as set out below.
Purpose | Lawful Basis for Processing |
---|---|
Responding to correspondence from you. | If you contact us with a general enquiry, we will respond to your enquiry because it is in our legitimate interest to respond to you or your request for information. If you contact us by telephone, we may record the call. It is in our legitimate interest to record telephone calls for the purposes of training, dispute resolution and improving our services. |
Booking and guest administration, including making and amending reservations and preparing for your arrival and departure. | This is necessary for the performance of the agreement to which you are a party. |
Taking payment for your booking by collecting, processing and storing payment and payment card information. | This is necessary for the performance of the agreement to which you are a party. |
Making accessibility or other arrangements for your visit, if you or somebody travelling with you has notified us of a dietary requirement, disability or other medical issue. | It is our legitimate interest to make the visit for every guest as comfortable as possible and to treat all guests in accordance with their needs. |
Registration upon arrival. | This is necessary to comply with legal obligations to which we are subject. Where we collect additional information, we will do so because it is in our legitimate interest to understand more about our guests for the purpose of improving our services and developing our business. |
Providing specific services requested by guests, including making arrangements on your behalf or providing guest services to you when you visit one of our premises. This includes providing guest wireless access. | It is in our legitimate interests to use your personal data to provide the services you have requested and to ensure your needs are met. When processing sensitive personal data, we do so with your explicit consent. This consent may be withdrawn at any time by emailing dpo@staygenerator.com. |
Customer services, including communicating with you about your visit prior to arrival, managing complaints or other issues, and requesting feedback following your visit. | It is in our legitimate interest to ensure you have all the information you might need before your visit, to manage any complaints you might have and to ask you for feedback after you have visited us. |
Ensuring the security and safety of our guests, employees and our premises by operating CCTV and security monitoring at our premises and meeting our health and safety obligations. | It is in our legitimate interest to ensure the security of our guests, employees, premises and business assets. We are also under a legal obligation to ensure the health and safety of individuals on our premises. |
Communicating with you for the purposes of marketing, including contacting you with information about our destinations, services, offers and news and related information, by email, telephone or mail. When you book with us, discuss a potential booking with us or register with us, we will subscribe you for marketing communications unless you have specifically asked not to be contacted at the point at which we have collected your personal data. Where this applies you will have the opportunity to opt-out of marketing in all subsequent marketing communications we send to you. | If you subscribe for marketing communications by opting in at any stage after making your booking, by signing up to our newsletter or to receive offers or event information, or by signing up to use guest wireless at one of our premises, we will send you marketing communications with your consent. You can tell us to stop sending you marketing information at any time by objecting or withdrawing your consent. You can do so by contacting us at dpo@staygenerator.com or by using the “Unsubscribe” link in any marketing email you receive from us. |
Internal management, administrative and organisational purposes, including maintaining internal records and carrying out other business administration tasks. | It is in our legitimate interest to process your personal data to manage our business processes. |
Sharing data with other group entities, including guest information required for the purposes of bookings and for administrative purposes. | Sharing booking information with our group entities and other premises is necessary for the performance of the agreement to which you are a party. |
Improving our website and your visitor experience by using cookies, web beacons and website analytics tools. | It is in our legitimate interest to use the data collected using these technologies to present content to you in the most effective manner for you and your computer, to improve our website and keep it secure. You can learn more in our Cookies Policy. |
To meet our legal obligations, including any laws or regulations which apply to us. | This is necessary to comply with legal obligations to which we are subject in the countries in which we operate premises. |
When you book with us
When you make a reservation, or check-in at one of our premises, we will collect the following personal data:
· Name
· Address
· Telephone Numbers (including mobile number)
· Email Address
· Gender
· Date of Birth
· Bank/Payment Details (when you make a payment)
· Dates of reservation
Sometimes we may collect more sensitive personal data about you, such as information about dietary requirements, disabilities or medical conditions, or if you need us to make special arrangements for your visit.
We collect personal data when you provide it to us or where someone provides it on your behalf, such as where you book through an agent or are included as part of a group booking.
Personal data is collected at the time a booking is made and upon check-in at one of our premises.
When you use guest wi-fi at one of our premises
If you sign up to use the guest wi-fi available at our premises, we will collect your name and email address.
If you are a supplier or other business contact
We collect information about individuals working for current, former and potential suppliers, vendors, contractors and partners.
The personal data we collect typically includes your name, the name of your employer, your work contact details and any other personal information you provide to us during our relationship.
Visitors to our website and persons making contact
When you contact us by telephone, using the contact details on our website or via our social media channels, we collect the personal data you provide to us. This typically includes your name, your contact details and any additional personal data you include in your message.
When you visit our website or open marketing emails from us, we will automatically collect limited personal data through the use of cookies, web beacons and website analytics tools. For more information on these, please see the section on Cookies, Analytics and Social Links below.
Cookies, Analytics & Social Links
Generator uses cookies and web beacons on our website and web beacons in the marketing emails we send. Cookies are small text files and web beacons are small graphic images. They are downloaded to your device when you visit a website or receive marketing emails, unless you have set your browser or email client to stop them.
We use cookies to remember your preferences, display content that is more relevant to you and improve your overall experience on our site. We use web beacons to track the actions of individuals (such as email recipients) and measure the success of our marketing campaigns and response rates.
To learn more about the cookies and web beacons we use, and what you can do to opt out of receiving them, please view our Cookies Policy.
The premises website uses Google Analytics in order to better understand our users’ needs and to optimise their experience on our website. These tools help us understand things like how much time visitors spend on which page, which links they choose to click and what they do and don’t like about the site.
Our website also includes social media sharing buttons and links to enable you to share our content through your preferred social media site or by email direct from one of our web pages. These features may collect your IP address and the page you are visiting on our website and may set a cookie on your device.
When you use one of these buttons or links, you are sharing information to another website or service (such as Twitter or Facebook) and this privacy notice will no longer apply. Please read the privacy notices provided by the particular social media website you are sharing through before posting any personal data using these links.
Purposes for which we use personal data and the legal basis
When providing services to you, we may use your personal data for the following purposes and on the following lawful bases:
Sharing your data
Generator will share your personal data with entities within our group, including those in countries outside the UK and European Economic Area (the 27 EU member states plus Norway, Iceland and Liechtenstein) (“EEA”).
We will also share your personal data with trusted third parties who provide us with services relevant to our provision of services to you. This includes our professional advisers, IT service providers, cloud software provider, and other suppliers and sub-contractors.
All such third parties are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. Our service providers may process your personal data outside the UK and EEA.
Where we transfer personal data to countries outside the UK or EEA, we will only do so where the country we are transferring your data to is recognised by the UK or the European Commission as providing adequate data protection standards, or other appropriate safeguards are in place to ensure protection of your personal data. Appropriate safeguards include the UK International Data Transfer Agreement (“IDTA”) or the EU Standard Contractual Clauses (“SCCs”) with supplementary measures (where appropriate).
It is possible that we may be required to share your data to comply with applicable laws or with valid legal processes, such as in response to a court order or with government or law enforcement agencies.
How long we keep your data
We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.
For more information on our specific retention periods for your personal data, please contact us at dpo@staygenerator.com.
At the end of the retention period, your personal data will be securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning.
How we protect your data
We implement appropriate technical and organisational measures to protect the personal data we process from unauthorised disclosure, use, alteration or destruction. These measures include internal policies, training, using cryptography where appropriate and implementing least privilege access control.
When collecting payment card information from you we will only collect the minimum information we need for the purposes of confirming or paying for your booking.
Your rights and options
You have the following rights in respect of your personal data:
· You have the right of access to your personal data and can request copies of it and information about our processing of it.
· If the personal data we hold about you in incorrect or incomplete, you can ask us to rectify or add to it.
· Where we are using your personal data with your consent, you can withdraw your consent at any time.
· Where we are using your personal because it is in our legitimate interests to do so, you can object to us using it this way.
· Where we are using your personal data for direct marketing, including profiling for direct marketing purposes, you can object to us doing so.
· You can ask us to restrict the use of your personal data if:
o It is not accurate.
o It has been used unlawfully but you do not want us to delete it.
o We do not need it any-more, but you want us to keep it for use in legal claims; or
o if you have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request.
· In some circumstances you can compel us to erase your personal data and request a machine-readable copy of your personal data to transfer to another service provider.
· You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, please contact us at dpo@staygenerator.com.
You can also lodge a complaint in the UK with the ICO by visiting their website here.
Contact us
If you have any questions, or wish to exercise any of your rights, please write to us at:
FAO Data Protection Officer
Generator Hostels Limited
Venture House
27-29 Glasshouse Street
London, United Kingdom
W1B 5DF
Alternatively, you can email us at dpo@staygenerator.com.
For additional provisions applicable to processing the personal data of California residents, please see Appendix A below.
Changes to this privacy notice
We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify of the changes where required by applicable law to do so.
Last modified: 01.12.2022. You can be provided previous versions of this notice by emailing dpo@staygenerator.com.
APPENDIX A
California Consumer Privacy Act (“CCPA”)
This Appendix A (“Appendix”) applies to California residents and outlines your rights regarding the processing of the personal data we hold about you under the California Consumer Privacy Act (“CCPA”).
1. Introduction
Generator Hostels Limited (“Generator”) are responsible for determining the purposes and means of processing your data when:
· You visit our website or make general enquiries with us;
· We communicate with you regarding your booking(s);
· We contact you for sales and marketing purposes; and
· During our standard business practices.
2. Personal data we collect, the purposes and legal basis
Please refer to the ‘Personal data we collect’ and the ‘Purposes for which we use personal data and the legal basis’ sections in our main Privacy Notice to learn more about the personal data we collect and use.
In summary, we collect the following categories of personal data as classified under the CCPA:
· Online identifiers, such as your email address and IP address;
· Personal information categories (Cal. Civ. Code § 1798.80(e)), such as your first name, last name, home address, phone number(s), bank details, social security number and passport details;
· Internet or other similar network activity information, such as information regarding your interaction with our website; and
· Professional or employment-related information, such as your business contact information, job title, and company name if enquiring or booking on behalf of a group or organisation.
Personal data does not include publicly available information. ‘Publicly available’ means information that is lawfully made available from federal, state, or local government records. ‘Publicly available’ does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
3. Sharing your personal data
Generator shares your personal information with service providers such as technology service providers and other business partners as part of our business practices and to provide you with our Services.
Please see the ‘Sharing your data’ section in our Notice for additional details on how we disclose your personal information with selected recipients for specific purposes.
Generator does not sell your personal data to advertisers or other third parties.
In summary, Generator share the following categories of information as classified under the CCPA:
· Online identifiers, such as your email address and IP address;
· Personal information categories (Cal. Civ. Code § 1798.80(e)), such as your first name, last name, home address and phone number(s);
· Internet or other similar network activity information, such as information regarding your interaction with our website; and
· Professional or employment-related information, such as your business contact information, job title, and company name if enquiring or booking on behalf of a group or organisation.
4. Your rights
In addition to the rights mentioned in our main Privacy Notice, the CCPA provides California consumers with the following additional rights:
Right to Opt-out of the Sale of Personal Data – You have the right to opt-out of the sale of the personal data we have collected about you. Although this right is available to you, Generator does not sell your personal data to third parties.
Right to Non-Discrimination – You have the right to not receive discriminatory treatment for exercising any of your CCPA rights. Generator will not treat you differently for exercising any of the rights described in this Appendix or the main Privacy Notice.
You can exercise any of your rights by emailing dpo@staygenerator.com. You may also authorize an individual to submit a verifiable consumer request relating to your personal information.
To help protect your privacy and maintain security, we take steps to verify your identity before responding to requests. To verify your identity and confirm the personal data relates to you, we may ask you to confirm your identity.
If you wish to use an authorized agent to submit a request on your behalf, you must provide the authorized agent written permission signed by you, the customer. We may deny a request from an authorized agent if the agent cannot provide your signed permission demonstrating that they have been authorized to act on your behalf.
Generally, we will respond to your rights request within one month of receipt, however the CCPA allows us to respond within 45 days. Your request and choices may be limited in certain cases, for example, if fulfilling your request is not permitted by law or if we have compelling legitimate interests to refuse your request.
5. Contact us
If you have any questions about this Appendix, this Privacy Notice, your rights, or data protection in general, please contact us at dpo@staygenerator.com.