A. WHO WE ARE
- We are Meritus Hotels & Resorts (“Meritus” or “We” or “Our” or “Us”). We own and/or operate:
- the hotels, Mandarin Orchard Singapore and Meritus Pelangi Beach Resort & Spa, Langkawi and
- website(s) such as meritushotels.com, rewards.meritushotels.com, egifting.meritushotels.com and/or any mobile apps that may be published by us (the said websites and mobile apps may be collectively or individually referred to as the “Website”).
We are a limited company registered in Singapore (Co. Reg. 201002071R) at 50 Collyer Quay, #18-01/02 OUE Bayfront, Singapore 049321.
B. THE PURPOSE OF THIS POLICY
- We are committed to safeguarding the privacy and security of your personal data. We take our responsibilities under Singapore’s Personal Data Protection Act (the “PDPA”) seriously. We also recognise the importance of the personal data you have entrusted to us and believe that it is our responsibility to properly manage, protect, and process your personal data.
- The Website is not intended for use by any person below the age of 18. We do not and do not intend to, transact through the Website directly with anyone we know to be under the age of 18.
C. PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT
- “Personal data” is defined under the Personal Data Protection Act (PDPA) to mean data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which an organisation has or is likely to have access. Meritus collects information about you, such as when you provide your information to us, when you check into our hotel, when you use our Website, when you make a reservation with a restaurant at our hotel, when you interact with us and/or when you enter into a transaction with us.
- We collect personal data/information unique to you as an individual, such as:
- home address
- identification number (such as national ID, passport details, etc.)
- image and/or photograph
- credit card information
- location Information of yourself and/or your computer or device
- contact Information (such as telephone numbers, email addresses)
- transactional information
- usage and preferences
- bank account number
- your purchase and/or your transactions with us
We will collect your personal data in accordance with the PDPA.
- Some instances of when we collect personal data from you are as follows. We collect, use, disclose and/or process your personal data if you make a booking through the Website, stay at any Meritus-managed hotel, purchase Meritus vouchers from Meritus Trove®, or become a member of any of our loyalty programmes such as Meritus Rewards® and Life and Style by Meritus®. We may also collect your personal data through our third-party service providers' use of technologies such as tracking tools, heatmap tools, analytic tools, and other similar technologies. We may also collect and store certain information automatically when you visit the Website. Examples include the internet protocol (IP) address used to connect your computer or device to the internet, connection information such as browser type and version, your operating system and platform, a unique reference number linked to the data you enter on our system, login details, the full URL clickstream to, through and from the Website (including date and time), cookie number, and/or your activity on our Website, including the pages you visit, the searches you make.
- We may receive information about you from third parties if you use any websites or social media platforms operated by third parties (for example, Facebook, Instagram, Twitter, etc.) and, if such functionality is available, you have chosen to link your profile on our Website with your profile on those other websites or social media platforms.
- The purposes for which we collect, use and/or disclose your personal data are set out at section E below. Without limiting the foregoing, one of the key goals in collecting your personal data is to serve you better. This includes communicating with you on relevant products, services, and offers, as well as accommodating your requests and enquiries, whether it is about a room reservation or about our loyalty programmes. We may also contact you for feedback after the provision of our services. Further details at section E below.
D. COOKIES WE USE AND HOW WE USE THEM
- A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer or device.
- You can block or deactivate cookies in your browser settings.
- We use log-in cookies in order to remember you when you have logged in for a seamless experience.
- We may use session cookies to track your movements from page to page and in order to store your selected inputs so you are not constantly asked for the same information.
- Our Website may use Google Analytics which is one of the most widespread and trusted analytics solution on the web for helping us to understand how you use the Website and ways that we can improve your experience. These cookies may track things such as how long you spend on the Website and the pages that you visit so we can continue to produce engaging content.
- For further information on types of cookies and how they work visit allaboutcookies.org.
E. PURPOSES FOR WHICH WE COLLECT, USE, OR DISCLOSE YOUR PERSONAL DATA
- Meritus, our affiliates, related corporations, and associated companies globally, will/may collect, use, disclose and/or process your personal data for one or more of the following purposes:
- processing and/or dealing with your interest in our products and/or services;
- considering, processing, dealing with, and/or managing your booking, reservation, request/application for or of your purchase of rooms, hotel stay, dining, our products, and/or services (the “Transaction”);
- facilitating, processing, dealing with, administering, and/or managing Transaction(s) by or with you;
- administering, facilitating, managing, processing, and/or dealing with your relationship with us, your stay with us as a hotel guest, your being our dining guest, your being our conference guest, your event with us (such as a wedding, party or other event), your being our gym member, your being our banquet guest, your being our loyalty card member or rewards member or other Meritus programme member (such as Life & Style by Meritus member), your being our season carpark holder, your use of our facilities, any transactions or activities carried out by you on the Website or at our premises/establishments or with us, your requests, including but not limited to dealing with your laundry requirements/requests, dealing with your room service requests, dealing with housekeeping matters, dealing with your adhoc queries, requests or bookings such as with concierge or for transport or porter service etc, dealing with your preferences, dealing with your membership needs, dealing with your transportation needs, dealing with your tour bookings, dealing with your tourist sites visits, dealing with your entertainment bookings (including shows, movies, events etc.), processing your room or dining reservations, processing orders and payment transactions, implementing transactions and the supply of products and/or services to you that you have requested. Without limiting the generality of the foregoing, should you make a reservation or transaction that includes third-party individual(s) or on behalf of third-party individual(s) or for third-party individual(s), you consent to us disclosing personal data that identifies you, to the said third-party individual(s) (such as but not limited to your name);
- administering, facilitating, processing, and/or dealing in any matters relating to your use or access of the Website, including identifying you for login to the Website, our portals, and other online services provided by or on behalf of us. Without limiting the generality of the foregoing, if you:
- gain access to or sign in to the Website, using your login credentials of a Social Networking Site, or
- use any features of a Social Networking Site such as its widgets, plug-ins and browser push notifications, made available to you on our Website,
it may result in information or your personal data being collected or shared between us and the third-party. For example, if you use Facebook’s “Like” feature, Facebook may register the fact that you “liked” a product and may post that information on Facebook. (“Social Networking Site” refers to an online or digital platform owned or operated by a third-party, that is used by people to build social networks or social relations, or to interact, with other people, such as but not limited to Facebook, Instagram, Twitter, WeChat). By your proceeding pursuant to (i) or (ii) above, you consent to such collection, use, or disclosure of your personal data;
- monitoring, processing, and/or tracking your use of the Website in order to provide you with a seamless experience, facilitating, or administering your use of the Website, and/or to assist us in improving your experience in using the Website;
- administering, facilitating, processing, and/or dealing in any transactions, payments, or activities carried out by you on the Website or at our premises/hotels/establishments or with us;
- providing services to you as our hotel guest, as our customer, as a member of our loyalty programme(s)/card programme(s)/rewards programme(s) or when requested by you; dealing with or administering your participation in contests, gamification, social events organised by us;
- registering you as a customer of Meritus and/or to deal with, process and/or administer the account that you may open with us, whether a membership account or otherwise, including to facilitate your transactions or activities on our premises, the Website, or your transactions or activities with us;
- carrying out your instructions or responding to any enquiry given by (or purported to be given by) you or on your behalf including responding to your enquiries and complaints; or responding to or dealing with your interactions with us or your requests; or responding to or dealing with your feedback, comments, or reviews;
- contacting you or communicating with you via phone/voice call, text message, fax message, email, and/or postal mail for one or more of the Purposes stated herein. You acknowledge and agree that such communication by us could be by way of the mailing of correspondence, documents or notices to you, which could involve disclosure of certain personal data about you to bring about delivery of the same as well as on the external cover of envelopes/mail packages;
- sharing or disclosing (at our discretion) your suggestions, comments, feedback, or content (including audio, video etc.) (collectively “Feedback”) that you provide through Social Networking Sites, to the Website or to us (including at our premises), with other users of the Website or with the public, for publicity and/or promotion purposes with a view to marketing or showcasing the business, products or services of Meritus (and/or of any member of the Meritus Group Companies), and/or to acquiring customers, and/or for the purpose of providing the public with your Feedback which may be useful for the public’s patronage decision or for the public’s information or otherwise. This includes us disclosing your name together with your Feedback. Without limiting the generality of the foregoing, in the above regard, your Feedback and name may/will be published or shared by us on public media platforms such as the newspaper, the Internet, in our (including our affiliates’) annual reports (if any) etc., and/or incorporated as part of Meritus’ (and/or of the Meritus Group Companies’) marketing collaterals/materials or corporate video to be disclosed to the public, and you hereby consent to the same. Do not provide us with Feedback if you do not wish for such Feedback to be disclosed to the public. If you wish to give us your Feedback without it being disclosed to the public, please separately email our hotels at the following email addresses and head the subject of your email with the word “Confidential”;
Mandarin Orchard Singapore | firstname.lastname@example.org
Meritus Pelangi Beach Resort & Spa, Langkawi | email@example.com
- understanding and/or managing your interests, concerns, and preferences;
- to comply with or enforce the terms and conditions of any contract or agreement entered into by or on behalf of Meritus (and/or of any member of the Meritus Group Companies) to which Meritus (and/or of any member of the Meritus Group Companies) is otherwise bound or is obliged to observe, and/or to deal with the administration or management of such contract. Without limiting the generality of the foregoing, an example would be where you had made a room booking at our hotel not directly with us but with a third-party hotel reservation operator and in this regard we would need to and you hereby consent to us collecting, using or disclosing your personal data from or to such third-party hotel reservation operator;
- carrying out due diligence, statutorily required activities, or other screening activities (including background checks, anti-money laundering checks, know your client checks) in accordance with legal or regulatory obligations applicable to us (whether Singapore or other countries), the requirements or guidelines of governmental authorities which we determine are applicable to us (whether Singapore or other countries), and/or our risk management procedures that may be required by law (whether Singapore or other countries) or that may have been put in place by Meritus, our affiliates, related corporations, and associated companies globally;
- to prevent or investigate any fraud, unlawful activity, or omission or misconduct, whether or not there is any suspicion of the aforementioned; dealing with conflict of interests; or dealing with and/or investigating complaints;
- complying with or as required by any applicable law, governmental or regulatory requirements of any jurisdiction applicable to us or our affiliates/associated companies, including meeting the requirements to make disclosure under the requirements of any law binding on us or our affiliates/associated companies, and/or for the purposes of any guidelines issued by regulatory or other authorities (whether of Singapore or other countries), with which we or our affiliates/associated companies are expected to comply;
- complying with or as required by any request or direction of any governmental authority (whether Singapore or other countries) which we are expected to comply with; or responding to requests for information from public agencies, ministries, statutory boards or other similar authorities. For the avoidance of doubt, this means that we may/will disclose your personal data to the aforementioned parties upon their request or direction;
- conducting research, (including customer research), surveys, market surveys, analysis, and development activities (including but not limited to data analytics, and/or profiling), obtaining your feedback to our products, services, or facilities, to:
- improve or develop our products, services, and/or facilities in order to enhance any continued interaction between yourself and us connected or in relation to your relationship with us, the Website, or your Transaction(s);
- improve any of our products, services, or facilities, whether now or in the future; or
- improve our understanding of your interests, concerns, and preferences.
Without limiting the generality of the foregoing, we may/will in this regard send you surveys or request a face to face interview survey or request your feedback, by way of email or postal mail;
- the conduct of training or training purpose, so as to develop or improve our products or services and/or our staff’s and agents’ services and/or service quality. Without limiting the generality of the foregoing, such training may involve collection, use, disclosure, or processing of your personal data including your feedback or comments or reviews;
- to facilitate and/or ensure the safety and security of our premises, our guests, our staff and/or visitors to our premises; to deal with, handle and/or conduct disciplinary, security, crime prevention and/or quality assurance processes, matters and/or arrangements. Without prejudice to the generality of the aforesaid, we wish to bring to your attention that there are surveillance cameras installed throughout our premises including at dining establishments and/or our offices, for security, crime prevention, safety, and training reasons and you acknowledge that your personal data will be collected by such cameras and processed by us consequently;
- for marketing purpose and in this regard, Meritus (and/or any member of the Meritus Group Companies) would be providing you with marketing, advertising, and promotional information, materials and/or documents relating to products, contests, services (such as but not limited to hotels, restaurants, and/or loyalty programmes) and/or events (including products, services and/or events of third-party organisations with which Meritus (and/or any member of the Meritus Group Companies), may collaborate with) that we (including our affiliates/related corporations) or such third-party organisations may be selling, marketing, offering, organising, involved in, or promoting, whether such products, services, and/or events exist now or are created in the future,:
- if you have separately expressly consented to one or more of the following 3 DNC Modes, by way of the 3 modes of communications of voice calls, text messages or faxes (the “3 DNC Modes”) to your Singapore telephone number, in compliance with the requirements of the PDPA; and/or
- Notwithstanding (ii) above, regardless that you have not separately provided express consent as aforementioned in (ii) above, Meritus reserves its right to send a specified fax message (as defined in Singapore’s Personal Data Protection (Exemption from Section 43) Order 2013) (the “Exemption Order”) and/or a specified text message (as defined in the Exemption Order) (i.e. a marketing fax message or marketing text message) to your Singapore telephone number, if;
- there is an ongoing relationship between Meritus and you and the purpose of the message is related to the subject of the ongoing relationship, pursuant to the requirements and conditions of the Exemption Order; or
- the law permits.
For the avoidance of doubt, this subparagraph is without prejudice to subparagraph (s) above for which you have hereby consented to us contacting you for a survey, which you may subsequently opt out of by sending our Data Protection Officer notice;
- storing, hosting, backing up (whether for disaster recovery or otherwise) of your personal data, whether within or outside Singapore;
- maintaining and/or developing our IT or business systems and infrastructure including testing and upgrading of these systems;
- creating reports with respect to your Transaction(s) and/or transactions that we have with our customers;
- facilitating, dealing with and/or administering external audit(s) or internal audit(s) of the business of Meritus, our affiliates, related corporations, and associated companies globally, Transaction(s), and/or our transactions with our customers;
- anonymisation of your personal data. In this regard, you acknowledge that personal data that has been anonymised is no longer personal data and the requirements of the PDPA would no longer apply to such anonymised data;
- dealing with and/or facilitating a business asset transaction or a potential business assert transaction, where such transaction involves Meritus as a participant or involves only a related corporation or affiliated company of Meritus as a participant or involves Meritus and/or any one or more of Meritus’ related corporations or affiliated companies as participant(s), and there may be other third-party organisations who are participants in such transaction. “business asset transaction” means the purchase, sale, lease, merger or amalgamation or any other acquisition, disposal or financing of an organisation or a portion of an organisation or of any of the business or assets of an organisation;
- record-keeping purposes and producing statistics and research for internal and/or statutory reporting and/or record-keeping requirements, of Meritus or of our affiliates/related corporations;
- Meritus’ or Meritus Group Companies’ reporting purposes including but not limited to reporting on Meritus’ business performance (“Meritus Group Companies” means Meritus, our affiliates, related corporations, and associated companies globally); and
- to deal with the or as part of a bankruptcy, winding up, reorganisation, restructuring, insolvency, receivership, or an assignment for the benefit of creditors, of Meritus;
- You may withdraw your consent for us to process your personal data for marketing purpose mentioned at paragraph 21(v) above at any time via one the following relevant methods:
- We may/will need to disclose your personal data to third parties, whether located within or outside Singapore, for one or more of the above Purposes, as such third parties, would be processing your personal data for one or more of the above Purposes. In this regard, you hereby acknowledge, agree and consent that we may/are permitted to disclose your personal data to such third parties (whether located within or outside Singapore) for one or more of the above Purposes and for the said third parties to subsequently collect, use, disclose and/or process your personal data for one or more of the above Purposes. Without limiting the generality of the foregoing or of paragraph 21, such third parties include:
- our associated or affiliated organisations or related corporations;
- any of our agents, contractors or third-party service providers that process or will be processing your personal data on our behalf including but not limited to those which provide administrative or other services to us such as mailing houses, telecommunication companies, information technology companies, data centres, hosting and maintenance service providers, analysis services service providers, e-mail messaging services service providers, delivery service provider, handling of payment transactions service providers, marketing service providers;
- third parties to whom disclosure by us is for one or more of the Purposes and such third parties would in turn be collecting and processing your personal data for one or more of the Purposes. Without limiting the generality of the foregoing, such third parties to which we may/will disclose your personal data include third-party hotel reservation operators, transportation or limousine providers, travel agencies; tour booking operators, entertainment operations or venues such as shows, events, movies, or tourist sites operators; payment, finance companies or banks including credit card companies; and
- any actual or proposed assignee or transferee of the business of Meritus, or a merged entity in the event Meritus is merged to create the said merged entity.
- We may share your information with any member of the Meritus Group Companies, which may be based in countries other than Singapore, from time to time for one or more of the Purposes.
- Should you provide us with personal data of your child or children, you confirm, declare and agree that you are the parent and/or legal guardian of such child/children, and that we may collect, use and/or disclose your child’s or children’s personal data for the Purposes set out at paragraph 21 above and in the manner as set out at paragraphs 21 and 22 above.
- You may withdraw your consent for the collection, use and/or disclosure of your personal data in our possession or under our control by emailing us at firstname.lastname@example.org. We will process your request within a reasonable time from such a request for withdrawal of consent being made, and will thereafter not collect, use, and/or disclose your personal data in the manner stated in your request, unless an exception under the law or a provision in the law permits us to. However, your withdrawal of consent could result in certain legal consequences arising from such withdrawal, including us being unable to perform the transactions requested by you or the termination of your relationship with us (depending on the extent of your withdrawal), as the case may be.
- We may collect, use, disclose, or process your personal data for other purposes that do not appear above. However, we will notify you of such other purpose at the time of obtaining your consent, unless processing of your personal data without your consent is permitted by the PDPA or by law.
- To the extent permitted by law, we may/will also be collecting from sources other than yourself, personal data about you, for one or more of the above Purposes, and thereafter using, disclosing and/or processing such personal data for one or more of the above Purposes. We may combine information we receive from other sources with information you give to us and information we collect about you. We may use this information and the combined information for the Purposes set out above (depending on the types of information we receive).
- We take reasonable steps to ensure that any personal data we collect, disclose and use is accurate and complete, if your personal data is likely to be used by us to make a decision that affects you, or disclosed to another organisation. However, it is important that you advise us of any changes to your personal data or if there are any errors in the personal data we hold about you. We will not be responsible for relying on inaccurate or incomplete personal data arising from your not updating us of any changes in your personal data that you had initially provided us with.
F. PROVISION OF THIRD-PARTY PERSONAL DATA BY YOU
- Should you provide us with personal data of any individual other than yourself, you represent, undertake, and warrant to us that:
- for any personal data of individuals that you disclose to us, you would have prior to disclosing such personal data to us obtained consent from the individuals whose personal data are being disclosed, to:
- permit you to disclose the individuals’ personal data to Meritus and the Meritus Group Companies for the Purposes; and
- permit Meritus and the Meritus Group Companies to collect, use, disclose, and/or process the individuals’ personal data for the Purposes;
- at our request, you will use such form(s) or document(s) provided by us in obtaining such consents from the individuals in question (for the avoidance of doubt, we are under no obligation to you to create any such form(s) or document(s));
- any personal data of individuals that you disclose to us are accurate; and
- for any personal data of individuals that you disclose to us, that you are validly acting on behalf of such individuals and that you have the authority of such individuals to provide their personal data to Meritus and the Meritus Group Companies and for Meritus and the Meritus Group Companies to collect, use, disclose and process such personal data for the Purposes.
- for any personal data of individuals that you disclose to us, you would have prior to disclosing such personal data to us obtained consent from the individuals whose personal data are being disclosed, to:
G. HOW WE STORE YOUR DATA
- Security of your personal data is important to us. We will put in place reasonable security arrangements to ensure that your personal data is adequately protected and secured. Appropriate security arrangements will be taken to prevent any unauthorised access, collection, use, disclosure, copying, modification, leakage, loss, damage, and/or alteration of your personal data. However, we cannot assume responsibility for any unauthorised use of your personal data by third parties which are wholly attributable to factors beyond our control.
- We will put in place measures such that your personal data in our possession or under our control is destroyed and/or anonymised as soon as it is reasonable to assume that (i) the purpose for which that personal data was collected is no longer being served by the retention of such personal data; and (ii) retention is no longer necessary for any other legal or business purposes.
- You have the right to access and/or correct any personal data that we hold about you, subject to exceptions under the law. This right can be exercised at any time by emailing us at email@example.com. We will need enough information from you in order to ascertain your identity as well as the nature of your request, so as to be able to deal with your request. With respect to your access request, we may charge a fee in order to process it.
- For a request to access personal data, once we have sufficient information from you to deal with the request, we will seek to provide you with the relevant personal data within 30 days. Where we are unable to respond to you within the said 30 days, we will notify you of the soonest possible time within which we can provide you with the information requested. Note that the PDPA exempts certain types of personal data from being subject to your access request.
- For a request to correct personal data, once we have sufficient information from you to deal with the request, we will correct your personal data within 30 days. Where we are unable to do so within the said 30 days, we will notify you of the soonest practicable time within which we can make the correction. Note that the PDPA exempts certain types of personal data from being subject to your correction request as well as provides for situation(s) when correction need not be made by us despite your request.
- We hold and deal with your personal data in accordance with the PDPA.
I. COMPLAINT PROCESS
- If you have any complaint or grievance regarding about how we are handling your personal data or about how we are complying with the PDPA, we welcome you to contact us at firstname.lastname@example.org.
- Where you are sending an email in which you are submitting a complaint, your indication at the subject header that it is a PDPA complaint would assist us in attending to your complaint speedily by passing it on to the relevant staff in our organisation to handle. For example, you could insert the subject header as “PDPA Complaint”.
- We will certainly strive to deal with any complaint or grievance that you may have speedily and fairly.
J. LEGAL BASIS FOR PROCESSING PERSONAL DATA UNDER THE EUROPEAN UNION GENERAL DATA PROTECTION REGULATION (“GDPR”")
- We may process your personal data for the following reasons:
- We need to perform a contract with you
- You have given us permission to do so
- The processing is in our legitimate interests and it is not overridden by your rights (we explain this below)
- For payment processing purposes
- To comply with the law
- We set out below some of the ways in which your personal data may be used.
For the performance of our contract with you, in order to:
- process your reservations and managing your booking at one of our hotels, including taking payment, responding to enquiries and requests, and providing any after-sales services such as amendments or cancellations;
- fulfill contractual obligations to you, anyone involved in the process of making your travel arrangements (e.g. travel agents, group travel organisers and your employer) and vendors (e.g. credit card companies, airline operators, and other loyalty programmes);
or our legitimate commercial interests, in order to:
- understand how our products and services impact you, provide you with a better, more personalised level of service, and further develop our products and services, including linking or combining with information we get from others to do so;
- measure and analyse the effectiveness of advertising we send to you (such as using your personal information to analyse our marketing practices so that we can provide you with a more personalised marketing experience); and
- provide for the safety and security of guests.
- meet legal and regulatory requirements and administer general record keeping.
- we may use special categories of data (e.g. health data), but only in the circumstances where we have received your consent thereto; and
- for any other purposes for which we have your consent
K. YOUR DATA PROTECTION RIGHTS UNDER GDPR
- If you are located in the EEA, you have certain data protection rights. Meritus aims to take reasonable steps to allow you to correct, amend, delete, or limit the use of your personal data.
- If you wish to be informed what personal data we hold about you and if you want it to be removed from our systems, please contact us.
- In certain circumstances, you have the following data protection rights:
- The right to access, update, or to delete the information we have on you. Whenever made possible, you can access, update, or request deletion of your personal data directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you.
- The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
- The right to object. You have the right to object to our processing of your personal data.
- The right of restriction. You have the right to request that we restrict the processing of your personal information.
- The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machine-readable, and commonly used format.
- The right to withdraw consent. You also have the right to withdraw your consent at any time where Meritus relied on your consent to process your personal information
- Please note that we may ask you to verify your identity before responding to such requests.
- You have the right to complain to a data protection supervisory authority about our collection and use of your personal data. For more information, please contact your local data protection supervisory authority in the EEA.
- For the avoidance of doubt, in the event that Singapore personal data protection law permits an organisation such as us to collect, use, or disclose your personal data without your consent, such permission granted by the law shall continue to apply.
Last Updated on 31 December 2019