Privacy Policy

For your information, a Personal Data corresponds to any information relating to an identified natural person (Data Subject) or who can be identified, directly or indirectly, by reference to an identification number or to one or more elements which are specific to him (name, first name, address, email, telephone, credit card number, etc.). Personal data processing means any operation which is performed on Personal Data (collection, storage, transmission, deletion, etc.), whether on paper or computer.

The Controller is the person who determines the purposes of each processing and the means to achieve these purposes. Oetker Hotels means the Oetker Hotel Management Company GmbH (OHMC), a hotel management company with registered offices at Schillerstraße 4/6, 76530 Baden-Baden, Germany. Affiliate means the companies which have an affiliation with OHMC GmbH via shared management or ownership. Owner means all other companies which Oetker Hotels manage under Oetker Hotels’ hotel activities on behalf of third-party owners.

The data that The Vineta Hotel collects is necessary to enable it to fulfill the following purposes:

• Management of bookings (room);

• Management of stay monitoring and/or activities and other Services;

• Management of payments for reserved products, activities and other Services;

• Management of customer accounts in order to create and use the customer account, update personal information, consult or modify or cancel stay information or book additional services;

• Management of customers’ requests (before or during stay),

• Management and good performing of stays and reserved and/or potential services;

• Management of commercial prospection: concerning similar services to those already provided to the customer in the past; sending of solicitations, promotional and informative messages by post, phone call; sending of solicitations, promotional and informative messages by email, SMS/MMS;

• Organization of contests and all other promotional operations (social networks);

• Carrying out satisfaction surveys after stays;

• Management of video surveillance (CCTV);

• Establishment, exercise, or defense of legal claims against the organization;

• Accounting management (customers files);

• Management of requests to exercise the rights guaranteed to Data Subjects under the legislation applicable to the protection of the Personal Data.

In general, The Vineta Hotel does not process any of your data for purposes incompatible with those for which it was collected, except with your prior consent.

The Vineta Hotel collects different types of personal data about you:

3.1 Personal data that you communicate to us directly:

Identity: surname, forenames, address, telephone number (fixed or mobile), email address, date of birth, title, company affiliation, ID or passport, customer number, bank card number, number of children, date of birth of the children, first name of the children. Personal Data relating to the way of payment: postal or bank identification statement, transaction number, cheque number, credit card number, third-party financing.

Personal Data relating to the commercial relationship: customer number, reservation number, documentation requests, products and services reserved and purchased, quantity, amount, frequency, delivery address, purchase history, origin of the sale (seller, representative) or order, correspondence with the customer and after-sales service, number of children, children name and birthdate.

Communication details and related (meta-)data: the correspondence exchanged, date and time of the messages, your Feedback, etc.

Personal Data relating to newsletter subscriptions: title, surname, first names, e-mail address, country of residence, date of birth.

Other Data: Other types of information that you voluntarily choose to provide to us.The Vineta Hotel takes reasonable steps to ensure that personal data is accurate, complete, and kept up to date. Guests may request corrections to inaccurate or incomplete data at any time.We do not knowingly collect personal data from individuals under the age of 16 without verified parental consent.The communication of your personal data is voluntary. However, certain information is mandatory and essential for The Vineta Hotel to process your request, as indicated in our forms. Without this information, The Vineta Hotel will not be able to process your request.

3.2 Personal data communicated to us:

From Oetker Hotels: We may receive Personal Data collected by Oetker Hotels in connection with the commercial prospection management, the website management, including your Identity, Personal Data relating to newsletter subscriptions.

From the Affiliates: The Personal Data you provide to us in connection with making a reservation, including your Identity, Personal Data relating to the commercial relationship, Personal Data relating to the way of payment, is shared and received with and from the Affiliates you have previously visited for purposes of meeting your reservation requests and preferences in advance.

From other Owners: Oetker Hotels manage hotels and other properties on behalf of third-party owners (“Owners”). If you make a reservation to stay at a property managed by an Owner, we will share and receive Personal Data with and from the Owner of that property, e.g., information about your Identity, Personal Data relating to the commercial relationship, Personal Data relating to the way of payment and any observations about your service preferences. Owners’ use of your Personal Data will be governed by their own privacy practices.

From Social Media: Social media account information, profile pictures or posts.

From Other Sources: We may receive your Personal Data from other sources, like public databases, joint marketing partners that consist with your settings on related services, and other third parties including online booking services, travel agencies, airline, credit card partners and other parties who sell products and services under our brand. Such information usually includes your Identity, Social Media Details, Your Feedback and Other Data that you voluntarily choose to provide to us.

3.3 Personal data that we collect automatically:

Technically required data when using our website: Certain information about you is collect when you access the Oetker Hotels website, in particular, information about your device, your browsing (browser type and the version used, the operating system, the Internet access provider, the IP address of their device, the date and time of access to the website from which users visit this website and the pages they visit on the website). Oetker Hotels uses Cookies and other tracking technologies to collect information about you when you interact with the Oetker Hotels website. To know more about Cookies and how to manage them, please access our Cookies Policy.

Log Details: IP addresses, online user account details or profiles when you log-in to your account.

Wi-Fi and Location-Based Services: In the course and for the purpose of providing Wi-Fi services at our hotels and other properties, we may collect device identifiers (such as your IP address, or other unique identifier). Based upon your consent, we also may collect information about the physical location on your device through use of the Wi-Fi services or other technologies to provide you with personalized location-based services, such as to customized offers and promotions or to find a hotel near you.

CCTV/Surveillance: For your safety and security, images and visual recordings through the use of closed-circuit television systems collected while visiting our property, where permitted by applicable law.We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on guests.

3.4 Sensitive Personal DataWhat is Sensitive Personal Data?

It is information which reveals alleged racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership. It is also genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning the health, sex life or sexual orientation of a natural person.You may provide or we may collect what is considered Sensitive Personal Data under the legislation applicable to the protection of the Personal Data. For example, you may provide your health information or dietary restrictions so that we can accommodate you during your stay.Such data is only collected for explicit purposes—such as accommodating health, dietary, or accessibility needs—and is handled with heightened security and strict access controls. It will not be used for any unrelated purpose without your consent. Unless otherwise required by applicable law, you are not required to provide us with any of your Sensitive Personal Data. Should you choose not to, your decision would not prevent you from using our Services.

The Vineta Hotel collects your Personal Data for the purposes described in point 2 of this Policy. In any case, The Vineta Hotel collects your data, only when their collection and processing are based on a legal basis. When relying on legitimate interests, we perform a balancing test (LIA) to ensure our interests do not override your fundamental rights and freedoms.

4.1 Execution of contractual relations with The Vineta Hotel:

Your Data is necessary for the execution of the contract to which you have subscribed, or you wish to subscribe, including to do/complete your reservation, manage your stay, provide goods and services that you requested, etc. On this contractual legal basis, any refusal to communicate your Personal Data will prevent the conclusion and execution of the contract.

4.2 Compliance with a legal obligation to which The Vineta Hotel is subject:

Some of your Data is processed by The Vineta Hotel to comply with its legal obligations, in particular complying with legal processes, responding to requests from public and government authorities around the world, or public-sector bodies/bodies with a public-service mission, in line with applicable legislation, and pursuing available remedies or limit damage we or other third parties may sustain. Also, your Data is processed to manage your request to exercise the rights guaranteed to Data Subjects under the legislation applicable to the protection of the Personal Data.

4.3 Your consent:

Subject to having obtained your prior and valid consent, The Vineta Hotel may process your Data to communicate (e-mail/SMS) with you during your stay, to send you promotional offers, newsletters, information on us, our Services, and other marketing communications, in accordance with your preferences. With your consent, you can participate in contests and all other promotional operations organized by us on social networks. Also, to process Sensitive Personal Data you may have provided to us in connection with your stay (example: any dietary restrictions or special accommodations for physical and medical conditions). Your consent may also be necessary when we use cookies and other tracking technologies under the conditions described in our Cookies Policy. At any time, you can change your choice and withdraw your consent, as described in section 6.2 of this Policy, without however calling into question the legality of the processing based on consent and implemented before the withdrawal.

4.4 Vital Interest:

In certain circumstances when it is not possible to obtain your consent, it may be necessary for us to process your Personal Data, including Sensitive Personal Data you provided through our Services, where it is in your vital interest or in the interest of others, for example in the event of a medical emergency.

4.5 The legitimate interests of The Vineta Hotel:

We may process your Personal Data for the purposes of pursuing our legitimate business reasons, in particular, providing you with superior customer service and a personalized experience when staying with us, keeping our Services safe and secure and to protect our operations or those of any of our affiliates or other third parties, and distributing and responding to surveys regarding your experience, etc. It is also for our legitimate interest to provide you with information that you have requested and responding to your inquiries. Also, for our legitimate interest to ensure your security and the security of our Services, we adopt processes to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, debugging and repairing errors, verify customer information. Subject to applicable law and regulations, it is our legitimate interest to adopt processes for the establishment, exercise, or defense of legal claims against the us, or in the event of a corporate event such as a sale, merger or change in control.

Your Data is kept by The Vineta Hotel for the time necessary to achieve the purposes referred to in point 2 hereof, plus the statutory limitation periods.

For example (this information may be different regarding national laws and regulations):

In terms of business relationship management:

• Personal data relating to customers will not be kept beyond the period strictly necessary for the management of the commercial relationship. However, the data making it possible to establish proof of a right or a contract, or kept for compliance with a legal obligation will be kept for a period not exceeding the period necessary for the purposes for which they are kept, in accordance with the provisions in force (in particular but not exclusively those provided for by the Commercial Code, the Civil Code and the Consumer Code).

• Data relating to bank cards:

• These data will be deleted once the transaction has been carried out (upon payment), which may be deferred upon receipt of the goods, increased, if applicable, by the withdrawal period provided for the contracts concluded at a distance and outside the establishment. In the case of payment by bank card, the card number and its validity date may be kept for the purpose of proof in the event of a possible dispute of the transaction for the duration provided for by law (thirteen months following the debit date; this period may be extended to fifteen months in order to take into account the possibility of using deferred debit payment cards). This data will be used only in the event of a dispute about the transaction.

• This data relating to bank cards may be kept longer, subject to obtaining your express consent, in particular to facilitate the payment of your next orders.

• The data relating to the visual cryptogram will not be kept beyond the time necessary for the completion of each transaction, including in the event of successive payments or retention of the card number for subsequent purchases.

• When the expiration date of the bank card is reached, the data relating to them will be deleted.

In terms of management of commercial prospection:

• Customer data used for commercial prospection purposes will be kept for a period of three years from the end of the commercial relationship (for example from a purchase, from the last contact from the customer).

• Personal data relating to non-customer prospects will be kept for a period of three years from their collection or from the last contact from the prospect (for example, a request for documentation or a click on a hypertext link contained in an email).

Regarding inquiries:

• The data will be kept for a period of one (1) year from the processing of your request for information.

In terms of management of requests to exercise the rights granted to data subjects under the regulations applicable to the processing of personal data:

• The processed data is kept while your request is being investigated, then archived in accordance with the limitation periods in force (example: 5 years);

• Data relating to identity documents will be kept for a period of one (1) year in compliance with the applicable legal deadlines;

• In the event of opposition, the data will be kept for a minimum period of three (3) years for the sole purpose of guaranteeing the effectiveness of your right of opposition.

For more information on the retention periods of your data, you can contact The Vineta Hotel (see Section 6.2 of this Policy).

6.1 Your rights

Right of access: You can obtain confirmation from The Vineta Hotel that your Personal Data is or is not being processed and, when that is the case, access to all Personal Data and information held by The Vineta Hotel.

Right to rectification: You can obtain from The Vineta Hotel, as soon as possible, the rectification of any data concerning you which may be inaccurate or erroneous. You can also request that your data be completed, if necessary. Where applicable, we will notify any third parties to whom the data has been disclosed of any requested corrections, unless this proves impossible or involves disproportionate effort.

Right to erasure: Subject to legal exceptions, you can ask The Vineta Hotel to erase your Personal Data as soon as possible, if in particular you consider that the processing carried out by The Vineta Hotel on your data is no longer necessary with regard to the purposes for which they were collected. Where applicable, we will notify any third parties to whom the data has been disclosed of any requested deletions, unless this proves impossible or involves disproportionate effort.

Right to data portability: You have the right to obtain a copy of certain personal data you have provided to us in a structured, commonly used, and machine-readable format (such as CSV or JSON), where technically feasible. You may also request that we transmit this data directly to another organization. The only data affected by this right are data that you have actively and consciously provided to The Vineta Hotel (for example, data that you have entered in an online form) or data generated when using a service or a device as part of the conclusion or management of your contract, and which are processed automatically, on the basis of consent or the execution of a contract.

Right to object: You can object to your data being used by an organization for a specific purpose. You must then put forward reasons relating to your particular situation, except in the case of commercial prospecting, to which you can object without reason. If your data is processed for commercial prospecting purposes, you can oppose it at any time (See point 6.2 of this Policy), just as you can oppose the deposit of cookies at any time (see Article 10 of this Policy).

Right to restriction of processing: You may request The Vineta Hotel to restrict the processing of your data in any of the following cases: data accuracy is contested, the processing is unlawful, or you require the data for legal claims, but we no longer need it.

Right to withdraw your consent to the processing of your data: When the processing of your personal data is based on your consent, you have the possibility to withdraw your consent at any time (See point 6.2 of this Policy).

Right to lodge a complaint with the competent supervisory authority: If you consider that your rights have not been respected or that the protection of your data is not ensured in accordance with the legislation applicable to the protection of the Personal Data, you can, at any time, lodge a complaint with your local data protection authority.

6.2 Exercise of your rights

To exercise any of your rights, send your request:

By E-Mail: privacy.vineta@oetkerhotels.com

By letter: DPO - The Vineta Hotel, 363 Cocoanut Row, Palm Beach, FL 33480

Any request must specify, the subject, the reason for the request (exercise of the right of access, the right to object, etc.), the address to which the response must be sent, and the company concerned by the request (The Vineta Hotel).

To exercise your rights, you must prove your identity by any means. When

The Vineta Hotel has reasonable doubts about your identity, you may be asked to provide additional information necessary to confirm your identity.The Vineta Hotel will respond to valid data subject requests within one (1) month of receipt. This period may be extended by up to two (2) additional months for complex or multiple requests, as permitted by law.

If you believe, after contacting The Vineta Hotel, that your rights are not respected, you can lodge a complaint with a competent supervisory authority.

Although The Vineta Hotel may not meet the threshold of regulated entities under the Florida Digital Bill of Rights, we are committed to respecting the privacy rights of all guests. Florida residents may contact us to inquire about or exercise available rights regarding their personal data. If you are a Florida resident and have concerns about how we collect or use your personal data, you may contact us at privacy.vineta@oetkerhotels.com for assistance or to lodge a complaint.

Prospecting and targeted advertising: Please note that we only send you commercial prospection when we have obtained your explicit prior consent, except where we have obtained your data during a sale or negotiations for a sale of a product or service and where the commercial prospection are only marketing similar products or services.Once you have accepted to receive commercial offers from The Vineta Hotel, you can, at any time, reconsider your choice and opt-out:

Commercial E-mails: unsubscribe link at the bottom of the email. Please note that even if you unsubscribe from commercial e-mail, we may still e-mail you non-commercial (transactional) e-mails related to your account and your transactions via the Services.In general, for any question relating to this Privacy Policy or for any request relating to the management of your Personal Data by The Vineta Hotel, you can send your request by email or by post, as indicated above.

Your Personal Data is primarily hosted on secure servers located in the European Union (EU), the European Economic Area (EEA), and the United States (U.S.). However, in certain circumstances, your data may be accessed or processed by personnel, service providers, or affiliates operating outside the EU/EEA, including in countries that may not offer an equivalent level of data protection.

When such international data transfers occur—whether to Oetker Hotels affiliates, hotel owners, or external data processors acting on our behalf—we ensure they are carried out in full compliance with applicable data protection laws.

In cases where the destination country does not benefit from an adequacy decision by the European Commission, we rely on Standard Contractual Clauses (SCCs) as approved by the Commission, and we conduct Transfer Impact Assessments (TIAs) to evaluate the local legal landscape. Where needed, we implement additional technical, contractual, or organizational safeguards to ensure your personal data remains protected to standards equivalent to those under GDPR.

The Vineta Hotel implements all technical, physical and organizational measures to ensure the security and confidentiality of your Personal Data during the collection, processing and transfer of your Data.

The infrastructures of The Vineta Hotel are protected against malicious software (viruses, spyware, etc.). Physical and remote access to the servers hosting the Data is controlled. Penetration tests are performed, as well as regular backups with restore tests. The security of your terminal, from which you connect to our website, is your responsibility.

In the event that The Vineta Hotel is likely to call on service providers to process part of your Personal Data, it undertakes to verify that they present sufficient guarantees to ensure the protection of the Personal Data entrusted to them and to make them sign confidentiality clauses in accordance with the legislation applicable to the Protection of the Personal Data.

In case of a Personal Data Breach, that is to say in the event of a security incident, whether malicious or not and occurring intentionally or not, resulting in compromising the integrity, the confidentiality, or the availability of your Personal Data, we undertake to comply with the obligations with the legislation applicable to the Protection of the Personal Data. When applicable, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of it and affected data subjects without undue delay.

To know more about Cookies and how to manage them, please access our Cookies Policy.

The Vineta Hotel is present on Social Media, in particular via Instagram, Facebook, YouTube, WeChat, SINA Weibo, etc.

Access to these Social Media implies your prior acceptance of their contractual conditions, including their commitments under the legislation applicable to the protection of the Personal Data for the processing carried out by them, regardless of our pages on said Social Media. To find out more about the Protection of your Personal Data when browsing these Social Media, The Vineta Hotel invites you to consult their respective Privacy Policies:

• Facebook

• Instagram

• YouTube and YouTube - Google

The Vineta Hotel is able to collect some of your personal information when you browse the pages of our Social Media, when you “like” our pages, share content or follow us on Social Media.

Also, if you choose to log-in, connect with or link to Services using your Social Media account some of your Personal Data is shared with us consistent with your settings within the Social Media service, such as location, check-ins, activities, interests, photos, status updates, as well as Personal Data that may be a part of your profile or friend’s profile.

The Vineta Hotel may be required, within the framework of the organization of contests, to collect your name, first name, date of birth, il necessary profile photograph, gender, networks, Social Media user ID, and any information made public and more generally Personal Data.

The Vineta Hotel undertakes to integrate the protection of Personal Data by Design and by Default of a project, a service or any other tool related to the handling of Personal Data, in particular the minimization of Personal Data, limitation of the purposes of data collection, respect for the integrity and confidentiality of data, and limitation of retention periods.

In order to respect the principle of Accountability, The Vineta Hotel:

• Adopts internal procedures in order to ensure compliance with the legislation applicable to the protection of the Personal Data (IT charter, Personal Data protection charter, etc.);

• Keeps a documentary record of any processing carried out under its responsibility or that of the processor (keeping of the processing register, confidentiality agreements for employees and service providers, company security policy, procedures for managing requests for access, rectification, opposition ...);

• Carries out Privacy Impact Assessments for processing operations presenting particular risks with regard to rights and freedoms.

• Maintains a Record of Processing Activities (RoPA) to document purposes, categories, recipients, and retention for all processing operations.

The aim is to provide rich documentation to demonstrate compliance with Data Protection rules at all times.

The Vineta Hotel has appointed a Privacy Lead who coordinates compliance efforts and liaises with Oetker Hotels. Internal procedures, training, and documentation reviews are conducted to uphold GDPR and Data Protection obligations.