Privacy Policy

Version: 11/05/2023

Thank you for visiting our website https://terrasolisdubai.com/. We welcome your interest in our company.

The protection of your privacy and personal data is of utmost importance to us. We make every effort to protect your privacy and to ensure that you can safely entrust us with your personal data. As such, we always handle personal data securely and discreetly. Furthermore, appropriate security measures have been taken to avoid loss, alteration, access by unauthorised persons and/or any other unlawful processing of your personal data.

We aim to be transparent regarding how we process your personal data and what we do with your personal data. We provide you with more detail on those processes in this privacy policy.

Who are we?

Terra Sol Hospitality Services Mazaya Business Avenue BB2, Office 2308, Dubai (United Arab Emirates) (hereinafter, "TSHS", "we" or "us").

You can contact us via the following contact details:

E-mail: legal@terrasolisdubai.com

Representative details:

Name: Vamshi Krishna
Tel.: 050 446 7621
E-mail: legal@terrasolisdubai.com

We process your personal data in accordance with the applicable legal provisions regarding privacy and the protection of personal data applicable in the UAE and in Dubai (the DIFC DP Law of 2020 (Dubai) and the UAE Personal Data Protection Law (Federal Law No 45 of 2021) (“PDPL”). The legal provisions regarding privacy and the protection of personal data applicable in Dubai and the UAE are consistent with the legal provisions regarding privacy and the protection of personal data appliable in the European Union (including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the "GDPR").

General Data Protection Regulation (GDPR) – European Representative

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Terra Sol Hospitality Services has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

- by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
- by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium

Some definitions

As far as this privacy policy is concerned, the term "personal data" refers to: all information about an identified or identifiable natural person (the ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular through an identifier, such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In other words, all the information which can be used to identify a person. These elements include, for instance, your surname, first name, date of birth, telephone number and email address, as well as your IP address.

The term "processing" is very broad and covers, among other things, collecting, recording, organising, storing, updating, modifying, retrieving, consulting, using, disseminating, combining, archiving and deleting data.

The term “sensitive data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, as well as any other personal data with a medium to high degree of sensitivity.

Entity responsible for the processing of your personal data (the "Controller").

TSHS is responsible for the processing of your personal data.

We are what the PDPL refers to as the “data controller” of your personal data. In concrete terms, this means that TSHS, possibly, in the circumstances that may prevail, together with other entities, determines the purpose and means for the processing of your personal data.

What categories of personal data do we process, why, on what legal basis and for how long?

In the table below you can read:

column 1: what categories of personal data we process (the “Categories of personal data”);
column 2: why we process your personal data (the “Purposes”);
column 3: on what legal grounds the processing is based (the “Legal basis”); and
column 4: for how long we process your personal data (the “Retention period”).

All processing activities involving your personal data takes place for one or more specific purposes.

In addition, we only process your personal data when we can rely on a valid legal basis. The applicable legal basis, which you can find in the column 'Legal basis', means the following:

'Consent': you have given consent for the processing of personal data for one or more specific purposes;
'Explicit consent': you give an express statement of consent, for instance in a written statement or through other means that ensure your express statement of consent, including but not limited to filling in an electronic form, sending an email, uploading a scanned document carrying your signature, using an electronic signature or through two-staged verification of consent, etc.
'Agreement': the processing is necessary for the performance of an agreement to which you are a party;
'Legal obligation': the processing is necessary for compliance with a legal obligation to which we, as the controller, are subject;
'Legitimate interest': the processing is necessary to protect our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

Categories of personal data	Purposes	Legal basis	Retention period
Identification details (first name and surname, email address, phone number, residential address, nationality, credit card details and financial information (credit or other bank card details, PayPal details)	To facilitate any reservation or booking request we receive from you	Agreement	Until your and our contractual obligations under the booking or reservation are fulfilled
Proof of identification (e.g. Emirates ID or passport)	To comply with legal requirements of identity verification for restaurant reservations and room bookings	Legal obligation	Until your and our contractual obligations under the booking or reservation are fulfilled
Financial information (credit or other bank card details, PayPal details)	To process your payments in compliance with applicable laws (e.g. fraud and anti-money laundering)	Legal obligation (compliance with rules and regulations relating to payments, including but not limited to fraud and anti-money laundering)	For as long as legally required
Such sensitive information as required to comply with your special request (e.g. photograph, passport details when applying for a travel visa, health information to comply with requests for special assistance such as accessible parking and wheelchair assistance, etc.)	To comply with any special requests you may have	Explicit consent	For the period required to comply with your special request
Identification and contact details (first name and surname, email address, telephone number (optional), nationality) and your question/message	To respond to your question, message or query transmitted to us via the contact form on our website or through any other means	Consent	For as long as required to address your question, message or query
Identification and contact details (first name and surname, email address, telephone number (optional)), information you provide to us relating to your interests and preferences	To provide you with information (including newsletters) about any of our future events and latest service offerings and to tailor such communications to your interests and preferences	Legitimate interest (commercial interests: direct marketing) / consent (in case you have not purchased any services from us in the past two years)	Until you unsubscribe, expressing your wish to no longer be kept informed about our services
Identification and contact details (first name and surname, partner issued membership ID) and transaction history with our business partners	To enable you to obtain exclusive offers and benefits from our business partners	Consent	24 Months
Identification and contact details (first name and surname, email address), transaction history and feedback or complaints in the submission form on the website or through a survey after a hotel stay or dining experience with us	To respond to your feedback and complaints	Legitimate interest (commercial interests: to be able to provide you with the best services possible)	3 Months
Identification and contact details (first name and surname, email address, telephone number, employer or company that you are representing, company function, LinkedIn profile information)	To establish and maintain a commercial relationship with your employer or the company that you are representing, and in pursuit thereof, to among others: Share information relating to us to your employer or the company that you are representing; To invite you to our future events, that may be of interest to you, your employer or the company that you are representing.	Legitimate interest (commercial interest: to establish and maintain a commercial relationship with our corporate clients)	24 Months
Identification and contact details (first name and surname, email address, telephone number, employer or company that you are representing, company function, company employee ID)	To enter into, renew or fulfil service contracts with your employer or the company that you are representing (for example to facilitate group bookings, reservations and events)	Legitimate interest (commercial interest: to enter into, renew or fulfil service contracts with our corporate clients)	24 Months
Records and copies of all communications between you and us (including recordings of your telephone conversations with our Customer Services centre)	To monitor and improve our service offerings	Legitimate interest (commercial interests: to be able to provide you with the best services possible)	24 Months
Identification details (email address and IMEI code) and your behaviour (tracking of whenever you receive, open, click a link or download any attachments from an email you receive from us)	To facilitate our sales and marketing email campaigns	Consent	24 Months
Identification and contact details (surname, first name, address, email address, front side of your electronic identity card)	To manage your request to exercise your rights	Legitimate interest (to facilitate the exercise of your rights)	10 years for request (in the event of a judicial procedure: until termination of judicial procedure)
Identification and contact details (surname, first name, address) and any other information relating to you that may be necessary to defend and protect our rights (e.g. your bank account details)	To defend and protect our rights	Legitimate interest (legal defence)	Applicable statute of limitations

Minors

We do not intend to collect any personal data from persons younger than 16 years old. These minors are not allowed to provide us with any personal data or a statement of consent without permission from the person who has parental authority.

Cookies

We also use cookies, primarily to permanently optimise our website for its users. For more specific information about the cookies we use, you can consult our cookie policy.

Opt-out

We understand that you may not prefer for us to contact you any further with any offers, promotions or details of our products and services. In the event you opt-out, we may be required to maintain information such as first name and surname, email address, telephone number and the subscription(s) that you have opted out of to ensure compliance with your requests. Also, in the future, if you wish to hear from us, you may at any time, contact us to opt-in and we would be happy to keep you posted about our latest offers, promotions and/ or details of our products and services.

HOW TO OPT-OUT?

Email: you can click on the unsubscribe link provided in the email you receive from us;
SMS: you can follow the instruction provided in the messages you receive from us;
Contact us: you may contact us using the details provided in Section – ‘Who are we?’

Your privacy rights

To give you more control over the processing of your personal data, you have various rights at your disposal. These rights are laid down, inter alia, in articles 13-18 of the PDPL (the rights to obtain information, to request transfer of personal data, to correction and erasure of personal data, to restrict processing, to stop processing, and to processing and automated processing) and in terms of articles 15-22 of the GDPR (the rights of access, rectification, cancellation (right to erasure [to be forgotten]), restriction of processing, notification of rectification or erasure of personal data or restricting of processing, data portability, objection, automated decision-making and profiling, and restrictions).

You have the following rights (in terms of the GDPR):

The right to access the personal data we process about you (art. 15 GDPR):

You have the right to be informed by us at any time whether or not we are processing your personal data. If we are processing them, you have the right to access these personal data and to receive additional information about:

the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients (in particular, recipients in third countries);
the retention period or, if that is not possible, the criteria for determining that period;
the existence of your privacy rights;
the right to lodge a complaint with the supervisory authority;
the source of the personal data if we obtain personal data from a third party;
whether we are using automated decision-making in respect of you.

If we cannot give you access to your personal data (e.g. due to legal obligations), we shall inform you as to why this is not possible.

You can also obtain a free copy, in an understandable format, of the processed personal data in an understandable format. Please note that we may charge a reasonable fee to cover our administrative costs for any additional copy you may request.

The 'right to be forgotten' (the right to request us to delete your personal data) (art. 17 GDPR):

In certain cases, you can request that we delete your personal data. In this event, however, please note that we shall no longer be able to offer you our services if you exercise this right. Please also note that your right to be forgotten is not absolute. We are entitled to continue to store your personal data if this is necessary for, among other things, the execution of the agreement, compliance with a legal obligation, or the establishment, execution or substantiation of a legal claim. We shall inform you of this in more detail in our response to your request.

The right to rectification (art. 16 GDPR):

If your personal data is incorrect, out of date or incomplete, you can ask us to correct these inaccuracies or incomplete information.

The right to data portability (art. 20 GDPR):

Subject to certain conditions, you also have the right to have the personal data that you have provided to us for the performance of the agreement or for which you have given your consent, transferred by us to another controller. Insofar as technically possible, we shall provide your personal data directly to the new controller.

The right to restriction of processing (art. 18 GDPR):

If any of the following elements apply, you may request us to restrict the processing of your personal data:

you dispute the accuracy of those personal data (in this case, its use shall be limited for a period that allows us to verify the accuracy of the personal data);
the processing of your personal data is unlawful;
we no longer need your personal data for the its purposes, but you need them in establishing, exercising or substantiating a legal claim;
as long as no decision has been taken on exercising your right to object to the processing, you may request that the use of your personal data be restricted.

The right to object (art. 21 GDPR):

You can object to the processing of your personal data on the basis of your particular situation, if we process your personal data on the basis of legitimate interests or on the basis of a task of general interest. In this event, we shall cease the processing of your personal data, unless we can demonstrate compelling and legitimate grounds for processing which outweigh your own, or if the processing of the personal data is related to establishing, exercising or substantiating a legal claim.

The right not to be subject to automated decision-making (art. 22 GDPR):

You have the right not to be subject to a decision made exclusively on the basis of automated data processing that significantly affects you or has legal consequences and that is made without substantial human involvement.

You cannot exercise this right in following three situations:

when automated decision-making is legally permitted (e.g. to prevent tax fraud);
when automated decision-making is based on your explicit consent; or
when automated decision-making is necessary for entering into, or performance of a contract (please note: we always endeavour to use less privacy-intrusive methods for entering into or performing the contract).

The right to withdraw your consent (Art. 7 GDPR):

If your personal data are processed on the basis of your consent, you may withdraw this consent at any time upon simple request.

Exercising your rights

To exercise these rights, you can contact us by using the contact details set out in Section – ‘Who are we’.

In order to verify your identity when you wish to exercise these rights, we may ask you to send us a copy of the front side of your identity card. The image on your electronic identity card shall not be retained by us. We strongly advise you to “blackline” the image before transmitting a copy of your electronic identity card to us.

You can exercise the abovementioned rights free of charge, unless your request is manifestly unfounded or excessive (for instance due to its repetitive nature). In such cases, we shall be entitled to charge you a reasonable fee or to refuse to respond to your request.

Sources of your personal data

We may obtain personal data relating to you through the following sources:

We and any of our partners’ websites relating solely and specifically to the Events concerned: these websites are operated by the identified companies / entities, under their respective domains and web addresses (URLs) and their micro-sites that are part of third-party social media networks. These websites and social media pages may have a link to our website address. Furthermore, these entities and their partners may offer to you certain smartphone applications which link or provide a hyperlink to us;
Email messaging services, text messaging services, and service providers of other electronic messages of, to, and in connection with us. These are the electronic text-based interaction between you and such entities and may have a hyperlink to our website;
For advertising purposes, you might interact with us or any of our partners regarding advertisements on our or their respective websites and applications and in respect whereof we may receive and collect such information;
Our Customer Service centre: any communication between you and our Customer Service centre (e.g., phone, chatbot, email, etc.);
Offline registration forms: we may obtain your personal data through online registration form service providers, which may offer printed registrations, surveys, or questionnaires, contests, events, and various promotions and for tickets to attend our events;
Third party partners: online booking websites or agents;
Other sources: we may obtain your personal data from other sources, including but not limited to social media networks, market research agencies, our promotional partners, public sources, our acquired companies.

Categories of recipients

We shall only disclose your personal data to third parties in accordance with the applicable legal framework, if you have given your consent, if such disclosure is necessary for the performance of our services, based on our legitimate interest or when we are legally obliged to do so (e.g. disclosure to governmental bodies, such as supervisory or law enforcement bodies).

In certain cases, our employees and associates may be assisted in their work by external service providers. With regard to data protection, an agreement has been concluded with all these service providers to ensure that they manage your personal data securely, with respect and with due care and diligence.

In particular, we may (but shall not be under any obligation, in any circumstances whatsoever and howsoever and notwithstanding at whose instance and/or request and/or demand, save and except 7 below):

Share your personal data with any member of the Terra Sol Hospitality Services group, including subsidiaries, affiliates and holding companies, in order to enable you to request our services, to process your payments, understand your preferences, send you information about products and services that may be of interest to you and conduct the other activities described in this privacy policy. These companies and entities are located outside the European Economic Area;
Share your personal data with Tomorrowland and its subsidiaries, for the hosting and maintenance of our website (Tomorrowland is an entity located within the European Economic Area);
use carefully selected third parties to perform services on our behalf or to assist us with the provision of services to you. For example, we may engage cloud service providers, IT service providers and other third parties to provide concierge services, housekeeping and laundry services, marketing, advertising, communications, to personalize and optimize our service, to analyse and enhance data (including data about users’ interactions with our services), and to provide legal, accounting, insurance, audit, and other professional services;
share your personal information with select business partners in sectors including travel, entertainment, lifestyle, and other industries to enable our guests to avail exclusive offers. For example, our partnership with our airline partner enables our guests to earn air miles for every stay, as well as benefit from exclusive offers;
share your personal data with a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which personal information held by us about you is among the assets transferred;
share your personal data with other companies and organizations for the purposes of fraud protection and credit risk reduction, if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of our company, our guests, or others;
We may share your personal data with governmental or regulatory agencies upon their request to comply with any court order, law, regulation, norm or legal proceedings, but where there is a legal obligation on us to share such data, we shall share such data as we are or may be obliged to do.

Transfer to third countries outside of the European Economic Area (“EEA”)

We shall only transfer your personal data to processors or controllers in third countries to the extent we are legally entitled to do so. Your personal data may be transferred to, and stored at, various destinations depending on the requirements of the services provided to you, in particular in the UAE and the European Union (“EU”). Your personal data may also be processed by our vendors’ staff members operating outside of the UAE and the EU.

Insofar as such transfers are necessary, we take the necessary measures to ensure that your personal data are highly protected and that all transfers of personal data outside the UAE and EEA take place lawfully. If a transfer takes place to a country outside the UAE and EEA for which the European Commission has not determined that it offers an adequate level of protection and for which the laws of the UAE deem to have adequate levels of protection, this transfer shall always be subject to an agreement that complies with all requirements for transfers to third countries, such as the relevant safeguards and standard contractual clauses on data protection approved by the European Commission.

The 2021 amended standard contractual clauses of the European Commission will be applicable to the transfer of data outside of the UAE and the EEA.

Furthermore, when transferring your personal data to a non-EU or a non-UAE organisation or country (“Transfer Destination”), a full risk assessment and due diligence on the Transfer Destination concerned and the data protection legislation applicable to that Transfer Destination, on a case-by-case basis, in order to ensure that the personal data will be adequately protected.

Security of your personal data

The security of your personal data is an important concern for us. We have taken all reasonable and adequate technical and organisational security measures to protect your personal data as best as possible against accidental or intentional manipulation, loss, destruction or access by unauthorised persons.

We aim to ensure secure transmission of your personal data from your computer, smartphone, and other electronic devices to our servers. We use industry security standards to safeguard the confidentiality of your information (e.g., firewalls, Transport Security Layer (“TLS”) etc.). All information you provide to us is stored on our secure servers behind firewalls. All payment transactions are encrypted using TLS technology.

Furthermore, we have taken the following measures:

We have imposed confidentiality requirements on our staff and service providers;
We restrict access to your personal data to employees and third parties strictly on a need-to-know basis, for example in case we need to respond to your enquiry or request;
We destroy or anonymize your personal information if it is no longer needed for the purposes for which it was collected; and
We use secure communication channels for transmitting your personal data.

The security of your personal data also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our website, you are responsible for keeping such password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to our website. Any transmission of personal data is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the website.

Complaints?

We make every effort to securely protect your privacy and personal data. If you have a complaint about the way in which we process your personal data, you can notify us thereof via our contact details, as mentioned at the beginning of this privacy policy, so that we can deal with it as quickly as possible.

You can also lodge a complaint with the competent supervisory authority.

Do you have any questions?

You can always contact us by using the contact details set out in Section – ‘Who are we’. We are happy to answer any of your questions.

Amendments

In response to feedback, or to reflect changes in our processing activities, we may amend this privacy policy from time to time. We therefore invite you to always consult the latest version of this privacy policy on our website.