Privacy Policy

1. Who we are?

1. Cotton Bay is found in Rodrigues Island and is a subsidiary of Airport Holdings Ltd and is hereinafter referred to as “Cotton Bay Hotel”, “Company”, “we”, “us”, “our” and “it”).
2. Our contact detail is as follows:
Pointe Coton Resort Hotel Co. Ltd
Pointe Coton, Rodrigues
T: +230 8318 001
F: +230 8318 003
E: reservations@cottonbay.intnet.mu

2. Our privacy statement

1. Cotton Bay Resort & Spa respects your privacy and is committed to protecting your personal data. This Privacy Policy will inform you how we protect the personal data we process and control relating to you (“personal data”) and tell you about your privacy rights. We want to ensure you are aware of our practices for processing your personal data.
2. This Privacy Policy applies to personal data we collect about you, when you visit www.cottonbay.mu.
3. Our Privacy Policy can be viewed on www.cottonbay.mu.
IMPORTANT: This privacy policy supplements other notices that may be provided to you on specific occasions when we collect or process your data. We will inform you accordingly on those specific occasions that are not covered in the present privacy policy.

3. For which purpose we collect your personal data and on which legal basis

3.1 Our use of your personal data is limited to when the law allows us to do so. Your personal
data is most commonly used in the following circumstances:
• During the performance of a contract which includes the process prior to entering into a contract with you;
• Where it is necessary for our legitimate interest (or those of a third party) and it does not conflict with your fundamental rights and interest;
• In the event that we need to comply with a legal or regulatory obligation; and
• When we have your prior consent for marketing purposes.
IMPORTANT: Except with regards to information that is required by law, your decision to provide any personal data to us is voluntary. You will not be be subject to adverse consequences if you do not wish or fail to provide us with your personal data upon our request. However, these may impede our ability to perform some or all of the purposes outlined in this Privacy Policy such as such as complying with our obligation in the contract we have with you(for example, to provide you with services available at Cotton Bay Hotel).
3.2 We will not use your personal data for purposes that are incompatible with the purposes for which we collected it, and of which you have been informed, unless it is required or authorized by law, or it is in your own vital interest (e.g. in case of a medical emergency) to do so.
3.3 We may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. For example, in order to prevent fraud and other illegal activity, and for verification process of any online transaction or payment.
3.4 We have listed out for your convenience the different way we use your personal data and the legal basis for it. Where appropriate, our legitimate interest has been provided. The processing of your data will depend on the specific purpose of it and there may be multiple legal basis for it.
You may wish to contact us in the event you would wish to have further details about the specific purpose for which we use your personal data and the legal ground we are using to process same.
Purpose/Activity
To register you as a new Client through our online booking system, reservation desk, check-in and check-out at our hotels.
To manage our relationship with you which will include
(a) Notifying you about changes to Privacy Policy,
(b) Asking you to leave a review or take a survey.
To administer and protect our business and website. (including troubleshooting, data analysis,
testing, system maintenance, support, reporting and hosting of data)
[ List out all the purposes for which data is collected processed and used, examples have been provided above]
Lawful Basis for processing
The performance of the contract and providing with you with a tailor-made experience.
(a) Performance of a contract
(b) Necessary for our legitimate interest
• to keep our records updated and to study how customers use and appreciate our services
• to define types of customers for services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy Justified on the basis of consent
• In order to run our business, provide administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise
• Compliance with legal and regulatory frameworks.
• ensuring that we offer the best possible service to you.
• Justified on the basis of our legitimate interests to ensure that you remain connected with the affairs of the company.

4. Which categories of data we collect about you

4.1 Our collection of personal data extends to the employees, potential employees, customers, service providers, shareholders and website users of our Hotel. In the event that the data we collect are not listed in this Privacy Policy, we will give individuals (when required by law) appropriate notice of which other data will be collected and how we will be using them.
4.2 In the event that you are providing the personal data of another person, you are deemed to have been given consent by that person to share his or her personal data with us and made him or she aware of the information contained in this Privacy Policy.
4.3 The personal data we collect may include:
• Identity Data (includes first name, maiden name, last name, username or similar
identifier, marital status, title, date of birth and gender)
• Contact Data (includes billing address, delivery address, email address and telephone numbers)
• Financial Data (includes data necessary for processing payments and fraud prevention,
including credit/debit card numbers, payment card details including security code
numbers and other related billing information, bank account and payment card details)
• Transaction data (e.g. details about payments to and from you and other details of
services you have purchased from us)
• Technical Data (if applicable, includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website)
• Profile Data (includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses)
• Usage Data (includes information about how you use our website and services)
• Marketing and Communications Data (includes your preferences in receiving marketing from us and our third parties and your communication preferences)
• [add any other or remove those not collected]
4.4 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
4.5 Your personal data may be anonymised and used in Aggregated Data. For the purposes of statistical or demographical use. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. In the event that the Aggregated Data is combined or is connected to your personal data whereby you are made identifiable, we treat the combined data as personal data, which will be used in accordance with this Privacy Policy.
4.6 We collect ‘sensitive personal data’ also known as Special Categories of Personal Data about you in accordance with data privacy law requirements (this includes scanned copies of your Passport/National Identity Card/Driving License, your allergies, health conditions when using for example our Fitness Centre or any of our facilities, current medication, any physical conditions that affect your mobility, biometric data such as your pictures and CCTV footage).
IMPORTANT: This website is not intended for children, and we do not knowingly collect data relating to a child under the age of 16. By law, parents or guardians of the child have the obligation to provide data related to the child. In this case, we shall make every reasonable effort to verify using any reasonable means (including but not limited to any written supporting evidence) that consent has been given or authorised.
4.7 The above-mentioned categories of personal data are obtained either directly from you (for example, when you register to comment on our website) or indirectly from certain third parties (for example, through our website’s technology). Such third parties include our affiliates, public authorities, public websites and social media, suppliers and vendors.
IMPORTANT: It is of importance that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

5. Whether we use third-party links to websites and programs

5.1 Our website may have links which connects to websites which are not within our control. It further uses third party plug ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.
5.2 We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy/statement of every website you visit.

6. How your personal data is collected

6.1 We use different methods to collect data from and about you. Those are listed below:
a. Direct Interactions
You may give us your personal data when you fill in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
(i) book a stay at one of our Cotton Bay Hotel;
(ii) use and/or purchase services offered at the Hotel;
(iii) create an account on our website;
(iv) subscribe to publications;
(v) request brochures or newsletters to be sent to you;
(vi) enter a competition, promotion or survey;
(vii) contact us, in which case we may keep a record of that correspondence; and
(viii) post comment on our website.
b. Automated technologies or interactions During your interaction with our website, Technical Data about your equipment, browsing patter and actions and traffic data are automatically collected by cookies, server logs and technologies of a similar nature. Please see our Cookie Policy for further details.
c. Third parties or publicly available sources
We may receive personal data about you from a third party.

7. How we use cookies

7.1 If using our website, you can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies.
7.2 If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.
7.3 For more information about the cookies we use, please follow the link below

8. How we use your personal data if you visit our hotel

8.1 We use closed circuit television (CCTV) images to provide a safe and secure environment for our guests, employees, suppliers, and service providers and to protect our premises and property.
8.2 Our Privacy Policy includes potential processing of your personal data through CCTV and access management systems in case such CCTV and access management systems are active.
8.3 The Company’s CCTV facility records images only. There is no audio recording i.e.,
conversations are not recorded on CCTV.

9. What your rights are in respect of marketing communications

9.1 We will not process your personal data for direct marketing purposes unless you have given your consent to such processing by ticking the appropriate box on the forms we use to collect your personal data (such as forms used when you have requested information from us or purchased or made a booking with us or when you have entered a competition or registered for a promotion); or by utilizing opt-in mechanisms in e-mails we send to you or opt-in mechanisms which are found
on our website.
9.2 In case you have opted-in to receiving marketing materials, you will receive promotional offers from us. We may then use your Identity Data, Technical Data, Usage Data and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide, which services and offers may be relevant for you. You have the right to withdraw your consent from receiving marketing communications from us at any time by utilizing opt-out mechanisms in forms and emails we send to you or found on our website. You can also object to the processing of your personal data for direct marketing purposes and exercise your right to have your personal data removed from our database at any time by contacting us. When you withdraw your consent or when you object to the processing of your personal data for direct marketing purposes, we shall stop processing your personal data for such direct marketing purposes.

10. Who the intended recipients of your personal data are

10.1 In relation to the purposes for which we collected your personal data, we may have to share your personal data to:
• Employees of [-], and [-] in the [-] or any of our other subsidiaries,
• Employees of our internal audit and compliance functions;
10.2 We may also need to send your personal data to such other third parties as may be required for the purposes of implementation or other third parties such as any public or enforcement authority in Mauritius or elsewhere, or in case of a court, administrative or governmental order to do so. from whom we ask for such warranties as:
(i) they have all the security and organizational measures in place to protect your data, and
(ii) they will only process your personal data in accordance with our instructions, for their own purposes.

11. How long will we use your personal data

11.1 We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
11.2 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
11.3 We wish to draw your attention to the fact that the legal prescription period in Mauritius (i.e., the period during which one party may sue another party or be sued after the happening of an event) is 10 years for non-immovable-property-related matters (actions personnelles). Depending on the nature of our relationship with you, we may, in this context, also choose to keep your personal data after our last transaction with you, for at least the legal prescription period in order to be able to defend or enforce our rights or for such number of years according to the applicable laws.
11.5 In some circumstances, you can ask us to delete your personal data: see Request erasure below for further information.
11.6 In some circumstances, we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

12. Transfer of your personal data

12.1 When sharing your personal data within [-], we ensure your personal data is protected as per the national legislative requirements.
12.2 Whenever we transfer your personal data, we ensure a similar degree of security and protection is afforded to it. For further details, please contact us at [-]

13. How we protect your personal data

13.1 We maintain organizational, physical, and technical security measures:
(i) to prevent your personal data from unauthorized access, alteration, disclosure, accidental loss,
and destruction, and
(ii) based on the nature of the personal data, to protect your personal data from the harm that may result in unauthorized access, alteration, disclosure, destruction of the data and its accidental loss.
13.2 In particular, our preventive and protective measures include:
(i) the encryption of personal data; and(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services through our disaster recovery management procedure.
13.3 We limit access to your personal data to those employees, agents, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
13.4 We maintain procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
13.5 If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact us using the details set out below.
Primary Contact
Full name of legal entity:
[-]
The Data Protection Officer :

14. What rights do you have in respect of the processing of your personal data

14.1 You have the right to, in the circumstances and under the conditions, and subject to the exceptions, set out in applicable laws:
• Request access to your personal data (commonly known as a “data subject access
request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.