Privacy Statement

1. Introduction

When you stay at a Heritage hotel, you're somewhere special. And at Heritage, we also recognise that every one of our guests is someone special.

We are committed to providing our customers with a world-class, modern hospitality experience, and part of that is ensuring the privacy of guests is protected and respected.

To maintain the high service standard that our customers have come to expect from T.H.E. Heritage Experience, we have established a number of key principles.  These guide how we collect and use personal information to provide you ‘T.H.E. Heritage Experience’, this includes products you use and or consume and the service we provide. We have prepared this Privacy Statement to explain how we collect and manage this information.

This Privacy Statement addresses our compliance to privacy laws in New Zealand where we operate; New Zealand’s Privacy Act has been recognised by the European Commission as “EU Adequate” meaning that our privacy regulations are of an internationally recognised standard. We also adhere to the General Data Protection Regulations (GDPR) to protect the privacy of our European Union customers.

2. Some important things to note about this statement

This statement applies to properties owned, managed and franchised by Heritage Hotel Management Limited, including Heritage Hotels, CityLife Hotels and Heritage Collection. In this statement we refer to this group collectively as "Heritage", "we", "us" or "our".

In most cases, Heritage is the data controller. Where the Heritage properties are franchised, they are the data controller. We take all reasonable steps to ensure our franchisees and managed hotels comply with the principles and promises set out in this Privacy Statement.

This Privacy Statement provides a general overview of our privacy practices. When we collect personal information from you as part of a product or service, we may tell you other things about the way we’ll manage that information (for example, where we’re seeking consent to use information in a particular way). It is important that you read and understand this statement and any other privacy notifications. When you use our products and services, you are deemed to have done so.

3. Our key principles for protecting personal data

We've developed the following key principles in order to meet privacy regulations and guide the way in which we handle personal information.

No matter where in the world your journey with us starts, or where you call home, we’ll apply these principles to the information entrusted to us.

  1. Limit the data we collect. We collect and retain only the personal information we need to meet our lawful and legitimate purposes.
  2. Be open and transparent. We collect personal information from you directly or from your authorised agent and we’re open about it. 
  3. Keep data safe and be accountable. We take reasonable steps to protect personal information from harm, wherever in the world it was collected and wherever it is held.
  4. Make sure it’s the right data. We take reasonable steps to make sure your personal information is accurate and up-to-date before using or sharing it.
  5. Limit the way we use data. We use personal information only for the purposes we collected it. If we want to do more with data, we’ll ask for consent.
  6. Share data with care. We will only share your personal information when we must and only within the Heritage Group or with trusted third parties delivering services to us.
  7. Let you see and control your data. You have the right to access, correct and (sometimes) delete your personal information. Where possible, you can also control the way we use it.

This Privacy Statement explains how Heritage puts these principles into action. It explains what personal information we collect about you, how we use and share it, how we protect it, and how you can take some control of the way we manage your information.

4. Basis for collecting and processing personal information

During the process of making an enquiry or booking with Heritage, we will be contractually obliged to ask you for some personal information in order to fairly or accurately respond. This may include contact details, date of birth, nationality or information relating to other guests in your party.

We also need to process some personal information to meet our legitimate interests, including making sure we’re providing the best products and services we can and managing health and safety at our properties. This may include preferences such as preferred floor or dietary requirements.

We rely on your consent to process personal information for marketing purposes.

5. The information we collect about you

Some of the information Heritage collects from you is essential to ensure we can deliver the services you’ve requested, such as arranging your stay at a Heritage property. Without this information, we may not be able to provide what you want.

Some of the information we request is optional, and we ask for this so that we can make your stay more personalised and meaningful. You can decide whether you wish to share this information with us.

5.1 Information we collect when you make reservations

You might arrange your stay yourself via the Heritage website, you might use an online travel or booking agent, or your reservations might be arranged by a travel agent on your behalf. No matter how you choose to book your stay, personal information will be collected and processed so we can arrange your accommodation or other services you’ve requested from us.

This information may include:

  • Full name
  • Contact details, including phone, email and residential address
  • Country of origin
  • Age or date of birth
  • Documents to verify your identity, which include your passport, drivers licence, etc, details
  • Payment information, including credit card number
  • Heritage properties you wish to use
  • Dates of your stay
  • Travel agent details
  • Birthday or other anniversaries or special dates
  • Your room preferences, including style of room or bedding configuration

5.2. Information we collect when you stay at a Heritage property

During your stay, we may collect information about you in addition to 5.1. This is to manage your stay and ensure we can provide the services you request while you’re with us. We collect some of this information directly from you on check in or check out. You will also generate personal information during your stay, by using products or services provided at Heritage properties or on Heritage websites or applications.

This information may include:

  • Car registration
  • Family details, if relevant (please see 5.4 regarding information we collect on minors)
  • Information about your room preferences (such as pillow preferences)
  • Use of in-room WiFi
  • Use of in-room phone
  • Use of minibar
  • Room service requests
  • Activities we have arranged for you
  • Any special access, dietary or other requirements you have shared with us
  • CCTV footage
  • Any other queries or comments you make during your stay

5.3. Information we collect to stay in touch and improve our services

We collect information about you to help us deliver exceptional service. We aim to understand your preferences, the activities you enjoy and the sorts of products you might like. We collect this information from you when you make a reservation, use our website, enter one of our competitions or promotions, or tell us about your stay.

This information is important to us because we want to be able to learn from your experiences and continuously improve the services we offer. We also want to be able to tell you about products, services and offers that may be of interest like in the future.

You can opt out of this process at any time. See 9.1 below, under ‘Managing your privacy preferences.’

This information may include:

  • Name and contact details, if you haven’t already provided these to us when making a reservation.
  • Feedback you provide to us about your stay.
  • The region you come from.
  • The region you’re travelling to.
  • The path you followed to make a reservation with us
  • Cookies, domain name and IP address, when you visit the Heritage website (see below for more information on cookies)
  • Information about your interests
  • Contact preferences
  • Event preferences
  • Social media posts you’ve made about Heritage, including photographs
  • Privacy preferences, such as opt in selections

Our website uses Cookies which identify you from other users. Cookies are small data files that our website sends to your browser, which may then be stored on your system for later retrieval by our website. Cookies are widely used and give websites the ability to provide a good online experience by saving your preferences or customising the content or experience of our website. Cookies track your movements through websites but do not record any other personal information about you. By continuing to use our website, you agree to our use of cookies.

5.4. Information we collect about minors

We take particular care with the collection of personal information about minors. In New Zealand, anyone under the age of 18 is considered a minor.

The law treats personal information about minors differently because of their limited ability to understand the consequences of providing personal information to us. We limit the information we collect about minors to that which is absolutely necessary.

This information may include:

  • Full name
  • Country of origin
  • Age or date of birth

We rely on responsible adults, such as parents or guardians,  to ensure that minors in their care do not send any personal information to us without their consent.

6. How we use your information

We need to use your personal information in certain ways in order to meet our lawful purpose, some of which are obvious (like using your name for a booking) and some less so (like country of origin statistics to Stats NZ).

In general, we will only use your information in the ways outlined in this Privacy Statement. From time to time, we may need to use your information in other ways but will only do so with your permission or if required by law.

6.1. Delivering the services you request from us

Here are the ways in which we use personal information to deliver the services you request from us, including making sure our properties can run safely and efficiently. Heritage cannot deliver these services without carefully and responsibly using the personal information entrusted to us by our guests.

We may use your personal information to:

  • Manage, process or change your reservations for Heritage properties.
  • Communicate with you or your booking agent about your reservations or requests.
  • Process payments for accommodation or other services provided by Heritage.
  • Deliver the specific services you have requested from us, including accommodation, room service, or activities facilitated by Heritage.
  • Manage your membership of our loyalty programme, if you have joined this programme.
  • Ensure that we can meet your special requirements or preferences, including requirements relating to access, diet or room preferences such as pillow type.
  • Investigate and respond to any enquiries or comments you make about Heritage services, properties or employees.
  • Ensure the health and safety of our guests and employees, including managing emergencies or other incidents and taking steps to prevent future similar incidents.
  • Comply with lawful requests from government agencies, including law enforcement agencies or relevant industry regulators.

6.2. Staying in touch and improving our services

We use personal information to continuously improve the services we offer and ensure that the communications we send you are meaningful and relevant. We will only do this with your consent, which you can revoke at any time. See 9.1 below, under ‘Managing your privacy preferences.’

We may use your personal information to:

  • Understand the ways you use our properties, products and services, including our website, or the path you have taken to find us and to make a reservation.
  • Conduct market research into the use of our properties, products and services.
  • Understand public sentiment about our properties, products and services and, where appropriate, respond to comments made about these.
  • Communicate with you about products, services or offers that we think you may like, based on the personal information you have provided to us.
  • Generally improve the products and services we offer, including our website, and ensure that any feedback you have shared with us are addressed.
  • Ensure that we market our properties, products and services effectively and relevantly.

7. Who we share your information with

To use your personal information in the ways explained above, we may need to share your personal information with trusted third parties. We only share personal information where absolutely necessary and we make sure that the third parties providing services to us can be trusted to protect the information.

Sometimes, we may also be required to share personal information in ways we have not anticipated. We’ve indicated below the scenarios where this might occur, including where we receive requests from government or law enforcement agencies. We will only ever share information in these cases if required or permitted by law.

We may share your personal information with:

  • Heritage properties, where necessary to deliver the services you have requested from us or to provide feedback or insights to relevant properties.
  • Travel or booking agents or other service providers, where necessary to confirm or deliver services – such as reservations – that you have requested from us.
  • Information or technology service providers, where we have outsourced information storage, processing or other technology services.
  • Marketing and research service providers, where you have authorised us to use your personal information for the purposes of staying in touch or improving our services.
  • Competition or event partners, where we have provided notice and asked for consent that we may do this as part of the terms and conditions of entry.
  • Government agencies, including law enforcement agencies or relevant industry regulators, where required by law or where we consider it reasonably necessary to protect our properties, employees or guests.

8. Storage and security of personal information

Heritage takes information security and accountability very seriously. We know that we must take responsibility for your personal information, and will take reasonable steps to ensure it is protected, no matter where in the world it was collected or where it is held.

8.1. How we store your information

The personal information we collect about you is held by Heritage, as the data controller, and by our trusted information service providers, as our data processors. We hold personal information in a combination of physical and electronic formats, depending on the ways we may need to use it.

Each Heritage property retains personal information relating to your stay and the services it has provided to you within its Property Management System. Heritage Hotel Management Limited also retains some personal information about our guests as part of the services we provide to our properties, including the management of reservations, service provision and marketing activities (where those have been authorised by you).

The majority of the personal information we retain is stored in New Zealand, either on local servers or by New Zealand-based information service providers.

However, we may from time to time need to transfer personal information to service providers or systems located outside New Zealand. Where we can, we will only transfer personal information to service providers based in countries that have privacy regulations in place that are equivalent or stronger than those we adhere to. Where this is not possible, we will take reasonable steps to ensure that the service provider will meet our privacy and security expectations, including the use of contracts and service agreements that protect information from unauthorised access or use.

We retain the personal information we collect only as long as we need it to meet our reasonable service obligations. For example, we may retain your information for a reasonable period of time after your stay has ended, in order to respond to potential enquiries after your stay. For known regular guests, we will keep personal information for a longer period to ensure a high standard of service for those customers. When we no longer need your personal information, we or our service providers will securely destroy it.

8.2. How we protect your information

We take all reasonable steps to ensure that the personal information you entrust to us is protected against loss, unauthorised use, access or disclosure, and any other misuse. We recognise that information security is an important part of our role in upholding the privacy of your personal information, as well as your trust and confidence. We also recognise that security is about more than just the technical measures. We’ve taken steps to ensure that our people and processes are also fit for purpose.

Technical security measures include:

  • Core networks are protected by firewalls, and we conduct regular penetration tests and vulnerability scans to make sure these are up to date and functioning.
  • Systems are password protected, and our staff or contractors need a username and password to access personal information for legitimate business purposes.

Security processes include:

  • A strict set of guidelines are in place for the management of credit card information, which is some of the most sensitive personal information we collect. Our comprehensive PCI DSS (Payment Card Industry Data Security Standard) Security Policy applies to all staff and protects PCI data across all Heritage systems.
  • A data breach notification plan that ensures our staff and managers can identify and respond quickly and effectively to a data breach, including notifying regulators and affected guests about data breaches that may cause harm.
  • Continuous improvement of our processes to ensure that the third-party service providers we use can meet our privacy and security expectations, including developing contractual agreements aimed at protecting the personal information we need to share with them.

We make sure our people can be trusted by:

  • Requiring our staff to agree to our Code of Conduct, which states that the misuse of personal information, or the deliberate breach of our policies and procedures (including those relating to the management of personal information) constitutes serious misconduct.
  • Providing all our staff and managers with comprehensive training on privacy and information security.

9. Accessing and managing your personal information

We want to make sure you feel confident about the ways we collect and use your personal information. Where possible, we want to make sure you can control this. Privacy regulations all over the world focus on ensuring that individuals can access the information businesses hold about them, and can change their minds about how that information is used.

To exercise any of the rights listed below, please email us at privacy@heritagehotels.co.nz.

You can only access, correct or manage personal information about yourself, unless you have the consent of another person to do so on their behalf, so we may need to verify your authority or identity before responding to your request. We do this to protect your privacy and the privacy of other guests. Once we’ve verified your request, we’ll respond within 20 working days.

9.1. Managing your privacy preferences

We deliver our services and make sure our properties can run safely and efficiently by carefully and responsibly using the personal information you entrust to us.

You may also have authorised us to use your personal information in other ways not directly related to the services you’ve requested. This may include using your information to generally improve the services we offer and ensure that the communications we send you are meaningful and relevant. We respect that you might change your mind, and we certainly don’t want to use information in ways that might make you uncomfortable.

You can revoke your consent at any time. If you believe we’re using your personal information in ways that are not directly related to the provision of a product or service you have requested, and you have not specifically authorised us to do this, you can also object to this data processing.

9.2. Finding out what information we hold about you

You have the right to request a copy of your personal information, and we’ll be as open as we can. On occasion we might need to withhold personal information, for example, where the information is legally privileged or includes personal information about other guests. If we ever need to withhold information from you we will tell you why.

9.3. Correcting or deleting your information

If you think any of the personal information we hold about you is wrong, you can ask us to correct it.

Where we’ve retained your personal information for purposes that are not directly related to the provision of a product or service you have requested – such as for marketing purposes – you can ask us to delete it. If we are unable to correct or delete your information (for example, where we do not agree that it is wrong, or we need the information in order to deliver a service you have requested), we’ll tell you why. You can ask us to attach your correction request to the information as a statement of correction.

9.4. Questions and concerns

Where we have refused a request you’ve made to us about your information – whether you’ve sought to revoke consent, access your information, or have it deleted – or where you have any other concerns about the way we’ve handled your information, you can get in touch with us to make a complaint.

In the first instance, please contact our Privacy Officer by emailing PrivacyOfficer@heritagehotels.co.nz. We’ll do all we can to resolve your complaint and ensure that your privacy experience lives up to the Heritage promise.

If we can’t resolve your complaint for you, then you have the right to make a complaint to the Office of the NZ Privacy Commissioner, using either of the following channels:

  • Completing an online complaint form at www.privacy.org.nz
  • Writing to the Office of the Privacy Commissioner, PO Box 10-094, The Terrace, Wellington 6143

We may update our Privacy Statement from time to time to reflect changes to privacy regulations or our business operations. This privacy statement was last updated in May 2018.