Privacy policy

PREAMBLE

The SOCIETE HOTELLIERE DE LA HAUTE SAVOIE undertakes to ensure that the collection and processing of your data are carried out in a lawful, fair and transparent manner, in accordance with the General Data Protection Regulation (GDPR) and Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms.

The collection of personal data of its customers is limited to what is strictly necessary, in accordance with the principle of data minimisation, and indicates the purposes pursued by the collection of such data, whether providing these data is optional or mandatory to manage requests, and who may have access to them.

I. About Us

The SOCIETE HOTELLIERE DE LA HAUTE SAVOIE is a simplified joint-stock company (SAS) with its registered office located at 69 avenue de France – 74000 ANNECY and registered in Annecy under SIRET number 32215129100026. APE Code 5510Z.

The Company offers the following services:

• Hotel accommodation service (3 stars) and catering service

II. Definitions

“Site” means the Company’s website, namely, hotelannecy.fr
“Cookies” : A cookie is a piece of information deposited on the hard drive of an Internet user by the server of the site they are visiting. It contains several data: the name of the server that deposited it, an identifier in the form of a unique number or a text and possibly an expiration date. This information is sometimes stored on the computer in a simple text file that a server accesses to read and record information.

“Personal Data” means any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or one or more elements specific to that person. For example, the User’s email address.

“Customer” means any natural or legal person who makes a reservation on the Site, with our partner service providers (e.g. Booking.com) or directly with the receptionist on duty at the establishment whose address is indicated in Article I;

“Reservation” means any reservation made by the User, Client, Professional, Consumer in order to benefit from the Company’s Services;

“General Terms and Conditions of Sale and Use” or “GTC/CGU” means the general terms and conditions of sale and use of the Company;

“Consumer” means the buyer who is a natural person who is not acting for professional purposes and/or outside their professional activity;

“Professional” means the buyer who is a legal or natural person acting in the course of their professional activity;

“Services” means all services and/or products offered to Users, Customers and Professionals by the Company through the Sites owned by the Company;

“Company” means the SOCIETE HOTELLIERE DE LA HAUTE SAVOIE, further described in Article I herein;

“User” means any person who makes use of the Site.

“Account” means the client’s personal space with the Company’s partner service providers.

“Quote” means a quote produced by the Company for a specific tailor-made service requested by the Client.

“GDPR” means the General Data Protection Regulation applicable since 25 May 2018.

“Processing of personal data” means any operation or set of operations concerning such data, regardless of the method used (collection, recording, organisation, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or other means of making available, alignment or combination, blocking, erasure or destruction…).

III. Protection of Personal Data

In accordance with the law known as “Informatique et Libertés” of 6 January 1978 and the General Data Protection Regulation 2016/679 (GDPR), the information concerning you is intended for the Company, which is responsible for processing. You have the right to access, rectify and delete data concerning you (details in Article 7). You may exercise this right by sending an email to [email protected].

By connecting to the site hotelannecy.fr of the Company, you access content protected by law, notably by the provisions of the Intellectual Property Code. The Company authorises only strictly personal use of the information or content you access, limited to saving it on your computer for display on a single screen, as well as reproduction, when authorised (link or download button) for copying or printing on paper. Any other use is subject to our express prior authorisation. By continuing your visit, you agree to respect the above restrictions.

The Company commits its Clients, Users, Consumers, Professionals to respecting the laws in force and the ethical rules necessary to establish a relationship of trust between the Company and its Clients, Users, Consumers, Professionals.

The Company commits its Users to respect a set of obligations through its GTC/CGU.

Any breach of these obligations may result in the cancellation without notice of a reservation made on the Company’s website or directly with the Hôtel Novel Annecy.

PLEASE NOTE THAT THE COMPANY DOES NOT EXCHANGE OR RENT ANY CLIENT OR PROSPECT FILES.

The Company’s website is not intended for minors. We do not knowingly collect or process personal data relating to minors. Should we become aware of the collection of personal data of minors without prior authorisation from the holder of parental authority, we will take appropriate measures to delete such personal data from our servers.

1. Data Controller

2. Nature of Data Collected

User Information and Rights
The Company hereby clearly informs you about the processing of personal data it carries out as part of its activity, how data is collected, used and protected.

Any User, Client, Consumer, Professional has the right to request from the data controller, namely Mr and Mrs BAIO, access to the personal data provided;

• Rectification or deletion of such data;
• Restriction of processing relating to them;
• Opposition to processing;
• Data portability;
• Filing a complaint with the CNIL.

Subcontracting
The Company undertakes to ensure that any subcontractor provides sufficient contractual guarantees regarding the implementation of appropriate technical and organisational measures, so that processing complies with the European data protection regulation (see the list of data recipients in Article 6).

Data collected on the site (contact form)
When a Client, User, Consumer, Professional makes a booking request on the site via our contact form, the following data are collected and processed by the Company: email, first name, last name, phone, country, arrival date, departure date, number of adult(s), number of child(ren), and additional information that the Client, Professional, User, Consumer deems necessary for their booking request.

Data collected on the site (via our subcontractor D-Edge)
When a Client, User, Consumer, Professional makes a booking request on the site, the following data are collected and processed by our subcontractor D-Edge: email, first name, last name, country, phone number, IP address, room type, booking rate, stay dates, credit card number (16 digits + expiration date) and any additional information that the client, consumer, professional or user may provide if deemed useful for the booking.

The data are then sent to us by email except for the credit card number (16 digits + expiration date), which remain securely accessible on the servers of D-Edge and Medialog (our PMS). This data is only accessible with a password and an ID via the intranet between the Company, D-Edge and Medialog.

Data collected at the Company’s Establishment
Upon arrival, the following data are collected and processed: arrival and departure dates, room number, number of breakfasts, order history, complaints, incidents, information relating to correspondence on our site or directly with the Company (emails sent directly).

Some data is collected automatically due to user actions on the site (see the paragraph on cookies in Article 8).

Data collected by a Partner Service Provider
A customer, consumer or professional may book a service from the Company through a partner provider. The data collected through such means (e.g. Booking.com) is subject to the GTC/CGU and Privacy Policy of these Partner Providers as well as those of the Company.

Submitted data shall not include sensitive personal data such as government identifiers (e.g. social security number, driver’s license number, taxpayer identification number), full credit card numbers (except as requested specifically during the booking process by filling in the dedicated form field), personal bank account numbers, medical records or health care claims associated with individuals, without limitation.

Regarding Identity Data Collection

Prior identification for service provision
Provision of a room requires prior identification of the client by means of their identity card or any other document allowing identification. The nominative data (name, surname, postal address) on the identity document are used to fulfil legal obligations related to the provision of service as specified in the booking. The client, consumer or professional must not provide false nominative information nor make a reservation for another person without their permission. Provided contact details must always be accurate and up-to-date.

Terminal Data Collection
Collection of profiling and technical data for service provision purposes.

Some technical data from your device are collected automatically by the Site and server. This includes your IP address, Internet service provider, hardware and software configuration, browser type and language… This data collection is necessary for proper navigation on the Company’s website.

The Company also offers a personalised experience using automated decision making through newsletter email messages.

Collection of technical data for commercial and statistical purposes
Technical data from your device is automatically collected and stored by the server and our subcontractors for advertising, commercial and statistical purposes. This helps personalise and improve your experience on our Site. We do not collect or keep any personally identifiable information attached to technical data.

3. Purpose of Processing
The main goal of collecting your personal data is to offer you a safe, optimal, efficient and personalised experience within the establishment. To this end, you agree that we may use your personal data to:

• Provide our services and facilitate their operation, including performing checks;
• Resolve issues to improve the use of our site and services;
• Personalise, evaluate and improve our services, content and documentation;
• Analyze the volume and history of your use of the Company’s services;
• Inform you about the Company’s services;
• Prevent, detect and investigate potentially prohibited or illegal activities or those contrary to good practices, and ensure compliance with the Company’s GTC/CGU;
• Comply with legal and regulatory obligations;
• For clients booking directly on the site, by phone or via partner providers, process data for contract execution;
• For our newsletter, process data based on your explicit consent.

VII. Recipients of Data

Personal data concerning you collected on the site, at the establishment and through partner providers are intended for use by the Company and may be transmitted to subcontractors engaged by the Company for service execution. The Company ensures all subcontractors comply with data protection requirements. The Company does not sell or rent your personal data to third parties for marketing purposes. In line with our values, we do not engage in strategic partnerships for data sharing to promote third party services or products.

The Company only discloses your data to third parties if:

• You request or authorise the disclosure;
• Disclosure is necessary to process transactions or provide requested services (e.g. credit card verification with issuers);
• The Company is legally compelled by government or regulatory authorities (judicial requests, subpoenas, etc.);
• The third party acts as an agent or subcontractor of the Company in service execution.

Currently, the data recipients are:

• MIXIT7: Server hosting and management
• XXX: Accounting operations
• Mr Jérémy MERENVIELLE: Website editing
• RESERVIT: Payment management
• GOOGLE ANALYTICS: Site statistics and technical analysis
• Microsoft: Email communication between Company and Users, Consumers, Clients, Professionals
• XXX: Hotel Wi-Fi service available to clients, employees, consumers and professionals

VIII. Right of Access, Rectification and Deletion

In accordance with the French Data Protection Act and the GDPR, you have the right of access, rectification and deletion of your personal data which you may exercise by sending an email to

your request will be processed within 30 days. We may ask that your request be accompanied by a photocopy of proof of identity or authority.

You may also modify your personal data yourself at any time regarding our newsletter, by clicking the link at the bottom of each newsletter email to unsubscribe or update your information.

1. Use of Cookies
Retention period of cookies
In accordance with CNIL recommendations, the maximum retention period for cookies is 13 months from their first deposit on the User’s device, matching the validity of the User’s consent to their use. Cookie lifetime is not extended by visits. Consent must be renewed at the end of this period.

Purpose of cookies
Cookies may be used for statistical purposes to optimise services to the User by processing information on access frequency, page personalisation, and operations and information consulted.

The Company may place cookies on your device. Cookies record information about your site navigation (pages visited and accessible), which we read on subsequent visits.

Cookies allow the Company during the valid period to identify your computer on next visits. Partners or third parties may place cookies subject to your choices.

Two main categories of cookies:

• Technical cookies essential for site navigation and order processing;
• Optional cookies improving user experience, search facilitation, offer targeting, and site optimisation.

This data is stored on your computer for one year. Only the cookie issuer can read or modify the information.

No cookie identifies your civil status.

User’s right to refuse cookies
Disabling cookies may degrade service functioning. You acknowledge being informed and authorise cookie use.

Most browsers allow disabling cookies via settings.

Browser-specific instructions to refuse cookies:

• Chrome: Settings > Advanced > Content Settings > Disable “Allow sites to save and read cookie data”
• Firefox: Tools > Options > Privacy > Cookie settings
• Internet Explorer: Tools > Internet Options > Privacy > Adjust slider
• Edge: Settings > Clear browsing data > Choose what to clear
• Opera: File > Preferences > Privacy

Warning: Refusing or deleting cookies may degrade service performance. The Company disclaims responsibility for such consequences.

2. Data Retention
The Company collects and retains personal data to fulfil contractual obligations and track service use. Data is kept only as long as needed. Bank data is deleted post service delivery. Statistical data older than 13 months is deleted. Other data may be deleted any time in accordance with policy.

Retention of sensitive and personal data
Sensitive data (e.g. bank card) is kept only as long as necessary per legal obligations.

Personal data (name, email, address) is retained for 3 years in the reservation software.

Deletion after account deletion
Data purging mechanisms ensure deletion when retention period ends. You may request deletion anytime by contacting the Company.

Deletion after 3 years inactivity
If you haven’t visited the establishment for over 3 years, personal data will be deleted.

Deletion after 12 months newsletter inactivity
Inactive newsletter users (no opens or clicks for 1 month) receive an email invitation before deletion.

3. Data Storage Location and Transfers
Servers processing and storing your data are located exclusively in the European Union.

The Company will notify you promptly if legally allowed in case of requests from authorities regarding your data.

XII. Security

The Company prioritizes the security and integrity of personal data in accordance with GDPR. Measures include protection against accidental or illicit destruction, loss, alteration, disclosure, access or any unlawful processing.

Industry-standard technical and organisational security measures are implemented, including encryption, noting payments are processed externally by secure subcontractors D-EDGE and VEGA.

Procedures safeguard data accuracy and prevent unauthorized access.

In case of security breaches affecting you, the Company will notify you promptly and take all possible measures to neutralise and minimize impact.

You may receive assistance to assert your rights in case of damages caused by third-party breaches.

Exploiting security flaws is subject to criminal sanctions; the Company will take all legal measures to protect data and rights.

User notification in case of security breach
The Company commits to:

• Notify you promptly if legally required;
• Investigate causes;
• Mitigate adverse effects reasonably;
• Limit liability.

These commitments do not imply admission of fault.

XIII. Responsibilities and Guarantees

Except for force majeure, the Company guarantees proper performance of services in compliance with these Conditions.

Any compensation due to liability is limited to the amount paid for the service(s) causing liability.

The Company does not systematically control use of its services or equipment, which remains the User’s responsibility.

No liability towards third parties for damages caused by User or Client.

User Responsibility
Users are solely responsible for their use of rooms, common areas, and equipment.

Non-compliance with terms, privacy policy or laws may engage User liability.

Users indemnify the Company against claims or damages from breaches of terms or privacy policy.

XIV. Data Portability

The Company offers you the possibility to receive all your data upon simple request, in an open and reusable format, transferable to another data controller if desired and feasible.

1. Data Deletion

Users may delete their data anytime by request or via links in newsletter emails.

2. Deletion of Reservations for Policy Violations
The Company reserves the right to cancel bookings without refund if policy violations occur.

XVI. Data Transfer to Countries with Equivalent Protection Level

The Company complies with applicable regulations on data transfers. Currently, no data is transferred abroad except when necessary for services as follows:

• Transfers to countries recognized by CNIL as having sufficient protection;
• Transfers only as strictly necessary for booking at Hôtel Novel Annecy;

Current relevant processing includes:

• Booking services via subcontractor D-EDGE: client ID, email, purchase amount, product details, phone, postal address (if provided), credit card digits and expiry;
• Ethical personalised commercial management via Facebook “Custom Audience”;
• Questionnaires via Google services with data shared at client discretion.

For a list of countries with sufficient legal protection see: CNIL – Data Protection Worldwide

XVII. Modification of the Privacy Policy

The Company reserves the right to modify this Privacy Policy at any time, notably due to legal or regulatory changes. Changes will be notified on our website and/or by email at least 30 days before implementation when possible. We recommend reviewing the policy periodically.

The Company will not substantially lower privacy standards without prior notice to concerned individuals.

XVIII. Applicable Law and Language

This Privacy Policy is governed by French law. The French text is the authentic version in case of dispute. Invalidity of any clause does not invalidate the whole policy. Non-application of clauses does not imply waiver of others.

XIX. Disputes and Jurisdiction

Any disputes regarding this policy will be submitted to the competent courts within the jurisdiction of the city of Annecy.

1. Contact

Any questions concerning this Privacy Policy may be sent by email to [email protected] or by postal mail at: