Northland Properties Corporation Privacy & Policy
Northland Properties Corporation (“NPC”), doing business as Sandman Hotels, Sandman Signature Hotels, Sandman Inns & Suites, Sutton Place Hotels, RSVP Rewards, NPC RSVP Rewards, is a British Columbia corporation having its head offices at 310-1755 West Broadway, Vancouver, British Columbia, Canada. NPC values you as a guest and recognizes the importance of ensuring that your privacy is protected. This Privacy Policy (“Policy”) describes the personal information that NPC, and hotels and resorts managed, franchised or operated by NPC and/or its affiliated companies (“NPC”, “we” or “us”) collects from or about you when you use websites that are owned or controlled by us (the “Sites”) or applications made available by us by third parties, communicate with us, make bookings, participate in our rewards program or inquire about or purchase services from us, how we use that information, and to whom we disclose it.
Please read this Policy carefully and contact us if you have any questions. If you do not agree with this Policy, you should not access or use the Sites.
This Policy was last updated on March 19, 2021. We may amend this Policy from time to time and, as such, you should review its terms each time that you visit our Sites. Any changes to this Policy will be promptly communicated on this page but will not go into effect until at least five (5) days after they are posted.
Meaning of “Personal Information”
“Personal information” as used in this Policy means information about an identified or identifiable individual. An identifiable individual is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Personal information does not include general, statistical, anonymized or aggregated information.
Accountability and Openness / Privacy Officer
NPC is responsible for personal information under our control, and we are accountable to you for its collection, use and disclosure by us. We have established policies and procedures to safeguard any personal information that we have on file or which we collect, and to deal with complaints and inquiries. We will only collect personally identifiable data as described in this Policy.
In this Policy, we have attempted to provide you with manageable, comprehensive and easily understandable information regarding the policies and procedures that we use to manage your personal information. However, we recognize that different individuals require different levels of detail and invite you to contact us directly as set out below should you require further information.
NPC has designated a chief privacy officer (“Privacy Officer”) who is accountable for the protection of data containing personal information and for our compliance with this Policy generally, as well as for ensuring that information about our practices relating to the management of personal information is easily accessible and understood.
All questions or concerns regarding this Policy, our compliance with it, as well as any of our processes and procedures relating to the collection, use and disclosure of your personal information, should be directed to the Privacy Officer in writing, and sent by email to privacy@northland.ca or by post to:
Chief Privacy Officer
Northland Properties Corporation
310-1755 West Broadway, Vancouver, B.C., V3C6R2.
Collection of Information
What Information is Collected and How?
We collect personal information only to the extent that it is necessary for the purposes set out below (see: Purposes – Why We Collect, Use and Disclose Information). In most cases, we will collect personal information directly from you when you interact with us with respect to our hotels and resorts, events, or any other product or service that we offer. Interaction may be through our central reservation office, the front desk of one of our properties, through third party booking websites, or through our Sites. Occasionally, we may collect personal information from a third party based on your consent or as otherwise permitted by law. Personal information will always be collected using means that are transparent, fair and lawful.
A. Direct Collection
Examples of personal information that we may collect, use and disclose include your name and email address, telephone number, and home address; and other government-issued identification information; nationality and date of birth; car license and description; credit card details (type of card, credit card number, name on card, expiration date, and security code); NPC Rewards loyalty program details; employer or other relevant details, if you are an employee of a corporate account holder; preferred language; gender; guest stay information, including date of arrival and departure, special requests, and observations about your service preferences (including room preferences, facilities and other services used); information regarding your past stays at our properties; information that you provide regarding your marketing preferences; “guest type” information, such as transient, meeting/group, contract, corporate, tour or complimentary; and any other information that you may provide to us in conjunction with your use of our facilities and services.
If you provide comments or other feedback to us, you agree that such comments or other feedback become the property of NPC, and we may use, disclose and share them with our partners for any purpose provided that we do not associate them with your personally identifiable information without your express consent.
“Sensitive personal information” includes information regarding health, religious or philosophical beliefs, racial or ethnic origin, and sexual orientation. We endeavour to limit the circumstances under which we collect and process sensitive personal information, and request that sensitive personal information not be disclosed when it is not necessary to do so. Examples of situations where we may collect and process sensitive personal information include those in which you have requested specific assistance from us, such as wheelchair accessible facilities or meals that are compliant with religious or other dietary guidelines, or where you have chosen to provide such information to us, or it has been provided to us by a third party such as a travel agent through which you have made a booking, in order to accommodate your needs or preferences.
B. Information Collected Through Automated Means
Users may visit the Sites without telling us who they are or revealing any information about themselves. However, like many organizations’ websites, our web server automatically logs certain information related to a user’s visit to the Site, including the Internet Protocol (IP) address of the user’s computer, the user’s Internet service provider (ISP), the type and version of the browser that the user is using, the date and time the user accessed the Site, the Internet address of the website from which the user linked directly to the Site, the operating system that the user is using, and the pages of the Site that the user has visited.
We may, however, review server logs and traffic for system administration and security purposes, for example to detect intrusions into our network, for planning and improving web services, and to monitor and compile statistics about website usage. The possibility therefore exists that server log data, which contains users’ IP addresses, could in instances of criminal malfeasance be used to trace and identify individuals. In such instances, we may share raw data logs with the appropriate authorities for the purpose of investigating security breaches.
We also use cookies, analytics, pixels and other technologies in order to improve our service, your user experience, and to analyze how the Sites are used to assist with our business and marketing.
Cookies: “Cookies” are small text files that are placed on your computer by websites that you visit. They are used to identify you to the web server and will tell the server who you are when you return to a page on the same website. Your browser will only send a cookie back to the domain that originally sent it to you. A cookie cannot run any programs, deliver any viruses, or send back information about your system. There are different types of cookies: Session cookies expire when you close your browser. Persistent cookies remain on your device until they are deleted or expire.
We use cookies:
- to optimize your user experience and to facilitate browsing;
- to determine, facilitate and authenticate your access privileges on our Sites;
- to complete and support a current activity, to track website usage;
- to implement security features;
- to remember your language and other preferences;
- to allow you to access your personal pages more efficiently, by storing log-in details and other information that you have previously provided;
- for advertising purposes, to offer you relevant targeted offers and other content that may be of interest to you;
- to identify third party websites that may have redirected you to our Sites; and
- to generally improve your experience.
When you visit our Sites for the first time a pop-up banner informs you of the use of cookies, seeks your express consent to their use, and provides a direct link to this information page. Although the banner will not normally appear on subsequent visits to our Sites, you may withdraw your consent to the use of cookies at any time by following the instructions below.
Most web browsers automatically accept cookies, but if you do not wish to have cookies on your system, you should adjust your browser settings to decline them or to alert you when cookies are being sent. The management of cookies varies for each browser, and you should consult the “Help” menu of your browser. Certain professional advertising platforms also provide users with the option to accept or block cookies used by their clients.
If you decline cookies, you may still be able to use the Sites but your ability to access certain pages, features and functions may be affected. To find out more about cookies, including how to see what cookies have been set and how to manage and remove them, please visit AboutCookies.org.
Pixels: Pixel tags (also known as web beacons and clear GIFs) are tiny snippets of JavaScript code that we have placed on the Sites. They may be used in connection with some online services to track the actions of users of the online services, measure the success of our marketing campaigns and compile statistics about the usage of online services and response rates. For example, we use pixels to measure the return on investment of Facebook Ads by reporting on the actions people take after viewing those ads. We also use them to show you more relevant advertisements on Facebook based on your traffic on our Sites. Facebook may use cookies, beacons and similar technology placed on our Sites as part of this process. You may opt out of Facebook’s Custom Audience ads here: http://optout.aboutads.info.
Google Analytics: We use Google Analytics, which uses cookies, UTM (Urchin Tracking Module) tags, and similar technologies to collect, track and analyze information about the use of the Sites, and to report on activities, trends and user behavior patterns. We do this to obtain an overview of how people are accessing and using the Sites, as well as to provide marketing services to you. Information that we use from Google Analytics includes: IP address; time per page; pages per session; bounce rate; device information; frequency of use; language; demographic; geographic and interests. You can learn about Google’s practices by going to www.google.com/policies/privacy/partners. You can opt out by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout.
Sojern: We use Sojern to manage cookies and to track activities on the Sites. Sojern collects and processes pseudonymous data to deliver advertising services. It uses cookie ID and mobile IDs to collect information about travel intent, such as flight searches and travel dates. “Pseudonymous data” is defined as personal information that has been processed in such a manner that the personal information can no longer be attributed to a specific individual without the use of additional information. You can learn about Sojern’s practices by going to: https://www.sojern.com/privacy/privacy-policy/.
Your browser or device may include “Do Not Track” functionality. At this time, NPC does not respond to browser “Do Not Track” signals.
Consent
Consent for the collection, use or disclosure of personal information may be express or implied, except in the case of sensitive personal information – in which case consent must be explicit. For consent to be meaningful, it must be informed, unambiguous and freely given. Consent will only be valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. Typically, where we rely on consent to process your personal information, we will seek your consent at the time of collection, and efforts will be made to ensure that you understand the purpose(s) for which the information will be used or disclosed.
Part of providing meaningful consent is understanding the risk of harm and other consequences of the disclosure of your personal information. While we endeavour to continually use best practices to minimize the risk of harm (See: Safeguards – How Information is Protected, below), technology is constantly evolving and no safeguards can be guaranteed to be failsafe or to provide absolute protection against malfeasors. Significant harm that may result from the unauthorized use of the personal information that you disclose includes identity theft and credit card fraud.
Withdrawal of consent / objection to processing
You may always choose not to disclose personal information. Also, when we are using your personal information on the basis of your consent, you may withdraw or change your consent at any time. To withdraw or change your consent to our use of your personal information, please send your request in writing, along with details of the use of your information that you wish to change or withdraw your consent for, to the Privacy Officer at the address set out above (see: Accountability and Openness / Privacy Officer). Please note that where our processing of your personal information is not based on your consent (but is based on another legal ground), then we may not be able to comply with your request. We will inform you of this in writing if this is the case.
When we are using your personal information on the basis of our legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground, you may raise your objections to us. To do so, please send details of your objection in writing to the Privacy Officer at the address set out above (see: Accountability and Openness / Privacy Officer).
In some circumstances, particularly where our use of your information is integral to the provision of a product or service, your refusal to provide consent, or a change or withdrawal of consent, may affect your transactions and/or our ability to provide you with information, products or services.
Purposes – Why We Collect, Use and Disclose Information
We will not collect personal information which is not necessary and, except as specified below, will not use or disclose personal information for any purpose other than the purpose(s) for which it was collected without first notifying you or obtaining your consent, as applicable. The information that we collect is used and disclosed only for business purposes. These include:
- to operate and maintain our properties and the Sites, and to respond to your requests, questions and concerns;
- to complete and manage your reservations, including confirmations, billings, and payment processing;
- to provide high quality customer service, including through the establishment of customer profiles which help us to better address your individual needs;
- to assist you in planning meetings and events;
- to provide you with personalized content, and to maximize our ability to provide you with information and services that are useful and relevant to you, and which address your individual needs or requirements;
- to obtain feedback regarding our hotel and services, which may include inviting you by email to write a guest review after your stay. This allows us to continually improve the services that we offer;
- to enable your participation in our NPC Rewards loyalty program, and our administration of that program including: providing you with information about your account, allowing you to access benefits and rewards, and to manage your choices regarding program activity;
- to support our advertising and marketing activities, which may include allowing you to participate in promotions and contests, and to provide you with information and promotional materials, and other marketing communications, regarding NPC and NPC’s related brands and subsidiary businesses;
- to verify that any information submitted by you is accurate and complete;
- to communicate with you for other reasons related to our business, and to create a record of your involvement with us;
- to assist in ensuring your lost and forgotten belongings can be returned to you if they are located;
- for legal purposes, which may include the handling and resolution of claims and legal disputes, or for regulatory investigations and compliance;
- to detect and prevent error, fraud, theft and other illegal or unwanted activities;
- internal business purposes, including data analysis, to administer or improve our services, enhance the user experience, and to improve the functionality and quality of our Sites and online travel services;
- to comply with any legal, accounting and regulatory requirements, including reporting requirements;
- any other reasonable purpose for which you provide consent, or for which consent may be implied in accordance with this Policy and applicable law.
Where personal information that has been collected is to be used for a purpose not previously identified, we will notify you of the new purpose and, where necessary, obtain your consent, prior to the use of that information for the new purpose unless otherwise permitted by law.
We comply with applicable “anti-spam” legislation and will only send you electronic communications as permitted by law. Note that you may always unsubscribe from our electronic communications by following the “unsubscribe” link clearly included in each communication, or by notifying the Privacy Officer at the address set out above (see: Accountability and Openness / Privacy Officer).
Legal Basis for the Use of Your Personal Information (EEA and UK Residents)
NPC will only process your personal information where we have a legal basis to do so. The legal basis will depend upon the reason or reasons for which we collected and require the use of your information. The legal basis will generally be one or more of the following:
- The performance of the contract that we have with you, for example, for the purpose of making, managing and completing reservations, creating customer accounts, processing payments, participating in our NPC Rewards loyalty program, the purchase of gift cards, returning lost or forgotten items, and providing our services to you.
- Our legitimate interests (or those of a third party) in conducting and managing our business to enable us to give you the best service and the best and most secure experience, such as providing you with the best appropriate content for the Sites, emails, newsletters, and rewards programs; to enhance customer experience; and to improve and promote our products and services and the content on our Sites. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting the Privacy Officer at the address set out above (see: Accountability and Openness / Privacy Officer).
- To comply with legal obligations.
- To protect your vital interests, or those of another natural person.
- Where you have consented to our use of your personal information for particular purposes, such as direct marketing. Where we process personal information based on your consent, you may withdraw your consent at any time by contacting the Privacy Officer at the address set out above (see: Accountability and Openness / Privacy Officer).
Where we collect and use ‘sensitive’ personal information as described above (see: Collection of Information), we need to have further justification for collecting, storing and using this type of personal information. We have in place appropriate safeguards which we are required by law to maintain when processing such data. We process special categories of personal information in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Where we need to carry out our legal obligations or exercise rights in connection with employment.
- Where it is needed in the public interest, such as for disability and accessibility.
- Where it is needed to protect the vital interests of individuals.
- Where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent.
- Where you have already made the information manifestly public.
Disclosure to Third Parties
Except as specifically provided in this Policy or permitted by law, your personally identifiable information will not be shared with third parties unless we provide you with both prior notice and choice.
In the course of our supply of products and services to you, or your participation in our rewards program, we may delegate our authority to collect, access, use, and disseminate your information to franchisees and subcontractors. If you do not agree to our disclosure of your information to these parties, we may not be able to provide you with the products, services or programs that we engage them to provide, and this may impact your ability to access or use our services generally.
We may disclose your personal information to franchisees in connection with the services, including with respect to reservations that you book through our central reservations line or the Sites.
Subcontractors to which we disclose your personal information may include payment processors, property management systems, booking engines, direct booking platforms, login authentication services, analytical support services, web hosts, customer relationship management systems, and parties that we engage to send out marketing materials. If we transfer any personal information to a third-party subcontractor, we will provide the subcontractors only with the information needed to perform the subcontracted service and will use appropriate contractual means to provide a comparable level of protection while the information is being used by them.
We have in place contracts with our subcontractors to make sure that they keep your personal information safe, secure, confidential and in line with applicable laws. Details regarding the personal information that we make available to our third-party contractors, and how it is used, is available by contacting the Privacy Officer at the address set out above (see: Accountability and Openness / Privacy Officer). Any request made by you to correct, change or erase your personal information will be promptly communicated to any third-party subcontractors in possession of that information (see: Accuracy / Individual Access / Erasure).
We may collect, use or disclose your personal information without your knowledge or consent where we are permitted or required to do so by applicable law, government request, request of a law enforcement agency, search warrant, subpoena or court order, or based upon our good faith belief that it is necessary to do so in order to comply with such law, request, warrant, subpoena or court order, or enforce our rights or to protect our assets, the users of our websites, products or services, or the public.
We may transfer to another entity, or its affiliates or service providers, some or all information about you in connection with, or during negotiations of, any merger, acquisition, sale of assets or any line of business, change in ownership control, or financing transaction. In each such case, NPC and the other part(ies) to the transaction or proposed transaction will enter into a written agreement limiting the period and purposes for which your personal information may be used and disclosed.
Retention of Personal Information
Subject to any legal or accounting requirements, we will retain personal information only as long as necessary to fulfill the purposes for which it was collected. Personal information that is no longer required will be destroyed, erased or made anonymous, although copies of deleted information may continue to exist on back-up media. In certain circumstances, you may request the erasure of your personal information, which we will endeavor to do without undue delay as required by applicable law. Written requests should be sent to the Privacy Officer at the address set out above (see: Accountability and Openness / Privacy Officer). Any third-party subcontractors to which we disclose your personal information (see: Disclosure to Third Parties) must return or destroy the information when it is no longer required for the purpose of the subcontracted services.
PLEASE NOTE: We are currently working on a Records Retention Schedule that clearly outlines the information we obtain, maintain, and for how long. We are working with our third-party partners, including Amadeus IT Group, to complete needed development work on data purging. We expect to update this element of our Privacy Policy by March 31, 2022.
Safeguards – How Information is Protected
We have implemented physical, organizational, contractual and technological security measures to protect personal information in our possession or under our control from loss or theft, and from unauthorized access, disclosure, copying, use or modification, regardless of the format in which the information is held. The safeguards applied will depend on the sensitivity of the personal information, with the highest level of protection given to the most sensitive information. Staff permission to access personal information is role-based and is determined in accordance with the purpose for which the information has been disclosed (see: Purposes – Why We Collect, Use and Disclose Information), and the staff member’s role in fulfilling that purpose. Our data systems use user IDs, passwords, and encryption technology. We store our data with third party cloud providers, secure on-site property management systems and remote servers hosted by reputable companies in Canada, the USA and the UK. Staff and contractors who have access to personal information are bound by confidentiality obligations in order to ensure that information is handled and stored in a confidential and secure manner. Any credit card information that you submit will not be stored on our servers, but rather will be sent to a PCI Level 1-compliant payment processor for storage. When destroying personal information, we delete electronically stored personal information. While we will endeavour to destroy copies of personal information, you acknowledge that deleted information may continue to exist on back-up media but will not be used unless permitted by law.
We will continually review and update our security policies and controls as technology evolves. However, no security technology can be guaranteed to be failsafe. Using the Internet or other public means of communication to collect and process personal information may involve the transmission of data on an international basis and across networks not owned and/or operated by us. Accordingly, we cannot guarantee that personal information will not be lost, or that it will not be altered, intercepted or stored by an unauthorized third party.
Accuracy / Individual Access / Erasure
Personal information contained in our records or which is disclosed to third parties for the purposes described above shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is used. You may request access to the personal information that we hold about you by submitting a written request to the Privacy Officer at the address set out above (see: Accountability and Openness / Privacy Officer). Including “Request personal information” in the subject line of your email or letter will facilitate compliance with your request. We will inform you of your personal information held by us and provide an account of the use that has been made of the information, as well as identify any third parties to whom we have disclosed the information. In some instances, you may also be entitled to receive a copy of your personal information in a structured, commonly used, machine-readable format (or request that this be transferred to a third party where technically possible). In certain circumstances, NPC may not be able to provide you with access to all or some of your personal information, in which case you will be advised in writing of the reasons for our inability to provide you with the information.
You also have the right to request that we correct or rectify any information that we hold about you which is out of date or incorrect. If you demonstrate the inaccuracy or incompleteness of your personal information, the information will be amended as appropriate. You should advise us immediately if you discover inaccuracies in our data or if your personal information changes. All notices and requests regarding inaccuracies or changes should be in writing and sent to the Privacy Officer at the address set out above (see: Accountability and Openness / Privacy Officer).
In certain circumstances, you have the right to require that we erase, limit, or cease processing your personal information. All notices and requests asking us to erase, limit or stop processing your personal information should be in writing and sent to the Privacy Officer at the address set out above (see: Accountability and Openness / Privacy Officer).
International Transfer and Storage of Information
Your personal information may be transmitted, transferred, processed, backed-up and/or stored outside of Canada, including in the United States and UK. In particular, many of the third parties that we work with and certain of our subcontractors to which we disclose your personal information (see: Disclosure to Third Parties) may use and store that information at their facilities outside of Canada. We will use reasonable means to ensure that your information is protected, including written agreements with our third-party subcontractors, but cannot guarantee that the laws of any foreign jurisdiction will accord the same degree of protection as the laws of Canada.
EEA and UK Residents: When we transfer the personal information of individuals from the European Economic Area or the United Kingdom to a country or organization that is outside of the European Economic Area or the United Kingdom, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following transfer solutions is implemented:
- We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries;
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries; and
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
You may make a request in writing if you would like further information on the specific mechanism used by us when we transfer personal information to countries or organizations that are outside of the European Economic Area or the UK by contacting the Privacy Officer at the address set out above (see: Accountability and Openness / Privacy Officer).
Links to other Websites
The Sites may contain optional links to services and other third party Internet sites that we believe may be of interest to you. These include links to sites belonging to our parent company, Northland Properties Company; Twitter; Facebook; and others. If you click on these links, you will leave the NPC website, and these third parties may collect data from you or your electronic devices in connection with your visit to their websites. The accessing and use of third party websites is at your own risk, and we cannot assume responsibility for the privacy practices, policies or actions of the third parties who operate those websites. This Policy applies only to NPC websites, and we encourage you to review the privacy policies contained on each Internet site that you access.
Compliance
Inquiries, requests and complaints regarding our compliance with this Policy should be directed to the Privacy Officer (see: Accountability and Openness / Privacy Officer).
Every complaint or challenge regarding our compliance with this Policy will be investigated, and where a deficiency is found to exist, we will take appropriate measures to address it. This may include amending our policies and procedures as necessary. We will also cooperate with regulatory authorities to resolve any complaints that cannot be resolved between us and an individual.
If you are entitled to data protection rights under European Union law or the law of the United Kingdom, you are also entitled to lodge a complaint with the relevant supervisory authority that deals with data protection matters in your jurisdiction.
~Published: March 19, 21