Last Updated: Mar 2024

At the COMO Group we take your privacy very seriously and we are committed to protecting your personal data.

This privacy statement and cookies policy (together with any terms of use or terms and conditions, which you can find on the relevant COMO Group Website (as defined below)) explains how the members of the COMO Group manage your personal data. It includes details of how we collect, store, use, record, hold, transfer and disclose your personal data. If you wish to contact us regarding this privacy statement and cookies policy, please see the contact details set out below.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

ABOUT THE COMO GROUP
DISCLAIMER – COMO GROUP MEMBERS ARE NOT LIABLE TO YOU
DATA WE COLLECT FROM YOU OR ABOUT YOU AND OUR SOURCES OF THAT DATA
HOW WE USE YOUR PERSONAL DATA AND THE LAWFUL BASIS FOR PROCESSING YOUR PERSONAL DATA
MARKETING AND YOUR CHOICES
HOW WE SHARE AND DISCLOSE YOUR PERSONAL DATA
WHERE WE STORE YOUR PERSONAL DATA
LINKS TO THIRD PARTY WEBSITE
RETENTION OF PERSONAL DATA
HOW WE STORE AND SECURE YOUR PERSONAL DATA
YOUR LEGAL RIGHTS
COOKIES
CHANGES TO THIS STATEMENT
QUERIES, COMMENTS, REQUESTS AND COMPLAINTS
CONTACT US
LANGUAGES

ABOUT THE COMO GROUP

This Privacy Statement and Cookie Policy is issued by the COMO Group, but applies to the handling of personal data by each member of the COMO Group. The members of the COMO Group who could be “data controllers” in relation to your personal data are here.

The websites and applications of the COMO Group are here.

There will typically be one member of the COMO Group to whom you have given your personal data. (From a UK/ EU perspective, this entity would be a “data controller” in relation to your personal data. The term “data controller” broadly means the person who determines the purpose and means for which your data is processed. It is possible that you have given your data directly to more than one member of the COMO Group in which case each such member could be a data controller of your data in that context.)

If you are a member of the COMO Club Recognition Programme, which is the loyalty scheme administered on behalf of the COMO Group, the relevant data controller is COMO Club Pte Ltd.

Members of the COMO Group may have separate privacy notices that they provide to you either to replace or supplement this privacy statement and cookies policy.

DISCLAIMER – NO OVERARCHING LIABILITY OF COMO GROUP MEMBERS

EVEN THOUGH THIS PRIVACY STATEMENT AND COOKIES POLICY IS ISSUED ON BEHALF OF THE COMO GROUP, YOU ARE NOTIFIED THAT THE MEMBERS OF THE COMO GROUP ARE SEPARATE AND INDEPENDENT. YOUR USE OF ANY WEBSITE IS SUBJECT TO THE RELEVANT TERMS AND CONDITIONS ISSUED BY THE RELEVANT COMO GROUP MEMBER IDENTIFIED AS TRANSACTING WITH YOU ON THAT PARTICULAR COMO GROUP WEBSITE. MEMBERS OF THE COMO GROUP SHALL NOT HAVE ANY LIABILITY WHATSOEVER FOR ANY LOSS OR DAMAGE HOWESOEVER CAUSED WHETHER TO YOU OR ANYONE ELSE BY REASON ONLY THAT THEY ARE MEMBERS OF THE COMO GROUP AND/OR THAT THEY ARE IDENTIFIED AS A MEMBER OF THE COMO GROUP IN THIS PRIVACY STATEMENT AND COOKIES POLICY OR ELSEWHERE ON THE RELEVANT COMO GROUP WEBSITE.

DATA WE COLLECT FROM YOU OR ABOUT YOU AND OUR SOURCES OF THAT DATA

Your personal data, or personal information, means any information about you that may be used to identify you. It includes information that you provide to us, that we collect or that we are provided with by third parties and that identifies you, or from which you are identifiable, whether directly or indirectly. It does not include data where the identity has been removed so that it can no longer be associated with you (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have categorised as follows:

Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, nationality, passport number and country of residence.

Contact Data includes billing address, delivery address, email address and telephone numbers.

Financial Data includes bank account and payment card details.

Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us. If you participate in a loyalty programme operated by a member of the COMO Group, we would process your information in order to administer the loyalty programme.

Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses. For our hotels and properties and family club, this could include the age and special requirements of children, where we need this information to provide services to you.

Usage Data includes information about how you use our website, products and services.

Accessibility Data includes personal data related to health which you provide to us in order to access our facilities or services (for example if wheelchair access is required or information on allergens).

Wellness and Health Data includes information related to our wellness services, including when you visit one of our spas or restaurants. This may include medical data relevant to your treatment or dietary requirements relevant to your visit to our restaurants.

Marketing Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

Children’s Data includes Identity Data, Profile Data, Accessibility Data and Wellness Data relating to individuals under 18 years of age.

This includes:

Data that we may collect from you:

when you place an order, make a booking, cancel or modify a booking on a COMO Group Website or otherwise;

when you create an account on a COMO Group Website;

when you join a COMO Group loyalty program;

when you stay at one of our COMO Hotels & Resorts. Where a booking is made which includes persons under the age of 18, we may also collect Children’s Data;

when you use any COMO Group wellness services, such as our spa or wellness mobile application, we may additionally collect Wellness Data and, where relevant, Children’s Data;

when you visit our COMO Group Hotels & Resorts or any of our COMO Group restaurants or properties, we may additionally collect Accessibility Data;

when we provide you with babysitting, childcare and other activities and services for individuals under 18 years of age, we may collect Children’s Data;

by filling in forms on a COMO Group Website;

by downloading or registering with a COMO Group mobile app;

when you use a COMO Group Website;

when you sign up to receive email updates from us;

when you ask us to provide you with marketing communications such as newsletters, updates or information about special events or promotions;

if you ask us to keep in touch with you or provide you with personalised content (such as targeted advertising);

if you contact us or correspond with us (for example, by phone, email, social media platforms or otherwise) for any reason; or

when you provide us with comments, opinions and/or feedback about the COMO Group.

We may collect “Technical Data” when you visit or use any COMO Group Websites: technical information, including the type of device (and its unique device identifier) you use to access the COMO Group Websites, the Internet protocol (IP) address used to connect your device to the Internet, your unique device identifier (UDID) or mobile equipment identifier (MEID) for your mobile device, your device and component serial numbers, your login information, browser type and version, time zone setting, browser plug in types and versions, operating systems, mobile network information and platform and details of any referring website or application; and

information about your visit to the COMO Group Websites including full Uniform Resource Locators (URL), clickstream to, through and from the COMO Group Websites (including date and time), pages you viewed, page response time, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.

Data other COMO Group members collect about you. Information you provide to a member of the COMO Group may be shared between us (for example, when you stay at one of our COMO Hotels & Resorts this information could be shared with the other COMO Hotels & Resorts). We will also share your personal data for the purposes of the COMO Club Recognition Programme, and any other of our loyalty schemes you may have signed up to (though will only do so with your consent, where consent is legally required).

Data we collect from or are provided with by third parties. We may be given information about you from third parties, such as social media platforms or anyone making a booking on your behalf at one of our COMO Hotels & Resorts, restaurants or wellness retreats and spas. This may include personal data from third parties who are affiliated members of the COMO Club Recognition Programme, and any other loyalty schemes we may operate. We may also collect information that is publicly available, for example, when we interact with you through social media.

We will require you to share certain personal data with us (such as Identity, Contact, Financial Data and such other information as may be indicated by the COMO Group) in order for the COMO Group to perform the relevant services you have requested. The COMO Group may not be able to perform the relevant services if you fail to supply the relevant personal data.

Where Children’s Data is submitted by you, you confirm that you have authority to provide such data to us on behalf of that minor to enable us to process their personal data as described in this privacy statement and cookies policy.

Certain categories of personal data receive particular protection under the laws of certain countries. For example, in the UK/EU, special categories of personal data (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data) as well as data relating to criminal convictions and offences receive enhanced protection. We will comply with applicable laws when processing such personal data.

HOW WE USE YOUR PERSONAL DATA AND THE LAWFUL BASIS FOR PROCESSING YOUR PERSONAL DATA

The COMO Group uses the personal data for relevant purposes where we have a lawful basis to use your personal data without consent, this privacy statement and cookies policy fulfils our duty to process personal data fairly and lawfully and in a manner that you would expect given the nature of our relationship with you, by giving you appropriate notice and explanation of the way in which your personal data will be used. We may use the following lawful basis when we process your personal data:

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

Consent. Where consent is required for our use of your personal data as described above, we will request your consent. Typically, we would collect your consent by you performing an action such as ticking the appropriate consent box or otherwise communicating your consent to us (for example, by email or by you providing us with non-mandatory information). In circumstances where you provide consent, our use of that personal data will be as set out in this privacy statement and cookies policy. For example, we will only process your personal data for marketing purposes if we have your consent to do so or we are otherwise legally permitted to do so. We may also need your consent when we process special category personal data. Please also see the “Marketing and Your Choices” section below for further information on this. Where we rely on your consent to process your personal data, you may withdraw that consent at any time by contacting us using the details set out below.

Protection of Vital Interests. To protect your vital interests or those of another person, for example to disclose your personal data to emergency services where we believe it is necessary to protect your vital interests or the vital interest of another person or where you (or someone acting on your behalf) provides us with dietary or other personal health data such as allergies.

We also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy statement and cookies policy.

MARKETING AND YOUR CHOICES

We will, if you have given us your consent and in line with your choices, provide you with information by post, telephone, email, app notifications and SMS or other direct messaging services, which may be of interest to you in respect of the COMO Group. Where you have consented to receiving our direct marketing online this means that you could be presented with our advertisements while using the COMO Group Websites or the services of our online partners. For example, if you have given us this consent we may run a Facebook advertisement campaign, which could include our advertisements being presented to you while you are on Facebook. We may also personalize the content that you see using analytical or profiling tools. We will only provide you with marketing communications if you would like us to. You will have the opportunity to clearly set out whether you wish to receive marketing messages from us by ticking the relevant boxes.

Where we rely on your consent to process your personal data, you may withdraw that consent at any time by contacting us using the details set out below.

HOW WE SHARE AND DISCLOSE YOUR PERSONAL DATA

We may share or disclose your personal data in connection with the purposes described in this privacy statement and cookies policy. This may include sharing your personal data with the following:

all companies within the COMO Group for marketing, business, administrative and legal purposes (for example, payment, verification or membership awards and points);

Facebook, Twitter, Instagram, Tik Tok or any other social media platforms that the COMO Group may use from time to time (if you use your account with them to sign up / in with us), if applicable;

service providers, business partners, suppliers, subcontractors or agents (for example, fitness, medical and healthcare professionals providing assessments for treatments, IT services, travel planning, reservation, booking, rewards management, customer relationship management, business development and marketing support services) who perform functions such as marketing, payment, fulfilment and delivery of orders, administration and processing of payments, as well as bookings and reservations;

professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services;

vendors who provide services to us, such as fulfilling orders, providing data processing and other information technology services, managing promotions, carrying out research and analysis, and personalizing individual COMO Group customer experiences. We do not allow these vendors to use this information or to share it for any purpose other than to provide services on our behalf;

government or other law enforcement agencies, in connection with the investigation of unlawful activities or for other legal reasons (this may include your location information;

third parties, who acquire us or substantially all of our assets, in which case your personal data (including any sensitive personal data) will be one of the transferred assets (however, we will let you know before this happens); and

analytics and search engine providers that assist us in the improvement and optimization of the COMO Group Websites.

WHERE WE STORE YOUR PERSONAL DATA

We share the personal data that we collect from you within the COMO Group. This will involve transferring, processing and storing your data outside of the country in which you are located depending on the circumstances. This includes any country where the COMO Group companies are located or operate in including in Singapore, Bhutan, Malaysia, Fiji, France, Hong Kong, Indonesia, Italy, Philippines, Thailand, Taiwan, Vietnam, United Kingdom, the United States and Australia, but also countries where our external service providers are based or hosting your personal data on our behalf.

If you are located in the UK or European Economic Area (“EEA”), when we transfer your personal data outside of the EEA or UK in this way, we take steps to ensure that appropriate safeguards, required by law, are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Privacy Statement and Cookies Policy. You can obtain further details about the transfer safeguards we use by contacting us at the contact details set out below.

If we transfer your personal data, we will always do so under strict conditions of confidentiality and similar levels of security safeguards.

As mentioned above, please note that the rights of governmental and law enforcement authorities to access your personal data may also differ depending on where your personal data is held. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or EEA, using the details set out below.

LINKS TO THIRD PARTY WEBSITE

The COMO Group Websites may contain links to other third party websites and microsites, whose privacy practices may differ from those of the COMO Group. If you submit personal data to any of those sites, your personal data is not subject to this privacy statement and cookies policy.

We encourage you to review the privacy statement of any site you visit. By clicking on or activating such links and leaving the COMO Group Website, the COMO Group does not exercise control over any data or any information which you give to any other entity after leaving the COMO Group Websites. Any access to such other sites or pages is entirely at your risk.

RETENTION OF PERSONAL DATA

Your personal data will only be retained for as long as it is necessary to fulfil the purposes for which it was collected as outlined in this privacy statement and cookies policy and for the purpose of satisfying our business (accounting and reporting) or legal requirements, but also to properly resolve disputes or to troubleshoot problems.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In addition, certain information may be stored indefinitely due to technical constraints, and will be blocked from further processing for purposes which are not mandatory by law.

Details of retention periods for different aspects of your personal data are available in the COMO Group Data Retention Policy, which you can request from us by contacting us using the contact details set out below.

If you choose to unsubscribe from our mailing list or should your access to any of your COMO Group memberships expire, your personal data will still be retained on our database to the extent permitted by law and in accordance with the COMO Group Data Retention Policy.

HOW WE STORE AND SECURE YOUR PERSONAL DATA

We are committed to taking appropriate measures designed to keep your personal data secure. Our technical and organizational procedures are designed to protect your personal data from accidental, unlawful or unauthorized loss, access, disclosure, use, alteration, or destruction. While we make efforts to protect our information systems, no website, mobile application, computer system, or transmission of information over the Internet or any other public network can be guaranteed to be 100% secure. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorized access or inadvertent disclosure.

The personal data that we hold about you will be stored either on our physical or cloud servers or using third party data storage providers in the countries where the relevant data controller operates or if elsewhere, in compliance with applicable data protection laws.

YOUR LEGAL RIGHTS

If you are located in the UK or EEA, you have the following rights with regard to your personal data:

• Access. You have the right to access data we hold about you. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

• Rectification or erasure. You have the right to request that we rectify or delete any personal data that we hold about you (unless we have the legal right to retain it). This right does not extend to non-personal data. Please note that your rights to request erasure may be limited by applicable law.

• Restriction. You also have the right to restrict us from processing your personal data if the data is inaccurate, the processing is unlawful or we no longer need to your personal data for the purposes for which we hold it.

• Data portability. You have the right to obtain personal data we hold about you, in a structured, electronic format, and to transmit such data to another data controller if the lawful basis for processing such personal data is consent or performance of a contract.

• Object /change of preferences. You have a right to request that we stop processing your personal data where we are relying on a legitimate interest (or those of a third party). You have the right to object where we are processing your personal data for direct marketing purposes. For example, if you have given your consent to receive updates or other marketing communications, but have changed your mind, you have the ability to opt out from receiving such communications going forward by contacting us using the details provided below or by clicking the relevant link in any communications you receive.

• Complaints. If for any reason you are not happy with the way that we have handled your personal data, please see below for further information and to contact us. If you are still not happy, you have the right to make a complaint to the relevant data protection authority. In the UK the data protection authority is the Information Commissioner’s Office. To exercise any of the rights mentioned above, please contact us using the contact details below. Where available, you may also be able to access, rectify, request the erasure, export and restrict the use of your personal data, as well as update your preferences by signing into your account and selecting “Update Profile”.

If you are located in other countries, you may have other rights under applicable data protection laws. We will comply with your request to exercise the above mentioned rights, to the extent required by applicable law. However, if you ask us to stop processing your personal data in certain ways or erase your personal data, and this type of processing or data is needed to facilitate your use of the COMO Group Website or is required for us to provide you with a service (such as to manage your account), you may not be able to use the COMO Group Website or the service as you did before.

This does not include your right to object to the processing of your personal data for the purposes of direct marketing. You can exercise this right at any time without restrictions. Please allow at least 3 working days for your request to be actioned.

To protect your confidentiality and to comply with applicable data protection laws, we may need to confirm your identity before we can action your request (for example, we will respond to a request as long as the email address is identical to that you have registered with us or otherwise provided to us, we may ask for a scanned copy of your photo ID or for you to confirm details of your transaction history with us). When contacting the Data Privacy Office (details of which you can find below), please state your name and provide valid contact details. As mentioned above, protecting your confidentiality and complying with applicable data protection laws is important to us, the COMO Group may therefore refuse to comply with any request unless it is supplied with such information as it may reasonably require to verify your identity. We will respond to your requests within a reasonable time and in accordance with the applicable data protection laws.

COOKIES

A “cookie” is a small text file that is placed onto an Internet user’s web browser or device and is used to remember and/or obtain information about the user and a “web beacon” is a small object or image that is embedded into a web page, application, or email and is used to track activity, which are also sometimes referred to as pixels and tags.

We use the following cookies:

• Strictly necessary cookies. These are cookies that are required for the operation of the COMO Group Websites. They include, for example, cookies that enable you to log into the COMO Group Websites.

• Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the COMO Group Websites when they are using it. They also enable us to see how users use the COMO Group Websites. This helps us to improve the way the COMO Group Websites work.

• Functionality cookies. These are used to recognize you when you return to the COMO Group Websites. This enables us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

• Targeting cookies. These cookies record your visit to the COMO Group Websites, the pages you have visited and the links you have followed. We will use this information to make the website and the advertising displayed on it more relevant to your interests.

Please note that there may also be third party cookies used on our websites, over which we have no control. These named third parties may include, for example, advertising networks and providers of external services like web traffic analysis services. These third party cookies are likely to be analytical cookies or performance cookies or targeting cookies.

We also use Google analytic tools to measure and understand how you use the COMO Group websites. More information on the types of cookies used may be found at https://www.google.com/intl/en/policies/privacy/ and opt out by downloading the Google Analytics opt out browser add-on, available at https://tools.google.com/dlpage/gaoptout.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of the COMO Group Website. You can easily accept or reject the cookies on our website and/or mobile application by accessing the link here.

CHANGES TO THE PRIVACY STATEMENT AND COOKIES POLICY

This privacy statement and cookies policy is in effect as of the date noted at the top of the statement. We may change our privacy statement and cookies policy from time to time. Any changes we may make to our privacy statement and cookies policy in the future will be posted on this page and, where appropriate, notified to you by e-mail.

Please check back frequently to see any updates or changes to our privacy statement and cookies policy. By continuing to use a COMO Group Website or continuing to allow us to retain or process your personal data following any such changes to our privacy statement and cookies policy, you are deemed to have accepted such changes unless you expressly notify us otherwise in writing (except to the extent we are required to make such changes in accordance with applicable law).

Where we need to seek updated, additional or different consents from you, we will, of course, do so.

QUERIES, COMMENTS, REQUESTS AND COMPLAINTS

If you have any questions, comments, requests or complaints about our collection, use or disclosure of personal data, or regarding this privacy statement, please contact us using the details below. Please also contact us if you would like to update or amend any of your personal data which you have provided to us or if you believe our records relating to your personal data are incorrect. When contacting us please provide as much detail as possible in relation to your question, comment, request or complaint. We would like to reassure you that we will take any privacy complaint seriously and such complaint will be assessed by an appropriate person with the aim of resolving any issue in a timely and efficient manner. We request that you cooperate with us during this process and provide us with any relevant information that we may need (for example, your name and valid contact details, as well as proof of identity such as a scanned copy of your photo ID or details about your transactions with us). If we cannot reasonably satisfy ourselves of your identity, we may not be able to deal with your query, comment, request or complaint.

CONTACT US

COMO Group

Data Privacy Office

Club 21 (Thailand) Co., Ltd.

17th Floor Times Square Building

246 Sukhumvit Road, Khlongtoey,

Khlongtoey, Bangkok 10110

privacy.th@th.club21global.com

OR

Contact us through our online request forum here

LANGUAGES

This privacy statement and cookies policy is published in the English Language (English Version) and in such other languages as used on the individual websites. In the event of any inconsistency in the terms of the privacy statement and cookies policy between the English Version and the other relevant versions, the terms of the privacy statement and cookies policy in the English Version shall prevail to the extent of such inconsistency.

GO TOP