It is very important for us to ensure the privacy, security and protection of your personal data, both during their collection and processing.
In this sense, we have created this privacy, cookies and data protection policy to explain what information is collected by the HF Hotels when you visit/use our website or make a reservation and how this information is used.
Data ControllerThe company Expotel - Exploração e Administração Hoteleira, Lda., with headquarters in Rua de Serralves No. 124, 4150-702 Porto, who owns the following brands: HF Ipanema Park, HF Ipanema Porto, HF Fénix Porto, HF Tuela Porto, HF Tuela Porto Ala Sul, HF Fénix Urban, HF Fénix Lisboa, HF Fénix Garden, HF Fénix Music, HF Hotels and HF Hotéis Fénix.
The HF Hotels, in addition to the commitment to continuously improve its services, control and management of risks associated with cyber security and privacy of information, strives to have good practices, knowledge and tools to create value and meet the needs of the citizens.
Therefore, we comply with the principles contained in the GDPR (General Data Protection Regulation), such as the "limitation on processing" of personal data, instituting inside our organisation a rule of "data minimisation" (minimisation of the data collected according to the requirements for processing purposes) and effective accountability of the data controller (principle of responsibility).
The HF Hotels take into account the privacy risks from the initial moment of creation of a given project, instead of only considering these risks subsequently - privacy by default and privacy by design.
Personal data: the rights of the subject
The right to rectification or updating personal data may be exercised by the client at any time by sending an e-mail to firstname.lastname@example.org or by changing the client profile on our website.
The HF Hotels ask their clients to include their name, postal address, date of birth and email address when contacting us, as this helps us ensure that we accept rectifications and updates requested by the correct person. We also ask that any change in the personal data be readily communicated using the same method.
The HF Hotels keep data during the time that is reasonably necessary for the fulfilment of the contract and always in accordance with applicable law.
If the client wishes to delete his/her data, the HF Hotels ask him/her to send a message to the email address mentioned above or via the portal www.hfhotels.com
The client has the right to access the personal data that the HF Hotels have on him/her and receive a copy of it. If the client wishes to exercise this right, he/she must contact the HF Hotels through the email address email@example.com
If the client has subscribed to any service to receive promotional and commercial information about products and services of the HF Hotels and its partners, he/she may withdraw his/her consent at any time, using through the email address firstname.lastname@example.org
In cases where the HF Hotels base the processing of the client?s personal data in a legitimate interest, the client may also object to this processing, and, to this end, contact the email address email@example.com
Personal data is specific information about personal or factual characteristics related to an individual that can be identified from this data. This includes information such as the name, address, telephone number and date of birth.
Information that does not allow the individual's identification or that may not be directly connected to the individual's identity is not considered personal data.
Holders of a YOU card, guests and other HF Hotels clients are required to provide certain personal information to ensure that we identify them in a clear manner.
This data is requested at the time of the client's registration and may include the surname, name, postal address, email address and/or telephone number and date of birth (to ensure that the user is not a minor). The user will also be questioned about what kind of information and which notifications we can send him/her.
Collection and processing of personal data
We collect your personal data when you make a reservation in one of our hotels, check-in, and fill out satisfaction forms.
The data collected during the reservation process, stay or provision of service may include:
- Name, email address, postal address, telephone number, nationality and credit card data;
- Information related to loyalty programmes;
- Information relating to preferences and requests made in previous stays.
This information may be collected directly by us, when the contact request or the reservation is made through our website, or by a third party, when the client makes the reservation through other channels of communication, such as Booking.
For what purpose is your personal data used?
- Management of processes for reserving rooms and/or other services;
- Client management;
- Historical and statistical analysis;
- Compliance with legal obligations;
- Quality control.
If the client consents, his/her contact will also be used for sending promotional and commercial information about products and services that we believe to be of interest to him/her.
There may also be automated decisions, such as the definition of profiles, in order to design our offers in accordance with the needs of our clients and allow the clients subscribed to the YOU card to receive specific promotions and benefits.
There may be other moments in which we collect and process personal data, namely in the context of the participation in a contest or drawing.
The collection and processing of data in this context will be the object of specific regulation, fulfilling, even so, the general data protection regulation.
Disclosure of information to third parties
The HF Hotels only disclose personal data of clients to third parties who provide them with services in the context of the website management, reservations and publication of commercial and promotional information, ensuring, however, that they maintain the confidentiality of the data and that they comply with the general data protection regulation.
What is a cookie: A "cookie" is a small text file that is placed in the browser or device of the internet user and is used to remember, as well as to obtain, information about the user. The user of our website may receive a cookie when he/she visit our websites or uses our mobile apps. In some cases, when permitted by applicable law, cookies may also be used for purposes of email campaigns.
What types of cookies we use and how we may use them: We use three main types of cookies, which include:
Performance cookies - these cookies collect information necessary to support the website and our apps and allow us to improve our website and to identify any problems that the client may have had while visiting us. For example, performance cookies can provide us with information about how the client arrived at our website and how he/she browsed through it during his/her visit. We also use these cookies to provide us with certain statistical and analytical information, such as the number of visitors to our website or the effectiveness of our advertising.
Targeted cookies - these cookies are used to collect information about the client to help us improve our products and services, as well as to display targeted ads that we believe are relevant to the client. We use targeted cookies in all our websites and apps for several marketing initiatives and campaigns. For more information, see the section "Targeted advertising" below.
To learn more about cookies and their use, visit: http://www.allaboutcookies.org/
Third party cookies - As described above, we use several external service providers to help us manage, execute and improve our advertising. These third parties may define cookies in accordance with our instructions that help us collect information and display ads that we believe will be relevant to the client. In some cases, these third parties may also help us by providing certain statistical and analytical information related with our marketing practices. We may also share information collect through cookies (and other tracking technologies) with third parties so they can use them for their own analysis and marketing purposes.
Management of cookies and cancellation - the client can opt to visit our websites without cookies, but in some cases, certain services, features and functionalities may not be available. To visit the websites without cookies, the client can configure his/her browser to reject all cookies or to be notified when a cookie is defined. Each browser is different, so the client must check the "Help" menu of his/her browser to learn how to change his/her cookie preferences.
Targeted advertising - we (and our partners) may display ads directed using own or third-party
cookies, pixels and web beacons when the client visits our website. In some
cases, these cookies may be persistent cookies. To learn more about the
exclusion of certain types of targeted advertising, see the section "Management of cookies
and cancellation" above.
Security of information
The HF Hotels take all appropriate technical and organisational security measures to protect your personal data against loss and misuse. For example, your data is stored in a secure operating environment that cannot be accessed by the public. Your personal data is encrypted using Secure Socket Layer (SSL) technology during transmission, which means that an approved encryption procedure is used for the communication between your computer and the servers of the HF Hotels, if your browser is compatible with SSL (ex.: Microsoft Internet Explorer, Google Chrome, etc.). You can verify that you are in secure mode if a padlock or key icon is shown in the upper-left corner of your monitor. Additionally, you can check if the first characters of the website's url is "https", indicating that you are accessing a secure server.
We review our practices for collecting, processing and storing information, including physical security measures, to protect against unauthorised access to the systems.
We restrict access to
personal information to employees, contractors and agents of the HF Hotels who
need to know such information for the purpose of processing, and which are
subject to strict contractual confidentiality obligations and may be subject to
disciplinary proceedings or contract termination in case of breach of these
GDPR: General Data Protection Regulation
Personal data: Any information, of any nature and regardless of the respective media, including sound and image, relating to an identified or identifiable natural person ("data subject); it is considered to be identifiable a person that can be identified, directly or indirectly, in particular by reference to an identifier such as the name, identification number or one or more elements specific to his/her physical, physiological, mental, economic, cultural or social identity.
Processing of personal data (processing): Any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of provision, comparison or interconnection, as well as limitation, deletion or destruction.
Data controller: The natural or legal person, public authority, agency or any other body which, individually or together with others, determines the purposes and means of processing of personal data.
Data processor: The natural or legal person, public authority, agency or any other body which processes personal data on behalf of the body responsible for the processing of personal data.
Third party: Natural or legal person, public authority, service or any other body which, without being the data subject, the agency responsible for the processing, the subcontractor or another person under the direct authority of the controller or the subcontractor, is authorized to process the data.
Recipient: The natural or legal person, public authority, agency or any other body to whom personal data are disclosed, regardless of whether it is a third party or not.
Consent of the data subject: Any expression of will, free, specific, informed and explicit, in terms of which the data subject accepts, by declaration or clear positive act, that his/her personal data is object of processing.
Privacy by design: It means taking the risk of privacy into account throughout the process of designing a new product or service, instead of considering the privacy issues only later. This means carefully assessing and implementing appropriate measures and technical and organisational procedures from the start to ensure that the processing is in accordance with the GDPR and protects the rights of the data subjects concerned.
Privacy by default: This means ensuring that, within an organisation, mechanisms to ensure that, by default, only the required amount of personal data will be collected, used and stored for each task, are put into practice. This obligation applies to the extension of its processing, the period of storage and its accessibility. These measures ensure that personal data will not be made available without human intervention to an indefinite number of persons.
Limitation of processing: Insertion of a mark on the stored personal data with the objective of limiting its processing in the future.
minimisation: This means that the personal data collected should be limited to
what is necessary in relation to the purposes for which it is processed.