Privacy Statement

This citizenM (“we”, “our” or “us”) Privacy Policy (“Policy”) applies to the processing by citizenM of personal information of (potential) guests, bookers and other customers (“Guests”) and visitors to our websites (see Annex I for a full list of our domains), mobile application, and social media accounts and pages (“Visitors”), including our job applicants. citizenM takes the privacy of its Guests and Visitors very seriously and treats their personal information with great care. citizenM acts in accordance with applicable data protection legislation. Your personal information is processed by or on behalf of:  

• citizenM Operations Holding B.V. (hereinafter referred to as, “citizenM Operations”), a limited liability company registered under the laws of the Netherlands, having its statutory seat in Amsterdam, the Netherlands and its offices at Leidseweg 219 (2253 AE) Voorschoten, the Netherlands. citizenM Operations Holding B.V. is registered with the Dutch Chamber of Commerce under registration number 34218994; and,

• in the context of your stay or booking regarding one of our hotels, the entities operating the relevant citizenM branded hotel, whether owned or licensed by citizenM Operations B.V. and its wholly and partially owned affiliates (each hereinafter referred to as a “citizenM Hotel”).  See the full list of our citizenM hotels, and the legal entities that operate these hotels here. 

In the context of our hotel services and related products and services, citizenM Operations is the data controller and the point of contact for all your questions regarding the processing of your personal data.

A printable copy of this Policy can be found here.

citizenM collects the personal information of its Guests and Visitors for specified, explicit purposes only and will not process this personal information in a manner that is incompatible with those purposes. In some instances we must collect your personal information in order to enter into an agreement for services with you as a Guest.  Where you do not provide this personal information, we may be unable to provide you with services as a Guest. 

We process (e.g. collect, use, disclose, store) the personal information of our Guests and Visitors for the purposes of legal and regulatory compliance, personnel management, operations management, marketing, analytics, recruitment, security management and legal and regulatory compliance, as defined below:

1. Operations management includes the normal business practices related to our day-to-day business activities including facilitating Guests’ stays, guest support and guest identification, planning and budgeting, financial reporting, resource management (assignment of offices, meeting rooms, IT appliances), mergers & acquisitions including due diligences, audits or the establishment, exercising or defending against a legal claim.
2. Marketing includes the sending of newsletters containing relevant information and offers about our hotels, products and services, through different information channels, such as e-mail or our other (digital) channels. We may also obtain your feedback through for instance customer surveys that give you the opportunity to influence the range of products and services we provide and we may also communicate personalised and relevant information and offers to you about our hotels, products and services.
3. Analytics includes the processing of your personal data in anonymous, aggregated form for analytical purposes to improve our business operations, including our marketing activities, and enhance your experience in our hotels, to predict and anticipate future guest behavior, todevelop statistics and commercial scores and to understand guest preferences. We may analyse the information we collect about you, for instance by dividing customers into different customer categories based on purchase patterns, behavior and interactions with us.
4. If you have a mycitizenM account we may also analyse the information contained in your account profile for marketing and analytical purposes. If you do not have a mycitizenM account but wish to create an account, your personal information may be used to create your account and your previous reservations or data collected by cookies may be associated with your account. If you have created multiple accounts, we may combine those accounts for organizational, analytical, fraud prevention, data minimization and marketing purposes.
5. Legal and regulatory compliance includes any information that citizenM is required to retain based on a legal obligation including administration obligations based on applicable (tax) laws, governmental statistics requirements, etc.
6. Security management includes securing the company IT network and systems, company information, company premises, and our employees, Guests and Visitors and preventing fraud and other illegal or infringing activities.
7. Recruitment includes normal business practices related to the recruitment process. If you submit a job application (general or for a specific role) via our website or our other communication channels, we process your personal information in order to evaluate your application. If you are offered and accept employment with us, some of the personal information we have collected during the recruitment process will form part of your employment contract. As part of our recruitment process, we may, subject to applicable laws, in some countries collect or engage third parties to collect additional information, such as to conduct a background check, reference check or psychological assessment.

Personal information will be processed only if such processing is based on any of the legal grounds listed in section 6(1) of the General Data Protection Regulation (“GDPR”), notably consent (e.g. for profiling, necessary for the performance of a contract, legitimate interest). Where consent to the collection of personal information is revoked, we will stop processing the personal information. 

Depending on whether you are a Guest or Visitor of our website, citizenM may capture the following information about you:

We will never sell your personal information to third parties.  However, we may share your personal information in a limited number of circumstances, including:

• Third-Party Service Providers:  We share personal information with third parties involved in the process of providing services to use or you or performing functions on our behalf (including payment processing). Those third parties are only permitted to use your personal information for the purpose that it has been provided and may not disclose it to any other third party except at our express direction and in accordance with this Privacy Policy.
• Legal & Regulatory Authorities:  We may from time to time make your personal data available to legal and regulatory authorities, to our accountants, auditors, lawyers or similar professional advisers or to other third parties, when this is required by law, necessary to permit us to exercise our legal rights, to comply with our legal obligations, or necessary to take action regarding illegal activities or to protect the safety of any person.
• Business Transitions:  If all or part of our company is sold, merged or otherwise transferred, we may transfer your personal data as part of that transaction.  We may also transfer your personal data to the owners of hotels managed by us.

The following choices and rights with regards to your personal information are available to you:

This section explains which cookies and similar techniques (hereafter simply referred to as "cookies") we use on our websites. citizenM makes use of functional and technical cookies on its website; first party tracking cookies may be used, but only after Visitors have provided their consent thereto. Third parties will only be allowed to place cookies on citizenM’s website if Visitors have provided their consent to the use of such third party cookies.  Visitors can withdraw their consent at any time by setting their browser to disable cookies or to remove all cookies from their browser.

Marketing Cookies: With your consent citizenM places marketing cookies and trackers to advertise our products and services but to you. The marketing cookies also allow us to provide you with relevant offers based on your online browsing, search and booking behaviour. 

 Website Functionality and Optimization: We use cookies that are necessary to provide the requested service. For instance, technical cookies allow you to proceed through different pages of a website with a single login and they remember selections in shopping carts and (order) forms that are filled out on our websites. We also use cookies to measure your behavior on our websites to learn about the online experience of our website visitors and to improve our websites. In doing so, we also collect the technical features of your terminal equipment and software used by you, such as the type of operating system, the browser settings, the installed plug-ins, the time zone and the screen size of your device. 

Cross-Site Tracking:  With your consent, third parties can store tracking cookies on your device if you visit our website. Such cookies enable these third parties to track your online browsing behaviour across different websites (including the citizenM websites). A common purpose of such tracking cookies is to provide you with targeted advertisements across the websites you visit. We do not control or influence the use by third parties of the information collected through these third-party cookies. Please read the privacy policies of these third parties to find out more about how they use cookies and process your personal information. 

Social Media: With your consent, our websites use cookies to interact with social media platforms. These cookies are also used to optimize your experience of the social media websites. Please be aware that these cookies may also allow social media platforms to track your online behavior for cross-site tracking purposes.

Withdrawal of Consent:  You can withdraw your consent at any time by setting your browser to disable cookies or to remove all cookies from your browser.

citizenM has used and will continue to use reasonable endeavors to protect personal data against loss, alteration or any form of unlawful use. Where possible, personal information will be encrypted and stored on a virtual private server that is secured by means of state of the art protection measures. A strictly limited amount of people, i.e. those people that must have access to personal data for the purpose of their job, have access to personal information. If and to the extent personal information will be stored in a cloud infrastructure provided by third party cloud providers, these providers will be bound by written contract to process personal data provided to them only for the purpose of providing the specific service to citizenM and to maintain appropriate security measures to protect these personal information. citizenM strives to make limited use of paper files which contain personal information. If the use of paper files cannot be avoided such paper files are stored in a closed cabinet and are destroyed in accordance with the applicable retention terms.

Data Breaches: citizenM will protect the personal information it processes against loss and unlawful processing.  If despite such protection a data breach occurs, citizenM will report such data breach to the appropriate regulatory authorities where it leads to a considerable likelihood of serious adverse effects on the protection of personal information, if it has serious adverse effects on the protection of personal information, or if otherwise advisable or required by law. The data breach will also be reported to the affected individuals if it is likely to adversely affect their privacy or if otherwise required by law. In order to ensure that a data breach will receive adequate attention and, if required, be reported, we have implemented a Data Breach Policy, which describes the procedure that must be followed in case of a data breach.

Data Processing Register: citizenM will record the details of each data process in a data processing register. All new data processes will undergo a data protection impact assessment (“DPIA”) prior to their implementation. All existing data processes will undergo a DPIA every three years. The purpose of the DPIA is to determine if the relevant data process is likely to result in a high risk to the privacy of Guests or Visitors and, if so, which appropriate measures must be taken to safeguard such personal information.

Data Retention: citizenM will retain personal information only for the period necessary to fulfill the purposes for which it has been collected, i.e. 3 years from the later of the Guest’s stay, opening our citizenM app, visit of citizenM’s website or opening of citizenM’s newsletter or targeted advertisements, unless a longer retention period is required or permitted by law (which is typically the case in the context of citizenM’s obligations under tax law). The personal information of job applicants will become part of your employment record and will be used for employment purposes if the job application is successful.  To the extent any psychological assessment reports are part of a recruitment file, these will be stored in a separate file accessible on a strict need-to-know basis only. Personal information of job applicants that are not successful will be retained in accordance with applicable statutory retention periods unless they provide express written consent to register their name and contact details for a period of one year for the sole purpose of contacting them in case of new job opportunities that may interest them. During this one year period you can always have your details removed from our files by sending an e-mail to privacy@citizenm.com. 

Cross-Border Data Transfers:  As we operate internationally, and provide you with relevant services through resources and servers around the globe, sharing your personal information across borders is essential for you to receive our services. You therefore acknowledge and agree that citizenM may transfer your data globally, so that you can use our services. Your personal information may be transferred to a citizenM hotel or our (support) partners in a country outside of the country where it was originally collected or outside of your country of residence or nationality. For technical and organizational reasons and in the context of our digital cloud infrastructure, personal information is also transferred to servers located in the US, or to servers located in countries outside of the European Economic Area. In this regard, we have entered into so-called EU model clauses  with receiving parties or make use of Privacy Shield  certified partners to ensure compliance with our data protection obligations, or have ensured that a receiving party has in place so-called "binding corporate rules". Please contact us if you wish to receive more information on the specific safeguards we have implemented to ensure an adequate level of data protection regarding such transfers.

Our website, including our job application postings, is not directed to minors. citizenM does not knowingly solicit, collect, use or disclosure personal information from children under 18 years of age. If we become aware that we have unknowingly collected personal information from a child under the age of 18, we will delete such information from our records.

Compliance with this citizenM Privacy Policy will be monitored and audited regularly. The personal data processing register will be updated promptly upon the implementation of a new personal data process. The completeness and accurateness of the personal data processing register will be verified quarterly. The list of partners placing third party cookies on citizenM’s website will be updated monthly.  Compliance with this Privacy Policy will be audited annually.

We have done our best to make sure that this Privacy Policy explains the way in which we process your personal information and rights you have in relation thereto. However, we may change this Privacy Policy from time to time to make sure it is still up to date. When necessary, we will alert you to these changes by posting a prominent notice on our website. 

If you have any questions or comments about our Privacy Policy or would like to exercise any of your rights as outlined in this Policy, please email us at privacy@citizenm.com. Our Data Protection Officer can also be contacted at dpo@citizenm.com. You may also click here to use our online form.

If you are a U.S resident you may also contact us toll-free at + 1 (888) 34 34 752.
If, as an EEA resident, you believe that we have not adequately resolved any such issues, you have the right to contact your EU supervisory authority.

In the Netherlands: 

Autoriteit Persoonsgegevens
P.O. Box 93374
2509 AJ the Hague, the Netherlands

citizenm.com, societym.com

Dasar privacy statements citizenM (“kami”) ini terpakai oleh citizenM untuk pemprosesan maklumat.