Privacy Statement
This citizenM (“we”, “our” or “us”) Privacy Policy (“Policy”) applies to the processing by citizenM of personal information of (potential) guests, bookers and other customers (“Guests”) and visitors to our websites (see Annex I for a full list of our domains), mobile application, and social media accounts and pages (“Visitors”), including our job applicants. citizenM takes the privacy of its Guests and Visitors very seriously and treats their personal information with great care. citizenM acts in accordance with applicable data protection legislation. Your personal information is processed by or on behalf of:
citizenM Operations Holding B.V. (hereinafter referred to as, “citizenM Operations”), a limited liability company registered under the laws of the Netherlands, having its statutory seat in Amsterdam, the Netherlands and its offices at Leidseweg 219 (2253 AE) Voorschoten, the Netherlands. citizenM Operations Holding B.V. is registered with the Dutch Chamber of Commerce under registration number 34218994; and,
in the context of your stay or booking regarding one of our hotels, the entities operating the relevant citizenM branded hotel, whether owned or licensed by citizenM Operations B.V. and its wholly and partially owned affiliates (each hereinafter referred to as a “citizenM Hotel”). See the full list of our citizenM hotels, and the legal entities that operate these hotels here.
In the context of our hotel services and related products and services, citizenM Operations is the data controller and the point of contact for all your questions regarding the processing of your personal data.
A printable copy of this Policy can be found here.
citizenM collects the personal information of its Guests and Visitors for specified, explicit purposes only and will not process this personal information in a manner that is incompatible with those purposes. In some instances we must collect your personal information in order to enter into an agreement for services with you as a Guest. Where you do not provide this personal information, we may be unable to provide you with services as a Guest. We process (e.g. collect, use, disclose, store) the personal information of our Guests and Visitors for the purposes of operations management, marketing, analytics, recruitment, security management and legal and regulatory compliance, as defined below:
Operations management includes the normal business practices related to our day-to-day business activities including facilitating Guests’ stays, guest support and guest identification, enhancing the guest experience based on the Guests’ known preferences, planning and budgeting, financial reporting, resource management (assignment of offices, meeting rooms, IT appliances), mergers & acquisitions including due diligences, audits or the establishment, exercising or defending against a legal claim.
Marketing includes the sending of newsletters containing relevant information and offers about our hotels, products and services, through different information channels, such as e-mail or our other (digital) channels. We may obtain your feedback through for instance customer surveys that give you the opportunity to influence the range of products and services we provide and we may also communicate personalised and relevant information and offers to you about our hotels, products and services. We may provide ad companies, such as Meta (Facebook, Instagram) and Google, with information that allows them to serve you with more useful and relevant citizenM-advertisements. We however never share your name or other information that directly identifies you when we do this.
Analytics includes the processing of your personal data in anonymous, aggregated form for analytical purposes to improve our business operations, including our marketing activities, and enhance your experience in our hotels, to predict and anticipate future guest behavior, to develop statistics and commercial scores and to understand guest preferences. We may analyse the information we collect about you, for instance by dividing customers into different customer categories based on purchase patterns, behavior and interactions with us.
If you have a citizenM account we may also analyse the information contained in your account profile for marketing and analytical purposes. If you do not have a citizenM account but wish to create an account, your personal information may be used to create your account and your previous reservations or data collected by cookies may be associated with your account. If you have created multiple accounts, we may combine those accounts for organizational, analytical, fraud prevention, data minimization and marketing purposes.
Legal and regulatory compliance includes the processing of any information that citizenM is required to retain based on a legal obligation or duty of care including administrative obligations based on applicable (tax) laws, governmental statistics requirements, etc.
Security management includes securing the company IT network and systems, company information, company premises, and our employees, Guests and Visitors and preventing fraud and other illegal or infringing activities.
Recruitment includes normal business practices related to the recruitment process. If you submit a job application (general or for a specific role) via our website or our other communication channels, we process your personal information in order to evaluate your application. If you are offered and accept employment with us, some of the personal information we have collected during the recruitment process will form part of your employment contract. As part of our recruitment process, we may, subject to applicable laws, in some countries collect or engage third parties to collect additional information, such as to conduct a background check, reference check or psychological assessment.
Personal information will be processed only if such processing is based on any of the legal grounds listed in section 6(1) of the General Data Protection Regulation (“GDPR”), notably consent (e.g. for profiling, necessary for the performance of a contract, legitimate interest). Where consent to the collection of personal information is revoked, we will stop processing the personal information.
Depending on whether you are a Guest or Visitor of our website, citizenM may capture the following information about you:
Purpose of Collection | Categories of Personal Information Collected | Specific Personal Information
| Legal Grounds for Collection | Source of Personal Information |
Operations Management | Identifiers | Name, gender, mailing address, email address, telephone number, payment information, preferences and other request needs, health data (in case you book a room adapted for disabled guests or requested admittance of a service animal), other details you provide when making your booking, account information, social media handles and social media details | Necessary for performance of contract | Reservation systems, account creation, communications with us, check-in/check-out |
| Customer Service and Customer Feedback | Queries, comments, feedback | Necessary for performance of contract | Surveys, chatbots, social media, your communication with us |
| Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information
| Recorded telephone conversation, transcript of conversation | Consent | Telephone conversations |
| Internet or Other Similar Network Activity | IP address, information on the use of the room systems (such as lights, blinds, media, climate control and door locks) and other systems (e.g. kiosk use) | Necessary for performance of contract | Website, mobile application, social media, chatbots, room systems |
| Geolocation Data | Location (including whether you are in your hotel room and number of individuals in your room) | Consent | Mobile application, mobile device |
| Commercial Information | Booking details, records of personal property (products) and hotel services purchased, including reservation information and your favorites | Legitimate interest | Purchases made at our hotels, online, or via our mobile application or via third-party websites |
Marketing | Identifiers | Name, gender, mailing address, email address, telephone number, date of birth, place of residence, your profession, preferences and other request needs, other details you provide when making a booking, account information, social media handles and social media details, other details you have added to your account profile | Consent | Reservation systems, account creation, communications with us, check-in/check-out |
| Internet or Other Similar Network Activity | IP address, online behavior on our websites and mobile application and obtained from social media platforms such as LinkedIn and Facebook or data brokers | Consent | Website, mobile application, social media, chatbots |
| Geolocation Data | Location | Consent | Website, mobile application |
| Commercial Information | Booking details, records of personal property (products) and hotel services purchased, including reservation information and your favorites | Consent | Purchases made at our hotels, online, or via our mobile application or via third-party websites |
Analytics | Identifiers | Name, gender, mailing address, email address, telephone number, date of birth, place of residence, your profession, payment information, preferences and other request needs, health data (in case you book a room adapted for disabled guests or requested admittance of a service animal), other details you provide when making your booking, account information, social media handles and social media details, other details you have added to your account profile | Legitimate interest | Reservation systems, account creation, communications with us, check-in/check-out |
| Customer Service and Customer Feedback | Queries, comments, feedback | Legitimate interest | Surveys, chatbots, social media, your communication with us |
| Internet or Other Similar Network Activity | IP address, information on the use of the room systems (such as lights, blinds, media, climate control and door locks) and other systems (e.g. kiosk use) | Legitimate interest | Website, mobile application, social media, chatbots, room systems |
| Geolocation Data | Location (including whether you are in your hotel room and number of individuals in your room) | Legitimate interest | Website, mobile application, mobile device |
| Commercial Information | Booking details, records of personal property (products) and hotel services purchased, including reservation information and your favorites | Legitimate interest. | Purchases made at our hotels, online, or via our mobile application or via third-party websites |
| Protected Characteristics Under California or U.S. Federal Laws | Nationality (where applicable), gender | Legitimate interest | Information you provide to use upon reservation or check-in |
Legal & Regulatory Compliance | Identifiers | Name, gender, date and place of birth, visa information, place of residence, number of your ID (such as passport or driver’s license), ID expiration date | Compliance with legal obligation | Reservation systems, account creation, communications with us, check-in/check-out |
| Commercial Information | Booking details, records of personal property (products) and hotel services purchased, including reservation information | Compliance with legal obligation | Purchases made at our hotels, online, or via our mobile application or via third-party websites |
| Protected Characteristics Under California or U.S. Federal Laws | Nationality | Compliance with legal obligation | Information you provide to use upon reservation or check-in |
Security Management | Identifiers | Name, gender, mailing address, email address, telephone number, and other data relevant to the no stay list | Legitimate interest | Reservation systems, account creation, communications with us, check-in/check-out |
| Education information | Degrees, certifications, education transcripts, diplomas received
| Consent
| Job application, employment assessments and screenings, other communications with us |
| Biometric Information | Images captured via closed circuit television (CCTV) surveillance systems | Legitimate interest | CCTV surveillance systems |
| Geolocation Data | Location (including whether you are in your hotel room and number of individuals in your room) | Legitimate interest | Mobile application, mobile device, CCTV surveillance systems |
Recruitment | Identifiers | Name, gender, mailing address, email address, telephone number, date and place of birth, visa information, place of residence, your profession, ID number | Consent | Job application materials, other communications with us |
| Internet or Other Similar Network Activity | IP address. | Consent | Website |
| Personality, Professional or Employment-Related Information | Traits, resume, diplomas received, references | Consent | Job application, employment assessments and screenings, other communications with us |
| Biometric Information | Photographs, other images captured on video | Legitimate interest | Job application materials |
| Protected Characteristics Under California or U.S. Federal Laws | Nationality (where applicable), gender | Legitimate interest. | Job application materials |
We will never sell your personal information to third parties. However, we may share your personal information in a limited number of circumstances, including:
Third-Party Service Providers: We share personal information with third parties involved in the process of providing services to use or you or performing functions on our behalf (including payment processing). Those third parties are only permitted to use your personal information for the purpose that it has been provided and may not disclose it to any other third party except at our express direction and in accordance with this Privacy Policy.
Legal & Regulatory Authorities: We may from time to time make your personal data available to legal and regulatory authorities, to our accountants, auditors, lawyers or similar professional advisers or to other third parties, when this is required by law, necessary to permit us to exercise our legal rights, to comply with our legal obligations, or necessary to take action regarding illegal activities or to protect the safety of any person.
Business Transitions: If all or part of our company is sold, merged or otherwise transferred, we may transfer your personal data as part of that transaction. We may also transfer your personal data to the owners of hotels managed by us.
Your choices & rights
The following choices and rights with regards to your personal information are available to you:
Access Request Rights
You have the right to request that we provide to you the following information about our collection and use of your personal information:
The (categories of) personal information we have collected about you.
The categories of sources for the personal information we have collected about you (e.g., use of cookies, third party, etc.).
Our business or commercial purpose for collecting that personal information.
The categories of third parties with whom we share or have shared that personal information.
The specific pieces of personal information we collected about you (also called a data portability request), and
Information regarding any disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Deletion, Rectification and Restriction Request Rights
You have the right to request that we delete, restrict or, if you believe that our processing of your personal data is incorrect or inaccurate, change any of the personal information collected from you and retained, subject to certain exceptions. Once your verifiable consumer request is confirmed, we will delete, restrict or change, as the case may be, and direct our service providers to delete, restrict or change your personal information. Your request to delete the personal information collected may be denied if it is necessary for us to retain your information under one or more of the exceptions listed in the GDPR or California Consumer Privacy Act.
Data Portability Rights
In some cases, you may receive your personal data provided by yourself in a structured, commonly used and machine-readable format.
Right to Object
Where we process your personal data based on a "legitimate interest", you may have the legal right to object to the processing of your personal data.
Right to Revoke Consent
Where we process personal data based on your consent, you have the right to revoke such consent at any given time.
Post-mortem Right to Privacy
You have the right to set instructions regarding the storage, deletion or communication of your personal data after your death.
Right to Complain
You have the legal right to lodge a complaint with the competent authority.
When handling any data access, erasure, or correction requests, we will first confirm the identity of the individual making the request or query and consider our obligations under applicable data protection laws and regulations. Such requests are usually provided free of charge, however, a reasonable fee may be applied to cover our administrative costs for requests that are manifestly unfounded, excessive or repetitive. We always aim to provide you with a response within 15 days.
This section explains which cookies and similar techniques (hereafter simply referred to as "cookies") we use on our websites. citizenM makes use of functional and technical cookies on its website; first party tracking cookies may be used, but only after Visitors have provided their consent thereto. Third parties will only be allowed to place cookies on citizenM’s website if Visitors have provided their consent to the use of such third party cookies. Visitors can withdraw their consent at any time by setting their browser to disable cookies or to remove all cookies from their browser.
Marketing Cookies: With your consent citizenM places marketing cookies and trackers to advertise our products and services but to you. The marketing cookies also allow us to provide you with relevant offers based on your online browsing, search and booking behaviour.
Website Functionality and Optimization: We use cookies that are necessary to provide the requested service. For instance, technical cookies allow you to proceed through different pages of a website with a single login and they remember selections in shopping carts and (order) forms that are filled out on our websites. We also use cookies to measure your behavior on our websites to learn about the online experience of our website visitors and to improve our websites. In doing so, we also collect the technical features of your terminal equipment and software used by you, such as the type of operating system, the browser settings, the installed plug-ins, the time zone and the screen size of your device.
Cross-Site Tracking: With your consent, third parties can store tracking cookies on your device if you visit our website. Such cookies enable these third parties to track your online browsing behaviour across different websites (including the citizenM websites). A common purpose of such tracking cookies is to provide you with targeted advertisements across the websites you visit. We do not control or influence the use by third parties of the information collected through these third-party cookies. Please read the privacy policies of these third parties to find out more about how they use cookies and process your personal information.
Social Media: With your consent, our websites use cookies to interact with social media platforms. These cookies are also used to optimize your experience of the social media websites. Please be aware that these cookies may also allow social media platforms to track your online behavior for cross-site tracking purposes.
Withdrawal of Consent: You can withdraw your consent at any time by setting your browser to disable cookies or to remove all cookies from your browser.
citizenM has used and will continue to use reasonable endeavors to protect personal data against loss, alteration or any form of unlawful use. Where possible, personal information will be encrypted and stored on a virtual private server that is secured by means of state of the art protection measures. A strictly limited amount of people, i.e. those people that must have access to personal data for the purpose of their job, have access to personal information. If and to the extent personal information will be stored in a cloud infrastructure provided by third party cloud providers, these providers will be bound by written contract to process personal data provided to them only for the purpose of providing the specific service to citizenM and to maintain appropriate security measures to protect these personal information. citizenM strives to make limited use of paper files which contain personal information. If the use of paper files cannot be avoided such paper files are stored in a closed cabinet and are destroyed in accordance with the applicable retention terms.
Data Breaches: citizenM will protect the personal information it processes against loss and unlawful processing. If despite such protection a data breach occurs, citizenM will report such data breach to the appropriate regulatory authorities where it leads to a considerable likelihood of serious adverse effects on the protection of personal information, if it has serious adverse effects on the protection of personal information, or if otherwise advisable or required by law. The data breach will also be reported to the affected individuals if it is likely to adversely affect their privacy or if otherwise required by law. In order to ensure that a data breach will receive adequate attention and, if required, be reported, we have implemented a Data Breach Policy, which describes the procedure that must be followed in case of a data breach.
Data Processing Register: citizenM will record the details of each data process in a data processing register. All new data processes will undergo a data protection impact assessment (“DPIA”) prior to their implementation. All existing data processes will undergo a DPIA every three years. The purpose of the DPIA is to determine if the relevant data process is likely to result in a high risk to the privacy of Guests or Visitors and, if so, which appropriate measures must be taken to safeguard such personal information.
Data Retention: citizenM will retain personal information only for the period necessary to fulfill the purposes for which it has been collected, i.e. 3 years from the later of the Guest’s stay, opening our citizenM app, visit of citizenM’s website or opening of citizenM’s newsletter or targeted advertisements, unless a longer retention period is required or permitted by law (which is typically the case in the context of citizenM’s obligations under tax law). The personal information of job applicants will become part of your employment record and will be used for employment purposes if the job application is successful. To the extent any psychological assessment reports are part of a recruitment file, these will be stored in a separate file accessible on a strict need-to-know basis only. Personal information of job applicants that are not successful will be retained in accordance with applicable statutory retention periods unless they provide express written consent to register their name and contact details for a period of one year for the sole purpose of contacting them in case of new job opportunities that may interest them. During this one year period you can always have your details removed from our files by sending an e-mail to privacy@citizenm.com.
Cross-Border Data Transfers: As we operate internationally, and provide you with relevant services through resources and servers around the globe, sharing your personal information across borders is essential for you to receive our services. You therefore acknowledge and agree that citizenM may transfer your data globally, so that you can use our services. Your personal information may be transferred to a citizenM hotel or our (support) partners in a country outside of the country where it was originally collected or outside of your country of residence or nationality. For technical and organizational reasons and in the context of our digital cloud infrastructure, personal information is also transferred to servers located in the US, or to servers located in countries outside of the European Economic Area. In this regard, we have entered into so-called EU model clauses with receiving parties or make use of Privacy Shield certified partners to ensure compliance with our data protection obligations, or have ensured that a receiving party has in place so-called "binding corporate rules". Please contact us if you wish to receive more information on the specific safeguards we have implemented to ensure an adequate level of data protection regarding such transfers.
Our website, including our job application postings, is not directed to minors. citizenM does not knowingly solicit, collect, use or disclosure personal information from children under 18 years of age. If we become aware that we have unknowingly collected personal information from a child under the age of 18, we will delete such information from our records.
Compliance with this citizenM Privacy Policy will be monitored and audited regularly. The personal data processing register will be updated promptly upon the implementation of a new personal data process. The completeness and accurateness of the personal data processing register will be verified quarterly. The list of partners placing third party cookies on citizenM’s website will be updated monthly. Compliance with this Privacy Policy will be audited annually.
We have done our best to make sure that this Privacy Policy explains the way in which we process your personal information and rights you have in relation thereto. However, we may change this Privacy Policy from time to time to make sure it is still up to date. When necessary, we will alert you to these changes by posting a prominent notice on our website.
If you have any questions or comments about our Privacy Policy or would like to exercise any of your rights as outlined in this Policy, please email us at privacy@citizenm.com. Our Data Protection Officer can also be contacted at dpo@citizenm.com. You may also click here to use our online form.
If you are a U.S resident you may also contact us toll-free at + 1 (888) 34 34 752.If, as an EEA resident, you believe that we have not adequately resolved any such issues, you have the right to contact your EU supervisory authority.
In the Netherlands:
Autoriteit PersoonsgegevensP.O. Box 933742509 AJ the Hague, the Netherlands
citizenm.com, societym.com
Malay Privacy Statement
Dasar privacy statements citizenM (“kami”) ini terpakai oleh citizenM untuk pemprosesan maklumat.