Skip to main content (Enter)

Privacy Statement

10 / 03 / 2020

This citizenM (“we”, “our” or “us”) Privacy Policy (“Policy”) applies to the processing by citizenM of personal information of (potential) guests (“Guests”) and visitors to our websites (see Annex I for a full list of our domains), mobile application, and social media accounts and pages (“Visitors”), including our job applicants. citizenM takes the privacy of its Guests and Visitors very seriously and treats their personal information with great care. citizenM acts in accordance with applicable data protection legislation. Your personal information is processed by or on behalf of:

  • citizenM Operations Holding B.V. (hereinafter referred to as, “citizenM Operations”), a limited liability company registered under the laws of the Netherlands, having its statutory seat in Amsterdam, the Netherlands and its offices at Leidseweg 219 (2253 AE) Voorschoten, the Netherlands. citizenM Operations Holding B.V. is registered with the Dutch Chamber of Commerce under registration number 34218994; and,

  • in the context of your stay or booking regarding one of our hotels, the entities operating the relevant citizenM branded hotel, whether owned or licensed by citizenM Operations B.V. and its wholly and partially owned affiliates (each hereinafter referred to as a “citizenM Hotel”).  See the full list of our citizenM hotels, and the legal entities that operate these hotels here.

In the context of our hotel services and related services/products, citizenM Operations is the point of contact for all your questions regarding the processing of your personal data.

Information we collect and process

citizenM collects the personal information of its Guests and Visitors for specified, explicit purposes only and will not process this personal information in a manner that is incompatible with those purposes. In some instances we must collect your personal information in order to enter into an agreement for services with you as a Guest.  Where you do not provide this personal information, we may be unable to provide you with services as a Guest. 

We process (e.g. collect, use, disclose, store) the personal information of our Guests and Visitors for the purposes of legal and regulatory compliance, personnel management, operations management and security management, as defined below:


• Legal and regulatory compliance includes any information that citizenM is required to retain based on a legal obligation including administration of statutory leave, administration obligations based on applicable (tax) laws, etc.


• Personnel management includes normal business practices related to the establishment, maintenance and termination of employment relationships, including benefits and (global) compensation programs administration, absence, sickness and leave monitoring, performance management and appraisals, promotion and salary progression exercises, disciplinary proceedings, handling of labor relations and (global) HR support and (global) employee mobility.

o As part of our job application process, we may, subject to applicable laws, in some countries collect or engage third parties to collect additional information, such as to conduct a background check, reference check or psychological assessment.


• Operations management includes the normal business practices related to our day-to-day business activities including facilitating Guests’ stays, guest support and guest identification, planning and budgeting, financial reporting, marketing materials (including personalized advertisements), resource management (assignment of offices, meeting rooms, IT appliances), mergers & acquisitions including due diligences, audits or the establishment, exercising or defending against a legal claim. 


• Security management includes securing the company IT network and systems, company information, company premises, and our employees, Guests and Visitors.


Personal information will be processed only if such processing is based on any of the legal grounds listed in section 6(1) of the General Data Protection Regulation (“GDPR”), notably consent (e.g. for profiling, necessary for the performance of a contract, legitimate interest). Where consent to the collection of personal information is revoked, we will stop processing the personal information. Please note, we do not engage in automated decision-making.


Depending on whether you are a Guest or Visitor of our website, citizenM may capture the following information about you:


Categories of Personal Information Collected

Specific Personal Information

Source of Personal Information

Purpose of Collection

Legal Grounds for Collection


Name, mailing address, telephone number, mobile number, email address, payment information, date and place of birth, visa information, place of residence, your profession, passport number and/or driver’s license number, license plate number (when parking in our garages), passport expiration date. Other data relevant to the “no stay” list.

Reservation systems, account creation, communications with us, check-in/check-out, promotional materials, newsletters, surveys. Job application materials. Post-stay surveys.

Operations Management; Legal & Regulatory Compliance; Personnel Management.

Consent; Necessary for performance of contract; Compliance with legal obligation; Legitimate interest.

Protected Characteristics Under California or U.S. Federal Laws

Nationality (where applicable), sex.

Information you provide to use upon reservation or check-in.  Job application materials.

Legal & Regulatory Compliance; Personnel Management; Operations Management.

Necessary for performance of contract; Compliance with legal obligation.

Internet or Other Similar Network Activity

IP address. Information on the use of the room features (use of lights, blinds, media, climate control, door locks) and other systems (e.g. kiosk use). Use of the systems in the hotel room to ensure that the systems and appliances in our rooms work correctly, such as data regarding the light, entertainment and air-condition systems. Online behavior on our websites and app and obtained from social media platforms such as LinkedIn and Facebook or data brokers.

Website, mobile application, social media, chatbots, room system.

Personnel Management; Operations Management.

Consent; Necessary for performance of contract. 

Professional or Employment-Related Information

Resume, diplomas received, references.

Job application, employment assessments/ screenings. Other communications with us.

Personnel Management.

Legitimate interest. 

Biometric Information

Photographs, other images captured via closed circuit television (CCTV) surveillance systems.

Driver’s licenses, passports, CCTV surveillance systems.

Legal & Regulatory Compliance; Personnel Management; Operations Management; Security Management.

Compliance with legal obligation; Legitimate interest.

Commercial Information

Records of personal property (products) and hotel services purchased, including reservation information and your “favorites”.

Purchases made at our hotels, online, or via our mobile application or via third-party websites.

Legal & Regulatory Compliance; Operations Management.

Consent; Legitimate interest.

Geolocation Data

Location (including whether you are in your hotel room and number of individuals in your room).

Mobile device/application, CCTV surveillance systems.

Operations Management; Security Management.

Consent; Necessary for performance of contract; Legitimate interest. 

Your choices & rights

The following choices and rights with regards to your personal information are available to you: 

Access Request Rights

You have the right to request that we provide to you the following information about our collection and use of your personal information:  

  • The (categories of) personal information we have collected about you.
  • The categories of sources for the personal information we have collected about you (e.g., use of cookies, third party, etc.).
  • Our business or commercial purpose for collecting that personal information.
  • The categories of third parties with whom we share or have shared that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request), and
  • Information regarding any disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Deletion, Rectification and Restriction Request Rights

You have the right to request that we delete, restrict or, if you believe that our processing of your personal data is incorrect or inaccurate, change any of the personal information collected from you and retained, subject to certain exceptions.  Once your verifiable consumer request is confirmed, we will delete, restrict or change, as the case may be, and direct our service providers to delete, restrict or change your personal information. Your request to delete the personal information collected may be denied if it is necessary for us to retain your information under one or more of the exceptions listed in the GDPR or California Consumer Privacy Act.

Data Portability Rights

In some cases, you may receive your personal data provided by yourself in a structured, commonly used and machine-readable format.

Right to Object

Where we process your personal data based on a "legitimate interest", you may have the legal right to object to the processing of your personal data.

Right to Revoke Consent

Where we process personal data based on your consent, you have the right to revoke such consent at any given time. 

Post-mortem Right to Privacy

You have the right to set instructions regarding the storage, deletion or communication of your personal data after your death.

Right to Complain

You have the legal right to lodge a complaint with the competent authority.

When handling any data access, erasure, or correction requests, we will first confirm the identity of the individual making the request or query and consider our obligations under applicable data protection laws and regulations. Such requests are usually provided free of charge, however, a reasonable fee may be applied to cover our administrative costs for requests that are manifestly unfounded, excessive and/or repetitive. We always aim to provide you with a response within 15 days.

Our Cookies Policy

This section explains which cookies and similar techniques (hereafter simply referred to as "cookies") we use on our websites. citizenM makes use of functional and technical cookies on its website; first party tracking cookies may be used, but only after Visitors have provided their consent thereto. Third parties will only be allowed to place cookies on citizenM’s website if Visitors have provided their consent to the use of such third party cookies.  Visitors can withdraw their consent at any time by setting their browser to disable cookies and/or to remove all cookies from their browser. Please see Annex II for a listing of the third party cookies we use.

Marketing Cookies:  With your consent citizenM places marketing cookies and
trackers to advertise our products and services but to you. The marketing cookies also allow us to provide you with relevant offers based on your online browsing, search and booking behaviour. 

Website Functionality and Optimization:  We use cookies that are necessary to provide the requested service. For instance, technical cookies allow you to proceed through different pages of a website with a single login and they remember selections in shopping carts and (order) forms that are filled out on our websites. We also use cookies to measure your behavior on our websites to learn about the online experience of our website visitors and to improve our websites. In doing so, we also collect the technical features of your terminal equipment and software used by you, such as the type of operating system, the browser settings, the installed plug-ins, the time zone and the screen size of your device. 

Cross-Site Tracking:  With your consent, third parties can store tracking cookies on your device if you visit our website. Such cookies enable these third parties to track your online browsing behaviour across different websites (including the citizenM websites). A common purpose of such tracking cookies is to provide you with targeted advertisements across the websites you visit. We do not control or influence the use by third parties of the information collected through these third-party cookies. Please read the privacy policies of these third parties to find out more about how they use cookies and process your personal information. 

Social Media:  With your consent, our websites use cookies to interact with social media platforms. These cookies are also used to optimize your experience of the social media websites. Please be aware that these cookies may also allow social media platforms to track your online behavior for cross-site tracking purposes.

Withdrawal of Consent:  You can withdraw your consent at any time by setting your browser to disable cookies and/or to remove all cookies from your browser.

Protecting Your Personal Information

citizenM has used and will continue to use reasonable endeavors to protect personal data against loss, alteration or any form of unlawful use. Where possible, personal information will be encrypted and stored on a virtual private server that is secured by means of state of the art protection measures. A strictly limited amount of people, i.e. those people that must have access to personal data for the purpose of their job, have access to personal information. If and to the extent personal information will be stored in a cloud infrastructure provided by third party cloud providers, these providers will be bound by written contract to process personal data provided to them only for the purpose of providing the specific service to citizenM and to maintain appropriate security measures to protect these personal information. citizenM strives to make limited use of paper files which contain personal information. If the use of paper files cannot be avoided such paper files are stored in a closed cabinet and are destroyed in accordance with the applicable retention terms.

Data Breaches:  citizenM will protect the personal information it processes against loss and unlawful processing.  If despite such protection a data breach occurs, citizenM will report such data breach to the appropriate regulatory authorities where it leads to a considerable likelihood of serious adverse effects on the protection of personal information, if it has serious adverse effects on the protection of personal information, or if otherwise advisable or required by law. The data breach will also be reported to the affected individuals if it is likely to adversely affect their privacy or if otherwise required by law. In order to ensure that a data breach will receive adequate attention and, if required, be reported, we have implemented a Data Breach Policy, which describes the procedure that must be followed in case of a data breach.

Data Processing Register:  citizenM will record the details of each data process in a data processing register. All new data processes will undergo a data protection impact assessment (“DPIA”) prior to their implementation. All existing data processes will undergo a DPIA every three years. The purpose of the DPIA is to determine if the relevant data process is likely to result in a high risk to the privacy of Guests or Visitors and, if so, which appropriate measures must be taken to safeguard such personal information.

Data Retention:  citizenM will retain personal information only for the period necessary to fulfill the purposes for which it has been collected, i.e. 2 years from the later of the Guest’s stay, visit of citizenM’s website or opening of citizenM’s newsletter, unless a longer retention period is required or permitted by law (which is typically the case in the context of citizenM’s obligations under tax law). The personal information of job applicants will become part of your employment record and will be used for employment purposes if the job application is successful.  To the extent any psychological assessment reports are part of a recruitment file, these will be stored in a separate file accessible on a strict need-to-know basis only. Personal information of job applicants that are not successful will be retained in accordance with applicable statutory retention periods unless they provide express written consent to register their name and contact details for a period of one year for the sole purpose of contacting them in case of new job opportunities that may interest them. During this one year period you can always have your details removed from our files by sending an e-mail to

Cross-Border Data Transfers:  As we operate internationally, and provide you with relevant services through resources and servers around the globe, sharing your personal information across borders is essential for you to receive our services. You therefore acknowledge and agree that citizenM may transfer your data globally, so that you can use our services. Your personal information may be transferred to a citizenM hotel or our (support) partners in a country outside of the country where it was originally collected or outside of your country of residence or nationality. For technical and organizational reasons and in the context of our digital cloud infrastructure, personal information is also transferred to servers located in the US, or to servers located in countries outside of the European Economic Area. In this regard, we have entered into so-called EU model clauses  with receiving parties or make use of Privacy Shield  certified partners to ensure compliance with our data protection obligations, or have ensured that a receiving party has in place so-called "binding corporate rules". Please contact us if you wish to receive more information on the specific safeguards we have implemented to ensure an adequate level of data protection regarding such transfers.

Sharing Your Information

We will never sell your personal information to third parties.  However, we may share your personal information in a limited number of circumstances, including:

  • Third-Party Service Providers:  We share personal information with third parties involved in the process of providing services to use or you or performing functions on our behalf (including payment processing). Those third parties are only permitted to use your personal information for the purpose that it has been provided and may not disclose it to any other third party except at our express direction and in accordance with this Privacy Policy.

  • Legal & Regulatory Authorities:  We may from time to time make your personal data available to legal and regulatory authorities, to our accountants, auditors, lawyers or similar professional advisers or to other third parties, when this is required by law, necessary to permit us to exercise our legal rights, to comply with our legal obligations, or necessary to take action regarding illegal activities or to protect the safety of any person. 

  • Business Transitions:  If all or part of our company is sold, merged or otherwise transferred, we may transfer your personal data as part of that transaction.


Our website, including our job application postings, is not directed to minors. citizenM does not knowingly solicit, collect, use or disclosure personal information from children under 18 years of age. If we become aware that we have unknowingly collected personal information from a child under the age of 18, we will delete such information from our records.

Monitoring & Audit

Compliance with this citizenM Privacy Policy will be monitored and audited regularly. The personal data processing register will be updated promptly upon the implementation of a new personal data process. The completeness and accurateness of the personal data processing register will be verified quarterly. The list of partners placing third party cookies on citizenM’s website will be updated monthly.  Compliance with this Privacy Policy will be audited annually.

Revisions to this Global Privacy Policy

We have done our best to make sure that this Privacy Policy explains the way in which we process your personal information and rights you have in relation thereto. However, we may change this Privacy Policy from time to time to make sure it is still up to date. When necessary, we will alert you to these changes by posting a prominent notice on our website. 

Contact Information/How to Update Your Personal Information

If you have any questions or comments about our Privacy Policy or would like to exercise any of your rights as outlined in this Policy, please email us at Our Data Protection Officer can also be contacted at You may also click here to use our online form.

If you are a U.S resident you may also contact us toll-free at + 1 (888) 34 34 752.
If, as an EEA resident, you believe that we have not adequately resolved any such issues, you have the right to contact your EU supervisory authority.

In the Netherlands: 

Autoriteit Persoonsgegevens
P.O. Box 93374
2509 AJ the Hague, the Netherlands

Annex I: citizenM Domains,,,,,,, 

Annex II: Third Parties Placing Cookies on Our Websites

AdRoll - privacy policy
AdRoll Pixel - privacy policy
AdRoll Roundtrip - privacy policy
ADTECH - privacy policy
AOL Advertising - privacy policy
AppNexus - privacy policy
BidSwitch (IPONWEB) - privacy policy
Bing Ads (Microsoft Advertising) - privacy policy
DoubleClick - privacy policy
DoubleClick Floodlight (Google) - privacy policy
Facebook Connect - privacy policy
Facebook Custom Audience - privacy policy
Facebook Pixel - privacy policy
Facebook Social Plugins - privacy policy
Flashtalking - privacy policy
GA audiences - privacy policy
Google Adwords User List - privacy policy
Google Analytics - privacy policy
Google Dynamic Remarketing - privacy policy
Google Tag Manager - privacy policy
Google Tag Manager Web Tracking - privacy policy
Google+ Platform - privacy policy
Hotjar - privacy policy
Index Exchange (Formerly Casale Media) - privacy policy
Intercom - privacy policy
LinkedIn ads - privacy policy
LinkedIn Marketing Solutions - privacy policy
LiveRamp - privacy policy
MyFonts Counter - privacy policy
OpenX - privacy policy
PubMatic - privacy policy
Rubicon - privacy policy
Taboola - privacy policy
TripleLift - privacy policy

Twitter Advertising - privacy policy

WisePops - privacy policy
Yahoo Ad Exchange - privacy policy
Yieldr - privacy policy

Last updated: February 24, 2020