1. Introduction

We are Hyatt, one of the world’s leading hospitality groups. We use information about you to fulfil our commitment to providing an unparalleled guest experience in connection with all of your interactions with us. As part of that undertaking, we are committed to safeguarding the privacy of the personal information we gather.

To fulfil our commitment to providing an unparalleled guest experience, we need to collect, use and share personal information. This Privacy Policy (“Policy”) explains how we do that when you book with us, travel with us or otherwise stay at a Hyatt Location (as defined in Section 14) or receive other services from our portfolio of brands described in Section 14.

2. Types of personal information we may collect

We obtain most of your information either directly from you or from booking channels you’ve used to book a stay at a Hyatt Location. The main booking channels people use to travel with us or access our services are Hyatt.com, World of Hyatt, our mobile app and other booking platforms operated by third parties that make available stays at Hyatt Locations, tour operators and travel agents.

The table below contains more details regarding the personal information we may collect and process about you where permitted by applicable law.

3. Biometric, health-related or other sensitive personal information

There may be instances in which the personal information listed above contains information that is categorised as sensitive personal information under the privacy laws of some territories/countries.

Special Categories
Depending on the applicable law, sensitive personal information can mean, for example, personal information from which we can determine or infer an individual’s citizenship, immigration status, or racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, membership in a trade union or professional, religious, philosophical, or political association, physical or mental health or condition, medical treatment, genetic data, biometric information, information about an individual’s sexual orientation, username and password information for your Hyatt accounts, personal information relating to potential crimes or international sanctions, or your precise geolocation.

We may collect sensitive personal information you provide us to fulfil special requests (e.g., requests require specific accommodation or services, or biometric information). For example, if you request accommodations for the purpose of your travel, we may pass such details on to your place of travel so that they can confirm or arrange appropriate access.

On a voluntary basis, we may collect biometric information to enable access to our services at Hyatt Locations. In such cases, we will provide additional disclosures and/or obtain specific consent in accordance with applicable laws.

Financial Information
In some rare instances, financial records, credit card information and location data may constitute sensitive personal information where you are located.

Use of sensitive personal information
We only process sensitive personal information if and to the extent permitted or required by applicable law in your jurisdiction (for example, (i) sanctions or anti-money laundering screening, (ii) so that we can tailor our services to you, (iii) for security purposes or to facilitate access to, or use of, our services, or (iv) to ensure we can process card payments).

Consent
Importantly, where we rely on consent to process your sensitive personal information, you have the right to withdraw that consent at any time.

4. Cookies and other technologies

We and other parties use cookies, tags, pixels, beacons and other technologies on our websites, mobile applications, and email and marketing messages. These technologies are used to enable functionality, track usage, improve products and services, and for marketing and analytics, and they also allow us, advertising networks, social media companies, and other providers to place and serve advertisements and customized content. These technologies may collect information about your online activities over time and across different websites, devices, and browsers so that we or other parties may display interest-based advertising using information gathered about you over time across multiple websites or other platforms. For additional information on the data processed by the cookies, click on the Cookie Center link that may be in the footer of the website.

Some of our websites allow you to manage your cookie preferences by clicking on the Cookie Center link that may be in the footer of those websites. Additionally, you can opt out of certain uses of cookies for advertising purposes by visiting http://www.aboutads.info/choices and you can consult the user instructions for your internet browser for additional controls relating to the use of cookies, including blocking certain cookies by adjusting the settings on your internet browser.

Choices you make regarding cookies are website, device, and browser specific, and are deleted whenever you clear your cookies or your browser’s cache. This means you need to adjust your cookie preferences on each website, device, and browser you use. If you block cookies, you will not be able to use all of the features of our websites, including the customization features associated with creating a user profile. Some browsers have “do not track” features that allow you to tell a website not to track you. These features are not all uniform and we do not currently respond to “do not track” signals. Hyatt recognizes the Global Privacy Control signal as described in Section 10.

Further information about cookies and related technologies and how they work is available at allaboutcookies.org.

Our mobile applications may contain software development kits (“SDKs”) provided by other parties which may collect and transmit information, including for purposes of enabling features in the applications. We may also collect device advertising identifiers. You can configure your mobile device privacy or advertising settings via your iOS or Android device to limit how applications track certain activity for advertising purposes. Choices you make are device specific.

5. How we use your personal information and our lawful reasons for that use

We use your personal information to administer your travel or the services you receive from us. To the extent permitted by applicable law, we also use your personal information for our wider business interests, such as planning, risk management and marketing. We describe that in more detail in the table below.

Lawful reasons for use
When we process your personal information as one of our guests or someone else with whom we do business, we process that information on the basis of one more of the following so called “legal bases” depending on the circumstances:

• Performance of a contract: If you make a booking to travel with or receive services from us, our main lawful basis for using your personal information is the performance of our contract with you.

• Legitimate interests: If you are traveling with or receiving services from us but someone else in your party or family contracted with us to make the booking, our lawful basis is our legitimate interest in administering your travel and services.

Our main lawful basis for using your information for our wider business purposes – such as planning, risk management and marketing – is the legitimate interests in providing, improving, and developing our services. We will not use your information for the purposes of a legitimate interest where this legitimate interest is overridden by your interests or fundamental rights and freedoms.

• Legal obligations: Where necessary, we will use your personal information to meet our tax and other legal obligations.

We and the separate and distinct legal entities that manage, operate, franchise, license, or own properties and/or provide services in connection with the Hyatt Locations and World of Hyatt  also use your personal information as controllers to meet our tax and other legal obligations.

Sensitive personal information
Where we use your special category information or other information that is treated as sensitive personal information in a specific territory/country, certain jurisdictions require that we identify an additional ground to process that information. Such additional ground will mainly be that the use is necessary for compliance with the law or other substantial public interest. However, at times we may also rely on your consent. Where we rely on your consent, we will explain at the time what we need your information for and what we will do with it.

Purpose and lawful basis
The table below sets out in more detail how we use your information and our lawful bases.

6. Disclosures of your personal information

Hyatt, ALG, Playa, and MMS
We may disclose your information to other organisations within Hyatt, ALG, Playa, and MMS, for the purposes described in this Policy, including for providing you with our services, and for administering membership/loyalty programs.

Our service providers and suppliers of goods
Like most international hotel brands, we may outsource the processing of certain functions or the provision of goods and/or information to third parties. When we do outsource the processing of your personal information to third parties or provide your personal information to third-party service providers or suppliers, we oblige those third parties to protect your personal information with appropriate security measures.

Please click here for a list of the third-party service providers or suppliers to which your personal information may be transferred from time to time.

Other booking platforms
We may disclose your personal information to other booking platforms where you have used those platforms to book stays at Hyatt Locations, in order to administer your stay at the relevant Hyatt Location.

Reservations and other requests at third-party locations
Our services, including hyatt.com, allow you to make requests for reservations and other items or services with third parties, including hotels that are not locations we manage, and excursions offered by third parties. This includes booking of MMS properties and bookings on Homes & Hideaways, which properties are operated by third-party property managers and owners. Where you make such a request, you are directing us to pass your information and information about your request that you provide to us, along with information about your World of Hyatt account, to the third party, including third-party property managers and owners. The information we provide to these third parties will be handled in accordance with their own privacy policies and procedures, and not Hyatt’s.

Consumer insights
Where we hold personal information about you, we may disclose this personal information to other companies that may also hold information about you. These companies may combine the information in order to better understand your preferences and interests, thereby enabling them and us to serve you better. If your personal information is used for direct marketing purposes, you have the right to object to that (i.e., opt out) by contacting us using the relevant contact details set out in Section 13 below.

On-property companies
At your direction, we may share your personal information with companies and other organisations that own and manage the spas, restaurants, health clubs, and other outlets at Hyatt Locations so they can send you information about the services you have booked (e.g., scheduling reminders), provide you with those services, charge their services to your room account, and/or send you information and promotions about other services that you may be interested in. 

Business transfers
As we continue to develop our business, we may sell hotels and other assets, or cease being the manager or franchisor of a Hyatt Location. In those circumstances, we may include the personal information collected about you, or control of that personal information, as a business asset in any such transfer. Also, in the unlikely event that we, or substantially all of our assets, are acquired, personal information collected about you, or control of such information, may be one of the transferred assets. In each case we may also transfer information to third-party legal, technical or financial advisers as part of the relevant transaction.

Similarly, we may disclose your personal information to a third party whom we acquire in order to facilitate mergers and acquisitions of our business and for the furtherance of the purposes described in Section 5 above.

Credit authorization
When you request credit, your personal information will be used and disclosed to appropriate third parties in accordance with applicable laws for the purpose of determining whether to grant and maintain a line of credit to you.

Property owners and operators
We will share your personal information with property owners and operators. The property owner or operator will use your personal information on behalf of our brands to administer your travel or provide our services; they do so subject to the limitations set out in this Policy and the contractual obligations we have imposed on them to secure your information. These entities also use your personal information as independent controllers to meet their own tax and other legal obligations.

E-Folio Program
If you are an employee or independent contractor of a company that participates in our E-Folio Program, and you use the corporate credit card that is provided to you by your employer (if you are an employee of such a company) or corporate client (if you are an independent contractor of such a company) to pay for your hotel bill at a Hyatt Location, then you may benefit from our E-Folio Program.

Under the E-Folio Program, an extract of your bill (including the dates of your stay, your credit card details and amounts incurred at the Hyatt Location including room charges and all incidental charges including but not limited to food, beverage and entertainment charges) will be transferred electronically by the Hyatt Location either to Hyatt or to a third-party service provider located in the United States who acts on Hyatt’s behalf to compile the extract and transfer it to:

• the credit card network operator, the credit card issuer and/or their respective subcontractors, who will, in turn, forward that extract to your employer or corporate client (and/or their respective subcontractors) to facilitate the processing and tracking of your travel-related expenses; or
• in some limited circumstances, your employer or corporate client (and/or their respective subcontractors) directly for the same purpose

Once the personal information is transferred to the credit card network operator, credit card issuer, your employer or corporate client and/or their respective subcontractors, it is no longer subject to this Policy, but rather your own arrangements with your employer or corporate client, the relevant credit card network operator and/or the relevant card issuer.

Regulators and official authorities
We reserve the right to disclose any personal information we have concerning you if we are compelled to do so by a court of law or lawfully requested to do so by a governmental entity or if we determine it is necessary or desirable to comply with the law or to protect or defend our rights or property in accordance with applicable laws.

Summary of recipients
Without limiting the disclosures above, further details about what information we share with service providers and third parties is included in the table below. Please note that the table below contains examples of personal information we may share on an occasional or one-off basis as well as personal information we share routinely.

Hyatt, ALG, Playa, and MMS

Our service providers and suppliers

Independent third parties

7. International transfers of personal information

Due to the international nature of our business, we transfer your personal information to other territories/countries. These territories/countries may have different laws and privacy compliance requirements to those that apply in your country of residence.

For example, we transfer your personal information to the property owners and operators that own, lease, franchise, license, or manage the property. We also transfer your personal information to the third-party suppliers responsible for administering your travel and providing our services. You can see all the territories/countries where Hyatt Locations are based by selecting “All” at www.hyatt.com/explore-hotels.

Safeguarding your personal information
When we transfer your personal information to another country, we will ensure that country has been recognised as providing an adequate level of data protection or implement appropriate EU approved standard contractual clauses (or, where applicable, appropriate clauses approved for use in other jurisdictions) or another approved mechanism to safeguard your personal information. Where we have not implemented an appropriate safeguard, we will rely on an exemption, such as your consent or the performance of the contract for our services.

Binding Corporate Rules
When we transfer your personal information between Hyatt entities (other than ALG and MMS), we use an enhanced safeguard called the Hyatt Global Privacy Principles. The Global Privacy Principles act as Hyatt’s “Binding Corporate Rules” under the GDPR. Binding Corporate Rules are recognised as the ‘gold standard’ for safeguarding global data flows.

The Global Privacy Principles ensure we protect your personal information anywhere in the world – in particular, they effectively safeguard personal information we transfer from inside the European Economic Area to countries in the rest of the world, which have not been deemed by the European Commission to ensure an adequate level of protection for privacy and personal information.

We routinely transfer your personal information to all the major locations in which Hyatt Locations operate including, the United States of America, Hong Kong and Germany. We also transfer your personal information to other Hyatt Locations where necessary for your stay or any other services you request. A full list of the locations where your personal information could be transferred can be found by selecting “All” at www.hyatt.com/explore-hotels.

All entities within Hyatt are required to comply, and to ensure their employees comply, with the requirements of these Global Privacy Principles. 

Please contact us using the details in Section 13, if you would like a copy of the Global Privacy Principles and details of any special protections we have implemented in relation to a specific territory/country, or when transferring your personal information.

8. Retention

We will retain your personal information (including your sensitive personal information) for as long as is reasonably necessary for the purpose for which information was collected, or as legally required.

We generally delete your personal information within ten years after our last contact with you subject to: regulatory requirements that we are subject to, including laws and regulations related to tax, employment, accounting, and securities; whether a legal claim might be brought against us, for which the information would be relevant; the necessity of the information to provide our services to our customers; and the types and sensitivity of personal information being processed.

9. Children

We do not sell products or services for purchase by children. You may only use our platforms if you are at least 18 years of age and can form legally binding contracts under applicable law. We do not knowingly solicit or collect information from children under 18 years of age. We will only collect information relating to children with the specific permission of parents or guardians.

10. Choice

You always have certain choices regarding what personal information you wish to provide to us. However, if you choose not to provide us with or allow us to process all personal information that is required for the purposes of your engagement with us, or that is necessary in order for us to comply with our legal obligations, your ability to receive services from us may be affected (for example, we cannot take a reservation without a name). For information on further rights which may be available to you, please see Section 11 below. If you have any further questions, please contact us using the details set out in Section 13 below.

If you provide us with your contact details (e.g., postal address, email address, telephone number or fax number), we may contact you to let you know about the products, services, promotions, and events offered that we think you may be interested in, to the extent permitted by applicable law. We may also share your personal information with certain third parties, who may communicate directly with you, to the extent permitted by applicable law. In some jurisdictions, data privacy laws may require us to obtain a separate consent before we do so. You can choose whether or not to receive any or all of these communications from us by contacting us as described in  Section 13 below or following the “unsubscribe” instructions contained in relevant communications.

11. Your privacy rights and specific territories/countries

You have the right to:

• Access your information
• Object to the use of your information
• Erasure of your information
• Portability of your information to other organisations
• Correct and update your information if it is inaccurate
• Restrict our use of your information while any concerns you raise are resolved
• Withdraw your consent

Please be aware that these rights are not absolute and there may be situations where they cannot be exercised or they are not relevant to you or your personal information.

You can exercise these rights by clicking here, or by sending us a written request by letter or email to the addresses set out in Section 13 below. Please be sure to include your full name, address and telephone number so we can ascertain your identity and whether we have any personal information regarding you, or in case we need to contact you to obtain any additional information we may require to make that determination.

Where you make more than one request in quick succession, we may respond to your subsequent request by referring to our earlier response and only identifying any items that have changed materially.

If you submit a request to correct or update your personal information, and if we agree that the personal information is incorrect, or that the processing should be stopped, we will delete or correct the personal information. If we do not agree that the personal information is incorrect we will tell you that we do not agree, explain our refusal to you and record the fact that you consider that personal information to be incorrect in the relevant file(s). If you are unhappy with the way we have handled your request, you can escalate your concern to the Chief Privacy Officer by sending an email to privacy@hyatt.com. In some cases, you may also be able to complain to a data protection authority. You can find out more information about your rights on the website of your country’s data protection authority.

European Economic Area, Switzerland and United Kingdom
If you are based in the European Economic Area, Switzerland or the UK or receiving services from a Hyatt Location in one of these jurisdictions, you have the right to:

• Access your information
• Object to the use of your information
• Erasure of your information
• Portability of your information to other organisations
• Correct and update your information if it is inaccurate
• Restrict our use of your information while any concerns you raise are resolved
• Complain to your data protection authority
• Withdraw your consent

The relevant contact details to exercise these rights are set out in section 13 below. Please be sure to include your full name, address and telephone number and a copy of a document evidencing your identity (such as an ID card or passport) so we can ascertain your identity and whether we have any personal information regarding you, or in case we need to contact you to obtain any additional information we may require to make that determination. Where you make more than one request in quick succession, we may respond to your subsequent request by referring to our earlier response and only identifying any items that have changed materially. 

Please be aware that these rights are not absolute and there are situations where they cannot be exercised or they are not relevant. You can find out more information about your rights on the website of your country's data protection authority.

Brazil
If you reside in Brazil or are otherwise subject to the Brazilian Federal Law nº 13.709/18 (“LGPD”), you may also exercise the following rights when applicable:

• Confirmation and access – you have the right to obtain confirmation as to whether or not your personal data is being processed. If we are processing personal data concerning you, you have the right of access to the personal data and to certain information regarding the processing, as provided for in the LGPD, including information regarding the public and private entities with which we share your personal data.
• Rectification – you have the right to require the correction of incomplete, inaccurate, or out-of-date personal data concerning you.
• Anonymization, blocking or erasure – you have the right to request the anonymization, blocking or erasure of unnecessary or excessive personal data or personal data processed in non-compliance with the provisions of the LGPD.
• Data portability – you have the right to request that the personal data that we process concerning you is transmitted to another service or product provider, limited to our commercial or industrial secrets.
• Withdraw consent – you have the right, when the basis for processing is consent, to withdraw the consent at any time, through an easy to use and free of charge procedure. This shall be without prejudice to the lawfulness of the processing of your personal data until consent has been withdrawn. You also have the right to request the erasure of personal data concerning you once consent is withdrawn and to be informed about the possibility of denying consent, and the consequences of such denial.
• Object – you have the right to object to the processing of your personal data to the extent that we rely on legal bases other than your consent, in case of violation of the LGPD.
• Right to review of automated decision-making – you may request review of decisions taken solely on the basis of automated processing of your personal data which affect your interests, including decisions intended to define personal, professional, consumer or credit profile or aspects of your personality. You may also request clear and adequate information regarding the criteria and procedures used for an automated decision, subject to our commercial and industrial secrecy.
• Right to Petition – you may petition with the Brazilian regulatory authority as well as consumer protection entities regarding the processing of your personal data.

Brazilian residents can exercise these rights by emailing or calling us using the relevant contact details in Section 13 below.

Hyatt’s Brazilian Data Privacy Officer is Marilia Brackmann, and she can be reached by emailing privacy@hyatt.com with the subject: “Attn: Brazil DPO.”

India
If you are based in India or receiving services from a Hyatt Location in India, the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the rules framed thereunder apply to the collection, use, sharing and processing of your digital personal information. Unless otherwise stated in the following paragraphs, the rules indicated in this India part apply in addition to and, where contradictions exist, replacement of other sections of the Policy.

• Notice
  We will provide you clear notice with or before a request for consent to inform you regarding the purpose of processing your personal data, the manner in which you may exercise their rights under the DPDP Act and make a complaint to the Data Protection Board i.e., regulatory authority constituted under the DPDP Act. You can request for the notice to be provided in any of the 22 languages mentioned in the 8^th schedule of the Constitution of India.

• Legal basis for processing
  We will seek your consent or follow other applicable legal bases to process your personal information for our business and commercial purposes described in Section 5 above. In particular, we rely on your consent for the processing of your personal information for conducting direct marketing activities.

If you are providing personal information to us which relate to another individual (for example, by making a booking on behalf of a family member or colleague), you confirm that they are aware and agree with such personal information being provided to us.

We and other parties use cookies and related technology for advertising purposes, which could constitute “processing” of your personal information under the DPDP Act. We will provide you an opt-in option before processing your personal information for advertising purposes. Your opt-in or opt-out of cookie-based tracking for advertising purposes is specific to the device, website, and browser you are using, and is deleted whenever you clear your cookies or your browser’s cache.

We will not undertake tracking or behavioural monitoring of, or targeted advertising directed at children below the age of 18.

• Further processing
  We will not process your personal information for a purpose that is inconsistent with or differs from the purpose(s) for which we originally collected it, except where such personal information is publicly available, where you give us your consent, where we need to do so in order to comply with applicable law, or where we are processing such information for a ‘legitimate use’ as per the DPDP Act.

• International transfers of your Personal Information
  We will not transfer any of your personal Information to countries specifically subjected to restrictions by the Indian Government.

• Your rights under the DPDP Act
  In addition to other rights outlined in this Section 11 which may be applicable to you, you have the right to nominate any other individual to exercise the above-mentioned rights under the DPDP Act in the event of your death or incapacity (unsoundness of mind or infirmity of body).

Japan
If you are based in Japan or receiving services from one of our Hyatt Locations in Japan, this Policy gives effect to our commitment to protect your personal information and has been adopted by Hyatt International-Asia Pacific, Limited and the legal entities who own and operate Andaz Tokyo Toranomon Hills, Caption by Hyatt Namba Osaka, Fuji Speedway Hotel, Grand Hyatt Fukuoka, Grand Hyatt Tokyo, Hotel Toranomon Hills, Hyatt Centric Ginza Tokyo, Hyatt Centric Kanazawa, Hyatt House Kanazawa, Hyatt House Tokyo Shibuya, Hyatt Place Kyoto, Hyatt Regency Hakone Resort and Spa, Hyatt Regency Kyoto, Hyatt Regency Naha Okinawa, Hyatt Regency Seragaki Island Okinawa, Hyatt Regency Tokyo, Hyatt Regency Tokyo Bay, Hyatt Regency Yokohama, Park Hyatt Kyoto, Park Hyatt Niseko Hanazono, and Park Hyatt Tokyo.

Please see Section 6 above for more information on disclosures of your personal information, including a list of:

• our service providers and suppliers to which we may disclose your personal information for the purposes described in this Policy; and
• the independent third parties to which we may disclose your personal information for the purposes described in this Policy. 

Please click here for a list of the Hyatt, ALG, and MMS organisations to which we may disclose your personal information for the purposes described in this Policy.

Kingdom of Saudi Arabia
If you are based in the Kingdom of Saudi Arabia (the “KSA”), the processing of your personal information is subject to the Personal Data Protection Law issued pursuant to Royal Decree M/19 of 16/09/2021 [Gregorian], as amended pursuant to Royal Decree M/148 of 27/03/2023 [Gregorian] (the “PDPL”) and the regulations accompanying the PDPL, the Regulation on Personal Data Transfer outside the Kingdom (“Transfer Regulation”) and Implementing Regulation of the PDPL (collectively, the “Regulations”). Accordingly, the following specific provisions apply to you and the processing of your personal information, despite anything else in this Policy to the contrary.

• Additional information about our processing of your personal information
  The type of personal information that we may collect about you, the purpose for its collection and subsequent processing by us, the lawful bases for processing and the third parties to whom we may disclose your personal information are described in this Policy in Section 2, Section 3, Section 4 and Section 5 above. Except when we otherwise indicate to you at the time we collect personal information, its provision by you is optional, and where we rely on your consent for its collection and subsequent processing, you have the right to withhold or subsequently withdraw your consent, in whole or in part.

We will generally retain your personal information only for as long as necessary to achieve the purpose(s) for which it was collected, or for any longer period of time that we are required to retain your personal information under applicable law, after which we will securely destroy it.

• Further processing
  We will not process your personal information for a purpose that is inconsistent with the purpose(s) for which we originally collected it, except where such personal information is publicly available, where you give us your consent, where we need to do so in order to comply with applicable law, or where this is necessary to achieve our legitimate interests.

• International transfers of your personal information
  We will not transfer any of your personal Information outside the KSA, except to jurisdictions which are formally recognized by the KSA authorities as having an adequate level of protection of personal information, or otherwise on the basis of one or more of the conditions set out in the Regulations of the PDPL.

• Exercising your rights
  The relevant contact details to exercise these rights are set out in Section 13 below. Please state your name, address and valid ID document details (such as passport, iqama or identification card number) and attaching a copy of that ID document. We will respond to your request within 30 days, however if your request requires unexpected processing, we will inform you of any extension in our response to you. You will be informed in circumstances whereby we may decline to fulfil your request under the Regulations of the PDPL

Mexico
If you are based in Mexico or otherwise subject to the Mexican data protection laws (including the Data Protection Under Federal Data Protection Held By Private Parties Act (“the Act”)), the data controller for the use, processing, and protection of your personal data will be the company with whom you have contracted our services. You can find the relevant contact details in Section 13 below.

In addition to any relevant rights outlined in this Section 11, you have the right to:

• learn how we use this information and the specific terms and conditions governing its use, and
• opt-out of direct marketing.

You can find out more information about your rights on the website of the National Institute of Transparency, Access to Information and Personal Data Protection: www.inai.org.mx.

• Consent
  If you are based in Mexico or otherwise subject to the Mexican data protection laws, where necessary you consent to Hyatt’s use of your personal information as described in this Policy, unless you provide an express objection, by sending an email to privacy@hyatt.com. Consent is not required for any processing that is necessary for a contract between you and Hyatt, or in respect of the matters referred to in Article 10 of the Act.

Where we rely on consent to process your personal information, you have the right to withdraw that consent. However, in certain cases, we may not be able to fulfil your request or immediately stop processing your information due to legal or tax obligations we are subject to. Additionally, withdrawing your consent for certain purposes might result in our inability to provide the service you requested, or terminate the agreement we have with you. Therefore, you may withdraw your consent or object to only those purposes that are not essential for performing the agreement we have with you or for complying with our obligations.

Your consent may be provided by agreeing to this Policy, through a third party, in person or through any other reasonable means used by Hyatt.

By providing any third-party’s personal information to Hyatt, you confirm that you have provided the third party with a copy of this Policy and where necessary have obtained their consent to any handling of their personal data by Hyatt.

The above is without prejudice to your ability to exercise your rights under the Act.

• Limit the use and disclosure of your information
  You may also limit the use and disclosure of your personal information by registering with:
  • the public registry to avoid advertising, managed by the Federal Consumer Protection Agency (“PROFECO”), which prevents your data from being used to receive advertising or offers of goods and services. To do so, please visit the official website of PROFECO; or
  • our exclusion list, which ensures that your personal information is not processed by us for marketing, advertising, or commercial purposes.

• How to make a request
  In order to (i) exercise any of your rights; (ii) withdraw your consent, and (iii) limit the use or disclosure of your personal information or obtain more information about the procedure and requirements to do so, you must submit a request to us using the relevant contact details provided below. Your request should include:
  • full name of the owner of the personal data;
  • a description of the personal data related to your request;
  • a specific reference to the right(s) you want to exercise, if applicable, or if you want to withdraw consent or limit the use or disclosure of your personal data; and
  • your address or other means for delivering our response to your request.

To verify your identity, please attach a copy of your official identification document to your request. If the request is submitted by a legal representative, you must provide proof of their authority to act on your behalf.

Please note that the team in charge of processing your request for exercising your rights or revoking consent will respond to your request within twenty (20) business days, starting from the date you submitted your request.

• Mexican contact details 

Hyatt Hotels & Resorts
9805 Q Street
Omaha NE 68127
United States

privacy@hyatt.com

Privacy Portal

People’s Republic of China
If you are based in the People’s Republic of China (for the purpose of the Policy, excluding the Hong Kong Special Administrative Region, the Macau Special Administrative Region and Taiwan, the “PRC”), the Personal Information Protection Law (the “PIPL”) applies to the processing of your personal information. Unless otherwise stated in the following paragraphs, the rules indicated in this PRC part apply in addition to and, where contradictions exist, replacement of other sections of the Policy.

• Legal basis for processing
  We will seek your consent or follow other applicable legal bases to process your personal information. In particular, we rely on your consent for the processing of your personal information for conducting direct marketing activities.

• Sensitive personal information
  There may be instances in which the personal information that you provide to us or that we collect is considered sensitive personal information under the PIPL (for example, governmental identifiers and financial information). We only process sensitive personal information if and to the extent permitted or required by applicable laws, including after obtaining your separate consent if required. We will seek to protect such information rigorously using the security measures required by the applicable laws and, hence, your sensitive personal information should not be processed in a way that will result in negative implications to your personal rights (for example, harm to your reputation, physical or mental health, personal or property security).

• Sharing and international transfer
  When necessary for the purposes described in the Policy, subject to your consent where necessary, your personal information may be shared to third parties located within or outside of the PRC. We will only share personal information that are necessary for the purposes indicated in Section 5 and Section 6 above.

Please click here for a full list of organisations to whom we transfer personal information and their respective contact details and details on what, how and why such organisations process your personal information.

If required by applicable laws, we will conduct a security assessment, and/or undergo a personal information protection certification or sign standard contracts for cross-border transmission of personal information and take necessary measures to ensure the overseas recipient’s personal information handling meets the relevant personal information protection standards under the PIPL.

• Your rights under the PIPL
  In addition to any relevant rights outlined in this Section 10, you may have certain additional rights related to your personal information. These rights include the right to cancel your account and the right to request explanation.

The relevant contact details to exercise these rights are set out in Section 13 below. To ensure security, we will process your request in a timely manner and within the required timeframe after verifying your identity. We may refuse the requests that are unreasonably repeated, require too many technical methods (for example, need to develop new systems or fundamentally change current practices), raise risks to rights and interests of others, or are very impractical.

South Korea
If you are based in South Korea or receiving services from one of our Hyatt Locations in South Korea, this section provides additional information regarding the processing of your personal information in accordance with the Personal Information and Protection Act (PIPA) of the Republic of Korea. In the event of any conflict between the main body of this Policy and this South Korea section this section shall prevail.

This Policy has been adopted by the legal entities, for their Hyatt related operations, who own and operate Andaz Seoul Gangnam (Owner: KT Estate Inc.), Grand Hyatt Incheon (Owner: KAL Hotel Network Company Limited), Grand Hyatt Jeju (Owner: Lotte Tour Development Co., Ltd), Grand Hyatt Seoul (Owner: Seoul Miramar Corporation), Park Hyatt Busan (Owner: Hyundai Development Company), and Park Hyatt Seoul (Owner: Hyundai Development Company).

• Personal Information Processing Policy
  Hyatt has established and disclosed this Policy in accordance with Article 30 of the PIPA to protect the rights and freedoms of data subjects, and to ensure the prompt and effective resolution of related grievances. 

• Purpose of processing personal information
  Hyatt collects and processes personal information for the following purposes. Personal information will not be used for any purpose other than those specified below. Should the purpose of use change, Hyatt will take necessary measures such as obtaining consent, in accordance with Article 18 of the PIPA.  
  
  
  • Loyalty membership registration and management: To confirm membership registration, verify identity and authenticate users for membership services (e.g., World of Hyatt), maintain and manage membership status, prevent unauthorized or fraudulent use of services, provide important notices, and handle related inquiries or grievances.
  • Provision of accommodation, goods and services: To process and fulfil accommodation reservations, deliver goods, provide various services, issue contracts and invoices, supply content, offer personalized services, verify identity and age, process payments and settlements, and provide concierge and related guest services.
  • Marketing and advertising: To develop new products and services, offer personalized services, provide information on promotional events, tailor advertisements based on demographic characteristics, and analyze service usage statistics and access frequency.
  • Grievance handling, dispute resolution, and exercising data rights Requests: To verify the identity of complainants, confirm the details of complaints, conduct fact-finding communications, and notify individuals regarding the resolution of their concerns and related outcomes.

• Items and retention period of personal information processed
  Hyatt processes and retains personal information only for as long as necessary to fulfil the purposes for which it was collected, or within the period stipulated by applicable laws and regulations.
  
  
  • Personal information processed with the data subject's consent

• Personal information processed without the data subject's consent

• Personal information provided by third parties
  Hyatt receives the following personal information from third parties to provide services and manage memberships. In accordance with Article 37 of the PIPA, you have the right to request the suspension of your personal information processing or to withdraw your consent at any time.

• Retention required by law

• Delegation of personal information processing

To ensure the efficient processing of personal information, Hyatt delegates certain personal information processing tasks as described here.

In accordance with Article 26(6) of the PIPA, if a delegate sub-delegates our personal information processing tasks to another party, it will only be done so pursuant to our agreement with such third party and this Policy.

When entering into a delegation agreement, Hyatt specifies responsibilities in accordance with Article 26 of the PIPA, including prohibiting processing for purposes other than those delegated, implementing technical and administrative safeguards, restricting sub-delegation, and supervising the delegatee, to ensure the safe handling of personal information.

• Provision of personal information to third parties

Hyatt provides personal information to third parties only with the data subject's consent or in circumstances permitted under Articles 17 and 18 of the PIPA.

• International transfer of personal information

Data subjects may refuse the overseas transfer of their personal information by contacting the department as specified below in the “Rights and obligations of data subjects and legal representatives, and methods of exercise” sub-section. However, please note that such refusal may result in the restriction of all or part of our services—including membership registration and reservations—as overseas transfers are essential for the provision of our global hospitality services.

Furthermore, the transfers detailed in the "Provision of personal information to third parties" (Lawful Basis: Article 28-8(1)(1) of the Personal Information Protection Act) and "Delegation of personal information processing(here)" (Lawful Basis: Article 28-8(1)(3) of the Personal Information Protection Act) section above also constitute international transfers of personal information, as all listed recipients and delegatees are located overseas. The timing and method of transfer, the data subject's method and procedure for refusal, and the effects of such refusal are the same as described in this article.

• Destruction of personal information
  Hyatt will promptly destroy personal information without delay when it is no longer necessary, such as when the retention period has expired or the purpose of processing has been achieved. If personal information must be retained in accordance with other laws, it will be transferred to a separate database (DB) or stored in a different location.
  
  
  • Destruction Procedure: Hyatt selects the personal information to be destroyed and proceeds with destruction in accordance with Hyatt’s record retention procedures.
  • Destruction Method: Electronic files are destroyed using technical methods that render the records irrecoverable. Paper documents are destroyed by shredding or incineration.

• Rights and obligations of data subjects and legal representatives, and methods of exercise
  
  
  • Data subjects may exercise the following rights with respect to Hyatt at any time: (1) Request access to personal information; (2) Request correction; (3) Request deletion; (4) Request suspension of processing; and (5) Withdraw consent for the collection, use, and provision of personal information.
  • These rights may be exercised by submitting a request online, by email, in writing, or by phone. Hyatt will respond without undue delay. You may also directly manage your information through the ‘My Account’ section on our website.
  • The exercise of rights may be carried out by the data subject, a legal representative, or an authorized agent. In such cases, a power of attorney must be provided.
  • Please note that requests for access or suspension of processing may be subject to restrictions under Article 35(4) and Article 37(2) of the Personal Information Protection Act (PIPA).
  • Requests should be directed to the following department:
    • Department for Receiving and Processing Requests: Consumer Affairs 
    • Contact:
      • Online inquiries may be submitted here.
      • privacy@hyatt.com
      • (888) 524-9288,
      • Hyatt Hotels & Resorts, Attn: Consumer Affairs, 9805 Q Street, Omaha, NE 68127, United States

• Automated collection of personal information
  Hyatt uses cookies and similar technologies to provide customized services. Cookies are small text files sent to your browser and stored on your device. For more information see Section 4 above.
  
  
  • Purpose of Cookies: To enable functionality, track usage, improve products and services, and for marketing and analytics, including interest-based advertising.
  • Behavioural Data: Hyatt and our partners (e.g., advertising networks, social media companies) may collect behavioural data (e.g., website visit history, search queries) to provide personalized services and targeted advertising. You can opt-out of such tracking via your browser or device settings or by going to the Cookie Center link in the footer when available.

The data subject has the right to choose whether to install cookies. Therefore, you may allow all cookies, require confirmation each time a cookie is saved, or refuse to save any cookies by adjusting the options in your web browser or by using the Cookie Center link in the footer of some of our websites.

However, if you refuse to install cookies, you may experience difficulties using certain services that require them, such as personalized features.

Below are instructions on how to configure your cookie settings in major web browsers. Please note that menu paths may vary slightly depending on the browser version.

    (a) For Google Chrome

1. Click the [More] button (⋮) at the top right of the browser.
2. Go to [Settings].
3. Select [Privacy and security] from the left-hand menu.
4. Click on [Cookies and other site data].
5. You can choose one of the following options:
   • "Allow all cookies"
   • "Block third-party cookies in Incognito"
   • "Block third-party cookies"
   • "Block all cookies (not recommended)"

    (b) For Microsoft Edge

1. Click the [Settings and more] button (...) at the top right of the browser.
2. Go to [Settings].
3. Select [Cookies and site permissions] from the left-hand menu.
4. Click on [Manage and delete cookies and site data].
5. You can toggle "Allow sites to save and read cookie data (recommended)" on or off, and manage "Block" and "Allow" lists for specific sites.

    (c) For Safari

1. From the [Safari] menu at the top left of the screen, select [Settings] (or [Preferences]).
2. Go to the [Privacy] tab.
3. Under "Cookies and website data," you can select "Block all cookies."
4. You can also click [Manage Website Data...] to see and remove cookies for specific sites.

    (d) For Other Browsers Please refer to the help section of your respective browser for instructions on how to manage cookie settings.

• Processing of Online Behavioral Information
  Hyatt and our partners use automated tools such as cookies and SDKs to collect users’ online behavioral information in order to provide personalized services and targeted advertising. Hyatt processes this behavioral information without identifying you as an individual.
  
  
  • Behavioral Information Collected by Hyatt

• Provision of Behavioral Information to Third Parties
  We may provide the collected behavioral information to the following types of online advertising partners for customized advertising purposes.

• Third-Party Collection of Behavioral Information
  We permit the following third parties to collect behavioral information on our website/app for online advertising and analytics.

• Security measures for personal information
  In accordance with Article 29 of the PIPA, Hyatt implements the following security measures to ensure the safe handling of personal information:
  
  
  • Administrative Measures: Establishment of internal management policies and regular training for employees.
  • Technical Measures: Management of access rights, installation of access control systems, encryption of sensitive information, and implementation of security software.
  • Physical Measures: Access restrictions for data centers and information storage rooms.

• Remedies for infringement of rights
  If your personal information rights have been infringed, you may seek dispute resolution or consultation from the following institutions:
  
  
  • Personal Information Dispute Mediation Committee: (Toll-free) 1833-6972 (www.kopico.go.kr)
  • Personal Information Infringement Report Center: (Toll-free) 118 (privacy.kisa.or.kr)
  • Supreme Prosecutors' Office: (Toll-free) 1301 (www.spo.go.kr)
  • National Police Agency: (Toll-free) 182 (ecrm.police.go.kr)
    

• Domestic Representative
  In accordance with Article 31-2 of the PIPA, Hyatt has designated a domestic representative as follows:

            HYGCC KOREA
            Woonghee Kim, Senior Operations Manager
            Address: 4F, 35 Seongsuil-ro 12-gil, Seongdong-gu, Seoul, Korea
            Phone: 02-461-2188
            Email address: marcus.kim@hyatt.com

• Amendments to this Privacy Policy
  This policy (Republic of Korea) will be effective from July 15, 2025.
  

United States and California notice at collection

For purposes of exercising the rights described in this section, please note the following additional details regarding how we collect and use your personal information as described in this policy:

• Depending on the nature of our interactions with you, we may collect, and use for our business and commercial purposes, the following categories of personal information as set forth in applicable California law: Identifiers; California customer records (such as birthdate, contact information, and payment information); characteristics of protected classifications under California or federal law (such as demographic information); commercial information; biometric information; Internet or other electronic network activity information; professional or employment information; education information; geolocation data; audio, electronic or visual information; sensitive personal information (as set forth in Section 3); and inferences.
• We use the above categories of personal information for the business and commercial purposes described in Section 5 above. We may use and disclose sensitive personal information for the purposes described in Section 4 and Section 5 above.
• We collect personal information from the following categories of sources, as more fully described in Section 2 above: directly from you, automatically from your devices, from other booking platforms, from our service providers, from social media, from our business partners, and from our affiliates and subsidiaries.
• We may disclose each of these categories of personal information to the extent permitted by applicable law with the following categories of parties, as more fully described in Section 5 above: affiliates and subsidiaries, service providers, business partners, advertising networks, data analytics providers, social media networks, other booking platforms, credit reporting bodies, with entities for our legal compliance purposes, and with potential acquirers or creditors.
• We may “sell” (as defined in applicable state privacy laws) or “share” (as defined in applicable state privacy laws) for purposes of cross-context behavioral advertising the following categories of personal information: identifiers; customer records; demographic information; commercial information; website data or other electronic network activity; geolocation data; and inferences. We sell and share this personal information with advertisers, advertising networks, and social networks. We do not knowingly sell or share the personal information of consumers under 16 years of age.
• We use or disclose sensitive personal information for purposes specified under applicable California privacy regulations. We retain your personal information as described in Section 8 above.

From time to time, we may collect personal information in connection with a promotion, offer, program, or discount, including the World of Hyatt loyalty program. See here for World of Hyatt terms and conditions. We or our vendors may disclose such personal information in connection with our World of Hyatt alliances, including those listed at here. The offers and incentives made available through them are generally related to the value of the relationships that we have with the individuals who participate. Participation is voluntary, and you may withdraw at any time by contacting us using the information set forth in Section 13 below.

Where you are resident in the United States, depending on the privacy laws in your state of residence and to the extent required by such applicable privacy laws, you may also be able to make some or all of the following requests with respect to your personal information, all of which are subject to certain exceptions, specific definitions, and limitations under applicable law and regulation:

• Access/right to know – You can request to confirm whether we process personal information about you, and you can request that we disclose to you the categories of personal information collected about you (including sensitive personal information), the categories of sources from which the personal information is collected, the categories of personal information sold, shared, or disclosed, the business or commercial purpose for collecting, selling or sharing the personal information, the categories of third parties (or, in certain states, a list of third parties as defined in applicable state law) to whom we disclosed the personal information, the specific pieces of personal information collected about you, and information about the logic involved in any automated decision-making processes used by us (if applicable), as well as a description of the likely outcome of the process with respect to you.
• Deletion – You can request that we delete your personal information that we maintain about you, subject to certain exceptions.
• Do not sell or share my personal information – You can request to opt out of the sale (as such term may be defined in applicable law in your jurisdiction of residence) of your personal information and the sharing (as such term may be defined in applicable law in your jurisdiction of residence) of your personal information for cross-context behavioral advertising. We and other parties use cookies and related technology for advertising purposes, which could constitute a “sale” or “sharing” of your personal information according to some privacy laws. If you would like to opt out of such cookie-based tracking for advertising purposes, you can update your cookie preferences on our websites by clicking on the “Cookie Center” link that may be in the footer of the page you are viewing or by broadcasting an opt-out preference signal recognized by Hyatt, such as the Global Privacy Control signal, on a browser or browser extensions that support such a signal. Additionally, you can opt out of certain uses of cookies for advertising purposes by visiting aboutads.info/choices.

Your opt out of cookie-based tracking for advertising purposes is specific to the device, website, and browser you are using, and is deleted whenever you clear your browser’s cache. This means you need to adjust your cookie preferences on each website, device, and browser you use.

• Opt-out of targeted advertising –  We may use personal information obtained (or in some instances inferred) from your activities across unaffiliated sites to send more relevant advertising to you, including certain categories of personal information in Section 2 above. You can request that we stop using your personal information for such targeted advertising by following the steps below and also updating your cookie preferences by clicking on the “Cookie Center” link that may be in the footer of our websites (e.g., Hyatt.com), or broadcasting an opt-out preference signal recognized by Hyatt, such as a Global Privacy Control signal, on the browser or browser extensions that support such a signal. Additionally, you can opt out of certain uses of cookies for advertising purposes by visiting aboutads.info/choices. Your opt out of cookie-based tracking for advertising purposes is specific to the device, website, and browser you are using, and is deleted whenever you clear your cookies or your browser’s cache. This means you need to adjust your cookie preferences on each website, device, and browser you use.
• Correct or update my personal information –  You may request that we correct, update, or modify the personal information we maintain about you. If you have an account, you can also update your profile information any time by visiting the account settings page within your account.

As is the case for all consumers regardless of residency, we will not deny you any products or services, nor discriminate against you in any other manner, in response to you exercising any of these rights.

Eligible individuals can request to exercise these rights by emailing or calling us using the contact information below or by clicking here: 

• Email –  privacy@hyatt.com
• Phone – (888) 524-9288

We may deny certain requests, or fulfil a request only in part, based on our legal rights and obligations. For example, we may retain personal information as permitted by law, such as for tax or other record-keeping purposes, to maintain an active account, and to process transactions and facilitate customer requests. You may submit an appeal if you are not satisfied with the outcome of your request. To do so, please send us an email to privacy@hyatt.com with “Data Subject Request Privacy Appeal” in the subject line.

Please note that after you opt out of sale, sharing, or targeted advertising, your use of our websites may still be tracked by Hyatt and our service providers.

We will take reasonable steps to verify your identity prior to responding to your requests. The verification steps will vary depending on the sensitivity of the personal information, the nature of your request, and whether you have an account with us.

You may designate an authorized agent to make a request on your behalf. When submitting the request, please ensure the authorized agent is identified as an authorized agent and ensure the agent has the necessary information to complete the verification process.

If you reside in California, you also have the right to ask us one time each year if we have shared personal information with third parties for their direct marketing purposes. To make a request, please write to us using the contact information provided under Section 13 below. Indicate in your correspondence that you are a California resident making a “Shine the Light” inquiry.

If you are a Nevada resident, you can request that we not “sell” your “covered information” (as defined in applicable Nevada law). To make such a request, email us using the information set forth in Section 13 below. Please use “Nevada Do Not Sell” in the subject line.     

12. Updates

This Policy may undergo modifications, changes, or updates resulting from new legal requirements, internal needs, improvements in our privacy practices, or other reasons. Any changes made to this Policy will be available on this website.

13. Contact

General
If you have any questions about this Policy or would like to exercise any of your rights set out in Section 11 above, please click here or contact us by any of the following means:

• by calling one of the toll-free reservation numbers located at the Customer Service page on hyatt.com;
• by mail at the following address:

Hyatt Hotels & Resorts
Attn: Consumer Affairs
9805 Q Street
Omaha NE 68127
United States; or

• by contacting the front desk at any of our Hyatt Locations.

If you are not satisfied with the response that you receive, you can escalate your concern to our Chief Privacy Officer or contact our Data Protection Officer (DPO) team by sending an email to privacy@hyatt.com.

14. The application of this Policy

Hyatt portfolio
This Policy applies to Hyatt Hotels Corporation and its direct and indirect subsidiaries.

This Policy also applies to the reservation information collected when booking through our websites and apps and any location listed on our website (unless excluded below) which includes Homes and Hideaways by World of Hyatt and the following brands (collectively, “Hyatt Locations”).

^{The use of the ® symbol designates marks that are registered with the U.S. Patent and Trademark Office, and such marks may also be registered with the trademark offices of certain other territories and countries.}

Hotel owners and operators
Most Hyatt Locations are operated in cooperation with independent property owners and their operators (as applicable) that own, lease, license, franchise or manage the property. As indicated in Section 6, property owners and operators may use your personal information for the limited purposes of complying with their legal obligations. 

You can ask for the details of the property owner for your Hyatt Location at the front desk or by using the contact details below.

Apple Leisure Group
This Policy does not apply to the Apple Leisure Group companies (“ALG Companies” or "ALG") and their affiliates, including ALG Vacations Corp., Unlimited Vacation Club, Amstar DMC, or Trisept Solutions, LLC. 

• The ALG Vacations Corp. privacy notice is available here.
• The Unlimited Vacation Club privacy notice is available here.
• The Amstar DMC privacy notice is available here.
• The Trisept Solutions, LLC privacy notice is available here.

Mr and Mrs Smith
This Policy does not apply to Mr and Mrs Smith (“MMS”) or properties made available for reservations via MMS. The MMS privacy notice is available here.

Playa Hotels & Resorts
This Policy does not apply to Playa Hotels & Resorts ("Playa"). The Playa privacy notice is available here. 

Further exclusions
This Policy does not apply to:

• Bahia Principe properties and locations,
• UrCove properties and locations,
• The Venetian Las Vegas,
• locations affiliated with the Joie de Vivre brand but not affiliated with Hyatt. This includes the Galleria Park hotel; and
• locations that participate in the World of Hyatt loyalty program through an alliance with the World of Hyatt program, but which are not Hyatt Locations. 
  

In each case, please check for and read the separate privacy policies provided.

Local laws
While this Policy is intended to describe the full range of our information collection, processing and sharing activities globally, some activities may be more limited in some jurisdictions based on the particular laws or regulations in those territories/countries.

For example, the laws of a particular territory/country may limit the types of personal information we can collect or the manner in which we process that information. In those instances, we adjust our practices to reflect the requirements of local law.

Please check Section 11 to see if there are any specific requirements under local law which are applicable to your jurisdiction.

Hyatt personnel
If you:

• are currently, or have been, a staff member of Hyatt; or
• apply, or have applied, to be a staff member of Hyatt,

please see the applicable Privacy Policy for Employees. This Policy does not apply to your personal information, unless collected in your capacity as a guest.