Privacy policy
1. Introduction
As part of the Elancia group, le Luz Grand Hôtel (“we”, “us”, “our”) offers its customers and prospects (“you”, “your”) hotel services, including hotel, restaurant and SPA services, as well as special offers, gift packs and associated newsletters.
This privacy policy describes, for all our activities, our practices for collecting, using and transferring your personal data.
We are committed to ensuring the protection of your data in compliance with the General Data Protection Regulation (n°2016/679) and the French Data Protection Act (n°78-17).
The data controller is le Luz Grand Hôtel, a limited liability company registered in the Montpellier Trade and Companies Register under SIREN number 485.219.307, with registered address for all matters relating to personal data at 265 Avenue des Etats du Languedoc, 34961 Montpellier Cedex 2, CS 99553. The representative of the data controller is the hotel manager, Mrs Véronique Allegre.
2. Collecting your personal data
Your data and that of the people accompanying you may be collected directly from you on the hotel’s website (via information or reservation forms, cookies or chatbot), or during your stay (form filled in, data provided verbally, etc.).
Due to the nature of the services we offer, your data may be collected by other entities for transmission to us, primarily booking sites, providers and platforms. We may also collect data from affiliated entities, business partners, subcontractors and service providers if their personal data protection policies so permit. In any case, your data will not be collected from a publicly accessible source.
Given the above, the purpose of this Privacy Policy is to inform not only those whose data is directly collected, but also those whose data is indirectly collected by and/or for Luz Grand Hôtel, in accordance with Articles 13 and 14 of the General Data Protection Regulation (no. 2016/679).
3. The personal data we process
The term “personal data” refers to any information that directly or indirectly identifies a natural person. This is the case for a first or last name, but also for the language you speak, your booking details, your license plate number, etc.
The term “purpose” refers to the reason why we process your personal data. The term “legal basis” refers to the legal foundation on which the processing of your data is based. All processing must have a legal basis in order to be lawful. No data collected and processed by Luz Grand Hôtel will be used for any purpose other than that indicated in the tables below.
Summary table of categories of data processed, purpose of processing and retention periods :
| Purposes | Categories of data processed | Retention period |
|---|---|---|
| Video surveillance to protect the premises | Images and all data deducible therefrom | 27 days on Luz Grand Hotel servers |
| Booking, provision and payment of services | Identification data and contact details Banking data Health data | 10 years from transaction date (billing data) Data required for payment are stored from the time the CB fingerprint is taken (where applicable) until actual payment The time required to provide the service |
| Newsletter management and dispatch | Identification data, contact details, newsletter follow-up data (e-mail opened, link clicked, etc.) | As long as the person is registered, with an annual purge of “inactive” Deletion from the active database on receipt of a withdrawal of consent or a request to this effect, retention for probationary purposes for 5 years |
| Satisfaction surveys through questionnaires | Identification data and contact details Replies to questionnaires (pre- and post-stay) | These data are anonymized after processing by the service provider and before publication of the notice 3 years from the last service or last contact |
| Complaints management | Identification data, contact details, details of stay, content of claim | During claim processing, then 5 years for probationary purposes |
| Litigation management | All relevant litigation data | At the latest until the corresponding action becomes time-barred Court rulings are kept indefinitely. |
| Digital marketing | Targeting criteria | Data is held by marketing service providers (social networks and search engines) for the periods defined by each of them |
| Management of the Data Controller’s contractual partners | Professional identification data of partner personnel | Duration of contract with contractual partner, then 5 years probationary period |
| Website management and operation | Connection data required for proper operation of the site / necessary cookie Data entered in the Velma chatbot | 13 months maximum 6 months |
| Cookie management | Necessary cookie data, in particular: location, page tracking, clicked links… | 6 months maximum |
| Communication management (social networks) | All public data posted online by social network users, and/or messages exchanged with the Data Controller’s accounts. | Data held and stored by each social network according to its own procedures |
| Creation of a police record | Data required by article R814-2 of the French Code on the Entry and Stay of Foreigners and the Right of Asylum (Code de l’entrée et du séjour des étrangers et du droit d’asile) | Duration imposed by article R814-3 of the code de l’entrée et du séjour des étrangers et du droit d’asile (6 months) |
| General accounting | Items appearing on invoices | Duration imposed by article L123-22 of the French Commercial Code (10 years) |
| Exercise of RGPD rights (listed below) | Identification and contact data, data relevant to the processing of the request | For the time required to process the request, then 5 years for probationary purposes |
Summary table of the legal bases associated with each purpose :
| Legal basis | Associated purposes | Details |
|---|---|---|
| Contract execution | Booking, provision and payment of services Management of contractual partners | N/A |
| Legitimate interest | Protection of the establishment by video surveillance Provision of a Wifi connection on all premises Satisfaction survey Management of cookies required or exempted from consent Management of tracers and similar online tracking technologies (excluding cookies) Management of social networks Management of complaints and disputes Digital marketing | Security of goods and persons Improving the service by providing internet access Seeking to improve the service by collecting feedback Proper operation of the site and audience measurement Managing external communication and carrying out personalised advertising Monitoring, researching and improving the customer experience Defending the interests of the Data Controller in legal proceedings Managing external marketing through the use of targeted advertising |
| Consent | Any health data notwithstanding purpose Cookie management (not required) Newsletter management and dispatch | N/A |
| Legal obligation | General accounting Police record Keeping a single personnel register Exercising the rights of individuals guaranteed by the RGPD. | This includes billing data resulting from certain contractual performances |
4. Cookies and other web technologies
We collect data via cookies and other similar technologies (web beacons).
Cookies” are small text files that are automatically copied to your computer or mobile device when you visit a website. These “cookies” contain basic information about your use of the Internet. Your browser sends these “cookies” to our website each time you visit it, so that your computer or mobile device is recognized and your browsing experience is personalized and enhanced.
Some cookies are said to be “necessary”, meaning that the website cannot function and display on your terminal.
Others are said to be “non-necessary”, and are intended to establish traffic statistics, or to personalize and improve your browsing experience and the targeting of the advertising you see. These will only be deposited on your browser if you expressly accept them.
You can control your consent to non-necessary cookies by means of a drop-down banner displayed on your first visit to the site, and then at any time thereafter by clicking on the “cookie settings” bar displayed at the bottom right of your screen when browsing our site.
The lists of cookies and tracers, as well as their purposes and the partners who install them, are available in the “Configure your choices” and “View partners” tabs of the drop-down menu.
In addition, our website may contain links to third-party websites, applications and plug-ins. If you access other websites from links provided on our website, the operators of these sites may collect or share information about you. This information will be used by these operators in accordance with their privacy policies, which may differ from ours. We invite you to read those privacy policies and to refer directly to those third parties if you have any questions about their practices.
5. Sources and recipients of your data
When we do not collect your data directly, it is transmitted to us by our subcontractors and partners, i.e. essentially the booking platforms that offer our services: travel agencies, tour operators, online travel agencies (in particular online booking platforms)…
Within Le Luz Grand Hotel, your personal data is only accessible to those who have a strict need to know. It may be shared with the following categories of recipients:
- Intragroup: other Elancia Group companies, notably Socri Financière Hôtelière and Elancia, mainly for marketing, accounting, HR and legal aspects.
- Official bodies: in order to fulfill and satisfy our legal obligations, your data may be transmitted to such bodies, such as :
- Law enforcement agencies (e.g. video-protection images handed over to an OPJ, upon request).
- Legal organizations (e.g. all elements required to defend Luz Grand Hotel in court, such as the invoice and details of the stay).
- Control bodies (e.g. billing information for statutory auditors).
- Website: your data may be shared with our service providers who operate our website (e.g. audience measurement) or enable us to offer our online services (e.g. automatic redirection to our online payment service provider).
Satisfaction surveys and newsletters: your contact data will be used by our technical service providers to send you e-mails.
6. Purposes of processing and use of your personal data
We have implemented technical and organizational measures appropriate to the sensitivity of personal data, to ensure data integrity and confidentiality and to protect it against malicious intrusion, loss, alteration or disclosure to unauthorized third parties.
We carry out regular audits to check that data security rules are being properly applied at operational level.
To meet these commitments, our service providers and subcontractors are carefully selected and are required to provide a level of personal data protection at least equivalent to our own.
For example, our Consent Management Platform provider (the banner allowing you to make your choices regarding cookies) has been chosen because it anonymizes the data collected by unnecessary cookies, before communicating it to Google Analytics.
In this way, your data does not transit through the United States (a country considered not to offer a level of data protection equivalent to that of the EU).
For some service providers, data is transferred outside the European Union, to countries that are not subject to adequacy decisions by the European Commission, such as the United States.
In these cases, we only choose service providers who have adopted Standard Contractual Clauses (SCC) or obtained certifications (e.g. Data Privacy Framework) in order to best protect your data.
In addition, we put in place organizational measures to limit and secure data transfers as much as possible.
7. Your rights
In accordance with data protection regulations, you have the following rights concerning your personal data:
- Rights of access, rectification and deletion,
- Right to restrict processing,
- Right to object to processing,
- Right to data portability,
- The right not to be subject to automated processing or profiling. However, none of the processing carried out by (or on behalf of) Luz Grand Hôtel constitutes automated processing or profiling with a significant legal impact on you.
You can exercise your rights or request further information through the following channels:
- By email to contactrgpd@luzgrandhotel.fr
- By post to the following address: 265 Avenue des Etats du Languedoc, CS 99553, 34961 Montpellier Cedex 2, France.
- At the hotel reception
If you would like more information, or if, despite our replies, you feel that they are insufficient, or that data processing is unlawful, you can contact the Commission Nationale Informatique et Libertés(https://www.cnil.fr/fr/plaintes).
8. Changes to the Privacy Policy
We may modify, update and/or replace this privacy policy, particularly in the event of changes in regulations concerning the protection of personal data. We therefore recommend that you consult this privacy policy regularly to ensure that you are aware of the latest version.
