Latest Update and Release Date: June 11, 2025
Playa Management USA, LLC and our affiliates (“Playa”, “we”, “our” or “us”) always attach great importance on the protection of your personal data. When you make use of the websites owned and/or managed by us (collectively, the “Sites”), make bookings, stay at our resorts, and/or otherwise make use of our services, we collect and process your personal data. Our activities regarding the collection and processing of your personal data are set out in this privacy notice (the “Notice”). For Mexico Playa uses a separate privacy notice. A link to this separate privacy notice is provided under the header ‘Mexico’.
As of June 11, 2025, Playa has become part of the Hyatt Group. However, this Notice does not apply to the processing of your personal data by the Hyatt Group outside of Playa and our portfolio. For more information on how the Hyatt Group processes your personal data, please see its privacy policy found here: https://www.hyatt.com/info/privacy-policy.
Before using our Sites, services, and/or staying at our resorts, please read this Notice carefully. We will display this Notice or the link to this Notice on our Sites.
If we materially change this Notice, we will actively inform you about this either via email (if we have your email address), and/or on our Sites by notification through a pop-up. We will at all times publish the up-to-date version on our Sites, together with a summary of key changes.
This Notice contains the following:
2. Information on Who is Responsible for the Processing of your Personal Data
3. Ways of Collecting your Personal Data
4. Processing Purposes and Legal Basis
5. Automated Decision-Making
6. Retention Periods
7. Sharing or Disclosure of Personal Data
8. Cross-border Transfer of Personal Data
9. Data Subjects’ Rights and Requests
10. How we Protect your Personal Data
11. Protection of Personal Data of Minors
12. Disclaimer
13. Complaints
14. Mexico
15. United States
16. Jamaica
16. European Union
Personal data means any information relating to an identified or identifiable natural person. This means information that either directly relates to a natural person, or information that is traceable to a natural person i.e., by combining this with other information.
Please see Section 3 of this Notice to learn what personal data we process about you. In general, examples of personal data include your name, email address, phone number, mailing address, IP address, MAC address, bank account number, credit card details, username, gender, CCTV footage, access information, booking confirmation number and dietary restrictions or other preferences.
The data controller regarding the processing of your personal data is:
· | for the processing in connection with the use of our Sites: | Playa Management USA, LLC |
· | for the processing in connection with your booking and your stay at our resorts: | Playa Management USA, LLC and the management company of the corresponding resort. Please click here for a list of management companies. |
If you have any questions with respect to this Notice or the way in which we process your personal data, you may contact us via email at privacy@playaresorts.com or via mail:
Privacy Matters
Playa Management USA, LLC
1560 Sawgrass Corporate Parkway, Suite 140
Fort Lauderdale, FI, 33323
We collect your personal data in different ways, including but not limited to:
(a) when you provide it to us directly;
(b) through our business partners when you wish to make use of our services;
(c) automatically when you make use of our Sites;
(d) from our service providers;
(e) from our affiliates (including Hyatt Group companies); and
(f) through digital images or surveillance (i.e., CCTV) in line with our standard, automated practices.
You are not under a legal obligation or otherwise obliged to provide us with your personal data, but if you refrain from doing so, we may not be able to provide you with our services. For example, if you do not provide your information during our booking or check-in process, we are not able to proceed with the process and cannot provide your requested accommodation and other resort services.
This Notice solely describes how Playa handles your personal data, including from the moment we receive your personal data through a third party. This Notice does not and is not intended to describe how third parties from which we receive your personal data from, process your personal data.
In connection with the personal data collected during your stay at our resorts, the corresponding management company may designate a third-party to perform this activity.
Please click below to see what information we collect through your use of our Sites.
Personal Data | Special Category Data or Sensitive Personal Data | |
---|---|---|
When you sign up to receive offers and promotions | Name, email address, country and whether you are a travel agent. | N/A |
When you request a brochure delivery (or other hard-copy marketing materials) | Name, email address, mailing address, brand preference and whether you are a travel agent. | N/A |
When you participate in sweepstakes and contests | Information filled out in the sweepstake or contest entry form, usually including name, email address and mailing address, and whether you are a travel agent. | N/A |
When as a travel agent you register for our AgentCash+ preferred agent program | Name, email address, mailing address, home address, phone number, date of birth, registration number with other travel related organizations such as IATA and log-in credentials. | N/A |
Information collected through cookies and similar tracking tools | Please see our Cookie Notice for details, but in general this information will include how you interact with our Sites, including what pages and content you view or click. | N/A |
Please click below to see what personal data we collect when you make a booking for our resorts.
Personal Data | Special Category Data Or Sensitive Personal Data | |
---|---|---|
Via our Sites |
| credit card information (US) |
Via our partners (tour operators, Online Travel Agencies, travel agents and other partners; collectively, “Partners”) and our franchisors (“Franchisors”) |
| N/A |
Via our call center |
We also record calls. | credit card information (US) |
Please click below to see what information we collect when you stay at our resorts. From time to time, we may collect or request additional information upon prior notice to you.
Personal Data | Sensitive Data | |
---|---|---|
When you check-in at the resort | Information included in the registration card to be completed upon check-in, which generally includes: name, email address, mailing address, telephone number, arrival and departure dates and signature. | When checking in guests are asked about any allergies and, if applicable, that information (health related information) is collected. If required by applicable laws, we will also collect a copy of your ID document and/or the number of your ID document. |
When you access your room | Room number and log information (i.e., time and date on which you accessed the room, including entry attempts). | N/A |
When you make a spa reservation | Information included in the spa intake form, which generally includes name, room number, gender and signature. The spa intake form also includes an open field for you to include any other information which you feel we should be aware prior to your spa treatment (i.e., regarding specific physical or health conditions). | Possibly health information, or other special category data you provided in the blank space. |
When you book an activity (such as tours, excursions, or photography service) | Name, email address and other information necessary for the activity, including where applicable, images. | |
When you exchange currency | Name, room number and passport or government issued ID scan or copy | Passport biographical page (from which racial or ethnical information can be retrieved) and passport number/national identification number. |
When you make use of the WiFi-network at our resorts | Depending on the specific resort, information generally includes last name, room number and IP or MAC-address. | N/A |
When you purchase a day pass | We may also require you to fill out a registration card or similar form, containing your name and payment method. | Generally, we collect your passport or government issued ID as a safety deposit, but no copies or scans will be made. We may also collect your payment information (US). |
When you file a loss and accident report | Information provided through the report, including name, age, room number, contact details, signature, and any other information included in the report. | Depending on the nature of the accident or incident, possibly data relating to criminal activity or health information (i.e., physical injury). |
When you make use of our Kids Club services during your stay | Information provided through the Kids Club registration form, generally including: Minors: name, age, and information regarding special requirements (i.e., allergy information). Adults: name, room number, telephone number and signature. We may also request you to sign a waiver. | Possibly health information. |
When you make use of our nanny services during your stay | Information provided through the nanny services request form, generally including: Minors: name, age and information regarding special requirements (i.e., allergy information). Adults: name, room number, telephone number and signature. We may also request you to sign a waiver. | Possibly health information. |
When you enter CCTV surveillance areas | Camera footage. | Possibly data relating to criminal activity or other special category of personal data that can be derived from camera footage. |
When you submit surveys regarding your stay | Name, email address, time and duration of your stay, room number and booking number. We also collect the information you provide when completing a survey (survey input). | We do not collect Sensitive Data, unless you voluntarily disclose it in the survey input. |
For the processing of your personal data, we need a purpose. This purpose differs per processing activity. For example, if you want to make use of our spa services in one of our resorts, we need your information to be able to provide you with the requested services (including registration of your appointment).
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Where required by applicable law, we will seek your consent to process your personal data, including in particular your sensitive personal data.
When we process your personal data as one of our guests or someone else with whom we do business, we process that data on the basis of one more of the following so called “legal bases” depending on the circumstances and applicable laws:
(i) Performance of a contract: If you make a booking to travel with or receive services from us, our main lawful basis for using your personal data is the performance of our contract with you.
(ii) Legitimate interests: If you are traveling with or receiving services from us but someone else in your party or family contracted with us to make the booking, our lawful basis is our legitimate interest in administering your travel and services. Our main lawful basis for using your personal data for our wider business purposes – such as planning, risk management and marketing – is the legitimate interests in providing, improving, and developing our services. We will not use your personal data for the purposes of a legitimate interest where this legitimate interest is overridden by your interests or fundamental rights and freedoms. If you want to learn more about our legitimate interests in processing your personal data, you may contact us via email at privacy@playaresorts.com.
(iii) Legal obligations: Where necessary, we will use your personal data to meet our tax and other legal obligations under applicable laws.
Please find below the purposes for which we process your personal data.
For personal data collected when you make through your Use of our Sites, we process personal data for the purposes described below, in addition to other purposes where allowed or required by applicable law or court order (such as legal compliance, accounting, and reporting).
Purpose | |
---|---|
When you sign up to receive offers and promotions | Sending you our offers and promotions. |
When you request a brochure delivery (or other hard-copy marketing materials) | Responding to your request (i.e., providing you with the requested hard-copy brochures and other marketing materials). |
When you participate in a sweepstakes and contests | Managing your participation in our promotional sweepstakes and contests, including our legal compliance and recordkeeping obligations. Communicating with you about those (including on prizes) and for general marketing when you give us permission to do so. |
When as a travel agent you register for our AgentCash+ preferred agent program | Managing your registration for and membership of the AgentCash+ program |
Information collected through the use of cookies | Please see our Cookie Notice for details, but we use this information to personalize content, enhance your experience, conduct analytics, operate and protect the Sites, and for marketing purposes. |
For personal data collected when you make a booking for our resorts, we process personal data for the purposes described below, in addition to other purposes where allowed or required by applicable law or court order (such as legal compliance, accounting, and reporting).
Purpose | |
---|---|
Via our Sites | Processing bookings and customer management. |
Via our call center | Processing bookings and customer management. Call recordings are made for quality and training purposes. |
When you participate in a sweepstakes and contests | Managing your participation in our promotional sweepstakes and contests. Communicating with you about those (including on prizes). |
For personal data collected when you stay at our resorts, we process personal data for the purposes described below, in addition to other purposes where allowed or required by applicable law or court order (such as legal compliance, accounting, and reporting).
Purpose | |
---|---|
When you check-in at the resort | Providing accommodation and other resort services, customer management, invoicing, contacting you if needed, providing information regarding reservations and handling guest’s requests. |
When you access your room | Protecting the safety and security of the resort, our guests (including their personal belongings), and that of our staff. |
When you make a spa reservation | Registration of your appointment and providing the requested spa services and treatments; customer management and handling requests. |
When you book an activity or request a service (such as tours, excursions, or photography service) | Registration of your requested activity or service, providing the service requested, and customer management. |
When you exchange currency | Providing currency exchange services. |
When you make use of the WiFi-network at our resort | Providing WiFi-services and securing networks. Guest’s room number and last name are collected as WiFi-network users may only register a certain number of devices, allowing us to have control over our network connections, both for security purposes and for connectivity. |
When you purchase a day pass | Providing resort services, processing your payment, and for security purposes. |
When you file a loss and accident report | Safety and security of our resort, associates, guests and visitors; contacting you if needed, insurance purposes and legal purposes (if applicable). |
When you make use of our nanny services during your stay | Providing nanny services and for contacting you if needed. Personal data contained in the waiver is processed for legal purposes. |
When you make use of our Kids Club services during your stay | Providing Kids Club’s services and for contacting you if needed. Personal data contained in the waiver is processed for legal purposes. |
When you submit surveys regarding your stay | Collecting feedback on resort services, improving our resort services and responding to feedback on guest’s experience at our resorts. |
When you enter CCTV surveillance areas | Protecting the safety and security of the resort and its guests and visitors, and our associates. Protecting the personal property of anyone in our resort. |
We do not undertake any automated decision-making activities, including profiling, in furtherance of decisions that produce legal or similarly significant effects concerning you.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for as set out under Section 4, including for the purposes of satisfying any legal, accounting or reporting requirements.
The retention period varies per processing purpose, but in general terms this means that we will retain your personal data for the duration of your relationship with us and for the length of any applicable statute of limitations for claims which might be brought against us later, or for the duration of any legal proceedings brought by or against us.
There are also certain types of information, such as tax related records, which require to be retained for a certain period by applicable law. We will remove your personal data if we no longer need it for this purpose.
In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
We may share your personal data with other parties, including the following:
(a) Group companies: We may share your personal data within our group of companies for administrative, operations, marketing, revenue, legal and accounting purposes, as well as for system maintenance support and hosting of data. Additionally, in the context of a business reorganization or group restructuring exercise, we may transfer your personal data within our group of companies. Please note that as of June 11, 2025, Playa has become part of Hyatt Group. Hence, we may disclose your personal data to other organizations within the Hyatt Group for the purposes described in this Notice, including for providing you with our services, and for administering membership/loyalty programs. The personal data shared with Hyatt Group may include personal information, demographic information, contact information, stay information (including your preferences and inferences made about you), club information, purchase history, consent records, third-party platform information, third-party information, and website data. This personal data may be shared to provide administrative support, group analytics and business planning, commercial services, and World of Hyatt participation. How Hyatt uses your personal data is set out in the Hyatt Privacy Policy for Guests.
(b) Business partners: We may share your personal data with our business partners, including Partners, Franchisors, third party resort owners and their affiliates, membership club operator, insurance brokers, insurance companies and their advisors/third party service providers.
(c) Governmental entities: Upon request from a competent government authority, we share personal data we collect with law enforcement agencies and other governmental bodies.
(d) Companies that process personal data on our behalf: We share personal data with or provide access to vendors and service providers who work on our behalf or provide services to us and perform services on our behalf. We obtain consent for such sharing where legally required. Any such third party that processes personal data on our behalf will have to comply with data protection rules and security measures we set. Where appropriate, we will execute a written data processing agreement with this third party.
(e) In connection with a merger, acquisition, or business transfer: If we sell all or a part of our company, are part of a merger, consolidation, restructuring, and/or sale of assets or other corporate change, your information may be transferred as part of that transaction.
(f) Analytics and advertising partners: We may disclose your personal data to platforms that assist us with our analytics and digital advertising, including social media platforms, advertising networks, and analytics providers.
(g) At your direction: We may disclose your personal data at your direction or with your consent.
We may transfer your personal data to countries other than the country in which your personal data was collected. Those countries may not have the same data protection laws as the country in which you initially provided the information. We will comply with the requirements for cross-border data transfers under applicable law. In addition to the third parties mentioned below, we may also share your personal data within our group of companies, and our Franchisors and their affiliates based in other countries, such as the US.
Where your personal data is shared with the Hyatt Group, it will be transferred to the major locations in which Hyatt or Hyatt Locations (as defined by the Hyatt Privacy Policy for Guests) operate including the US, Hong Kong and Germany (a full list of the locations where your personal data could be transferred can be found by selecting “All” at www.hyatt.com/explore-hotels). Hyatt has implemented Binding Corporate Rules to protect personal information it transfers to other countries. You can find out more about how the Hyatt Group safeguards international transfers of personal data here).
By clicking on the more information links below, you can find out more about the types of parties we share your personal data with and the countries where your personal data is collected, used, stored, or otherwise processed, and the countries to which your personal data may be exported.
Personal data collected in connection with your use of our Sites.
Personal data collected in connection with your use of our Sites.
Transfer (including access, sharing and disclosure) | Countries to which information is exported (including for storage) | |
---|---|---|
When you sign up to receive offers and promotions | For sending marketing communications we use email service providers. Also, your information is uploaded in our centralized customer relationship management database (“CRM”), provided by a third-party service provider. | Personal data is collected, processed and stored in the US |
When you request a brochure delivery (or other hard-copy marketing materials) | For sending marketing materials we provide your information to mailing services providers. Also, your information is uploaded in our CRM, provided by a third-party service provider. | Personal data is collected, processed and stored in the US. |
When you participate in a sweepstakes and contests | For sending communications we use mailing and sweepstakes service providers. Also, if you sign up to receive our direct marketing communications during your sweepstakes registration, your information is uploaded in our CRM, provided by a third-party service provider. | Personal data is collected, processed and stored in the US. |
When you book an activity or request a service (such as tours, excursions, or photography service) | Registration of your requested activity or service, providing the service requested, and customer management. | Personal data is collected, processed and stored in the US. |
When as a travel agent you register for our AgentCash+ preferred agent program | Our online AgentCash+ platform is maintained by a third-party service provider. | Personal data is collected, processed and stored in Mexico, Dominican Republic, Jamaica and the US. |
Information collected through the use of cookies |
Personal data collected in connection with your use of our Sites.
Recipients (including transfer, access and disclosure) | Countries to which information is exported (including for storage) | |
---|---|---|
Via our Sites, call center, Partners and Franchisors | Booking information is disclosed to the relevant resort and payment service providers. Booking information flows through our central reservations system (“CRS”), property management system (“PMS”), and hotel revenue management software (“HRM”). These systems are developed by third parties. If you are enrolled in our membership club program, we will share your name and check-in/check-out date with the membership club operator. For Seadust Cancun Family Resort only, booking information may be disclosed to an affiliate of the third-party resort owner in connection with its vacation club program. | Mexico, Jamaica, Dominican Republic, US, and other locations where Partners or service providers are located. |
Personal data collected in connection with your stay in our resorts.
Transfer (including access and disclosure) | Countries to which information is exported (including for storage) | |
---|---|---|
When you check-in at the resort | Your personal data may be disclosed to payment service providers, and if applicable, to Partners, Franchisors, or third-party resort owners. Your personal data flows through our CRS, PMS, and HRM systems. Franchisors may have access to our PMS. If you are enrolled in our membership club program, we will share your name and check-in/check-out date with the membership club operator. For Seadust Cancun Family Resort only, your personal data may be disclosed to an affiliate of the third-party resort owner in connection with its vacation club program. | US and other locations where Partners, Franchisors or service providers are located. |
When you make a spa reservation | If applicable, your information is uploaded in our spa reservations system. | Canada, US. |
When you file a loss and accident report, or otherwise file a claim | Your information may be shared with our insurance brokers, our insurance companies and any third-party advisors hired by our insurance companies, such as adjuster firms and/or defense counsel. Your information may also be shared with the police or other official authorities upon formal request or if deemed necessary by us. If you need to be taken to the hospital by an ambulance, we may provide information to the medical team for your treatment. | US and other locations where recipients and other service providers are located. |
When you submit surveys regarding your stay | For the processing of surveys, we use an external services provider, which received your name and email address. Survey information and input is uploaded into our CRM, which is provided by a third-party service provider. | US and other locations where Partners, Franchisors or service providers are located. |
In the event of an incident during your stay at our resorts | If there is an incident during your stay at our resorts, we may share your personal data with our insurance brokers, insurance company and any third-party advisors hired by the insurance company in connection therewith (i.e., adjuster firms or defense counsel), and our Franchisors. | US and other locations where these parties are located. |
Subject to applicable law and additional jurisdiction-specific rights further below, you have the right to access your personal data, the right to rectification, the right to erasure, and the right to object to the processing of your personal data for direct marketing. Most of these rights are not absolute and subject to exemptions in the law, and/or may only apply to certain types of information or processing.
Below we set out your rights in more detail. You can exercise any of your rights by sending an email to privacy@playaresorts.com. We will respond to your request within the period of time required by law. We have the right to extend this period (for example if your request is complex), but if we extend the response period, we will let you know promptly.
Please note that to help protect your privacy and maintain security, we may take steps to verify your identity before complying with your request including asking for information about your identity or booking. Some jurisdictions permit you to designate an authorized agent for exercising your data subject rights. If you use an authorized agent for submitting a request based on one of your rights, we will ask your agent to provide information to demonstrate the agent has your authorized consent to submit a request hereunder.
We do not and will not discriminate against individuals who choose to exercise their legal privacy rights, such as by charging higher prices or providing lower quality service.
If your request is clearly unfounded or excessive, we reserve the right to charge a reasonable fee or refuse to comply in such circumstances, unless this is not allowed under applicable privacy laws.
You have the right to appeal a decision that we make regarding a privacy rights request that you have submitted. To exercise this right, you may contact us via email at privacy@playaresorts.com.
Please click “read more” for more information on what these rights mean for you.
Your right | Description |
---|---|
Right to access, Right to know | You have the right to request that we confirm whether we process personal data about you, and to disclose to you the following: (i) the categories of personal data that we have collected about you (including sensitive personal data); (ii) the categories of sources from which we have collected personal data about you; (iii) the business or commercial purpose for collecting your personal data; (iv) the categories of personal data that we have disclosed about you for our business purposes and the categories of vendors to whom the personal data was disclosed; and (v) a portable copy of the specific pieces of personal data that we have collected about you. Please note that data protection rights and/or freedoms of others may stand in the way of us complying or fully complying with your request. |
Right to correction or update | You may request that we correct, update, or complete your personal data if it is inaccurate or incomplete. |
Right to erasure (deletion) | You may request that we delete certain elements of your personal data. There are certain exceptions where we may refuse a request for erasure, for example, where the personal data is required for compliance with applicable law or in connection with a claim and/or legal dispute. |
Right to object to direct marketing | You may request that we stop processing your personal data for direct marketing purposes (i.e., opt-out or unsubscribe). |
Right to withdraw consent | You have the right to withdraw your consent at any time if the processing of personal data is based on your consent. Please note that the withdrawal of your consent does not affect the validity of the processing prior to your withdrawal. If you withdraw your consent, we may continue processing your personal data if we need it for another lawful purpose. |
We have adopted administrative, technical, organizational and physical safeguard measures designed to protect your personal data against accidental, unlawful or unauthorized destruction, damage, loss, alteration, modification, access, disclosure or use. Specific measures include, but are not limited to:
(a) technical measures, such as encryption techniques and access control where appropriate;
(b) data security management regulations, such as a data compliance policy, security management regulations, non-disclosure agreements, employee training on personal data and data protection, and legally binding contracts or agreements; and
(c) information security response emergency system, that is, in case of information security event, we will immediately start emergency measures according to provisions of applicable laws and regulations.
Minors (individuals under the age of 18) should not provide us with personal data. If you – as a person with parental responsibility over the minor – notice that your minor has provided us with personal data without your approval (for instance, by submitting an incorrect age), you may contact us via email at privacy@playaresorts.com.
For your convenience and information, our Sites may contain links to third party websites or applications. These third parties may have their own privacy policies to protect the personal data they collect. We are not responsible for the privacy protection of data collected through others. When clicking related links or accessing related Sites, please pay attention to the security of your personal data, and carefully read the privacy policy of the related party.
If you have any complaints or inquiries about the processing of your personal data, or if you have any inquiries in connection with this Notice, you may contact us via email at privacy@playaresorts.com. We will respond within a reasonable time limit (ultimately within the time period required by applicable law).
If the Mexican Federal Law on the Protection of Personal Data held by Private Parties applies, our Mexican Privacy Notice Applies.
For United States residents, the following applies in addition to the Sections 1-13. If there is a conflict between this Section 15 and the remainder of this Notice, the contents of this Section 15 prevail.
In addition to the rights described in Section 9, United States residents have the following additional Data Subjects Rights and Requests:
Right to know about sales and sharing of personal data | You may request that we disclose certain information about how we have sold or shared (for targeted advertising) your personal data, including the categories of personal data sold or shared; the business purpose for selling and sharing your personal data; and the categories of third parties to whom your personal data has been sold or shared. |
Right to opt-out of our sale of your personal data, and the processing or sharing of your personal data for targeted advertising | Our use of certain third-party cookies and online tracking tools might be considered “sales” or “sharing” under the definitions of U.S. state privacy laws. In relation to these tools, you can opt-out of the sale of your personal data and the sharing or processing of your personal data for targeted advertising by clicking the Cookie Settings link in the footer below and clicking ‘Reject All’. Any cookie selections you make are specific to the device, website, and browser you are using. Your selections are deleted whenever you clear your cookies or browser’s cache. Alternatively, you may download and use a browser supporting the Global Privacy Control (GPC) browser signal, or contact us via email at privacy@playaresorts.com. If you choose to use the GPC signal, you will need to turn it on for each supported browser or browser extension you use. More information on the GPC may be found at https://globalprivacycontrol.org/. |
U.S. residents have the right to opt-out of the processing of personal data to create a profile for use in decisions that are legally significant, such as banking services, housing, insurance, education, employment, healthcare, or criminal justice. However, as noted in Section 5 above, we do not process your personal data to create a profile for use in a decision that could produce such a legal or similarly significant effect.
California notice at collection
For purposes of exercising the rights described in this Notice and in this U.S. section, please note the following additional details regarding how we collect and use your personal data:
Depending on the nature of our interactions with you, we may collect, and use for our business and commercial purposes, the following categories of personal data as set forth in applicable California law: Identifiers; California customer records (such as birthdate, contact information, and payment information); characteristics of protected classifications under California or federal law (such as demographic information); commercial information (such as purchases); Internet or other electronic network activity information (such as your browsing behavior); audio, electronic or visual information (such as CCTV footage); sensitive personal data (as set forth in Section 3 above); and inferences.
We use the above categories of personal data for the business and commercial purposes described in Section 4 above.
We collect personal data from the following categories of sources, as more fully described in Section 3 above: directly from you, from our business partners (such as Partners, Franchisors, travel agents, or booking platforms), automatically from your devices, from our service providers, from our affiliates and subsidiaries, and through digital images or surveillance (i.e., CCTV).
We may disclose each of these categories of personal data to the extent permitted by applicable law with the following categories of parties, as more fully described in Section 7 above: affiliates, service providers, business partners, advertising networks, data analytics providers, social media networks, other booking platforms, with entities for our legal compliance purposes, and with potential acquirers or creditors.
We may “sell” or “share” for purposes of cross-context behavioral advertising the following categories of personal data: identifiers; customer records; demographic information; commercial information; website data or other electronic network activity; and inferences. We sell and share this personal information with advertisers, advertising networks, and social networks. We do not knowingly sell or share the personal data of consumers under 16 years of age.
We only use and disclose your sensitive personal information for purposes that are specifically allowed for by the California Consumer Privacy Act and its regulations. Those purposes can be found in the California Consumer Privacy Act Regulations in Section 7027(m), and include things to perform the service or provide the goods you request or to ensure the physical safety of a person.
The Data Protection Act, 2020 and its requirements apply to residents of Jamaica. For residents of Jamaica, the following applies in addition to the paragraphs 1-13. If there is a conflict between this paragraph 16 and the remainder of this Notice, the contents of this paragraph 16 prevail.
(i) You can exercise any of your rights by sending an email to privacy@playaresorts.com. We will respond to your request within thirty (30) days but have the right to extend this period for forty-five (45) additional days (for example if your request is complex). If we extend the response period, we will let you know within thirty (30) days from your request.
(ii) The following additional Data Subjects Rights and Requests apply:
Right to prevent processing | You may require Playa to ensure that no decisions that are fully automated and are based solely on the processing, by automatic means, of personal data in respect of the Data Subject for the purpose of evaluating matters relating to the data subject. Exempted are decisions that are to decide on whether to enter into a contract with a Data Subject, provided safeguards have been taken. Playa currently does not undertake fully automated decision making. |
Right to automated decision making | You may require Playa to ensure that no decisions that are fully automated and are based solely on the processing, by automatic means, of personal data in respect of the Data Subject for the purpose of evaluating matters relating to the data subject. Exempted are decisions that are to decide on whether to enter into a contract with a Data Subject, provided safeguards have been taken. Playa currently does not undertake fully automated decision making. |
Right to appeal | You have the right to appeal a decision that we make regarding a consumer rights request that you have submitted. To exercise this right, you may contact us via email at privacy@playaresorts.com |
The EU General Data Protection Regulation (GDPR) applies to the processing of personal data in the context of our activities in the EU, regardless of whether the processing takes place in the EU or not. If so, the following applies in addition to the Sections 1-13. If there is a conflict between this Section 17 and the remainder of this Notice, the contents of this Section 17 prevail.
(i) You can exercise any of your rights by sending an email to privacy@playaresorts.com. We will respond to your request without undue delay and in any event within one (1) month of receipt of the request. We may extend that period by two (2) further months where necessary, taking into account the complexity and number of the request(s). If we extend the response period, we will let you know within one (1) month from your request, together with the reasons for the extension. If we have reasonable doubts concerning your identity, we may ask for additional documentation and/or information as necessary to verify your identity.
(ii) For the EU, the following Data Subjects Rights and Requests apply:
Right to access | You have the right to request that we confirm whether we process any personal data about you.
If this is the case, you have the right of access to this data and to the following information, among others: (i) the purposes of the processing; (ii) the categories of the personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed; (iv) the storage period or the criteria used to determine that period; (v) the existence of certain data subject rights under data protection law; (vi) the existence of a right to lodge a complaint with a supervisory authority; (vii) where the personal data have not been collected from you, any available information as to their source; and (viii) information about the existence of automated decision-making, including profiling.
You also have the right to receive a copy of the personal data we process about you. However, we may not disclose any data you are not entitled to receive (e.g. data that reveals information about another person). Please note that in such cases we may not provide you with a full copy or we may have to redact it. |
Right to rectification | You have the right to obtain from us the rectification of any inaccurate personal data concerning you and to have any incomplete personal data concerning you completed. This applies regardless of the legal basis on which we process your personal data.
If we agree that the information is incorrect, we will delete or correct the information. If we do not agree that the information is incorrect, we will tell you that we do not agree and record the fact that you consider that information to be incorrect in the relevant file(s). |
Right to erasure | You may request from us the erasure of your personal data without undue delay if one or more of the following cases apply: (i) the personal data are – regardless of the legal ground on which we process them – no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) you have consented to the processing of your personal data and now withdraw such consent, and there is no other legal ground for processing the relevant personal data; (iii) you object to the processing of your personal data pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing purposes pursuant to Article 21(2) GDPR; (iv) personal data are processed unlawfully; or (v) personal data have to be erased for compliance with a legal obligation under EU or EU Member State law to which we are subject. |
Right to restriction of processing | Regardless of the legal ground on which we process your personal data, you may request from us restriction of processing if: (i) you contest the accuracy of the data; (ii) the processing is unlawful and you request, instead of erasure of the relevant personal data, the restriction of the use of such personal data; (iii) we no longer need the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims, or (iv) you have objected to the processing pursuant to Article 21(1) GDPR pending the verification whether our legitimate grounds override yours.
As a result of the restriction of processing, we may only process your personal data, with the exception of storage, as follows: (i) with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest of the EU or of an EU Member State. |
Right to data portability | You have the right to receive your personal data provided to us, in a structured, commonly used and machine-readable format and to transmit such data to a third-party where (i) the processing is based on consent or contract; and (ii) the processing is carried out by automated means. |
Right to withdraw your consent | Where we process your personal data based on your consent, you may withdraw your consent at any time, without giving any reason, by contacting us by using the contact details specified in Section 2 of this Notice. Please note that the withdrawal will only become effective after the date of request. Data processing performed prior to the withdrawal will not be affected. |
Right to lodge a complaint with a data protection authority | You have the right to lodge a complaint with a competent supervisory authority, in particular with the supervisory authority of the Netherlands (Autoriteit Persoonsgegevens). Of course, you are also free to contact any data protection authority within the EU, for example the one competent where you reside. |
(iii) In addition, you have the right to object to the processing of your personal data in the following cases:
Right to object to processing based on legitimate interests | You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you where we process such data on the basis of our legitimate interests pursuant to Article 6(1)(f) GDPR.
If you object to such processing, we will no longer process the personal data concerned, unless: (i) we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or (ii) the processing serves the purpose of establishing, exercising or defending legal claims |
Right to object to direct marketing | You have the right to object at any time to processing of personal data for direct marketing purposes (including profiling to the extent that it is related to such direct marketing).
Where you have objected to processing for direct marketing purposes, we will then no longer process your personal data for such purposes. |