PRIVACY POLICY | CREAL HOTELS【Official】

Creal Hotels Inc. (“Creal Hotels”, “we”, “us” or “our”) understands the importance of personal data in the course of operating our hotels and other businesses, and we will endeavor to use it appropriately and to protect it responsibly. We establish and observe our Privacy Policy (hereinafter referred to as “this Policy”) in the following manner.

In this Policy, personal data refers to any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined in applicable data protection and privacy laws, in particular “personal data” defined in the EU and UK General Data Protection Regulation (“GDPR”) and “personal information” defined in the California Consumer Privacy Act (“CCPA”) and the Personal Information Protection Law of People’s Republic of China ("PIPL”). Depending on the context, personal data refers to either personal data that has been processed within the past 12 months or personal data that is intended to be processed in the future.

Please note that this Policy will only apply to the processing of personal data in relation to the data subject located outside Japan. If the data subject is located Japan, the Japanese version of the Privacy Policy will apply. In the case of any conflict between this Policy and any other policy or terms and conditions, this Policy shall prevail.

1. Identity of the Data Controllers

Creal Hotels will collect and process your personal data as data controllers. The details of Creal Hotels are as follows:

Company Name	Address
Creal Hotels Inc.	8th Floor, Shimbashi 27 MT Building, 2-12-11 Shimbashi, Minato-ku, Tokyo

2. Personal Data Collected by Us

The categories and sources of personal data collected by us shall be as follows:

(a) Information to be Provided by You: This includes information about you that you give us by filling in forms or by communicating with us, whether face-to-face, by phone, e-mail or otherwise. This information may include:

Account registration data, including name, email address, telephone number, profile image, occupation, nationality, postal address, postal number, credit card information (for credit card numbers, the last four digits only), visa, marketing information, and information regarding previous stays; and
Check-in confirmation data, including name, postal address, occupation, nationality, and passport number;

(b) Information We Collect or Generate about You: This includes information about you that you give us by filling in forms or by communicating with us, whether face-to-face, by phone, e-mail or otherwise. This information may include:

Technical data, including device information, log-in information, cookies and anonymous IDs, IP addresses, location information (i.e., geographic dimensions inferred from IP addresses), and unique identification information.

For more details concerning cookies, please refer to our Cookie Policy. You can also refuse to provide your personal data to us. However, if you do not provide your data, we may not be able to provide you with our products and services. This refusal can also have an effect on your use of our websites.

(c) Information to be Collected by Us When You Use the Services: We collect your personal data from third-party service providers, agencies, etc. (travel agencies, group tour operators, your employer, credit card companies, airline companies, and other parties involved in making your travel arrangements) or other publicly available sources where applicable. This information includes:

Reservation data, including name, telephone number, postal address, postal number and nationality.

(d) Sensitive personal information (if applicable): Among the information described in (a)~(c) above, the information that is deemed as the sensitive personal information under the applicable data protection and privacy laws is as follows:

credit card information (for credit card numbers, the last four digits only), visa and passport number.

3. Purpose of Use of Personal Information

Our purposes and legal basis for processing your personal data are as follows:

Purposes	Legal Basis
To accept applications for services provided by our company (including related ancillary services, applications, and tools; hereinafter collectively referred to as the “Services”), and to provide, maintain, protect and improve the Services, including identity verification To use the check-in system, create guest lists, and provide other accommodation services in the operation of accommodation facilities among the Services To exercise rights and perform obligations under contracts with you or laws and regulations	Necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract
To provide information to you and respond to inquiries from you To deal with acts that are in breach of our terms and conditions of the Services To notify you of changes to the terms and conditions of the Services To prevent, investigate, and identify fraud, cyber-attacks, and other illegal or potentially fraudulent activities, and thereby protect our rights and interests and those of third parties To provide your personal information to third parties	Necessary for our legitimate interests (to operate our business)
To improve existing services and conduct R&D for new services (*) We may analyze “2. Personal Data Collected by Us” related to you (attribute information, service usage history, etc.) for the improvement and development of these services	Necessary for our legitimate interests (to improve our Services)
To introduce our products and services and provide campaign information, etc., and to otherwise conduct advertisement, publicity, or marketing activities (*) We may analyze “2. Personal Data Collected by Us” related to you (attribute information, service usage history, etc.) using artificial intelligence or other methods, together with past or present personal information of you or others, and other information (including statistical information and estimated information) (the term “analysis” is used in this context in this Policy), and we may thereby estimate your hobbies, preferences, purchasing trends, attributes, creditworthiness, etc., and use the results of this analysis and estimation for measures such as delivering advertisements to you and conducting marketing activities.	Necessary for our legitimate interests (to conduct marketing activities) Consent (only if required by applicable law)

In some jurisdictions, the personal information listed in 2. (d) falls under “Sensitive personal information.” Once such information is leaked or illegally used, it may easily lead to the infringement of the personal dignity or the harm of personal or property safety of you, in order to reduce the negative impact on the legitimate rights and interests of your sensitive personal information, we will collect, store, use, process, transmit, provide, disclose, and delete the following sensitive personal information within the scope of the following necessity in accordance with the applicable data protection and privacy laws.

Sensitive Personal Information (if applicable)	Necessity of processing sensitive personal information (if applicable)
Credit card information (for credit card numbers, the last four digits only) Visa Passport number	Necessary to accept applications for the Services and to provide, maintain, protect and improve the Services, including identity verification. Necessary to use the check-in system, create guest lists, and provide other accommodation services in the operation of accommodation facilities among the Services. Necessary to exercise rights and perform obligations under contracts with you or laws and regulations

Sensitive Personal Information (if applicable)

Necessity of processing sensitive personal information (if applicable)

Credit card information (for credit card numbers, the last four digits only)
Visa
Passport number

Necessary to accept applications for the Services and to provide, maintain, protect and improve the Services, including identity verification.
Necessary to use the check-in system, create guest lists, and provide other accommodation services in the operation of accommodation facilities among the Services.
Necessary to exercise rights and perform obligations under contracts with you or laws and regulations

4. Retention of Personal Data

We retain your personal data for the purpose of fulfilling our contractual obligations and the purposes set forth in “3. Purpose of Use of Personal Information” above, so as long as the provision of services to you or the transaction with you is ongoing (such as maintaining your membership registration) and for three years after the provision of services to you or the transaction with you has ended. We do not retain your personal data for longer than the foregoing period and will immediately delete or anonymize your personal data thereafter, unless we have a legitimate need to retain your personal data to comply with applicable laws and regulations or to respond to unresolved claims or complaints.

5. Provision of Personal Data to Third Parties

Your personal data may be shared with third parties in certain circumstances, as set forth below:

(a) Disclosure of Personal Data

Our group companies; We may disclose the personal data listed in “2. Personal Data Collected by Us” above (“Personal Data”) to our group companies for the purposes of use described in “3. Purpose of Use of Personal Information” above (“Purposes of Use”). Please note that we jointly use the Personal Data for the Purposes of Use within our group companies ( see here ). The responsible entity for this join use is CREAL Inc. (company’s address and representative can be found at the following link: https://corp.creal.jp/company/).
Service providers / professional advisors; We may disclose the Personal Data to the following categories of service providers and professional advisors for the Purposes of Use:
- ‒ Infrastructure and IT service providers;
- ‒ Marketing, advertising and communications agencies;
- ‒ Credit reference agencies and payment service providers; and
- ‒ Accounting auditors and various advisers.
Third parties permitted by law: In certain circumstances, we may be required to disclose the Personal Data in order to comply with a legal or regulatory obligation (for example, we may be required to disclose personal data to the police, regulators, government agencies or to judicial or administrative authorities). We may also disclose the Personal Data to third parties in cases where disclosure is both legally permissible and necessary to protect or defend our rights, for matters of national security, for law enforcement, to enforce our contracts or to protect your rights or those of the public.
Third parties connected with business transfers: We may transfer the Personal Data to third parties in connection with a reorganization, restructuring, merger, acquisition or transfer of assets, provided that the receiving party agrees to treat your personal data in a manner consistent with this Policy. In this case, we will separately inform you of the name and contact information of the receiving party.

(b) Sharing of Personal Data

Business partners: We may share the Personal Data with advertising distribution business partners to introduce our products and services and provide campaign information, etc., and to otherwise conduct advertisement, publicity, or marketing activities.

(c) Sale of Personal Data

We have not sold personal data to third parties in the past twelve (12) months.

6. Provision of Personal data to Third Parties in Foreign Countries

There may be cases where we need to transfer our customers' personal data to other jurisdictions, including but not limited to, Japan, US and Singapore. For the Purposes of Use, we will transfer data to other jurisdictions upon your separate consent, after taking appropriate measures in accordance with applicable laws and regulations, such as confirming adequacy decisions and entering into standard contractual clauses.

If you would like more details regarding the specific mechanisms we use for transferring personal data outside the country, please contact us via our inquiry form or by mail at the address provided above.

7. Child Data

We do not have actual knowledge that we have sold or have shared the personal data of any persons aged 16 years and younger; however, if we plan to do so in the future, the selling or sharing of personal data will not be done unless such persons or their guardians have affirmatively authorized it in accordance with the applicable data protection and privacy laws.

8. Protection of Your Personal data

In order to prevent unauthorized access to or leakage of your personal data, maintain the accuracy of your personal data, and dispose of it appropriately when necessary, we comply with applicable laws and regulations and strive to process your personal data with a high level of information security. When acquiring or transferring personal data, we encrypt communications and limit access rights to stored personal data, so that only those who need it to carry out business can process it. In addition, we regularly review these efforts to ensure that they are being carried out effectively and properly and at an appropriate level. For details on the security control measures that we are taking, please contact the inquiry desk indicated in “10. Contact Information.”

9. Your Rights

You have the following rights in accordance with applicable laws and regulations:

Access. You have the right to obtain confirmation from us as to whether or not personal data concerning you is being processed, and, where that is the case, to request access to the personal data. You have the right to obtain a copy of the personal data undergoing processing.
Rectification. You have the right to have any incomplete or inaccurate personal data that we process about you rectified.
Erasure. You have the right to request that we delete personal data that we process about you; provided that we are not obliged to do so if we need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims.
Restriction. You have the right to restrict our processing of your personal data in cases where you believe that such data is inaccurate, that our processing is unlawful, or that we no longer need to process such data for a particular purpose, unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it.
Portability. You have the right to obtain the personal data which we hold about you, in a structured, electronic format, and to transmit such data to another data controller, where this is (i) personal data which you have provided to us, and (ii) if we are processing that personal data on the basis of your consent or to perform a contract with you.
Objection. Where the legal justification for our processing of your personal data is our legitimate interests, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.
Withdrawing consent. If you have consented to our processing of your personal data, you have the right to withdraw your consent at any time, free of charge. This includes where you wish to opt out from receiving marketing messages.
Complaints: You also have the right to lodge a complaint with the local personal data protection regulatory authority in accordance with applicable laws if you believe that we have not complied with applicable personal data protection laws.

Depending on the case where you are subject to specific laws and regulations (e.g., CCPA), you may also have the following rights:

Know about personal data collected, disclosed, or sold: You have the right to request that we disclose the following data to you regarding our collection and use of your personal data over the past 12 months:
- ‒ Categories of personal data we collect about you;
- ‒ Categories of sources of collection;
- ‒ Business or commercial purposes for collecting or selling personal data;
- ‒ Categories of third parties to which we share personal data;
- ‒ Specific personal data we collect about you; and
- ‒ Categories of personal data sold or disclosed by us and the category of recipients.
Request deletion of personal data: You have the right to request that we delete any of your personal data that we have collected from you. Please note that such right is subject to certain exceptions under the CCPA. When we determine to maintain your personal data after your request, we will inform you of the exception applied to your case.
Correct inaccurate personal data: You have the right to request that we correct inaccurate personal data that we maintain about you.
Opt-out of the sale or sharing of personal data: You have the right to opt-out of sale or sharing of personal data collected about you.
Limit use and disclosure of sensitive personal data: You have the right to instruct us to limit the use of your sensitive personal data to the extent necessary for the performance and provision of the product or service, as reasonably expected by an average consumer seeking such product or service, within the scope of appropriate purposes, and to request that we do not use or disclose it beyond this scope.
Non-discrimination for exercising your rights: We do not discriminate against you due to the exercise of any of your rights under the CCPA.

Where you wish to exercise any of these rights, please send us a request via our inquiry form or by post to our address described above. For your own privacy and security, we may require evidence of your identity or to be provided with additional information before we are able to act on your request when the information we have is insufficient to accommodate your request. We will use our best efforts to provide any requested information or make requested changes in accordance with applicable laws.

10. Contact Information

If you have any comments, questions, complaints or other inquiries concerning the processing of your personal information, please contact us using the inquiry form below.

Creal Hotels Inc. - Personal Information Inquiry Desk
https://hotels.creal.jp/contacts/new

11. Procedures for Changing this Policy

We may update this policy from time to time. We reserve the right to modify, add or remove portions of this policy. If we decide to change this policy, we will post an alert on our website.

This policy was last updated on December 23, 2024.