[Last Updated: April 10, 2023]
(applies to all NYX‑branded websites, apps, call‑centres and hotels operated by the Fattal Group worldwide, including Leonardo Hotels UK & Ireland)
1. Who We Are and Scope
|
Region |
Data‑controller |
Contact e‑mail |
Postal address |
|
Israel & global sites (nyx‑hotels.com, fattal.co.il etc.) |
Fattal Hotels Ltd. Reg. No. 510678816 |
info@fattal.co.il |
94 Yigal Alon St., Tel Aviv 6789139, Israel |
|
UK & Ireland sites (nyx‑hotels.co.uk) |
Leonardo Hotel Management (UK) Ltd. |
DPO@leonardohotels.com |
146 Pembroke Road, Dublin 4, D04 K190, Ireland |
EU representative for Fattal sites: Sunflower Management GmbH & Co KG, Landsberger Allee 117A, 10407 Berlin, info@leonardo‑hotels.com.
This notice explains how we collect, use, store and share personal data when you browse our sites, contact us, join loyalty plans, make or manage reservations, stay at any NYX hotel, attend events, interact on social media, enter promotions or communicate with our contact‑centres.
2. Data We Collect & Why
|
Category |
Examples |
Main purpose & lawful basis* |
|
Identity & Contact |
name, title, date of birth, postal & e‑mail addresses, phone, ID/passport number |
Contract (booking & stay), legitimate interests (service, security), legal duties |
|
Reservation & Stay |
arrival/departure dates, party size, room & rate, purchases on‑site, CCTV |
Contract, legitimate interests (operations, fraud‑prevention) |
|
Payment |
card type, last 4 digits, expiry, transaction record |
Contract, legal obligation (tax, accounting) |
|
Special Requirements |
accessibility needs, dietary or health notes voluntarily provided |
Explicit consent; vital interests in emergencies |
|
Marketing Preferences |
newsletter opt‑in, contact channel |
Consent; legitimate interests (customer relationships) |
|
Technical & Usage |
IP, cookie ID, browser/OS, device, site/app interactions |
Consent (analytics/marketing cookies); legitimate interests (site security, improvement) |
|
Recruitment |
CV, role applied for, interview notes |
Legitimate interests; pre‑contract steps |
*We may also process data to comply with legal obligations or to protect vital interests.
3. How We Collect Data
- Directly from you – booking forms, check‑in, web forms, phone, e‑mail, social media, competitions.
- Automatically – cookies, pixels, server logs, CCTV.
- Third parties – travel agents, corporate bookers, analytics providers, social networks, payment processors.
4. Sharing Your Data
We share only what is necessary and under confidentiality agreements:
- Subsidiaries and franchise hotels for reservation fulfilment and loyalty management.
- Payment gateways, booking engines, CRM, Wi‑Fi, marketing and analytics vendors.
- Professional advisers, insurers, regulators, tax and law‑enforcement agencies.
- Event organisers for group functions you attend.
- Prospective buyers in the event of corporate transactions.
International transfers use EU‑approved mechanisms (Adequacy, Standard Contractual Clauses or Privacy Shield / successor schemes).
5. Cookies & Similar Tech
Our sites use:
- Essential (site functions, security)
- Functional (language & preference saving)
- Performance/Analytics (e.g. Google Analytics)
- Targeting/Advertising (e.g. Facebook pixel, DoubleClick)
- Social plug‑ins (share buttons, logged‑in recognition)
You can control cookies via the cookie banner, browser settings or the “Cookie Settings” link on every page. Rejecting cookies may impair site functionality.
Marketing e‑mails may contain a single‑pixel tag that tells us if the message is opened; you can disable images in your e‑mail client to avoid this.
6. Security & Retention
We apply industry‑standard security (encryption, access controls, monitoring). No system is 100 % secure, but we work to mitigate risks.
Records tied to a financial transaction are kept for seven years (or longer if local law requires). Other data is retained only so long as needed for the stated purposes, after which it is anonymised or securely deleted
7. Your Rights
Subject to local law, you may:
- Access, correct or erase personal data
- Restrict or object to processing
- Port data to another controller
- Withdraw consent at any time (for marketing or special‑category data)
- Lodge a complaint with your supervisory authority
Submit requests via the contacts in Section 1. We may ask for ID and have up to one month to respond (longer for complex requests).
8. Children
Our sites and services are not directed to children under the age defined by local law (13 in the US, 16 in the EEA). We do not knowingly process such data; if notified, we will delete it.
9. Changes & Contact
We may update this notice; the “Last updated” date appears below. Continued use of our services means you accept the revised notice.