PRIVACY POLICY

ResortPass, Inc.

Effective Date: August 12, 2019

Thank you for doing business with ResortPass, Inc. (“ResortPass,” “Company,” “we,” “our,” or “us”). We welcome you and hope you find our websites, applications, professional services, products, and our other subscription services and tools (collectively, the “Services”) helpful and useful. For those of you who are current or potential employees or business partners, we hope your interaction with us is pleasant and helpful. We have adopted this privacy policy (“Privacy Policy”) to help our current and potential customers, clients, their employees, our employees, and other business partners (“you” or “your,”) understand not only what Data we collect, store, share, and use, but how and why.

We always seek to improve our Services to you, and that requires that we collect, store, share, and use information about you and your usage preferences. As we do so, we are absolutely committed to protecting your privacy and the security of your personal information.

In this Privacy Policy, we use the word “Data” to describe all the information we collect that relates to you and your use of our Services. “Data” is broken into different categories, which we may refer to separately, but when we use the word “Data,” we mean all the different categories described in this Privacy Policy. The word “Data” does not include information that Hotels (defined below) may gather about you independently.

When we have a separate agreement with you and that agreement addresses how we handle Data, the terms of that separate agreement will control over any conflicting provisions of this Privacy Policy. The definition of “Data” in that separate agreement, if there is one, may differ from the definition we use in this Privacy policy, since the agreement will address particular interactions with a particular party.

With that exception, this Privacy Policy applies to everybody who interacts with us online or otherwise. Since different portions of the Privacy Policy will apply differently to the various groups who interact with us, we have tried to clearly categorize the types of Data we process and how we do so. If you have any questions about this Privacy Policy or how we handle your Data, please e-mail us at privacy@resortpass.com.

We have also adopted a Data Processing Agreement (“DPA”) that places further restrictions and requirements on how we process Data. We make the DPA available separately to individuals and companies who wish to enter into a DPA with us. If you have entered into such an agreement with us, either by executing the DPA in hard copy or by clicking “I Accept” or similar language online, the DPA will apply to both parties’ actions under this Agreement.

DESCRIPTION OF SERVICES

ResortPass provides a platform through which certain third-party hotels (“Hotels”) sell to site users (“Day Guests”) various day passes giving them access to specific Hotel facilities and promotions (“Inventory”). Hotels are the sellers and issuers of the Inventory and are solely responsible to users for everything the Hotels do or fail to do in their relationship with users, including the data the Hotels gather about users in the course of that relationship. The term Data, as used in this Privacy Policy does not include any information Hotels gather about users, and ResortPass is not responsible in any manner for the conduct or privacy practices of Hotels. In this Privacy policy, all the functions made available by our tools, including the other services and professional services we provide directly, are included in the term “Services.” The term “Services” also includes any of ResortPass’s websites, mobile applications, tools, software, personalized content, and other applications, as well as any other services and tools now known or later developed by ResortPass.

LAWFUL BASIS FOR PROCESSING

By accessing or using any of the Services or by otherwise interacting with us online, you consent to our use of your Data as described in this Privacy Policy. If our processing of your Data is based on your consent, you may withdraw your consent at any time, and we will cease collecting your Data. However, in some cases, this may result in your inability to receive partial or full access to the Services, and your withdrawal of consent does not limit our ability to use the Data that has been aggregated and anonymized for use by us in connection with our legitimate business efforts in the future. In addition, your withdrawal of consent does not prevent us from retaining and processing Data if we are required to do so by applicable law or in order to preserve legal claims. It also doesn’t prevent us from processing Data that has been gathered pursuant to a different lawful basis. For example, if you give your consent for us to process your Data, but we are also required by law to keep your Data, that separate “lawful basis” will still apply, even if you withdraw your consent.

When you enter into an agreement with us, either by accessing the Services, by executing an agreement in hard copy or by clicking “I Accept” or similar language online, we will process your Data for the purposes of fulfilling the terms of our contract with you. In that case, our processing of your Data is based on the contract, so your withdrawal of consent will only be effective after the purposes for processing that Data have been fulfilled and after we no longer have a legal obligation to keep that Data.

In all cases, we will comply with applicable law and we will cease processing your Data after the legal right or obligation or other necessity passes.

INTENDED USERS

The Services are directed solely to persons 18 years of age or older or of children under 18 who are supervised by a parent, guardian, or other caregiver. Other than for Data collected for the specific purpose of providing the Services to users, we do not knowingly collect Data from users who are under 13. If we become aware that we have gathered Data from a person under 13, except to provide the Services to such person, then we will attempt to delete such Data as soon as possible, subject to our obligations under applicable law. If you believe that we have gathered Data from a person under 13 in contravention of this policy, please contact us at privacy@resortpass.com.

INFORMATION WE COLLECT AND HOW WE USE IT

In the course of our relationship with you, we gather different categories of Data. We always have a lawful basis for gathering the Data, but that lawful basis might be different for different categories. Regardless, we never use the Data for any purpose other than the purpose for which we gathered the Data in the first place, unless we get your explicit consent. This section of our Privacy Policy describes the categories of Data we collect, the lawful basis for collecting that Data, and the uses we make of each category of Data.

A. Registration Data

  1. Data Description: Registration Data consists of the name, e-mail address, and other contact information you provide us using the Services, both when you register your account and thereafter. Registration Data also includes your username, client type (e.g., ad-supported or paid membership), and membership end date, if any. Registration Data may also include the names and e-mail addresses of individuals accompanying you as you visit Inventory (“Companion Data”).
  2. Lawful Basis for Processing: Our lawful basis for processing Registration Data is our contract with you. We can only provide certain of the Services to you if we have the Registration Data, so we need to store and access that Registration Data during the term of our contract. Even when the Registration Data is not critically necessary to the provision of the Services, we may still process that Registration Data to facilitate our contractual interactions with you. The lawful basis for us to process Companion Data is our legitimate interest in providing the Services.
  3. How We Use It and Who We Share It With: Registration Data is accessible only to us. We use it only to provide the Services to you. At times, we will share the Registration Data with third parties at your request or to fulfill requests that you make of us. We may use your Registration Data to offer goods or services to you, but only on an opt-in basis after getting your specific consent.

B. Engagement Data

  1. Data Description: Engagement Data consists of all the information you input or record using the Services, other than the Registration Data. It also includes all information that is proprietary to you regarding your use of the Services (other than the data that qualifies as “Usage Data” below) that is collected or processed by the Services. For example, Engagement Data includes the dates you book Hotels, pricing related to those bookings, and the options you select in that process.
  2. Lawful Basis for Processing: Our lawful basis for processing Engagement Data is (1) our contract with you and (2) our legitimate interest in improving our Services based on the Engagement Data we receive from you.
  3. How We Use It and Who We Share It With: Your Engagement Data is accessible only to us, to you, and where it relates directly to a party who either provides services to you or receives services from you, to that party, in which case that party will be obligated to protect the confidentiality of your Engagement Data. We do not share Engagement Data with other third parties, except at your specific request, but we may use Engagement Data to make inferences that help us provide and improve the Services, to prevent or identify fraud or other illegal activities, and to comply with applicable law. Both during the term of our agreement with you and thereafter, we may also use Engagement Data in an anonymized and aggregated format that is not identifiable to any individual, and that anonymized and aggregated information belongs solely to us to use in our sole discretion. To the extent we are required to delete any Engagement Data about you, we may still retain aggregated and anonymized information that may have originated as your Engagement Data.

C. Usage Data

  1. Data Description: Usage Data consists of the following and similar information:
    • Information about your interactions with the Services, most commonly our website, which includes the date and time of any requests you make. This also may include details of your use of Third-Party Applications and any advertising you receive via the Services.
    • The timing of the information you post to the Services including messages you send and/or receive via the Services and your interactions with our customer service team, but not including the content of those interactions and messages, which would be included as Engagement Data.
    • Technical data which may include URL information, cookie data, your IP address, the types of devices you are using to access or connect to the Services, unique device IDs, device attributes, network connection type (e.g. WiFi, 4G, LTE, Bluetooth) and provider, network and device performance, browser type, language, information enabling digital rights management, operating system, and application version.
    • Motion-generated or orientation-generated mobile sensor data (e.g. accelerometer or gyroscope), if any, required for the purposes of providing specific features of the Services to you.
  2. Lawful Basis for Processing: Our lawful basis for processing Usage Data is (1) our contract with you and (2) our legitimate interest in improving our Services based on the Usage Data we receive from you.
  3. How We Use It and Who We Share It With: Usage Data is accessible to us and to you. We do not share it with third parties, except at your specific request, but we may use Usage Data to make improvements to the Services. We may also use Usage Data in an anonymized and aggregated format that is not identifiable to any individual, and that anonymized and aggregated information belongs solely to us. To the extent we are required to delete any Usage Data about you, we may still retain aggregated and anonymized information that may have originated as your Usage Data.

D. Payment Data

  1. Data Description: Payment Data is only collected when your use of the Services is subject to the payment of a fee or other charge. Payment Data is the information necessary for us to process your payments for premium Services. Payment Data will vary depending on the payment method you use (e.g. direct via your mobile phone carrier or by invoice) but may include information such as:
    • Name;
    • Date of birth;
    • Credit or debit card type, expiration date, and certain digits of your card number;
    • Address and postal code; and
    • Phone number
  2. Lawful Basis for Processing: Our lawful basis for processing Usage Data is (1) our contract with you and (2) our legitimate interest in improving our Services based on the Payment Data we receive from you.
  3. How We Use It and Who We Share It With: We only use Payment Data to facilitate payment, and we only communicate it to those parties who are strictly necessary for that purpose.

SPECIFIC INTERACTIONS

A. Current and Potential Employees

We often use the services of third parties to help us to recruit new employees and independent contractors and to manage our interactions with current employees and independent contractors. We do our best to contractually ensure that these third-party service providers comply with the policies we have adopted. However, we can’t guarantee their compliance in every case.

Our lawful basis for processing Data about potential and current employees and independent contractors is our contract with them and our legitimate interest in processing that Data, both to facilitate the formation of a formal relationship and to manage that relationship once it is formed. We only use employment Data for the direct purpose of the employment or independent contractor relationship, and we cease using it as soon as that relationship ends. However, we may keep and process that Data after the relationship ends when we are required to do so by applicable law or to preserve legal claims that may arise.

B. Hotels

When our users use the Services to book Inventory with Hotels, the information that is necessary to initiate that relationship is passed from ResortPass to the applicable Hotel. At that point, the Hotel may engage directly with our users and manage the relationship without any further involvement by ResortPass, except as necessary to ensure payments are correctly made and reporting is accurate. ResortPass. We may also allow you to include booking notes (for example, “celebrating an anniversary”), and that information will be passed along to the Hotel.

C. Affiliates

Certain of our users are affiliates or affiliate networks, who benefit from promoting our Services. Data about our affiliates is categorized and treated in the same manner as Data about our customers. However, our lawful basis for using affiliate Data is our contract with affiliates and our legitimate interest in sharing that Data with third parties for purposes of promoting the affiliates’ relationships with ResortPass.

SHARING YOUR INFORMATION

Except where a specific limitation is noted above, we may share your Data as follows:

  1. At Your Instruction. If you request us to make your Data available to a third party, and such request furthers the purposes of our Services, we will do so.
  2. Sharing with Vendors and Service Providers. In certain cases, we use the services of third-party vendors and service providers, such as Hotels and others, to assist us in providing the Services. We may share your Data with such vendors and service providers solely for that purpose, and we will require those parties to abide by our privacy policies or privacy policies substantially in consonance with ours.
  3. Third-Party Offers. We may allow other companies to offer you their products and services, including offers through our Services, co-branded pages hosted by the third parties, or via email. Whether or not you decide to participate in any such offers is up to you. If you purchase a product or service on a co-branded page or email, or via a third-party offer on our Services that requires you to submit financial and personal information, you are also consenting to our delivery of this information to that party. The offer will notify you if any financial or personally identifiable information will be shared. Such third party will be authorized to use this information in keeping with our contractual relationship with them and in accordance with their own privacy policy and information practices. We do not control these third parties and you agree that we are not liable for their acts, or any failure to act on their part.
  4. Third-Party Advertising. We may use aggregated, statistical information to describe our membership and to establish advertising and other business relationships with third parties. We may serve you with targeted advertisements based on your personal or profile information, but we do not provide any of this personal or profile information to an advertiser or any third party with the exception of those uses expressly disclosed in this policy. However, if you click or view an ad on our Services then you consent to the likelihood that the advertiser will assume that you meet the targeting criteria, if any, used to display such ad, and as described above, you will be subject to the advertiser's privacy policy and information collection practices (if any).
  5. Third-Party Ad Servers. We may allow third-party ad servers or ad networks to display advertisements on the Services. Some of these ad networks may place a persistent cookie on your computer or use other technologies such as JavaScript and web beacons. Doing this allows them to recognize your computer each time they send you an online advertisement. In this way, ad networks may compile information about where you, or others who are using your computer, saw their advertisements and determine which ads are clicked on. This information allows an ad network to deliver targeted advertisements that they believe will be of most interest to you. We do not have access to or control over the cookies that may be placed by these parties on your computer, and we have no control over these parties' privacy policies or information collection practices (if any).
  6. Service Providers. We may sometimes use a third party to provide specific Services on our behalf, including sending e-mails to our members, conducting member surveys, processing transactions or performing statistical analysis of our Services. In these cases, we may provide certain personal information, such as your name and e-mail address and other financial information necessary for the service to be provided. However, these third parties are required to maintain the confidentiality of this information and are prohibited from retaining, sharing, storing or using this information for any other purposes.
  7. Internet Service Providers. We may provide certain portions of your Data, such as your email address or name, back to your internet service provider if we have an existing advertising relationship with them. This is done to allow them to target or discontinue your exposure to our advertisements, once you have become a participating member of our Services. As part of our agreement with your internet service provider, they will be required to maintain this information in a confidential manner and use it solely for the purpose described in this Privacy Policy.
  8. Business Transitions. In the event that we go through a business transition, such as a merger, acquisition, liquidation or sale of all or a portion of our assets, the information we have about you will, in most instances, be part of the assets transferred. We reserve the right to transfer that information in connection with such transactions without notice to you. We will not obtain your consent for such a transfer.
  9. Legal Disclosure. We may disclose your Information if required to do so by law or in the good faith belief that such action is necessary to conform to applicable law, comply with a judicial proceeding, court order or legal process served on us, protect and defend our rights or property, or investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or violations of our terms of service.
  10. Publicly Disclosed Data. Certain items of Data are always publicly available, such as your username, people who follow your playlists, and the playlists you follow.

If we ever plan to use any Data in the future for any other purposes not identified above and we do not have a separate lawful basis for that processing, we will only do so after obtaining your specific consent.

TECHNOLOGIES WE USE

The technologies we use for automatic Data collection may include the following:

  • Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Services. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Services.
  • Flash Cookies. Certain features of our Services may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from and on our Services. Flash cookies are not managed by the same browser settings as are used for browser cookies.
  • Web Beacons. Pages of the Services and our e-mails may contain small electronic files known as web beacons (also referred to as clear gifs. pixel tags and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an e-mail and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

YOUR CHOICES REGARDING OUR USE AND DISCLOSURE OF YOUR DATA

We only use your Data for marketing purposes if you give us your specific consent. If, after giving your consent, you wish to opt-out of our sharing of your information with third parties for the third parties’ direct marketing purposes, or if you wish to stop receive marketing e-mails from us, please follow the instructions below. (Note that if you are a resident of the European Union, we will never use your personal data for third-party marketing purposes unless you have clicked on a box online to expressly give consent for such use.)

  • Receiving electronic communications from us: If you no longer want to receive marketing-related emails from us on a going-forward basis, you may opt-out of receiving these marketing-related emails by sending a request for list removal to privacy@resortpass.com.
  • Our sharing of your Data with unaffiliated third parties for their (or their customers') direct marketing purposes : If you would prefer that we do not share your information on a going-forward basis with unaffiliated third parties for their direct marketing purposes, you may opt-out of this sharing by emailing privacy@resortpass.com from the email that you have signed up or used in receiving the Services.
  • Any other disclosure of your Data: Except as provided in this Privacy Policy regarding anonymized and aggregated Data and except for Data that is processed by us pursuant to a lawful basis based on our legitimate interests and contracts with you or pursuant to our efforts to prevent or identify fraud or other illegal activities or to comply with applicable law, you may instruct us to cease disclosure or use of your Data by contacting us at privacy@resortpass.com.

We will try to comply with your request(s) as soon as reasonably practicable. Please also note that if you do opt-out of receiving marketing-related emails from us, we may still send you messages for administrative or other purposes directly relating to your use of the Services, and you cannot opt-out from receiving those messages.

California’s “Shine the Light” law, Civil Code section 1798.83, requires certain businesses to respond to requests from California customers asking about businesses’ practices related to disclosing personal information to third parties for the third parties’ direct marketing purposes. Alternatively, such businesses may have in place a policy not to disclose personal information of customers to third parties for the third parties’ direct marketing purposes if the customer has exercised an option to opt-out of such information-sharing. If you wish to opt-out of our sharing of your information with third parties for the third parties’ direct marketing purposes offline, please follow the instructions in this Privacy Policy.

California has also adopted the California Consumer Privacy Act (“CCPA”), which will take effect at the beginning of 2020. ResortPass complies with the requirements of the CCPA to the extent they apply to ResortPass. Contact us at privacy@resortpass.com for further information about how we do so.

PRIVACY FOR EU RESIDENTS

The General Data Protection Regulation made effective in Europe on May 25, 2018 (“GDPR”) requires that we clearly describe to data subjects the data we collect and how we use that data. This Privacy Policy does that, and we hope that if you have any questions for us regarding our data collection, you will write us at privacy@resortpass.com.

The GDPR also requires that we have a lawful basis for our processing of any personal data about an individual residing in Europe. For an individual browsing our website or otherwise accessing our Services, our lawful basis is our legitimate interest in providing the Services to you in the manner that you desire, and all the Data that we collect from such individuals will be used only for those purposes, as described in this Privacy Policy. For an individual purchasing products from us, our lawful basis is the contract under which you purchase products, and the Data we collect from such individuals will be used only in connection with our contractual relationship with you and only in a manner that furthers the purposes of that contractual relationship, as set forth in this Privacy Policy.

For employees and other authorized users operating in their role as administrators or users of our services, our lawful basis is the legitimate interest we have in providing the services to their employer.

If you are a client or customer who accesses the Data of third parties in connection with your services rendered to us, you, your employees, and your other authorized users agree to be bound by the provisions of the GDPR with respect to any Data with which you come in contact using Services, including without limitation the personal data belonging to individuals with whom you communicate or whose personal data you access using the Services. Specifically, you agree that you, your employees, or other authorized users will:

A. Never access, process, transfer, view, use, or store any Data of any third party without express authorization, and then only for purposes directly related to fulfilling your contractual obligations under your agreement with any third party (“Data Secrecy”);

B. Keep all Data strictly confidential and disclose Data only on a strict need-to-know basis to other employees or authorized users only as required for fulfilling an individual’s contractual obligations (“Confidentiality”); however, you agree that you shall not disclose or otherwise make accessible Data under any circumstances to anyone who has not been obliged to Data Secrecy and Confidentiality.

C. Ensure that your obligations of Data Secrecy and Confidentiality are observed forever, both during and after the expiration and/or termination of any agreement with us or any contractual relationship you may have with an employer or other party.

D. Upon our request to provide Company with satisfactory evidence that you have complied with your obligations of Data Secrecy and Confidentiality as set forth in this agreement.

The GDPR also requires us to take appropriate technical and organizational measures to protect the security of Data belonging to residents of Europe. We make commercially reasonable efforts to ensure the privacy and security of the Data of our European visitors and customers, and we are happy to give you a complete description of our most current efforts, if you will write us at privacy@resortpass.com.

Pursuant to the GDPR, residents of Europe have the right to obtain our confirmation of whether we maintain personal information relating to them in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States should direct their query to privacy@resortpass.com. If requested to remove data, we will respond within a reasonable timeframe.

SECURITY

The security of your Data is important to us. We use commercially reasonable efforts to store and maintain your Data in a secure environment. We take technical, contractual, administrative, and physical security steps designed to protect Data that you provide to us. We have implemented procedures designed to limit the dissemination of your Data to only such designated staff as are reasonably necessary to carry out the stated purposes we have communicated to you.

THIRD-PARTY POLICIES

You may be able to access third-party websites and other tools and services or products via a link, or via our other tools. The privacy policies of these third parties are not under our control and may differ from ours. The use of any Data that you may provide to any third parties will be governed by the privacy policy of such third party or by your independent agreement with such third party, as the case may be. If you have any doubts about the privacy of the information you are providing to a third party, we recommend that you contact that third party directly for more information or to review its privacy policy.

This Privacy Policy does not address, and we are not responsible for, the privacy, information or other practices of any third parties, including any third party operating any offering, site or other products and Services used in connection with the Services. The inclusion of a link does not imply endorsement of the linked site or service by us or by our affiliates.

RETENTION

We will keep your information for as long as it remains necessary for the identified purpose or as required by law, which may extend beyond the termination of our relationship with you. We may retain certain data as necessary to prevent fraud or future abuse, or for legitimate business purposes, such as analysis of aggregated, non-personally-identifiable data, account recovery, or if required by law. All retained information will remain subject to the terms of this Privacy Policy. Please note that if you request that your information be removed from our databases, it may not be possible to completely delete all of your information due to technological and legal constraints.

AMENDMENT OF THIS PRIVACY POLICY

We reserve the right to change this Privacy Policy at any time. If we decide to change this Privacy Policy in the future, we will post or provide appropriate notice. Any change to this Privacy Policy will become effective on the date that is 30 days from their posting on the Services or sent via email to your listed email address. Unless stated otherwise, our current Privacy Policy applies to all Data that we have about you and your account. The date on which the latest update was made is indicated at the top of this document. We recommend that you print a copy of this Privacy Policy for your reference and revisit this policy from time to time to ensure you are aware of any changes. Your continued use of the Services signifies your acceptance of any changes.

ACCESS AND ACCURACY

You have the right to access the information we hold about you in order to verify the information we have collected in respect to you and to have a general account of our uses of that information. Upon receipt of your written request, we will provide you with a copy of your information, although in certain limited circumstances we may not be able to make all relevant information available to you, such as where that information also pertains to another user. In such circumstances we will provide reasons for the denial to you upon request. We will endeavor to deal with all requests for access and modifications in a timely manner.

We will make every reasonable effort to keep your information accurate and up-to-date, and we will provide you with mechanisms to update, correct, delete or add to your information as appropriate. As appropriate, this amended information will be transmitted to those parties to which we are permitted to disclose your information. Having accurate information about you enables us to give you the best possible service.

CONTACT US

You can help by keeping us informed of any changes such as a change of your personal contact information. If you would like to access your information, if you have any questions, comments or suggestions of if you find any errors in our information about you, please contact us at privacy@resortpass.com. If you have a complaint concerning our compliance with applicable privacy laws, we will investigate your complaint and if it is justified, we will take appropriate measures.