Privacy Policy

Introduction

Mahaweli Reach Hotels PLC (“MRH”, “we”, “us”, “our”) respects your privacy and is committed to protecting the privacy, confidentiality and security of the personal data you provide to us or that we collect about you when you use our website www.mahaweli.com or our mobile application and other online products and services (“Site”), when you contact guest services, or when you otherwise interact with us. We are aware of our responsibilities to protect your personal data and comply with applicable privacy and data protection laws.

This Privacy Policy explains the manner in which your personal data is used. This Privacy Policy gives effect to our commitment to protect your personal data. Your use of the Site will constitute your agreement with the terms of this Privacy Policy.

Please contact us if you have any queries in respect of this Privacy Policy.

Data Protection Officer

Mahaweli Reach Hotels PLC

35; P.B.A. Weerakoon Mawatha

Kandy

Fax: +94 81 2232068

Email: dpo@mahaweli.com

Types of Personal Data We Collect

We may collect the following types of personal data (including where applicable sensitive personal data)

Personal Information: such as your full name and contact information, passport and visa information;
Accommodation Information: such as guest stay information, date of arrival and departure, goods and services purchased, special requests made, your service preferences;
Payment Information: your credit card, mobile payment and other payment details;
Loyalty and Rewards programs: your membership information, account details, any frequent flyer or travel partner programme affiliation;
Feedback: your reviews, feedback and opinions about our hotel, programmes and services;
Security systems: information collected through the use of closed circuit television systems and other security systems; and any other personal data you choose to provide to us.
Technical Information: such as IP Address, Geographic data, browser and computer system, operating system and application version, language settings, pages viewed and mobile network information

We limit the information collected in respect of children under 18 years of age. Any information should be provided by an adult. We kindly request that parents ensure that children do not send us any Personal Data without parental consent and if such information has been sent, please let us know and we will delete such information.

When Information May Be Collected

Personal data may be requested or generated in different circumstances including but not limited to the following:

Reservations and purchasing activities such as room or table reservations, check –in and check-out, payment, submission of complaints or requests.
Through Marketing and communication activities such as participation in promotional offers, surveys and competitions, social media and SMS campaigns, newsletter subscription, loyalty program registration or feedback forms.
Information Collected From Other Sources: third party service providers such as tour operators, online reservation systems, marketing partners or other third parties such as information provided by your travel agent, airline, credit card and others
Internet activities such as social media platforms, questionnaires etc;
Information Collected by Cookies and Other Tracking Technologies: we and our service providers use various technologies to collect information, including cookies and web beacons. Cookies are small data files stored on your hard drive or in device memory that help us improve our Site and your experience, see which areas and features of our Site are popular and count visits. Web beacons are electronic images that may be used in our services or emails and help deliver cookies, count visits and understand usage and campaign effectiveness. For more information about cookies, and how to disable them, please see our Cookies Policy.

Where you provide personal data of third parties (for example, names and contact details of your family members in connection with bookings or family memberships), you confirm that you have their consent to provide their personal data to us. We recommend you show them this Privacy Policy.

How the Personal Data collected is used:

We use your Personal Data for the following purposes:

Performing our contractual and customer service obligations: management of reservations and your stay at our property, catering to your requests, facilitating your use of services and performing contractual obligations such as credit card payments etc;
Improvement of our services: for the assessment and improvement of our product and services and the development of our operations;
Personalisation of our services and communications: to perform legitimate commercial interests including to personalize content and tailor our digital customer experience and offerings, understand customers’ requirements to develop targeted marketing campaigns, a newsletter and promotions;
Recruitment of staff or interns;
Compliance purposes: to fulfill statutory and fiscal compliance obligations.

If you do not provide certain information to us, we will be unable to provide you with our products and services. In cases where providing personal information is optional we will make it clear.

Disclosure of Personal Data

between and among a limited group of MRH affiliates and with the appropriate person within our company as are relevant for the above purposes including but not limited to hotel staff, IT departments and marketing services and to facilitate the operation of our business;
with third-party payment processors, payment service providers, IT and marketing support service providers and other consultants, vendors and service providers who need access to such information to carry out work or provide services on our behalf or who help us to provide the Site to you whether such consultants are based in Sri Lanka or in other jurisdictions;
with anyone involved in the process of making your travel arrangements (e.g. travel agents, group travel organisers and your employer) in order to fulfill contractual obligations;
with any law enforcement authorities, courts of law, Government or regulatory bodies (in whatever jurisdiction), or otherwise in response to a request for information if we believe disclosure is in accordance with, or required by, any applicable law, regulation, court order or legal process;
with our advisors, which includes our accountants, auditors, lawyers, other professional advisors and business contacts for the purpose of assisting us to better manage, support or develop our business and comply with our legal and regulatory obligations;
with any other party at your consent or at your direction; and otherwise as permitted or required by applicable laws and regulations.

Retention of Data

Reasonable business needs: for as long as we provide goods and services to you, for managing our business relationship with you or managing our operations, and /or
Reasonable statutory periods: such as prescriptive periods set out by law or for as long as we need to comply with fiscal and legal obligations;
Other retention periods in line with legal and regulatory guidance and requirements.

Security of Personal Data

We have implemented the necessary technical and organizational measures, in compliance with legal requirements with the aim of protecting the Personal Data, ensuring confidentiality in accordance with the principles set out in this policy.

Whenever information is requested on credit cards, this communication is made via secure SSL (Secure Sockets Layer) lines, when you are using a browser which allows SSL, such as Microsoft Internet Explorer or Google Chrome.

We cannot guarantee that our Site will function faultless and without any interruptions. We shall not be liable for damages that may result from the use of electronic means of communication, including, but not limited to, damages resulting from the failure or delay in delivery of electronic communications, interception or manipulation of electronic communications by third parties or by computer programs used for electronic communications and transmission of viruses.

Third Party Sites

The Site may contain links to other websites, apps, content, services or resources on the internet which are operated by third parties. If you access other websites, apps, content, services or resources using the links provided, please be aware they may have their own privacy policy, and we do not accept any responsibility or liability for these policies or for any personal data which may be collected through these sites. Please check these policies before you submit any personal information to these sites.

Personal Data Rights

Under certain circumstances you are entitled to the following rights:

right of access to the personal data we hold about you: please note that this is not an absolute right and the interests of other individuals may restrict your right of access.
right of rectification of any inaccurate information held by us about you
right to erasure: you may have the right to obtain erasure of information held by us
right to restrict data processing: in the event you request a restriction on the manner in which your data is processed, such data will only be used for limited purposes
right to object: you could object on grounds relating to your particular circumstance to the processing of data by us and we can be required to no longer process your data
your personal right to data portability: you have the right to receive the data provided by you to us in a structured, commonly used, machine readable format and you have the right to transmit that data to another entity without hindrance from us.

Whenever a request is made, we will strive to grant these rights as quickly as possible. You may also withdraw your consent to receiving direct marketing communications, or more generally to our processing of your personal data, at any time. Even when you opt out in respect of these services we may still contact you for transactional or informational purposes.

You may in certain circumstances ask us to delete your personal data. However, we may not be able to continue providing services to you if you entirely withdraw your consent or ask us to delete your personal data entirely.
To make these requests, or if you have any questions or complaints about how we handle your personal data, or would like us to update the data we maintain about you and your preferences, please contact our data protection officer by email at dpo@mahaweli.com or by post at 35; P.B.A. Weerakoon Mawatha, Kandy, Sri Lanka

Changes to the Privacy Policy

We may modify this Privacy Policy from time to time. Any changes to this Privacy Policy will be posted to the Site so that you are always informed of the way we collect and use your personal data, and we encourage you to review this Privacy Policy whenever you access the Site or otherwise interact with us to stay informed about our information practices and the ways you can help protect your privacy. Updated versions of this Privacy Policy will include the date of the revision at the end of this Privacy Policy so that you are able to check when the Privacy Policy was last amended. Any changes to this Privacy Policy will become effective upon posting of the revised Privacy Policy on the Site. Use of the Site following such changes constitutes your acceptance of the revised Privacy Policy then in effect. If we make any material changes we will notify of same by means of a notice on this Site prior to the changes becoming effective.

Miscellaneous

This Privacy Policy is governed by and shall be construed in accordance with the laws of Sri Lanka.

This Privacy Policy is written in the English language and may be translated into other languages. In the event of any inconsistency between the English version and the translated version of this Privacy Policy, the English version shall prevail.

Last Updated: March 2019