Your Privacy Matters

This Privacy Notice explains how FIVE Hotels & Resorts (“FIVE”, “we”, “us”, “our”) collects and uses personal data of guests, website visitors, applicants, and other individuals interacting with our services.

This notice has been prepared in accordance with:

  • EU General Data Protection Regulation (GDPR)
  • UAE Federal Decree-Law No.45 of 2021 (UAE PDPL)
  • Dubai International Financial Centre Data Protection Law No.5 of 2020 (DIFC DP Law)
  • Swiss Federal Act on Data Protection (revFADP)
  • Applicable U.S. state laws including the New York SHIELD Act

FIVE acts as a data controller and is accountable to relevant supervisory authorities depending on jurisdiction.

Where personal data is collected or processed by third-party platforms or partners, such parties may act as independent controllers for their respective processing activities.

1. Data Controllers

UAE Properties

FIVE Hotel FZE
PO Box 6438, Palm Jumeirah
Dubai, United Arab Emirates

Spain / EU

UNIVERSO PACHA, S.A. (Data Controller)
Avenida Ocho de Agosto 27, 07800,
Ibiza, Spain
N.I.F.: A-87.753.935
lopd@pacha.com

Switzerland

FIVE Zurich AG
Pfingstweidstrasse 102
8005 Zurich, Switzerland

Swiss Data Protection Advisor (revFADP Art.10):
dpo@fiveglobalholdings.com

Group Data Protection Officer

dpo@fiveglobalholdings.com

2. How We Collect Personal Data

2.1 Data Collected Directly (GDPR Art.13)

We collect personal data when you:

  • make reservations or stay with us
  • use our website
  • communicate with our teams
  • subscribe to marketing communications
  • apply for employment

2.2 Data Obtained Indirectly (GDPR Art.14)

We may receive personal data from:

  • online travel agencies (e.g., Booking.com, Agoda)
  • restaurant reservation platforms
  • event ticketing providers
  • travel agents or corporate partners
  • social media platforms

Where bookings are made through online travel agencies or reservation platforms, personal data is provided to FIVE by those platforms in accordance with the booking arrangement.

3. Categories of Personal Data

  • Identity & Contact Data
  • Booking & Stay Information
  • Financial Data
  • Website & Technical Data
  • Communications Data
  • Recruitment Data

Special Categories

Where necessary we may process:

  • health or accessibility information
  • dietary or religious preferences
  • biometric access credentials used solely for secure access control

Such data is processed only where strictly necessary for service provision, legal compliance, or where voluntarily provided by the individual.

Biometric processing relies on:

  • GDPR Art.6(1)(a) consent
  • GDPR Art.9(2)(a) explicit consent

Biometric data, where implemented, is stored in encrypted form and used solely for access authentication and not for identification, profiling, or surveillance purposes.

No facial recognition is used.

CCTV & Safety Monitoring

Video surveillance operates for safety, fraud prevention, and operational security.

4. Purposes and Legal Bases

Processing Purpose | Legal Basis
Managing reservations and guest stays | Performance of contract
Operational guest messaging (including WhatsApp pre-arrival coordination and service updates) | Contract performance
Promotional messaging and marketing | Consent
Identity verification, passport scanning, and regulatory guest registration required by local tourism or law-enforcement obligations | Legal obligation
Personalised services and analytics | Legitimate interests
Fraud prevention, cybersecurity and CCTV monitoring | Legitimate interests
Recruitment and candidate evaluation | Legitimate interests & pre-contract steps

Guest identification information may be transmitted to competent public authorities where required by applicable laws governing guest registration and security reporting.

Where processing is based on legitimate interests, FIVE undertakes balancing assessments to ensure such interests do not override individuals’ fundamental rights and freedoms.

5. Profiling and Personalisation

We may analyse booking history or preferences to personalise services and communications.
You may object to marketing profiling at any time.

Guests may opt out of promotional communications using unsubscribe options or consent tools available on our website.

6. Automated Decision-Making

FIVE does not carry out solely automated decisions producing legal or similarly significant effects. Human oversight remains in place.

7. Marketing Communications

We do not sell personal data for monetary consideration.

Marketing communications may be sent where permitted by applicable law, including on the basis of consent or, where appropriate, legitimate interests in relation to existing customer relationships.

Individuals may opt out of marketing communications at any time using unsubscribe options provided in communications or through the consent settings available on our website. Where consent is relied upon, you may withdraw consent at any time.

Where marketing activities involve third-party platforms (such as social media or advertising networks), those platforms may process personal data in accordance with their own privacy policies and may act as independent controllers for certain processing activities.

8. Data Retention

Data Type | Retention Period
Guest stay records | Up to 7 years
Payment data | Up to 7 years
CCTV footage | Up to 30 days
Website logs | Up to 90 days
Applicant data | Up to 12 months
Biometric credentials | Duration of authorised access only

9. Sharing and Processors

We may share personal data with service providers supporting our operations, including reservation platforms, enterprise systems, cloud hosting providers, payment processors, analytics providers, and marketing platforms.

All processors are contractually required to protect personal data.

10. International Data Transfers

Personal data may be transferred to:

  • EU / EEA
  • Switzerland
  • UAE
  • United States

Where required by applicable law, international transfers are supported by appropriate safeguards which may include:

  • Standard Contractual Clauses (SCCs)
  • Swiss-adapted SCCs or FDPIC adequacy decisions
  • EU-U.S. Data Privacy Framework (DPF) where providers are certified

11. Cookies and Tracking

Please refer to our Cookie Policy for detailed information.

12. Data Security

FIVE implements reasonable technical and organisational measures intended to protect personal data; however, no system can guarantee absolute security. Security measures are regularly reviewed.

13. Data Breaches

Where required by law, FIVE notifies regulators and affected individuals under GDPR, UAE PDPL, DIFC DP Law, Swiss revFADP, and U.S. state breach laws.

14. Your Privacy Rights

Right EU GDPR UAE PDPL Swiss revFADP U.S.
Access
Rectification
Erasure Partial
Restriction
Portability Limited Limited
Object to profiling
Withdraw consent

Contact: dpo@fiveglobalholdings.com

15. Authorities and Complaints

You may contact:

  • UAE Data Office
  • DIFC Commissioner of Data Protection
  • Agencia Española de Protección de Datos (Spain)
  • Swiss FDPIC
  • Relevant EU supervisory authority
  • U.S. residents may contact the New York Attorney General regarding SHIELD Act breach rights.

16. Social Media Joint Controllers

Where social media integrations or advertising pixels are used, FIVE determines marketing purposes and acts as the primary contact for rights requests.

17. Third-party Websites


This Privacy Notice does not apply to third-party websites or platforms linked from our services. FIVE is not responsible for the privacy practices or content of such third parties.

18. Children’s Privacy

Services are not directed to children under 18 except where bookings are made by a parent or guardian.

19. Updates

Version 2.0 — March 2026

20. Contact

Data Protection Officer
FIVE Hotels & Resorts
PO Box 6438, Palm Jumeirah
Dubai, UAE

dpo@fiveglobalholdings.com

Term | Definition
Data Processor | An entity (such as an external party, including without limitation contractor employees, vendors and service providers) that processes data on behalf of an organization.
Controller | Any person who alone or jointly with others determines the purposes and means of the Processing of Personal Information.
Access | The ability to use, modify or manipulate an information resource or to gain entry to a physical area or location.
Anonymize | Processing of Personal Information in such a manner that a natural person cannot be identified on the basis of the output of Processing of data or information.
Data Subject | A living individual about whom Personal Information is processed by or on behalf of FIVE (includes Customers, Guests, Employees, Vendors, etc.).
Privacy by design | An approach to systems engineering that seeks to ensure protection for the privacy of individuals by integrating considerations of privacy issues from the very beginning of the development of products, services, business practices, and physical infrastructures.
Information security | Preservation of confidentiality, integrity, and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
Statistical Purposes | Any operation of collection and processing of personal data necessary for statistical surveys or to produce statistical results. Those statistical results may further be used for different purposes, including a scientific research purpose.
High-Risk Processing Activities | Processing of Personal Information where one or more of the following applies:

(a) Processing that includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a Data Subject or renders it more difficult for a Data Subject to exercise his rights;

(b) a considerable amount of Personal Information will be Processed (including staff and contractor Personal information) and where such Processing is likely to result in a high risk to the Data Subject, including due to the sensitivity of the Personal Information or risks relating to the security, integrity or privacy of the personal information;

(c) the Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated Processing, including Profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or

(d) a material amount of Special Categories of Personal Information is to be Processed.

Processing | To Process or Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, irrespective of the equipment and procedures used, including:

  • collection, storage and archiving of the information or data
  • organization, adaptation or alteration of the information or data
  • retrieval, consultation or use of the information or data
  • disclosure of the information or data, dissemination or otherwise making available
  • communication of the information or data
  • erasure or destruction of the information or data.
Record of Processing Activities (ROPA) | A record of an organization’s processing activities involving personal data.
Sub-Processor | A third-party data processor engaged by a Data Processor who has or will have access to or process personal data from a Data Controller.
Personal Information | Any type of information related to identified or identifiable individuals, or information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Sensitive Personal Information or Special categories of personal information | EU General Data Protection Regulation (GDPR)

Sensitive Personal Information means Personal Information consisting of information as to:

  • the racial or ethnic origin of the Data Subject,
  • his political opinions,
  • his religious beliefs or other beliefs of a similar nature,
  • whether he is a member of a trade union,
  • genetic and biometric data of a Data Subject
  • his physical or mental health or condition,
  • his sexual life or sexual orientation.