Privacy Policy

Effective on: October 12, 2023
Last updated on: October 12, 2023

Contact Information

Cendyn Group, LLC
Address: 980 N. Federal Highway, 2nd Floor, Boca Raton, FL 33432, USA
Phone number: 1-800-760-8152
Email address: dpo@cendyn.com
Contact details of our Data Protection Officer: click here.
Identity and contact details of the Representative in the EU: click here.
Identity and contact details of the Representative in the UK: click here.

General Information

Do we collect Personal Data?
YES. Some categories include identifiers, internet or other similar network activity, commercial information and professional information.
Click here to know which categories of Personal Data we collect and how we obtain them.

Do we sell Personal Data?
YES (but this is limited to our use of third-party advertising cookies on our website, please click here for more information on this). Click here for instructions on how to opt out of the use of cookies that constitute a sale of your Personal Data.

Tracking

Do we use cookies or similar tracking technologies on our websites?
YES. Click here to read more about our use of cookies.

Privacy Rights

Can you request to receive a copy of the Personal Data we have collected about you?
YES. Click here to learn how.

Can you withdraw your consent to our processing of your Personal Data?
YES. Click here to learn how.

Can you request to have your data deleted?
YES. Click here to learn how.

Can you request not to have your data sold?
YES. Click here to learn how to opt-out of the sale of your personal information.

Do we discriminate you for exercising your privacy rights?
NO. Click here to learn more about your right not to be discriminated.

Do we offer you financial incentives for your Personal Data?
NO.

Security

Do we protect your Personal Data?
YES. Click here to learn more about how we protect your Personal Data.

Have we been audited by a professional third party?
YES. Cendyn has been audited against the requirements of SOC 2 Type II and PCI DSS for the appropriate applications.

Introduction

Cendyn Group, LLC and all affiliates listed below under “Entities Covered by This Privacy Notice” (collectively, “Cendyn”, “we”, “us”, “our”) take the protection of personal data (“Personal Data”) very seriously. Please read this privacy notice (the “Notice”) to learn what we are doing with your Personal Data, how we protect it, and what privacy rights you may have under applicable data protection and privacy laws, such as the European Union General Data Protection Regulation and the UK General Data Protection Regulation (“GDPR”), the Canada Personal Information Protection and Electronic Documents Act, 2000 and the California Consumer Privacy Act of 2018 (“CCPA”).

What Is Covered by this Privacy Notice?

This Notice addresses data subjects (which includes both individuals and households) whose Personal Data we:

• receive directly through our website(s);
• receive from our business partners; or
• process to promote our products and services.

What Is Not Covered by this Privacy Notice?

Human Resources Personal Data

This Notice does not apply to the Personal Data of employees, job applicants, contractors, business owners, directors, officers, and other staff of Cendyn.

Information Which Does Not Constitute Personal Data

If we do not maintain information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household, such information is not considered Personal Data and this Policy will not apply to our processing of that information.

Information That We Process on Behalf of Our Customers

This Notice does not address Personal Data we may receive from our customers (“Customers”) in our web-based software applications (collectively, the “Services”). In these cases, we do not decide why or how that Personal Data will be processed. Our Customers use our Services to store and process their own customers’ Personal Data. In these cases, we act only as a storage and service provider. We do not decide what Personal Data is being stored, and in general we will only access such Personal Data at our Customer’s request in connection with Customer support or account administration matters. We will only access Personal Data to provide the services that our Customers have directed us to provide, or if we are required to do so by law.

When you give your data to one of our Customers or when we collect your Personal Data on their behalf, our Customer’s privacy notice, rather than this Notice, will apply to our processing of your Personal Data. If you have a direct relationship with one of our Customers, please contact them to exercise your privacy rights.

What Can You Find in this Notice?

This Notice tells you, among other things:

• What Personal Data we collect about you and how we obtain it;
• The lawful bases for processing your Personal Data;
• For what purposes we use that Personal Data;
• How long we keep your Personal Data;
• With whom we share your Personal Data;
• Your rights about the Personal Data we collect about you and how you can exercise those rights;
• How we protect your Personal Data; and
• How to contact us.

Our Role with Respect to Your Personal Data

Within the scope of this Notice, Cendyn acts as a data controller or “business” for the Personal Data we process. This means that we decide how and why Personal Data is collected and further processed.

Entities Covered by this Privacy Notice

This Notice covers Cendyn Group LLC and the following affiliate entities (the “Affiliates”):

• Guestfolio
• Central Dynamics LLC
• Cendyn UK Ltd
• Cendyn Buyer Corp
• HTH Germany GMBH
• HTH II Germany GMBH
• Cendyn Singapore
• Nextguest Inc.
• Serenata IntraWare GMBH
• Hospitality eBusiness Strategies, OU
• Serenata IntraWare, Inc
• Wihp SaS
• Push Technologies S.L.

Lawful Bases for Processing

We must have a valid reason to use your Personal Data. This is called the “lawful basis for processing”.

We may process your Personal Data based on:

• your consent;
• the need to perform a contract with you, such as to respond to your customer service requests and fulfilling your company’s order(s) or sending you updates on your company’s order(s) or purchases;
• our legitimate interests, such as our interest in operating, evaluating, and improving our business (including developing new products, managing communications, determining the effectiveness of our sales, marketing and advertising, and analyzing and enhancing our products and websites);
• the need to comply with the law; or
• any other ground, as required or permitted by law.

When we rely on legitimate interests as a lawful basis of processing, you have the right to ask us more about how we decided to choose this legal basis. To do so, please use the contact details provided here.

Where we process your Personal Data based on your consent, you may withdraw it at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect the validity of our processing of Personal Data performed on other lawful grounds.

Where we receive your Personal Data as part of providing our Services to you to fulfill a contract, we require such Personal Data to be able to carry out the contract. Without that necessary Personal Data, we will not be able to provide the Services to you.

What Personal Data We Process and How We Obtain It

The table below describes the categories of Personal Data we have collected about you in the last twelve months.

We will not collect additional categories of Personal Data without informing you. We do not collect sensitive Personal Data.

Cookies

A “cookie” is a small file stored on your device that contains information about your device. We may use cookies to provide basic relevant ads, website functionality, authentication (session management), usage analytics (web analytics), to remember your settings, and to generally improve our websites and Services.

We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but always have an expiration date. Most of the cookies placed on your device through our Services are first-party cookies which are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our Services. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.

If you would prefer not to accept cookies, you can change the setup of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all features of our Services. For more information, please visit https://www.aboutcookies.org/.

Our Website (www.cendyn.com) is set to respond to “Do Not Track” (“DNT”) and Global Privacy Control (“GPC”) signals received from web browsers.

For What Purposes Do We Use Your Personal Data?

We may process your Personal Data for the following purposes:

• communicating with you;
• responding to your customer service requests and processing tickets;
• fulfilling your company’s order(s) or sending you updates on your company’s order(s) or purchases;
• delivery and personalization of advertisements;
• maintaining records of products or Services purchased or considered;
• running our marketing campaigns;
• determining the effectiveness of our sales, marketing, and advertising efforts; and
• analyzing and enhancing our products and websites.

How Long We Keep Your Personal Data

We will retain your Personal Data for as long as is necessary to fulfil the purpose for which we collected your Personal Data and any other permitted linked purpose and in compliance with our data retention policies. For example, we will retain and use your Personal Data to the extent necessary to provide you Services, comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

Generally, we retain usage data for a shorter period, except when this data is used to strengthen the security or to improve the functionality of our Services, or we are legally obligated to retain this data for longer time periods.

If your Personal Data is used for more than one purpose, we will retain it until the purpose with the longest retention period expires; but we will stop using it for the purpose with a shorter retention period once that period expires. Our retention periods are also based on our business needs and good practice.

Sharing Personal Data with Third Parties

The following table describes, in the last twelve months, the categories of Personal Data we have disclosed to third parties for business purposes, and the categories of those third parties. The business purposes for which we use your Personal Data includes, but is not limited, to assessing and responding to your requests; sending you product updates; security, performing services, and operating, evaluating, and improving our Services (including developing new products, managing communications, determining the effectiveness of our sales, marketing, and advertising; and analyzing and enhancing our products and website/s).

The following table also describes the categories of Personal Data we “sell” or “share” (disclosing to another party for cross-context behavioral advertising) through cookies and other trackers to third parties, and the categories of those third parties (i.e. information we have disclosed to third parties for commercial purposes).

Some of these parties may be located outside of the European Union or the European Economic Area. However, when the Personal Data is protected by the GDPR, before transferring your Personal Data to these third parties, we will either ask for your explicit consent or require the third party to maintain at least the same level of privacy and security for your Personal Data that we do. We remain liable for the protection of your Personal Data that we transfer or have transferred to third parties through our designated data transfer mechanism, such as the Data Privacy Framework or Standard Contractual Clauses (“SCCs”) as approved by the European Commission under Article 46.2 of the GDPR, except to the extent that we are not responsible for the event that leads to any unauthorized or improper processing.

Other Disclosures of Your Personal Data

We may disclose your Personal Data to the extent required by law, or if we have a good-faith belief that we need to disclose it to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). If we must disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.

We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.

We reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.

What Privacy Rights Do You Have?

You have specific rights regarding your Personal Data that we collect and process. Please note that you can only exercise these rights with respect to Personal Data that we process about you when we act as a data controller or as a “business” under the CCPA. To exercise your rights with respect to information processed by us on behalf of one of our Customers, please read the privacy notice of that Customer.

In this section, we first describe those rights and then we explain how you can exercise those rights.

Right to Know What Happens to Your Personal Data

This is called the right to be informed. It means that you have the right to obtain from us all information regarding our data processing activities that concern you , such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things.

We are informing you of how we process your Personal Data with this Notice.

We will always try to inform you about how we process your Personal Data. However, if we do not collect the Personal Data directly from you, the GDPR exempts us from the obligation to inform you (i) when providing the information is either impossible or unreasonably expensive; (ii) the gathering and/or transmission is required by law, or if (iii) the Personal Data must remain confidential due to professional secrecy or other statutory secrecy obligations.

Right to Know What Personal Data Cendyn Has About You

This is called the right of access. This right allows you to ask for full details of the Personal Data we hold on you.

You have the right to obtain from us, including confirmation of whether we process Personal Data concerning you, and, where that is the case, a copy or access to the Personal Data and certain related information.

Once we receive and confirm that the request came from you or your authorized agent, we will disclose to you:

• The categories of your Personal Data that we process;
• The categories of sources for your Personal Data;
• Our business or commercial purposes for collecting, selling, sharing, or otherwise processing your Personal Data;
• Where possible, the retention period for your Personal Data, or, if not possible, the criteria used to determine the retention period;
• The categories of third parties with whom we share your Personal Data;
• If we conduct automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you;
• The specific pieces of Personal Data we process about you in an easily sharable format;
• If we sold or disclosed your Personal Data for a business purpose, the categories of Personal Data and categories of recipients of that Personal Data for both sale and disclosure;
• If we rely on legitimate interests as a lawful basis to process your Personal Data, the specific legitimate interests; and
• The appropriate safeguards used to transfer Personal Data from the EEA or the UK to a third country, if applicable.

Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.

We will not disclose Social Security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medical identification numbers, account passwords, or security questions and answers we may process, if any. We can inform you that we have this information generally, but we may not provide the specific numbers, passwords etc. to you for security and legal reasons.

Right to Change Your Personal Data

This is called the right to rectification. It gives you the right to ask us to correct without undue delay anything that you think is wrong with the Personal Data we have on file about you , and to complete any incomplete Personal Data.

If you have an account with us, you may correct, update, or rectify your personal information at any time by accessing your account and making changes. If you do not have an account with us or you cannot make the desired change for any reason, please contact us by using the contact details provided below.

Right to Delete Your Personal Data

This is called the right to erasure, right to deletion, or the right to be forgotten. This right means you can ask for your Personal Data to be deleted.

You may delete your personal information at any time by accessing your account and making changes. You can also contact us by using the contact details provided below.

Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason(s) for denying your deletion request.

Right to Ask Us to Limit How We Process Your Personal Data

This is called the right to restrict processing. It is the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.

Right to Ask Us to Stop Using Your Personal Data

This is called the right to object. This is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party). You may also object at any time to the processing of your Personal Data for direct marketing purposes.

We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.

If we have received your Personal Data in reliance on the Data Privacy Framework, you may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent to our sharing your Personal Data with third parties. You may also have the right to opt out if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized.

Right to Port or Move Your Personal Data

This is called the right to data portability. It is the right to ask for and receive a portable copy of your Personal Data that you have given us or that you have generated by using our services, so that you can:

• Move it;
• Copy it;
• Keep it for yourself; or
• Transfer it to another organization.

We will provide your Personal Data in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you a copy in electronic format.

Right Related to Automated Decision Making

We sometimes use computers to study your Personal Data. We might use this Personal Data to learn how you use our services. For decisions that may seriously affect you, you have the right not to be subject to automatic decision-making, including profiling. But in those cases, we will always explain to you when we might do this, why it is happening and the effect.

To turn off personalized advertising, please change your cookie settings by updating the setup of your browser to reject all or some cookies. You will still see advertising, but it will not be based on your activity on our website.

Right to Withdraw Your Consent

Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. If you withdraw your consent, our use of your Personal Data before you withdraw is still lawful.

If you have given consent for your details to be shared with a third party and wish to withdraw this consent, please also contact the relevant third party in order to change your preferences.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. Unless the applicable data protection laws allow it, we will not:

• Deny you goods or services;
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits or imposing penalties;
• Provide you a different level or quality of goods or services; or
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Your Right to Opt-Out of the Sale and Sharing of Personal Data

Cendyn generally does not directly sell your Personal Data in the conventional sense (for financial consideration). Like many companies, however, we use services that help deliver interest-based advertisements to you and that analyze our website traffic which may lead to the transfer of your Personal Data to other companies. Nevertheless, to the extent that making Personal Data (such as online identifiers or browsing activity) available to these companies may be considered a “sale” or “sharing” under the CCPA, you have the right to ask us not to sell or share your Personal Data that take place via cookies at any time. This is called the right to opt-out, and, if you want to exercise it, you can change the setup of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all features of our Services. For more information, please visit https://www.aboutcookies.org/.

Your Right to Opt-In to the Sale of Personal Data

If you have directed us not to sell your Personal Data, you can opt-in to the sale of your Personal Data at any time.

Individuals who opt-in to Personal Data sales may opt-out of future sales at any time.

How Can You Exercise Your Privacy Rights?

To exercise any of the rights described above, please submit a request by either:

1. Calling us at 800-656-9114;
2. Contacting us by postal mail to:
   Cendyn Group, LLC
   Attn: Chief Technology Officer
   980 N. Federal Highway, 2nd Floor, Boca Raton
   FL 33432
   USA

3. Contacting us by email at privacy@cendyn.com, legal@cendyn.com, or dpo@cendyn.com (preferred method);
4. Filling out this online form.

Verification of Your Identity

In order to correctly respond to your privacy rights requests (except requests to stop the sale of your Personal Data), we need to confirm that YOU made the request. Consequently, we may require more information to confirm that you are who you say you are, such as, your first name, last name, unique personal identifier, email address, account names, company name, and the specific products or services purchased, or used on behalf of the company you represent.

We will only use the Personal Data you give us in a request to verify your identity or authority to make the request.

Verification of Authority

If you are submitting a request on behalf of somebody else, which can be done by using any of the mechanisms listed above, we will need to verify your authority to act on behalf of that individual, except for requests made by an opt-out preference signal. When contacting us, please provide us with proof that the individual gave you signed permission to submit this request, such as, for example, a valid power of attorney to act on behalf of the individual. Alternatively, you may ask the individual to directly contact us by using the contact details above to verify their identity with Cendyn and confirm with us that they gave you permission to submit this request.

Response Timing and Format of Our Responses

We will confirm the receipt of your request within the time limits of applicable laws, normally within ten (10) business days, and, in that communication, we will also describe our identity verification process (if needed) and when you should expect a response, unless we have already granted or denied the request.

Please allow us up to a month to reply to your requests (except requests to stop selling your Personal Data) from the day we received your request. If we need more time [up to ninety (90) days in total], we will inform you of the reason why and the extension period in writing.

If we cannot satisfy a request, we will explain why in our response. For data portability requests, we will choose a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty.

Your requests to opt out from selling your Personal Data should be effective as soon as you change your cookie preferences by updating your browser settings.

We will not charge a fee for processing or responding to your requests. However, we may charge a fee if we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request.

Privacy of Children

The Services are not directed at, or intended for use by, children under the age of 16 and therefore we do not expect to be selling or “sharing” Personal Data of children.

Data Integrity & Security

We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect your Personal Data from unauthorized processing, including unauthorized access, exfiltration, theft, disclosure, alteration, or destruction. Some of those measures include encryption and redaction and we also have dedicated teams to look after information security and privacy. Although Cendyn will use reasonable efforts to secure our systems, we cannot guarantee that the information submitted to, maintained on, or transmitted from our systems will be completely secure.

Data Privacy Framework

For Personal Data processed in the scope of this Notice, Cendyn complies with the principles of the Data Privacy Framework (the “Data Privacy Framework”), as adopted and set forth by the U.S. Department of Commerce regarding the processing of Personal Data transferred under the Data Privacy Framework from the European Union and the European Economic Area, and Switzerland to the United States, or otherwise received in reliance on the Data Privacy Framework.

We adhere to the Data Privacy Framework and have certified to the Department of Commerce our commitment to comply with the Data Privacy Framework Principles.

To learn more about the Data Privacy Framework Principles, and to view our certification information, please visit https://www.dataprivacyframework.gov and https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000CpDAAA0&status=Active respectively.

Dispute Resolution

Where a privacy complaint or dispute relating to Personal Data received by Cendyn in reliance on the Data Privacy Framework (or any of its predecessors) cannot be resolved through our internal processes, we have agreed to participate in the TRUSTe Feedback and Resolution System. Subject to the terms of the TRUSTe Feedback and Resolution System, TRUSTe will provide appropriate recourse free of charge to you. To file a complaint with TRUSTe and participate in the TRUSTe Feedback and Resolution System, please submit the required information here: https://feedback-form.truste.com/watchdog/request

Binding Arbitration

If your dispute or complaint related to your Personal Data that we received in reliance on the Data Privacy Framework cannot be resolved by us, nor through the dispute resolution mechanism mentioned above, you may have the right to require that we enter into binding arbitration with you under the Data Privacy Framework “Recourse, Enforcement and Liability” Principle and Annex I of the Data Privacy Framework.

U.S. Regulatory Oversight

Cendyn is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

Right to Lodge a Complaint with a Supervisory Authority

If the GDPR applies to our processing of your Personal Data, you have the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your Personal Data.

Specifically, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or the alleged violation of the GDPR.

Changes to this Notice

If we make any material change to this Notice, we will post the revised Notice to this web page. We will also update the “Effective” date.

Contact Us

If you have any questions about this Notice or our processing of your Personal Data, or want to submit a verifiable consumer request, please write to dpo@cendyn.com, legal@cendyn.com, or privacy@cendyn.com or call at 1-800-656-9114 or by postal mail at:

Cendyn Group, LLC
Attn: Chief Technology Officer
980 N. Federal Highway, 2nd Floor, Boca Raton
FL 33432
USA

Please allow up to four (4) weeks for us to reply.

European Union Representative

We have appointed Serenata IntraWare GmbH as our representative in the EU for data protection matters. Serenata IntraWare GmbH contact details are:

Serenata IntraWare GmbH
Neumarkter
Straße 18
81673
Munich,
Germany

United Kingdom Representative

We have appointed Cendyn UK Limited as our representative in the UK for data protection matters. Cendyn UK Limited contact details are:

Cendyn UK Limited
Tindles Llp, Medway House Fudan Way, Thornaby, Stockton-On-Tees, England, TS17 6EN
United Kingdom

Data Protection Officer

We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:

VeraSafe LLC
100 M Street S.E., Suite 600
Washington, D.C.
20003
USA

Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/