In compliance with the provisions of the Federal Law on Protection of Personal Data Held by Private Parties ("LFPD"), its regulations and the rest of its legislation applicable to the processing of personal data, we make this Full Privacy Notice available to you, in order to inform you about the terms under which we will process your personal data, identifying the entity responsible for your information, the purposes related to obtaining, using and safeguarding of your personal data, the third parties to whom they will be transferred or may be transferred, the mechanisms so that you can exercise your rights, among other information that will allow you to make informed decisions about the use of personal data that you provide to Data Controller when you make reservations for tourist services through the means enabled for such purposes.
Identity and address of Data Controller
Controladora IHC, S.A. de C.V. (hereinafter commonly referred to as "Data Controller"), is the data controller for your personal data. Data Controller designates the address located at: Carretera Cancún Puerto Morelos km 21, Manzana 01, Lote 1 – 11, Edificio A, Supermanzana 47, Municipio Benito Juárez, Cancún, Quintana Roo, C.P. 77506.
Personal data that will be processed by Data Controller
In order to fulfill the purposes described in this Privacy Notice, Data Controller processes the following categories of personal data:
- Identification and contact data.
- Personal characteristics data.
- Financial and patrimony data.
- Browsing data and electronic devices, such as IP address, geographical location, type of browser, type of operating system and web pages visited.
- Sensitive data (health status).
Data Controller does not directly collect personal data from minors and they must refrain from providing them to Data Controller. Data Controller will only process personal data of minors provided by their parents and / or legal guardians, with the consent of the latter in all cases, when the processing of this information is necessary for the fulfillment of the primary purposes described in this Privacy Notice.
Parents and / or legal guardians may exercise the ARCO rights provided by the LFPD at any time or revoke the consent for the processing of personal data of minors that they may have provided for any purpose related to the booked services.
The personal data of third parties that you provide to Data Controller for the fulfillment of the identified purposes (for example, family data), must be after having been informed of the existence of the processing and the content of this Privacy Notice.
Processing of sensitive personal data
With the exception of the provisions below, Data Controller does not collect personal data considered sensitive by the applicable legislation, related to your health condition.
We may process sensitive personal data related to your health when you request and book special services or assistance for your stay at the reserved destination, which require knowing your health condition or specific measures related to your health condition or that of your companions.
Before collecting your sensitive personal data, we will make physical or electronic means (such as check boxes) available to you so that you can clearly indicate that you agree that we process and transfer your sensitive data for the purposes that require so.
Purposes of the processing
Data Controller will process your personal data for the following primary purposes:
- Management and administration of reservations online or by phone.
- Provide assistance, deliver information and assist our clients in booking and contracting tourist services.
- Carry out validations on the veracity and quality of the information provided to Data Controller.
- Online payment processing and transaction clarifications.
- Creation, modification, updating and deletion of customer profiles of those who make reservations online or by phone.
- Management, control and administration of communications between you and Data Controller, of confirmations, updates or any type of incident related to your reservation.
- Invoicing of the services acquired through our online reservation means or by telephone, as well as debt collection even judicially or through third parties.
- Management of the customer service channel to register and provide follow-up to complaints, suggestions, doubts, clarifications or refunds.
- When appropriate, data analysis through the use of analytical technologies, artificial intelligence and / or big data, in order to evaluate the use of our online services, improve their performance and / or correct errors.
- To fulfill judicial and administrative obligations and requirements, including the delivery of information on fraud or identity theft.
- Information file on the use of our services for compliance with the applicable legal provisions, including the defense of Data Controller´s interests before judicial or administrative instances.
If you have not expressed your opposition when providing your personal data to Data Controller, we can process them for the following additional purposes:
- Sending communications about offers and new tourist products and / or services.
- Carrying out satisfaction surveys.
Before collecting your personal data, we will make physical or electronic means (such as check boxes) available to you so that you can clearly indicate that you do not want us to process your data for these additional purposes.
Please note that if you change your mind, you can oppose the processing of your personal data for the aforementioned additional purposes, and even revoke your consent for such purposes. In such cases, you can communicate your decision through the procedure provided in the "ARCO Rights" section of this Privacy Notice.
Transfer of personal data
Your personal data may be transferred within the national territory or abroad, to the following categories of recipients and for the purposes identified:
- Towards our parent company or holding companies, affiliates or subsidiaries that operate under the same internal processes and policies, for the purposes of management, administration and centralized safekeeping of information, management, control and administration of reservations, as well as for the statistics of our clients, with the aim of evaluating, improving and designing new services.
- Tourism service providers, to communicate and complete reservations and acquisition of services made through the means established by Data Controller.
- Online payment service providers or banking entities, to process payments and, where appropriate, make clarifications of transactions made through our reservation channels.
- Specialized service providers, when we carry out identity verifications or validations on the veracity and quality of the information provided to Data Controller.
- Collection companies, for the recovery of unpaid credits and their collection, even judicially or through third parties.
- Judicial or administrative authorities, for the fulfillment of legal information obligations or duly founded and motivated information requirements.
- Business partners, to promote and / or sponsor products, services and special offers.
The LFPD establishes that the data transfers described in paragraphs 1 to 6 do not require your consent in order to be carried out. Any transfer of your personal data that requires your consent will be previously informed, through the communication and / or update of this Privacy Notice and prior to the completion of that data communication.
The knowledge and acceptance of this Privacy Notice through the electronic means that Data Controller uses to collect personal data, in particular through the booking engine used to make your reservation, implies your consent to carry out the transfer of your personal data towards "Business partners".
You can communicate to Data Controller, at any time, your desire to revoke the consent for the future transfer of your personal data.
Exercise of ARCO rights
In all those legally applicable cases, you can exercise your rights to Access, Rectification, Cancellation and Opposition (ARCO Rights), through the procedures that we have implemented.
To exercise any of your ARCO Rights, you must submit a request to our Data Protection Officer, through any of the following means:
- By sending an email to the following contact: firstname.lastname@example.org, indicating as subject “ARCO Rights” or “Revocation of Consent”.
- By sending a duly signed request to the following address: Carretera Cancún Puerto Morelos km 21, Manzana 01, Lote 1 – 11, Edificio A, Supermanzana 47, Municipio Benito Juárez, Cancún, Quintana Roo, C.P. 77506.
The request must contain or be accompanied by:
- Your name and address or other means to reply to your request,
- Copy of a document proving your identity and, where appropriate, legal representation if someone exercises the right on your behalf,
- A clear and precise description of the personal data related to your request, and
- Any other element or document that facilitates the location of your personal data.
Data Controler will respond to your request within 20 (twenty) business days after the date it is sent. If your request is appropriate, we will make it effective within 15 (fifteen) business days following the date on which we reply. If your request is incomplete or incorrect, we will ask you to correct it, with 10 (ten) business days to do so. The use of electronic means authorizes Data Controller to attend to your request by the same means, unless you indicate another means of contact you in your request.
The right of cancellation is not absolute. Please take into account that Data Controller must keep information to comply with various legal obligations and that to do so we may share data with other companies, entities or organizations. In such cases, the right of cancellation may have to be requested to the entity that received the personal data.
It will be your responsibility to keep your personal data in the possession of Data Controller updated. Therefore, you must guarantee and respond, in any case, to the veracity, accuracy, validity and authenticity of the personal data provided, and you agree to keep them duly updated, by communicating any changes to Data Controller.
Revocation of consent and limitation of the use of your personal data
You may revoke your consent to the processing of your personal data, without retroactive effect, in all those cases in which said revocation does not imply the impossibility of fulfilling obligations derived from a legal relationship in force between you and Data Controller. The procedure for revocation of consent, where appropriate, will be the same as that established in the immediately preceding section for the exercise of ARCO Rights.
You can limit the use or disclosure of your personal data by addressing the corresponding request to our Data Protection Officer. The requirements to prove your identity, as well as the procedure to meet your request, will be the same as those indicated for the exercise of ARCO rights.
Data Controller has the means and procedures to ensure the inclusion of some of your data in exclusion lists, when you expressly request the inclusion of them. Data Controller will grant Data Owners who request their registration, the corresponding registration proof.
Automatic means to collect personal data
Cookies have an expiration date, which can range from the duration of the session or visit to the website to a specific date after which they stop to be operational. Most of the cookies used by Data Controller are associated only with an anonymous user and his computer equipment, they do not provide references that allow the user's name and surnames to be deduced, they cannot read data from their hard drive or include viruses in your texts.
We can also collect information using "web beacons", "pixe tags", "clear gifs" or similar means (generically "web beacons") that allow us to obtain non-personal or aggregated information, such as domain names, website areas that you visit, your operating system, the version of the operating system that you use, the version of the browser and the URL prior to your visit. This information is used to improve your experience on the site and to understand traffic patterns.
You can configure your browser to automatically accept or reject all cookies or to receive an on-screen warning about the reception of each cookie and decide at that time whether or not to install them on your hard drive. We suggest you consult the help section of your browser to find out how to change the cookies acceptance or rejection settings. Even when you configure your browser to reject all cookies or expressly reject the cookies from our booking engine, you can continue browsing the website, but it is not possible to guarantee in these cases that you can complement your reservation process. In any case, you can delete the cookies from our booking engine implanted in your hard drive, at any time, following the procedure established in the help section of your browser.
Amendments or updates to this Full Privacy Notice
Data Controller may amend, update, extend or in any other way change the content and scope of this Full Privacy Notice, at any time and in its complete discretion. In such cases Data Controller will publish said changes on the website that hosts our booking engine.
Amendments to this Privacy Notice may also be communicated via email, when said mean has been established as a channel of communication between you and Data Controller, during the validity of a legal relationship.
August 1st, 2020.