Privacy Policy: Your Data Security at Playa Pacha

‍

Your Privacy Matters

This Privacy Notice explains how FIVE Hotels & Resorts (“FIVE”, “we”, “us”, “our”) collects and uses personal data of guests, website visitors, applicants, and other individuals interacting with our services.

This notice has been prepared in accordance with:

EU General Data Protection Regulation (GDPR)
UAE Federal Decree-Law No.45 of 2021 (UAE PDPL)
Dubai International Financial Centre Data Protection Law No.5 of 2020 (DIFC DP Law)
Swiss Federal Act on Data Protection (revFADP)
Applicable U.S. state laws including the New York SHIELD Act

FIVE acts as a data controller and is accountable to relevant supervisory authorities depending on jurisdiction.

Where personal data is collected or processed by third-party platforms or partners, such parties may act as independent controllers for their respective processing activities.

1. Data Controllers

UAE Properties

FIVE Hotel FZE
PO Box 6438, Palm Jumeirah
Dubai, United Arab Emirates

Spain / EU

UNIVERSO PACHA, S.A. (Data Controller)
Avenida Ocho de Agosto 27, 07800,
Ibiza, Spain
N.I.F.: A-87.753.935
lopd@pacha.com

Switzerland

FIVE Zurich AG
Pfingstweidstrasse 102
8005 Zurich, Switzerland

Swiss Data Protection Advisor (revFADP Art.10):
dpo@fiveglobalholdings.com

Group Data Protection Officer

dpo@fiveglobalholdings.com

‍

2. How We Collect Personal Data

2.1 Data Collected Directly (GDPR Art.13)

We collect personal data when you:

make reservations or stay with us
use our website
communicate with our teams
subscribe to marketing communications
apply for employment

‍

2.2 Data Obtained Indirectly (GDPR Art.14)

We may receive personal data from:

online travel agencies (e.g., Booking.com, Agoda)
restaurant reservation platforms
event ticketing providers
travel agents or corporate partners
social media platforms

Where bookings are made through online travel agencies or reservation platforms, personal data is provided to FIVE by those platforms in accordance with the booking arrangement.

‍

3. Categories of Personal Data

Identity & Contact Data
Booking & Stay Information
Financial Data
Website & Technical Data
Communications Data
Recruitment Data

Special Categories

Where necessary we may process:

health or accessibility information
dietary or religious preferences
biometric access credentials used solely for secure access control

Such data is processed only where strictly necessary for service provision, legal compliance, or where voluntarily provided by the individual.

Biometric processing relies on:

GDPR Art.6(1)(a) consent
GDPR Art.9(2)(a) explicit consent

Biometric data, where implemented, is stored in encrypted form and used solely for access authentication and not for identification, profiling, or surveillance purposes.

No facial recognition is used.

CCTV & Safety Monitoring

Video surveillance operates for safety, fraud prevention, and operational security.

‍

4. Purposes and Legal Bases

Processing Purpose	Legal Basis
Managing reservations and guest stays	Performance of contract
Operational guest messaging (including WhatsApp pre-arrival coordination and service updates)	Contract performance
Promotional messaging and marketing	Consent
Identity verification, passport scanning, and regulatory guest registration required by local tourism or law-enforcement obligations	Legal obligation
Personalised services and analytics	Legitimate interests
Fraud prevention, cybersecurity and CCTV monitoring	Legitimate interests
Recruitment and candidate evaluation	Legitimate interests & pre-contract steps

‍

Guest identification information may be transmitted to competent public authorities where required by applicable laws governing guest registration and security reporting.

Where processing is based on legitimate interests, FIVE undertakes balancing assessments to ensure such interests do not override individuals’ fundamental rights and freedoms.

5. Profiling and Personalisation

We may analyse booking history or preferences to personalise services and communications.
You may object to marketing profiling at any time.

Guests may opt out of promotional communications using unsubscribe options or consent tools available on our website.

‍

6. Automated Decision-Making

FIVE does not carry out solely automated decisions producing legal or similarly significant effects. Human oversight remains in place.

‍

7. Marketing Communications

We do not sell personal data for monetary consideration.

Marketing communications may be sent where permitted by applicable law, including on the basis of consent or, where appropriate, legitimate interests in relation to existing customer relationships.

Individuals may opt out of marketing communications at any time using unsubscribe options provided in communications or through the consent settings available on our website. Where consent is relied upon, you may withdraw consent at any time.

Where marketing activities involve third-party platforms (such as social media or advertising networks), those platforms may process personal data in accordance with their own privacy policies and may act as independent controllers for certain processing activities.

‍

8. Data Retention

Data Type	Retention Period
Guest stay records	Up to 7 years
Payment data	Up to 7 years
CCTV footage	Up to 30 days
Website logs	Up to 90 days
Applicant data	Up to 12 months
Biometric credentials	Duration of authorised access only

‍

9. Sharing and Processors

We may share personal data with service providers supporting our operations, including reservation platforms, enterprise systems, cloud hosting providers, payment processors, analytics providers, and marketing platforms.

All processors are contractually required to protect personal data.

‍

10. International Data Transfers

Personal data may be transferred to:

EU / EEA
Switzerland
UAE
United States

Where required by applicable law, international transfers are supported by appropriate safeguards which may include:

Standard Contractual Clauses (SCCs)
Swiss-adapted SCCs or FDPIC adequacy decisions
EU-U.S. Data Privacy Framework (DPF) where providers are certified

‍

11. Cookies and Tracking

Please refer to our Cookie Policy for detailed information.

‍

12. Data Security

FIVE implements reasonable technical and organisational measures intended to protect personal data, however no system can guarantee absolute security. Security measures are regularly reviewed.

‍

13. Data Breaches

Where required by law, FIVE notifies regulators and affected individuals under GDPR, UAE PDPL, DIFC DP Law, Swiss revFADP, and U.S. state breach laws.

‍

14. Your Privacy Rights

Right	EU GDPR	UAE PDPL	Swiss revFADP	U.S.
Access	✔	✔	✔	✔
Rectification	✔	✔	✔	✔
Erasure	✔	✔	✔	Partial
Restriction	✔	—	✔	—
Portability	✔	Limited	Limited	—
Object to profiling	✔	✔	✔	—
Withdraw consent	✔	✔	✔	✔

‍

Contact: dpo@fiveglobalholdings.com

‍

15. Authorities and Complaints

You may contact:

UAE Data Office
DIFC Commissioner of Data Protection
Agencia Española de Protección de Datos (Spain)
Swiss FDPIC
Relevant EU supervisory authority
U.S. residents may contact the New York Attorney General regarding SHIELD Act breach rights.

‍

16. Social Media Joint Controllers

Where social media integrations or advertising pixels are used, FIVE determines marketing purposes and acts as the primary contact for rights requests.

‍

17. Third-party Websites

‍
This Privacy Notice does not apply to third-party websites or platforms linked from our services. FIVE is not responsible for the privacy practices or content of such third parties.