NOBU HOTEL PRIVACY STATEMENT

Updated on March 2022

At Nobu, we take your privacy very seriously and we are committed to protecting your personal information.

This privacy statement describes how we collect, use, protect and share personal information we collect from you, or that you provide to us when you visit our hotels, use our website (https://www.nobuhotels.com/) (the “Website”) or the Nobu mobile app (the “App”), that link to this Privacy Statement.

and otherwise interact with us.

If you wish to contact us regarding this privacy statement, we may be reached at [email protected].

Please read the following carefully to understand our views and practices regarding your personal information and how we will treat it.

ABOUT NOBU AND THE NOBU FAMILY

The Nobu companies worldwide are described further below. This privacy statement applies to handling of personal information by each Nobu Hotel worldwide, as run by any company within the Nobu Family (“Nobu” / “we” / “our” / “us”).

The Nobu company within the Nobu Family to which you supplied your personal information will be your point of contact for data processing and marketing activities undertaken by it and, if applicable, any other member of the Nobu Family.

There will typically be one member of the Nobu Family to whom you have given your personal information. This entity would be a “data controller” in relation to your personal

information. The term “data controller” broadly means the person or entity who determines the purpose and means for which your data is processed. It is possible that you have given your data directly to more than one member of the Nobu Family, in which case each such member could be a data controller of your data in that context. The Nobu Family also has a shared customer database and may have shared customer relationship initiatives across the Nobu Family.

This privacy statement does not apply to the processing of your data by the operator of our mobile app to the extent that such operator is using the data for its own purposes as a data controller.

INFORMATION WE COLLECT AND PROCESS

We may collect one or more of the following categories of personal information about you when you when you (i) visit our hotels, (ii) use our Website or our App, or (iii) through wireless/wi-fi connectivity that may be offered at our properties (“Wi-Fi Access”), and through social media channels that we control (“Social Media Channels,” collectively with Websites, Wi-Fi Access and Apps, the “Services”) that link to this Privacy Statement.

Categories of Personal Information Collected

Specific Pieces of Personal Information

Source of Personal Information

Business Purpose for Collection of Personal Information

Identifiers

Your name, address, phone number, email address,

details, details of any allergies and dietary requirements (including any dietary or access assistance requirements you may provide).

Information you give us, your reservation details, your profile details, information from third parties, including social media, delivery or reservation providers.

To process any reservations or bookings for private events, to collect payments, and provide our services, for legal and/or regulatory requirements.

Financial Information

Your name, bank details, credit card and/or debit card details.

Information you give us, your reservation details, your profile details, information from third parties, including delivery or reservation providers.

To provide you with our services, to collect payments, and for legal and/or regulatory requirements.

Internet, Computer, or Other Similar Networking

Technical information, including the type of device (and its unique device identifier) you use to access the Online Services, the Internet protocol (IP) address used to connect your device to the Internet, your unique device identifier (UDID) or mobile equipment identifier (MEID) for your mobile device, your device and component serial

numbers, your login

Information you give to us or that is collected automatically through our cookies or other tracking technologies.

To provide you with our services, to enhance our Online Services, for legal and/or regulatory requirements.

information, browser type and version, time zone setting, browser plug in types and versions, operating systems, mobile network information and platform and details of any referring website or application; and Information about your visit to the Online Services including full Uniform Resource Locators (URL), clickstream to, through and from the Online Services (including date and time), pages you viewed, page response time, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.

RATIONALE FOR PROCESSING PERSONAL INFORMATION

We process personal information as necessary for us:

  • To provide our services to our customers;
  • To fulfill our legitimate interests, including to allow us to understand our customers better, ensure our offerings are updated and relevant, and to develop our business and inform our marketing strategy;
  • To inform you of our services and other relevant information; and
  • For other purposes with notice to you and with you consent, where necessary.To the extent we rely on our legitimate interests as a legal basis for processing personal information, we have considered the balance between our own interests (among other things, the lawful and efficient operation of our services) and your interests and we believe that (i) you would reasonably expect us to carry out the kind of processing referenced above and (ii) such processing will not cause you any harm and/or will not seriously impact your rights and freedoms with regards to data privacy. You have the right to withdraw any consent given to us for the processing of your personal information at any time.

    COOKIES AND OTHER TECHNOLOGIES

    A “cookie” is a small text file that is placed onto an Internet user’s web browser or device and is used to remember and/or obtain information about the user and a “web beacon” is a small object or image that is embedded into a web page, application, or email and is used to track activity, which are also sometimes referred to as pixels and tags.

    We use the following cookies:

  • Strictly necessary cookies. These are cookies that are required for the operation of the Website and the Online Services. They include, for example, cookies that enable you to log into the Online Services.
  • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the Website when they are using it. They also enable us to see how users use the Online Services. This helps us to improve the way the Website and the Online Services work.
  • Functionality cookies. These are used to recognize you when you return to the Online Services. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
  • Targeting cookies. These cookies record your visit to the Website or the Online Services, the pages you have visited and the links you have. We will use this information to make the website and the advertising displayed on it more relevant to your interests.You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

    Cookie

    Type of Use

    How it’s used

    PHPSES SID

    Strictly necessary

    Created by backend PHP language to keep track of information traveling between pages. It is a random

    generated number. It does not keep any specific information of the user (https://cookiepedia.co.uk/cookies/PHPSESSID)

       cfduid

    Strictly necessary

    Set by the CloudFlare service to identify trusted web traffic. It does not correspond to any user id in the web application, nor does the cookie store any personally identifiable information. (https://support.cloudflare.com/hc/en- us/articles/200170156-What-does-the-CloudFlare-cfduid- cookie-do-)

    _ga &

    _gid

    Analytical/perfor mance cookies

    Google Analytics. In order for Google Analytics to determine that two distinct hits belong to the same user, a unique identifier, associated with that particular user, must be sent with each hit. (https://developers.google.com/analytics/devguides/collectio n/analyticsjs/cookies-user-id)

    You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of the Online Services.

    For more detailed information about cookies and how they can be managed and deleted, please visit www.allaboutcookies.org.

    MARKETING AND YOUR CHOICES

    We will, if you have given us your consent and in line with your choices, provide you with information by post, telephone, email and SMS, which may be of interest to you in respect of the Nobu hotels.

    We will only provide you with marketing communications if you would like us to. You will have the opportunity to clearly set out whether you wish to receive marketing messages from us by ticking the relevant boxes.

    PERSONAL INFORMATION OF CHILDREN

    We do not knowingly collect information from children under the age of 13 through our Website or App. If you are under 13, please do not give us any personal information. We encourage parents and legal guardians to monitor their children’s internet usage to help enforce this Privacy Statement by instructing their children never to provide us personal information. If you become aware that your child or any child under your care has provided us with information without your consent, please email us at [email protected] and we will endeavor to delete that personal information from our databases

    DISCLOSURE OF YOUR PERSONAL INFORMATION

    We do not sell your personal information.

    We may share your personal information with selected third parties in accordance with this privacy statement, with the following categories of recipients:

  • Our business partners, including our partners within the Nobu Family, social media companies (if you use your account with them to sign up or sign in with us); professional advisers, including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
  • In the event of an acquisition or merger, with third parties, who acquire us or substantially all of our assets, in which case your personal information (including any sensitive personal information) will be one of the transferred assets (however, we will let you know before this happens).
  • Our service providers (for example, IT services or CRM services); suppliers and sub- contractors for the performance of any contract we enter into with you or for marketing communications; and other vendors who provide services to us, such as fulfilling orders, providing data processing and other information technology services, managing promotions, carrying out research and analysis, and personalizing individual Nobu customer experiences; and with analytics and search engine providers that assist us in the improvement and optimization of the Website and the Online Services.
  • Legal & Regulatory Authorities, including government or other law enforcement agencies, in connection with the investigation of unlawful activities or for other legal reasons (this may include your location information).

    WHERE WE STORE YOUR PERSONAL INFORMATION

    We may transfer your personal information to a third party that is located in a jurisdiction other than the one form which we collected your personal information, including to countries that have not been deemed to have an adequate level of protection for the rights and freedoms of data subjects. If we do transfer your personal information to another jurisdiction, we will do so following due diligence and provided that the data recipient is subject to contractual agreements imposing obligations on it to ensure appropriate technical and organizational measures are implemented and maintained at all times to prevent from unauthorized and unlawful processing of personal information, consistent with our obligations under applicable data protection laws.

    INFORMATION SECURITY

    We are committed to taking appropriate measures designed to keep your personal information secure. Our technical and organizational procedures are designed to protect your personal information from accidental, unlawful or unauthorized loss, access, disclosure, use, alteration, or destruction. While we make efforts to protect our information systems, no website, mobile application, computer system, or transmission of information over the Internet or any other public network can be guaranteed to be 100% secure. Once we have received your personal information, we will use strict procedures and security features to try to prevent unauthorized access or inadvertent disclosure.

    Where we have given you (or where you have chosen) a password which enables you to access the Online Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

    RETAINING PERSONAL INFORMATION

    We will only keep your information for the length of time needed to carry out the purposes outlined in this privacy statement and for the purposes of satisfying any legal, accounting or reporting requirements.

    To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

    In some circumstances, we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

    Even if you request that we erase your data, we may still need to keep it (please see below) or may keep it in a form that does not identify you.

    If you have not agreed that we may use your personal information for marketing purposes, we will keep it for a period of 6 years after you have attended one of our hotels or last used the Online Services, whichever is longer.

    YOUR CHOICES & RIGHTS

    Depending upon where you reside, certain choices and rights may be available to you under applicable data protection laws, including the right to request access to your personal information or to request to have your personal information deleted. If you have questions about what rights may apply to you, please contact us at [email protected].

    Do Not Track: Our websites and apps are not designed to respond to “do not track” requests from browsers.

    “Shine the Light” and “Eraser” Laws: Residents of the State of California may request a list of all third parties to which we have disclosed certain information during the preceding year for those third parties’ direct marketing purposes.

    For California Residents:

    The CCPA provides California residents and/or their authorized agents with specific rights regarding the collection and storage of their personal information.

    Your Right to Know: California residents have the right to request that we disclose the following information to you about our collection and use of your personal information over the past twelve (12) months. We may ask you to provide certain information to identify yourself so that

    we may compare it with our records in order to verify your request. Upon verification, we will disclose to you:

    1. The categories of personal information we have collected about you.
    2. The categories of sources for the personal information we have collected about you.
    3. The specific pieces of personal information we have collected about you.
    4. Our business or commercial purpose for collecting or selling your personal information.
    5. The categories of third parties to whom we have sold or shared your personal information, if any, and the categories of personal information that we have shared with each third-party recipient.

    Your Right to Opt Out of Sale: California residents have the right to opt-out of the sale of their personal information by submitting a request as directed on the homepage of our website or by contacting us using the information in the “Contact Us” section below. Please note we do not sell your personal information.

    Please note that we do not knowingly sell the personal information of any individuals under the age of 16.

    Your Right to Delete: California residents have the right to request that we delete any of the personal information collected from you and retained by us, subject to certain exceptions. We may ask you to provide certain information to identify yourself so that we may compare it with our records in order to verify your request. Once your request is verified and we have determined that we are required to delete the requested personal information in accordance with the CCPA, we will delete, and direct our third-party service provides to delete, your personal information from their records. Your request to delete personal information that we have collected may be denied if we conclude it is necessary for us to retain such personal information under one or more of the exceptions listed in the CCPA.

    Non-Discrimination: You will not receive any discriminatory treatment by us for the exercise of your privacy rights conferred by the CCPA.

    Verifying Your Request: Only you, or a person that you authorize to act on your behalf, may make a request related to your personal information. In the case of access and deletion, your request must be verifiable before we can fulfill such request. Verifying your request will require you to provide sufficient information for us to reasonably verify that you are the person about whom we collected personal information or a person authorized to act on your behalf. We will only use the personal information that you have provided in a verifiable request in order to verify your request. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority. Please note that we may charge a reasonable fee or refuse to act on a request if such request is excessive, repetitive or manifestly unfounded.

    For Individuals Located in the European Economic Area (EEA), the United Kingdom (UK) or Switzerland:

    You have a number of rights under applicable data protection laws in relation to your personal information. Under certain circumstances, you have the right to:

  • Have access to your personal information by submitting a request to us;
  • Have your personal information deleted;
  • Have your personal information corrected if it if wrong;
  • Have the processing of your personal information restricted;
  • Object to further processing of your personal information, including to object to marketing from us;
  • Make a data portability request;
  • Withdraw any consent you have provided to us;
  • Restrict any automatic processing of your personal information; and
  • Complaint to the appropriate Supervisory Authority.

We may provide links to other websites or resources provided by third parties. These links are provided for your convenience only. We have no control over the contents of those websites or resources, and accept no responsibility for them or for any loss or damage that may arise from your use of them. If you decide to access any third-party links on the from this Website or App, you do so entirely at your own risk and subject to the terms and conditions of those websites.

CHANGES TO THIS PRIVACY STATEMENT

This privacy statement is in effect as of the date noted at the top of the statement. We may change this privacy statement from time to time. If we do, we will post the revised version here and change the “last updated date” (the date it applies from) at the top of the statement. You should check here regularly for the most up-to-date version of the statement. Continued use of the Online Services will signify that you agree to such changes, however, if we need to seek updated, additional or different consents from you, we will, of course, do so.

HOW TO CONTACT US

Questions, comments and requests regarding our privacy statement are welcome and should be addressed to:

Privacy at Nobu Nobu Hospitality

40 West 57th St, Suite 320 New York, NY 10019 [email protected]

Please also contact us if you would like to know more about our data processing activities, to update or amend any of your personal information which you have provided to us or if you believe our records relating to your personal information are incorrect. If you are located in the United Kingdom or European Economic Area and believe we have not adequately resolved any issues, you may contact the Supervisory Authority concerned.

 

Updated on March 2022.

Download here.