Privacy Policy

1. INTRODUCTION

An entity of SAS CHG Participations, SAS Château Hôtel Grand Barrail ("we", "us", "our") offers its customers and prospective customers ("you", "your") hotel services, including hotel, restaurant, and spa services, as well as special offers, gift packs, and associated newsletters.

This Privacy Policy describes our practices for collecting, using and transferring your personal data for all our activities.

We are committed to protecting your data in accordance with the General Data Protection Regulation (2016/679) and the French Data Protection Act (78-17).

The data controller is SAS Hôtel Grand Barrail, an SNC registered with the Libourne Trade and Companies Register under SIREN number 503.714.222, whose address for all matters relating to personal data is 3343 Route de Libourne, 33330 Saint-Émilion.

The Data Controller's representative is the hotel's General Manager, Mr Benjamin Robic.

2. COLLECTION OF YOUR DATA

Your data and that of the persons accompanying you may be collected directly from you on the Château Hôtel Grand Barrail website (via information or reservation forms or cookies) or during your stay at the Château Hôtel Grand Barrail (form filled in, data provided verbally, etc.).

Due to the nature of the services offered, your data may be collected by other entities, mainly reservation sites, service providers, and platforms, for transmission to us. We may also collect data from affiliated entities, commercial partners, subcontractors, and service providers if their personal data protection policies permit. In any event, your data will not be collected from a publicly accessible source.

Given the above, the purpose of this Privacy Policy is to inform not only those whose data is collected directly but also those whose data is collected indirectly by and/or for Château Hôtel Grand Barrail, in accordance with Articles 13 and 14 of the General Data Protection Regulation (no 2016/679).

3. PERSONAL DATA WE PROCESS

"Personal Data" refers to information directly or indirectly identifying a natural person. This is the case for a surname or first name but also for the language selected on the site, the details of your reservation, your number plate, etc.

The term "purpose" refers to why we process your data.

The term "legal basis" refers to the legal basis on which your data is processed. All processing must have a legal basis to be lawful.

No data collected and processed by Château Hôtel Grand Barrail will be used for any other purpose than that indicated in the tables below.

Summary table of categories of data processed, purpose of processing and retention periods

Goals	Categories of data processed	Shelf Life
Video surveillance to protect the premises	Images and any data derived from them	Fifteen (15) days on the Château Hôtel Grand Barrail servers
Booking, supply and payment of services	Identification and contact details Bank details Health data	Ten (10) years from the date of the operation (billing data) The data required for payment is kept from the time the CB imprint is taken (where applicable) until actual payment and may be kept for longer with the customer's consent. For the duration of the service, in particular spa or restaurant services, and retention of the health record for a period of 13 months, with the customer's consent.
Managing and sending a newsletter	Identification data, contact details, data relating to newsletter follow-up (e-mail opened, link clicked, etc.)	As long as the person is registered, with an annual purge of inactive persons Deletion from the active database on receipt of a withdrawal of consent or a request to that effect, retention for evidential purposes for five (5) years
Carrying out satisfaction surveys by sending out questionnaires	Identification and contact details Responses to questionnaires (pre- and post-stay)	This data is anonymised after processing by the service provider and before publication of the notice. Three (3) years from the last service or contact.
Claims management	Identification details, contact details, details of the stay, content of the complaint	While the application is being processed, then for a probationary period of five (5) years
Litigation management	Any data relevant to the dispute	At the latest until the corresponding action is time-barred Court decisions are kept indefinitely.
Digital marketing	Targeting criteria	The data is held by the marketing service providers (social networks and search engines) for the periods defined by each.
Management of the Data Controller's contractual partners	Professional identification data of partners' staff	Duration of contract with contracting partner, then five (5) years probationary period
Website management and operations	Mandatory connection data for the proper operation of the site and cookies	Thirteen (13) months maximum
Cookie management	Necessary cookie data, in particular: location, page tracking, links clicked, etc.	Six (6) months maximum
Communication management (social networks)	Any public data posted online by users of social networks, and/or messages exchanged with the Data Controller's accounts	Data held and stored by each social network, according to its own procedures
Drawing up a police form	Data required by Article R814-2 of the Code on the Entry and Residence of Foreigners and the Right of Asylum	Duration imposed by Article R814-3 of the Code on the Entry and Residence of Foreigners and the Right of Asylum (6 months)
General accounting	Items shown on invoices	Term imposed by Article L123-22 of the French Commercial Code (10 years)
Exercising your RGPD rights (listed below)	Identification and contact details, data relevant to processing the request	While the application is being processed, then five (5) years probationary period

Summary Table

Legal Basis	Associative Objectives	Details
Contractual performance	Booking, provision and payment of services Managing contractual partners	N/A
Legitimate interest	Video surveillance to protect the premises Wi-Fi connection provided throughout the premises Satisfaction survey Managing cookies that are necessary or exempt from consent Management of tracers and similar online tracking technologies (excluding cookies) Management of social networks Managing complaints and disputes Digital marketing	Safety of property and people Improving service by providing Internet access Seeking to improve service through feedback Proper operation of the site and audience measurement Management of external communications and personalised advertising Monitoring, researching and improving the customer experience Defending the Data Controller's interests in court Managing external marketing through targeted advertising
Consent	All health data, regardless of purpose Any banking data to be retained beyond the performance of the service, notwithstanding the purpose for which it was collected. Cookie management (not required) Managing and sending a newsletter	N/A
Legal obligation	General accounting Police file Keeping a single staff register Exercising the rights of individuals guaranteed by the RGPD	This includes billing data resulting from certain contractual performances.

We also recommend that you provide as little information as possible about people other than yourself or your health and theirs when browsing the site and, in general, during your stay.

4. COOKIES AND OTHER WEB TECHNOLOGIES

We collect data via cookies and other similar technologies (web beacons).

Cookies are small text files automatically copied to your computer or mobile device when you visit a website. They contain basic information about your use of the Internet. Your browser sends these cookies to our website each time you visit it so that your computer or mobile device is recognised and your browsing experience is personalised and enhanced.

Some cookies are "necessary," meaning that without them, the website cannot function and display on your terminal.

The others are said to be "unnecessary" and are intended to establish traffic statistics, personalise and improve your browsing experience, and target the advertising you see. They will only be stored on your browser if you expressly accept them.

You can control your consent to unnecessary cookies by clicking on the drop-down banner displayed on your first visit to the site and then at any time by clicking on the "Cookie settings" bar displayed in the bottom right-hand corner of your screen when browsing our site.

The drop-down menu's "Configure your choices" and "See partners" tabs contain lists of cookies and tracers, their purposes, and the partners installing them.

In addition, our website may contain links to third-party websites, applications and plug-ins. If you access other websites from links provided on our website, the operators of those websites may collect or share information about you. These operators will use this information in accordance with their privacy policy, which may differ from ours. We invite you to read these confidentiality policies and to contact these third parties directly if you have any questions about their practices.

5. THE SOURCE(S) TO WHICH YOUR DATA ARE SUBMITTED AND THE PERSONS TO WHOM THE DATA ARE SUBMITTED

When we do not collect your data directly, it is sent to us by our subcontractors and partners, i.e. mainly the booking platforms that offer our services: travel agencies, tour operators, online booking platforms, etc.

Within Château Hôtel Grand Barrail, your data is only accessible to persons who have a strict need to know. It may be shared with the following categories of recipients:

- Official bodies: to fulfil our legal obligations, your data may be transmitted to such bodies as:

Police services (e.g. video surveillance images handed over to a criminal investigation officer on request);

Legal bodies (example: all the information needed to defend the Château Hôtel Grand Barrail in court, such as the invoice and details of the stay);

Control bodies (e.g. invoicing information for statutory auditors).

- Website: your data may be shared with our service providers who operate our website (e.g. audience measurement) or enable us to offer our online services (e.g. automatic redirection to our online payment service provider).

- Satisfaction surveys and newsletters: your data may be passed on to our service providers offering these services.

6. DATA SECURITY AND INTERNATIONAL TRANSFERS

We have put in place technical and organisational measures appropriate to the sensitivity of the personal data to ensure the integrity and confidentiality of the data and to protect it against malicious intrusion, loss, alteration or disclosure to unauthorised third parties.

We conduct regular audits to check that data security rules are being applied correctly at an operational level.

To meet these commitments, our service providers and subcontractors are carefully selected and must provide a level of personal data protection equivalent to our own.

For example, our service provider Whip (the banner allowing you to make your choices about cookies) has been chosen because it anonymises the data collected by unnecessary cookies before passing it on to Google Analytics.

In this way, your data does not pass through the United States (a country considered not to offer a level of data protection equivalent to that of the EU).

Certain service providers transfer data outside the European Union to countries that are not subject to the European Commission's adequacy decisions, such as the United States.

In these cases, we only choose service providers who have adopted Standard Contractual Clauses (SCCs) or obtained certifications (e.g., Data Privacy Framework) to protect your data as effectively as possible.

We also put in place organisational measures to limit and secure data transfers as much as possible.

7. YOUR RIGHTS

Following data protection regulations, you have the following rights concerning your data:

- Rights of access, rectification and deletion;

- Right to limit processing;

- Right to object to processing;

- Right to the portability of your data;

- The right not to be subject to automated processing or profiling. However, none of the processing carried out by (or on behalf of) Château Hôtel Grand Barrail constitutes automated processing or profiling with a significant legal impact for you.

You can exercise your rights or request further information in the following ways:

- By email to contact@grand-barrail.com;

- By post to the following address : 3343 Route de Libourne, 33330 Saint-Émilion;

- At the hotel reception.

If you would like more information, or if, despite our replies, you feel that they are inadequate or that data processing is unlawful, you can contact the Commission Nationale Informatique et Libertés (https://www.cnil.fr/fr/plaintes).

8. CHANGES TO THE PRIVACY POLICY

We may modify, update, and/or replace this privacy policy, particularly in the event of changes to regulations relating to the protection of personal data. Therefore, we recommend that you consult this personal data protection policy regularly to ensure you are aware of the latest version.