This privacy statement describes how Heaven Boutique Hotel may collect, use, share, and otherwise process your personal information, as an employee of one of our corporate clients or other individual to whom we offer or provide our services in hospitality, travel, safaris, meetings, events, and related products and services via our websites, mobile applications, email communications or other online and offline means.
Summary of key points
What information we collect:
We may share your information with corporate clients (e.g., your employer/travel sponsor), affiliates, travel and IT suppliers, professional advisers, and authorities where required, and only as necessary for the purposes described. We do not sell information to third parties for their independent direct marketing.
How we protect and store your information: We maintain reasonable administrative, technical, and physical security measures such as access controls, encryption in transit and at rest, logging/monitoring, and vendor due diligence. We keep personal data only as long as necessary and dispose of it securely.
International transfers: We may transfer or store personal data outside Rwanda as permitted by law, using appropriate safeguards. Where required, we will obtain authorization from the supervisory authority before transferring or storing personal data outside Rwanda.
What information we collect
Travel Information:
When booking services, we collect travel details including arrival and departure locations, airline, hotel and car rental information, rooming preferences, and any other data necessary to complete your reservation. We may also gather special category information, such as accessibility requirements or meal preferences, to accommodate requested services.
Payment Information:
To process bookings and transactions, we collect payment card details and other information required to complete payments securely.
Device Data:
We collect information about your access to our services, including your computer’s IP address (and related data such as your internet provider and approximate location), device unique identifiers, and other technical details. We also track how you use our websites and mobile apps, using cookies and similar technologies as explained in the Cookies section below.
How we collect personal data
We collect personal data in the following ways:
a) directly from you when you book, register, contact us, attend our events, or otherwise use our services.
b) from your employer, travel sponsor or travel agent when they book or manage travel on your behalf.
c) from service providers involved in your booking (e.g., payment providers, travel suppliers) where necessary to deliver services; and
d) automatically when you use our websites/apps via cookies and similar technologies (see Cookies section).
How we use your information
We process personal information only where we have a lawful basis under Rwanda Law No. 058/2021 and, where applicable, GDPR.
Typical lawful bases include:
(i) performance of a contract / providing requested service;
(ii) compliance with legal obligations;
(iii) our legitimate interests (balanced against your rights) such as security, fraud prevention and service improvement; and
(iv) your consent (e.g., marketing, optional cookies).
| Purpose | Examples | Typical data used | Typical lawful basis |
|---|---|---|---|
| Provide accommodation, | Bookings, itineraries, invoices, customer support, account management | Account and/or travel, preference data | Contract / Legitimate interests |
| Provide services to corporate clients | Manage business travel and policy compliance | Account and booking data | Contract / Legitimate interests |
| Process payments | Card payments, fraud checks, refunds | Payment data, identifiers | Contract / Legal obligation / Legitimate interests |
| Operate websites and apps | Service performance, troubleshooting, security | Device data, cookies | Legitimate interests / Consent (where required) |
| Marketing and promotions | Newsletters, offers, ad measurement | Contact details, cookie identifiers | Consent (and/or Legitimate interests where permitted) |
| Compliance and protection | Legal compliance, audits, dispute handling | Relevant transaction and account data | Legal obligation / Legitimate interests |
Providing Hotel Accommodation and Related Services:
We use your personal information to deliver hotel accommodation, restaurant reservations, spa reservations and other associated services. This includes booking travel, organising meetings and events, preparing itineraries and invoices, communicating with you regarding arrangements or our products and services, providing customer support, and managing your account.
Providing Products and Services to Corporate Clients:
To fulfil our agreements with your employer, travel sponsor, or travel agent, we process your information to provide our products and services and to assist these organisations in ensuring their policies are followed.
Processing Payments:
Your information is used to process transactions and to provide related customer service.
Operating Websites and Mobile Applications:
Device data is used to monitor and improve performance and content of our digital services, analyse trends and usage patterns, and measure the effectiveness of promotional offers, subject to your cookie choices where applicable.
Business Operations and Improvement:
We use information to support accounting and financial tasks, detect and prevent fraud or criminal activities, and to analyse and enhance our business and services. We may aggregate personal data and remove identifying elements to analyse patterns and improve content, products and services.
How we share your information
We may share your personal information with the following categories of recipients, only where necessary for the purposes described in this statement:
· Service providers (processors) who support our operations (e.g., website hosting, property management, IT support, communications tools, analytics and customer relationship management).
· Advertising and analytics partners used to measure and improve marketing effectiveness, subject to your cookie choices (e.g., Google Analytics, Google Ads). Where required, your consent is needed.
· Payment providers and financial institutions to process payments and prevent fraud.
· Professional advisers (e.g., auditors, lawyers) where necessary.
· Government authorities, regulators, law enforcement, and courts where required or permitted by law.
· Your employer, travel sponsor or travel agent where services are provided under corporate agreements.
· Affiliates within our corporate family, to the extent permitted by law.
· Travel suppliers and other travel service providers, and their vendors, as necessary to book travel and provide travel-related services.
· Business transfers: parties involved in a reorganization, merger, sale or acquisition, to the extent permitted by law.
· Aggregated data: aggregated statistics that do not identify you personally, which may be shared for business insights.
· Your employer, travel sponsor or travel agent – Our services to you may be provided under the terms of service agreements with your employer, travel sponsor or travel agent. We share your information with them to allow them to manage their business travel needs and assure compliance with their company travel policies. At the request of your employer, travel sponsor or travel agent, we may also share information with their vendors.
· Affiliates – We may share information within our corporate family to the extent permitted by law to allow them to provide, analyze and improve their and our products and services.
· Travel and hotel management service providers – We share information with travel suppliers (for example, airlines and hotels) and travel service providers (for example, ticket distribution systems, travel application providers, property management, restaurant reservation management), and the vendors for both, as necessary to book your travel and provide travel-related services to you and your employer, travel sponsor or travel agent. We do not sell information to third parties so that they can independently market their own products or services directly to you.
· Vendors – We share information with Service providers (processors) who support our operations and perform functions on our behalf, such as travel agencies, meeting and event planners, visa and passport service providers, mobile application and software developers, and vendors who provide IT support, data hosting, website hosting, analytics, marketing and communications services, and collections. These vendors access information only as necessary to perform their functions, as instructed in our contracts with them.
· Website Analytics: Data may be shared with advertising and analytics partners to measure and improve marketing effectiveness, subject to your cookie choices (e.g., Google Analytics, Google Ads) through which consent is provided.
· Business insights – We may combine data from many people to create aggregated statistics that do not identify you personally. We use this data to understand business trends and insights, and we may share them with third parties.
· Business transfers – If we negotiate or complete a transaction involving all or part of the business (for example, a reorganization, merger, sale or acquisition), we may disclose information to third parties involved in the transaction to the extent permitted by law.
· As required or permitted by law – We may disclose information to regulatory authorities, courts, and government agencies where we believe doing so would be permitted or required by law, regulation or legal process, or to defend the interests, rights or property of the Hemingways group or others.
· We may also share personal information with other parties as directed by you or subject to your consent.
We do not sell information to third parties so that they can independently market their own products or services directly to you.
International transfers and storage outside Rwanda
Where we transfer or store personal information outside Rwanda, we do so only in accordance with Rwanda Law No. 058/2021 and any guidance issued by the supervisory authority. Where required, we will obtain authorization from the supervisory authority before transferring or storing personal data outside Rwanda. We implement appropriate industry safeguards and use recognized transfer mechanisms to protect your data.
How we protect and store your information
We maintain reasonable administrative, technical, and physical security measures to protect your information from unauthorized access and use.
Administratively:
(a) we have created an authorization matrix that is used by authorized employees;
(b) no personal data is processed beyond the intended purpose, and personal data is minimized as much as possible;
(c) we have obtained confidentiality commitments from our employees who may come into contact with your personal information;
(d) we have ensured that the contracts we have signed with third parties, to whom data is transferred, include data security provisions; and
(e) we have ensured that the necessary security measures are in place for entry to and exit from areas that contain personal data.
Technically:
(a) we use firewalls and intrusion detection and prevention systems to secure the personal data we collect;
(b) we use strong and up-to-date anti-virus software for detection of malware;
(c) the access logs to the information systems are kept in a way that prevents any user intervention;
(d) all the personal data is retained upon being backed up, and adequate security measures have been put in place;
(e) we have means to limit the access rights to a specific range of data within the personal data set processed in the IT system.
We retain your information only as long as needed to provide our Services, for legitimate business purposes and in accordance with our Data Retention policy, unless we are required by law or regulation or for litigation and regulatory investigations to keep it for longer periods of time. Accordingly, we maintain a data retention policy and schedule that outlines the appropriate retention periods for different types of data in accordance with legal, regulatory, and business requirements, unless a different time period is provided under law or regulation or for litigation and/or regulatory investigations. Our data retention practices are designed to protect individuals’ privacy rights, and mitigate risks associated with data storage in compliance.
Retention of personal information
We keep personal data for as long as is reasonably necessary for the purposes for which it was collected, to provide relevant products or services, for legitimate business purposes, and in accordance with our data retention policy and schedule, unless a longer period is required by legal, regulatory, tax, or accounting requirements. Retention is determined by factors such as fulfilling bookings/contractual services, resolving complaints or disputes, enforcing agreements, and security/audit needs. After the retention period, we delete or anonymize personal data; if this is not possible, we securely store and isolate it until deletion is possible.
Children’s privacy
We recognise the importance of protecting children’s personal data. We will only process children’s personal data where we have obtained verifiable consent from a parent or guardian, or where processing is otherwise permitted by applicable laws.
Our data processing activities prioritise the best interests of children and adhere to the principles of data minimisation, purpose limitation and confidentiality. We provide clear and age-appropriate information regarding the processing of children’s data and also have mechanisms against unauthorised access, disclosure, alteration, or destruction. Parents and guardians may review, update, or request the deletion of their children’s data by contacting us through the provided channels.
If you believe we have collected a child’s personal data without appropriate consent, please contact us and we will take appropriate steps to delete the information.
Cookies
A “Cookie” is a small file downloaded to your device that collects information as you navigate our websites. Cookies help us remember your preferences, understand usage of our websites and apps, and improve user experience. Cookies may collect personal data, such as online identifiers and IP address. You may configure your browser settings and (where implemented) our cookie banner/preferences tool to manage cookie choices.
Automated decision-making
We do not make decisions that produce legal or similarly significant effects solely by automated means. Where analytics or profiling is used for marketing measurement, it is subject to your cookie choices and applicable consent requirements.
Your rights and how to exercise them
You may request access to your personal data; correction of inaccurate data; deletion/erasure in limited circumstances; withdrawal of consent where processing is based on consent; restriction or objection to certain processing (including objection to automated processing where applicable); and data portability in certain cases. To exercise your rights, we may ask for additional information to confirm your identity. Please contact us using info[at]heavenrwanda.com. If you are dissatisfied with our response, you may lodge a complaint with the supervisory authority (DPO under NCSA).
Changes to this Privacy Statement
We may update this Privacy Statement from time to time as our business or legal requirements change. If we make material changes, we will post a notice on our website before the changes go into effect and notify you as otherwise required by applicable law.
Contact us
If you have questions or complaints about Heaven Boutique Hotel and privacy, please contact us at info[at]heavenrwanda.com.
In most cases, we will ask that you put a complaint in writing. We will investigate your complaint and will generally respond to you in writing within 30 days of receipt. If we fail to respond or if you are otherwise dissatisfied with the response that you receive from us, you may have the right to make a complaint to your regulator.