Privacy Policy

Your privacy matters to us, and we're committed to keeping your information secure

Last Updated: October 28, 2025

Protected & Compliant
We follow Canadian privacy laws and international data protection standards

Look, we get it - nobody really enjoys reading through legal documents. But here's the thing: at Halrion Citadel Hotel, we actually care about your privacy and want you to understand exactly what we do with your info.

This policy covers everything from when you book a room on our website to when you're using our Wi-Fi during your stay. We've tried to make it as straightforward as possible, though some legal language is unavoidable (our lawyers insist on it).

By using our services or visiting our property at 1285 Castle Ridge Boulevard in Toronto, you're agreeing to what's outlined here. If something doesn't sit right with you, please reach out to us at reservations@halrioncitadelx.info and we'll talk it through.

Personal Details You Share With Us

When you make a reservation or check in, we'll need the basics: your name, email, phone number, and address. We also collect payment information (though that's securely processed through our payment partners - we don't actually store your full credit card details on our systems).

Stuff We Pick Up Automatically

Our website uses cookies and similar tech to track things like which pages you visit, how long you stick around, and what device you're using. It helps us figure out what's working and what needs improvement. Your IP address gets logged too, mainly for security purposes.

Preferences & Special Requests

If you've got dietary restrictions, accessibility needs, or just really love feather pillows, we'll keep that on file to make your future stays better. This also includes your loyalty program details if you're part of our rewards system.

Security Footage

Yeah, we've got cameras in public areas of the hotel - it's standard practice for everyone's safety. The footage is kept for 30 days and then automatically deleted unless there's a specific security reason to keep it longer.

We're not in the business of selling your data - that's not our thing. Here's what we actually do with it:

  • Process your bookings: Pretty obvious, but we need your details to confirm reservations and handle payments
  • Communicate with you: Confirmation emails, pre-arrival info, occasional updates about the hotel (you can opt out of marketing stuff anytime)
  • Improve your experience: Remember your preferences so your next stay is even better
  • Legal compliance: Keep records as required by Canadian law - taxes, audits, that sort of thing
  • Security & fraud prevention: Protect both you and us from sketchy activity
  • Service delivery: Make sure room service shows up to the right room and the spa knows about your massage appointment

We'll occasionally send you special offers or news about the Citadel, but only if you've said that's cool. There's always an unsubscribe link if you change your mind.

Cookies aren't just delicious treats from our bakery - they're also little files that websites use to remember stuff about you. Here's the breakdown:

Essential Cookies

These keep the website functioning properly. They remember things like items in your cart or that you're logged in. Can't really turn these off without breaking the site.

Analytics Cookies

We use these (mainly Google Analytics) to see how people use our site. It's anonymized data that helps us understand what's confusing or what works well. You can opt out if you want.

Marketing Cookies

These track your browsing to show you relevant ads around the web. Like if you checked out our spa page, you might see spa-related ads later. We work with partners like Facebook and Google for this, but you can disable them through your browser settings.

We're selective about who gets access to your information. Here's the short list:

  • Payment Processors: Companies like Stripe or Square that handle credit card transactions securely
  • Booking Platforms: If you booked through Expedia, Booking.com, or similar sites, they already have your info
  • Service Providers: Our email platform, cloud storage, and IT support folks who help keep everything running smoothly
  • Legal Authorities: Only if we're legally required to - like a court order or police investigation
  • Business Transfers: If the hotel ever gets sold (not planning on it!), your data would transfer to the new owners

All these partners are bound by confidentiality agreements and can't use your data for their own purposes. We don't sell or rent your personal information to random third parties - that's a hard line for us.

Your data is yours, and you've got rights. Here's what you can do:

Access Your Data

Request a copy of what personal information we've got on file about you

Correct Information

Update or fix any inaccurate details in your profile

Delete Your Data

Ask us to remove your information (with some legal exceptions)

Opt Out of Marketing

Stop receiving promotional emails anytime you want

Data Portability

Get your data in a format you can use elsewhere

Restrict Processing

Limit how we use your information in certain situations

To exercise any of these rights, just shoot us an email at reservations@halrioncitadelx.info or call (416) 555-2847. We'll get back to you within 30 days, though usually it's way faster.

We welcome guests from all over the world, including the European Union. If you're an EU resident, you've got additional protections under GDPR (General Data Protection Regulation).

Legal Basis for Processing

We process your data based on:

  • Contract necessity: We need it to provide you hotel services
  • Legitimate interests: Improving our services and security
  • Legal obligations: Tax laws and record-keeping requirements
  • Your consent: For marketing and non-essential uses

Data Transfers

Your information is primarily stored on Canadian servers. If we do transfer data internationally, we use standard contractual clauses approved by the EU Commission or work with Privacy Shield certified partners.

EU residents can also lodge a complaint with their local data protection authority if they're not happy with how we've handled things. Though we'd really prefer if you gave us a chance to make it right first.

Security's a big deal to us. The Citadel's been standing since the historic district was established, and we protect your data with the same commitment.

Technical Measures

  • SSL encryption for all data transmitted through our website
  • Encrypted databases with restricted access
  • Regular security audits and penetration testing
  • Firewalls and intrusion detection systems
  • Secure backup systems with off-site storage

Physical & Administrative Measures

  • Limited staff access to personal data (only those who need it)
  • Employee training on data protection and privacy
  • Locked filing cabinets for physical documents
  • Secure disposal of outdated records

That said, no system is 100% bulletproof. If there's ever a data breach that affects you, we'll let you know right away and take immediate steps to fix it. Transparency matters.

We don't keep your data forever - that'd be creepy and unnecessary. Here's our general timeline:

  • Reservation details: 7 years (tax law requirements)
  • Payment information: As long as needed for transaction processing, then securely deleted
  • Marketing preferences: Until you opt out or ask us to delete them
  • Guest preferences: Kept to improve future stays, but you can request deletion anytime
  • Security footage: 30 days, then automatically overwritten
  • Website analytics: Anonymized after 26 months

If you haven't stayed with us or interacted with our site in 5 years, we'll reach out to see if you want to keep your account active. No response means we'll delete your non-essential data.

Our website isn't designed for kids under 16, and we don't knowingly collect their personal information directly. If you're booking a family room, we'll need to know how many kids are coming for appropriate accommodations, but we don't need their personal details.

If we somehow end up with a child's information and find out about it, we'll delete it promptly. Parents or guardians who discover we have their child's data can contact us at reservations@halrioncitadelx.info and we'll sort it out immediately.

Our website might link to other sites - tour operators we recommend, local attractions, partner services, that kind of thing. Once you click through to their sites, this privacy policy doesn't apply anymore.

We try to partner with reputable companies, but we can't control their privacy practices. It's worth checking out their policies before sharing personal info with them.

Same goes for our social media pages. Facebook, Instagram, and Twitter have their own data collection practices separate from ours.

Privacy laws evolve, and so do we. When we update this policy, we'll change the "Last Updated" date at the top and let you know about significant changes via email if you're on our mailing list.

We recommend checking back occasionally, especially if you're a regular guest. Continued use of our services after changes means you're cool with the updated terms.

Got questions, concerns, or just want to chat about your privacy? We're here for it.

Privacy Inquiries Contact:

reservations@halrioncitadelx.info

(416) 555-2847

1285 Castle Ridge Boulevard, Toronto, ON M5H 2N2, Canada

We aim to respond within 48 hours on business days. For urgent privacy matters, call us directly and ask for our data protection officer.
