New World Hospitality Limited respects your privacy. This notice explains what personal data we collect about you, how we use it, who we share it with, and the rights you have under UK data protection law.
01.Who we are
The data controller
The data controller responsible for the personal data described in this notice is:
New World Hospitality Limited
[Registered office address, including postcode]
Registered in England & Wales, company number [xxxxxxxx]
ICO registration number [Zxxxxxxx]
For the purposes of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, "we", "us", "our" and "NWH" refer to New World Hospitality Limited.
02.Scope of this notice
What this notice covers
This notice applies to personal data we process in the following contexts:
- Visitors to our corporate website at newworldhospitality.co.uk
- Prospective and current clients (hotel owners, investors, lenders, family offices and their advisors)
- Suppliers, contractors and third-party brand partners
- Job applicants and prospective hires
- Recipients of our marketing communications
It does not cover personal data processed by individual hotels operating under NWH management — those properties have their own guest-facing privacy notices governing reservations, stays and loyalty programmes. If you have a query about a hotel reservation or stay, please contact the relevant property directly.
03.Personal data we collect
Categories of data
We may collect and process the following categories of personal data, depending on your relationship with NWH:
Identity & contact data
Name, job title, employer, business postal address, business email, business telephone number, and (for prospective hires) home address and personal contact details where you choose to provide them.
Professional & commercial data
Company information, role, area of investment focus, deal references, and other professional context provided in the course of business correspondence or meetings.
Communications data
Records of correspondence with us — emails, letters, meeting notes — and information you provide when you contact us through our website or by telephone.
Website & technical data
IP address, browser type and version, time zone setting, operating system, the pages you visit on our website, the time and date of your visit, and the referring URL. See our Cookies Policy for full detail.
Marketing & preference data
Your preferences in receiving marketing communications from us and any unsubscribe or preference settings you have applied.
Recruitment data
For job applicants: your CV, employment history, references, qualifications, right-to-work documentation, interview notes, and other information necessary to assess your suitability for a role.
Special category data. We do not knowingly collect special category data (such as health, ethnicity, religion or trade-union membership) except where it is volunteered in a recruitment context for the purpose of equal-opportunities monitoring or accessibility adjustments — and where we do, we process it only with your explicit consent.
04.Why we use your personal data
Purposes of processing
We process personal data for the following purposes:
- Conducting our business — managing our relationships with clients, advisors, lenders, brand partners and suppliers; negotiating, signing and performing contracts; and providing the operational, asset-management and investment services described on our website.
- Marketing & business development — sending you information we believe may be of legitimate professional interest (e.g. insights, deal announcements, opportunities), responding to enquiries and arranging meetings.
- Recruitment — assessing applications, conducting interviews, performing pre-employment checks, and administering offers of employment.
- Compliance & risk — meeting our legal, regulatory and contractual obligations including anti-money-laundering, sanctions, fraud-prevention, tax and employment law obligations.
- Operating our website — providing, maintaining, securing and improving our website, and analysing how visitors use it (see Cookies Policy).
05.Lawful basis for processing
Article 6 UK GDPR
We rely on one or more of the following lawful bases to process your personal data:
| Lawful basis | Where we rely on it | Examples |
|---|---|---|
| Performance of a contract | Article 6(1)(b) | Negotiating and delivering management agreements, advisory engagements, employment contracts. |
| Legitimate interests | Article 6(1)(f) | Business development with professional contacts, security and fraud prevention, internal record-keeping, B2B marketing. |
| Legal obligation | Article 6(1)(c) | Anti-money-laundering checks, statutory record-keeping, responding to lawful requests from regulators or courts. |
| Consent | Article 6(1)(a) | Optional cookies, consumer-direction marketing, sensitive recruitment categories. Consent can be withdrawn at any time. |
Where we rely on legitimate interests, we have undertaken a balancing assessment to ensure that our interest does not override your rights and freedoms. You may request details of that assessment by contacting us.
07.How long we keep your data
Retention periods
We keep personal data only as long as necessary for the purposes for which it was collected. Our default retention positions are:
- Client & supplier records — for the duration of the relationship and for at least seven years after termination, in line with UK statutory record-keeping requirements.
- Marketing & business-development contacts — until you object or request erasure, with periodic review every two years.
- Job-application data (unsuccessful candidates) — typically retained for twelve months in case of a future suitable role, and then deleted unless you ask us to keep it longer.
- Website & analytics data — typically retained for 26 months, after which it is aggregated or deleted.
- Anti-money-laundering & KYC records — retained for five years after the end of the business relationship, in line with UK money-laundering regulations.
08.International transfers
Where data may be processed
NWH operates in the United Kingdom and predominantly stores and processes personal data in the UK and the European Economic Area. Where personal data is transferred outside the UK or EEA — for example to a cloud service provider with infrastructure in the United States — we ensure that the transfer is protected by an appropriate safeguard such as:
- An adequacy decision adopted by the UK government in respect of the destination country;
- The UK International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK Addendum;
- Other lawful safeguards permitted under UK GDPR.
You can request details of the safeguards in place for any specific transfer by contacting us.
09.Your rights
Under UK GDPR
You have the following rights in respect of your personal data, subject to limited exceptions:
- Right of access — to obtain a copy of the personal data we hold about you.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure — to request deletion of personal data, sometimes called the "right to be forgotten".
- Right to restrict processing — to limit how we process your data in certain circumstances.
- Right to data portability — to receive your personal data in a structured, machine-readable format.
- Right to object — to processing based on legitimate interests, and to object to direct marketing at any time.
- Right to withdraw consent — where we rely on consent as our lawful basis.
- Rights relating to automated decision-making — we do not use solely automated decision-making in any way that produces legal or similarly significant effects.
To exercise any of these rights, contact us using the details in section 13. There is no fee for most requests, but we may charge a reasonable fee or refuse manifestly unfounded or excessive requests.
10.Security
How we protect your data
We have implemented technical and organisational measures appropriate to the risk and nature of the personal data we process. These include access controls, encryption in transit and at rest where appropriate, secure backup processes, and staff training on data protection and information security.
No system is completely secure. We cannot guarantee absolute protection against all forms of unauthorised access, but we will notify the Information Commissioner's Office and (where required) affected individuals of any personal data breach in line with our statutory obligations.
12.Changes & updates
Updates to this notice
We may update this notice from time to time. The "Last updated" date at the top of the page indicates when it was most recently revised. Material changes will be notified to clients and contacts where we have a legitimate basis to do so.
13.Contact & complaints
How to reach us, and your right to complain
For any question about this notice or to exercise any of your rights, please contact:
Data Protection Lead — New World Hospitality Limited
Email: privacy@newworldhospitality.co.uk
Post: [Registered office address]
Telephone: +44 20 7096 0788
You also have the right to lodge a complaint with the UK supervisory authority for data protection at any time:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
We would, however, appreciate the opportunity to address any concerns directly before you contact the ICO — please reach out to us first if you can.