PRIVACY POLICY

Last updated: MARCH 2024

The Cardinal Bar & Kitchen (provided by Aldgate Hotel Opco Limited) is committed to protecting and
respecting your privacy and personal data at all times. This privacy policy sets out the basis on which
any personal data we collect from you, or that you provide to us, through the use of our services or
products including staying at our properties (the “Services”) or the use of any of our websites or apps
(together, the “Sites”), will be processed by us.

Please read the following information carefully to fully understand our practices regarding your
personal data and how we will treat it.

At all times, we keep our privacy practices and the terms of this policy under review to ensure your
personal data is processed as securely as possible and in accordance with applicable laws. This
policy was last updated on the date given above. Any changes to this policy will be posted on our
Sites.

INFORMATION WE MAY COLLECT FROM YOU

Personal data, or personal information, means any information about an individual from which that
person can be identified. To provide you with the Services and/or the Sites, we must collect, store,
transfer, analyse and otherwise process some of your personal data. This policy describes what
personal data we process and why.

The personal data we process includes:

• Name and Contact Information. For us to provide the Services and for other purposes, we
  require certain information about you including your first name and surname, postal address,
  email address and phone number. We will use the personal data for several purposes
  including securing your reservation, sending you communications with regards your
  reservation, verifying your identity, providing you with customer support, sending marketing
  communications via email, direct mail, text, and social media (where permitted), processing
  payments, and otherwise where necessary to provide you with the Services or fulfil any
  requests from you.
• Account Data. If you would like to create an account to access our Services more efficiently,
  we will require certain personal data from you to do this, including your name, email address
  and a password. You may also choose to provide additional data to your account so we can
  better get to know you (for example preference data, as described below).
• Other Reservation Data. When purchasing and using our Services, in addition to the above,
  we may also ask for other personal data if required or permitted by applicable law including
  nationality, date of birth and gender. This data may be optional or required but we will clearly
  let you know when we ask you for it.
• Passport or Other Proof of ID. When purchasing and using our Services, in addition to the
  above, we may also ask for a copy of your passport or other photographic ID, such as a
  driving licence. This is so we can confirm you are the person who made the reservation to
  use our Services and, where applicable, to comply with applicable laws.
• Preference Data. We want to ensure your use of our Services is the best it can be and
  therefore we like to tailor your experience to the best of our abilities. To do so, we need to
  know more information about you, what you like, what you don’t like, and anything else which we should know to make your use of the Services more enjoyable. This may include, for example, your room preference, whether you have any dietary requirements, whether you have any allergies, whether you have any disabilities which may or may not require special assistance when using our Services, or your preferred language.
• Service Usage Data. Once you have made a reservation to use our Services, we will collect
  other data which could identify you related to your use of the Services. This includes, for
  example, the room number you stay in, your arrival time, your check-out time, and any
  additional Services you use while staying at our property including booking a table at one of
  our restaurants.
• Additional Guest Data. We require you provide us with the names of all persons staying
  under your reservation. This is so we can keep an accurate record of who is using our
  Services at any one time for health and safety reasons and to ensure compliance with
  applicable laws. The guests may also be required to provide other data included in this list
  and may also choose to provide additional data (such as preference data) so they can
  experience a more tailored Service.
• Payment Data. To purchase the Services, we will require payment card information from
  you.
• Corporate Data. If you are using our Services for work purposes, we may collect information
  with respect to your employment, namely the name of your employer. Your employer may
  also have a corporate account with us and may provide us with information about you.
• Images or Footage Collected by CCTV. We use CCTV at our properties to ensure all of our
  guests, visitors and staff are kept safe and secure. CCTV cameras are only used on our
  properties where it is appropriate to do so.
• Query or Complaint Data. Should you wish to ask us a query or make a complaint about our
  Services or Sites, such personal data will also be automatically added to your account.
• Customer Ratings and Comments. If you choose to give us a rating and/or any comments,
  this will be considered your personal data. We may, depending on the circumstances, record
  your name and email address with your rating and/or comment.
• Technical, Usage and Cookie Data. We may collect information about your use of the Sites,
  including how you interact with the Sites and how often you use the Sites. We do this to
  better understand how to provide the Sites, what our users like about our Sites and what our
  users don’t like about the Sites. Such information may include, if applicable, your
  preferences, such as your language preference, internet protocol (IP) address, browser type
  and version, browser plug-in types and versions.
• Device Information. We may collect information about the device you use to access the
  Sites including the hardware model, the mobile network, and the time zone setting.
• Third Party Data. We may receive certain data about you from third parties including our
  advertising partners, social media providers, airline partners or travel agents. This data will
  be used to provide you with the Services.
• Sensitive Data. We may collect more sensitive information, for example, when you tell us
  about dietary requirements, disabilities and accessibility requirements or religious beliefs.
  Where you provide us with sensitive information, we will only hold this information with your express permission. This information is stored securely with restricted access and handled with the greatest respect to your privacy. Where you provide information to us about other people, you need to make sure you have their permission to do so, or that you can speak on their behalf, for example, in the case of children.

HOW WE USE YOUR PERSONAL DATA

The reason we use your information will often be obvious from the way you interact with us, however,
some uses of your information may not always be so obvious and we may use your personal
information to:

• create your account,
• allow you to make a reservation at one of our properties and use such reservation,
• keep you updated with regards your reservation and to allow you to change your reservation
  in advance,
• allow you to set up an account,
• allow you to interact with us online and offline,
• send you product or service-related communications,
• verify your reservation, your identity and check you in,
• tailor your experience of the Services where possible,
• process any payments,
• make any bookings for Services at our outlets or other properties such as in one of our hotels
• keep guests safe and ensure the security of our restaurants and hotels,
• ensure the acceptable use of our products and services,
• allow you to participate in membership / loyalty programmes,
• send you marketing materials via email, direct mail, text and social media, including in relation to other products and services provided by our group companies,
• check you out once your stay with us is over,
• facilitate payments and credit checks,
• facilitate the restructuring or sale of the Hotel,
• investigate and respond to disputes,
• provide you with help and support where required,
• comply with legal obligations on us. For anti-fraud and risk identification and management
  purposes, we may use your personal data to comply with legal obligations relating to fraud
  and other financial crimes, and to ensure you, your personal data and your finances are
  protected,
• verify activity, and to promote safety and security on Sites and at our properties. Should we
  believe you have breached our Terms & Conditions, or are acting suspiciously, we may
  investigate to ensure you are not breaking the law. This may include sharing your personal
  data with authorities if requested or deemed necessary,
• respond to any of your queries,
• improve and customise our Services and Sites.

We only process your personal data when it is lawful for us to do so. Certain laws require us to have
lawful grounds when undertaking a processing activity. We rely on the following lawful grounds under
applicable law to process your personal data:

• If you provide your consent, for example with respect to receiving marketing communications.
• The performance of the Terms & Conditions, which is a contract under which we agree to provide you with the Services, and you agree to the relevant obligations upon you.
• Compliance with a legal obligation to which we are subject, for example health and safety
  laws.
• To protect your vital interests or those of another natural person, for example if you suffer an
  injury while at one of our properties, and/or
• The legitimate interests pursued by us or by a third party as listed below, subject at all times
  to us ensuring your rights and freedoms do not outweigh the pursued interests.

The legitimate interests we pursue are:

• to constantly improve and customise our Services
• to tailor our Services
• to ensure the safety and security of our Service and Site users and third parties, and to
  promote such safety and security, and
• to secure our Sites from harmful acts such as cyber-security breaches.

When processing special category data, we may rely on the following additional lawful grounds:

• with your express consent
• when processing is necessary to protect your vital interests or those of another person
• when processing relates to personal data which are manifestly made public
• when processing is necessary for the establishment, exercise, or defence of legal claims
• when processing is necessary for reasons of substantial public interest.

SHARING YOUR PERSONAL DATA AND INTERNATIONAL TRANSFERS

We may always share your personal data in the following circumstances and in accordance with
applicable laws:

• we may share your personal data with your consent
• we may share your personal data with certain service providers, partners or group companies that facilitate and support us in providing the Services and Sites, including in relation to carrying out promotions, storing information or undertaking promotions
• we may share your personal data with certain service providers or groups companies to analyse our Services and Sites so we can improve and provide the best Services and Sites to you and others
• we may share your personal data if we are required to respond to law enforcement officials, regulatory agencies and other lawful requests or legal processes, or to comply with a legal obligation to which we are subject
• we may share your personal data if we undergo a merger, acquisition or other form or reorganisation and pursuant to such, a third party will become the controller of your personal data
• we may share your personal data with group companies if you request a product or service provided by one of our group companies, or if one of our group companies provides us with services which relate to the provision of the Services to you.

Please note that if we are required and permitted by law to transfer any of your personal data to a
country outside that in which we collected it, we will do so in accordance with the applicable data
privacy legislation. This may mean your personal data is transferred to a country outside the UK or
the EU, such as to the U.S. The lawful requirements will depend on the flow of personal data,
meaning it will depend on whether the sharing of personal data is cross-border and which countries
are involved. At all times, we will ensure an essentially equivalent degree of protection is afforded to
your personal data outside the country in which you are based. We generally do this by relying on the
standard contractual clauses for transfers of personal data to third countries which have been
approved by the European Commission and the Information Commissioner’s Office (the UK data
protection authority).

SECURITY OF YOUR PERSONAL DATA

We take your privacy very seriously and work hard to protect your data from being accidentally lost,
used or accessed in an unauthorised way, altered or disclosed. We have put in place appropriate
security measures to prevent this from happening, for example we use encryption tools and password
protected access to certain documents.

In addition, we limit access to your personal data to those employees, agents, contractors and other
third parties (as listed above) who have a need to know. They will only process your personal data on
our instructions, and they are subject to a duty of confidentiality.

Unfortunately, the transmission of information via the internet is not completely secure. Although we
will do our best to protect your personal data, we cannot guarantee the security of your data
transmitted through our Sites; any transmission is at your own risk. Once we have received your
information, we will use strict procedures and security features to try to prevent your data from being
accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.

HOW LONG WE KEEP YOUR PERSONAL DATA FOR

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we
collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or
reporting requirements. To determine the appropriate retention period for personal data, we consider
the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised
use or disclosure of your personal data, the purposes for which we process your personal data and

whether we can achieve those purposes through other means, and the applicable legal, regulatory,
tax, accounting, or other requirements.

YOUR RIGHTS
In certain circumstances and subject to certain jurisdictional restrictions, you may have the right to:

Request access to your personal data (commonly known as a “data subject access
request”). This enables you to receive a copy of the personal data we hold about you and to
check that we are lawfully processing it.

• Request correction of the personal data that we hold about you. This enables you to have
  any incomplete or inaccurate data we hold about you corrected, though we may need to verify
  the accuracy of the new data you provide to us.
• Request erasure of your personal data. This enables you to ask us to delete or remove
  personal data where there is no good reason for us continuing to process it. You also have
  the right to ask us to delete or remove your personal data where you have successfully
  exercised your right to object to processing (see below), where we may have processed your
  information unlawfully or where we are required to erase your personal data to comply with
  local law.
• Object to processing of your personal data where we are relying on a legitimate interest (or
  those of a third party) and there is something about your situation which makes you want to
  object to processing on this ground as you feel it impacts on your fundamental rights and
  freedoms. You also have the right to object where we are processing your personal data for
  direct marketing purposes.
• Request restriction of processing of your personal data. This enables you to ask us to
  suspend the processing of your personal data in certain scenarios.
• Request the transfer of your personal data to you or to a third party. We will provide to you,
  or a third party you have chosen, your personal data in a structured, commonly used,
  machine-readable format.
• Withdraw consent at any time where we are relying on consent to process your personal
  data.
• Complain to the appropriate regulator for any data protection issues. We would, however,
  appreciate the chance to deal with your concerns before you approach the regulator so
  please contact us in the first instance. 

We may need to request specific information from you to help us confirm your identity and ensure you
are able to exercise the right you wish to exercise. This is a security measure to ensure that personal
data is not disclosed to any person who has no right to receive it. We may also contact you to ask you
for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer
than a month if your request is particularly complex or you have made a number of requests. In this
case, we will notify you and keep you updated.

THIRD PARTY LINKS

Our Sites may include links to third-party websites, plug-ins, and applications. Clicking on those links
or enabling those connections may allow third parties to collect or share data about you. We do not

control these third-party websites, plug-ins and/or applications and are not responsible for their
privacy statements. When you leave our Site, we encourage you to read the privacy policy of every
website or application you visit or use.