PURPOSE
StarCruises and Dream Cruises, its direct and indirect holding companies, subsidiaries, affiliates, designees, agents, assignees or successors, the named Vessel, any substituted vessel, and its or their owners, operators, employees, agents, charterers, tenders, launches and related facilities (referred to as “our”, “we”,“us” or “our Group”) are committed to protecting your privacy. To ensure that you can make informed decisions and feel confident about supplying your personal data to us, we provide this Privacy Policy outlining our practices, and the choices you have, concerning how we use your personal data.
You will be asked to consent to the terms of this Privacy Policy when making a reservation, joining our membership programs, registering for events or promotions or otherwise corresponding with us or otherwise where required under applicable law. Otherwise your continued use of our services will constitute your deemed consent to the terms of this Privacy Policy.
1. Definitions
“GDPR” means General Data Protection Regulation (Regulation (EU) 2016/679), as may be amended from time to time;
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, or as defined under the relevant law, as well as any other information identified under Section 2 below. Some Personal Data is classed as “special category data” because this information is more sensitive e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Types of Personal Data We Collect
2.1 We collect the Personal Data that you provide when you interact with us, including through the following ways:
2.1.1 Visit and browse our website https://stardreamcruises.in
2.1.2 Use our website to submit an enquiry, sign up for our newsletter or sign up to one of our mailing lists;
2.1.3 Submit information to make a booking for our cruise voyages (whether directly via our website or indirectly through travel agencies / IBS Software PTE Ltd) or buy any of our services;
2.1.4 Contact us, make an enquiry, or communicate with us in any way, including by email, direct message, video chat, phone, and text;
2.1.5 Provide information to us and communicate with us in any way, including through our website, on the cruise (for example, signing up of our on-site activities), in writing and verbally; and
2.1.6 Data from people who act for you or who you deal with through our services, including travel agencies, airlines and/or other authorized individuals.
2.2 We will collect certain Personal Data (including where applicable sensitive Personal Data) from you when you request for or access our services. Notwithstanding the definition of “Personal Data” under section 1, it also includes:
2.2.1 your name (first name, middle name, last name, suffix), identity card number, passport number, a copy of your identity card and/or passport, contact information (phone number, email address, postal address, country of residence, emergency contact details), date of birth, gender, nationality, country of birth and visa information;
2.2.2 information you submit to us related to your disabilities, dietary requirements, medical and contagious disease and vaccination information;
2.2.3 financial information (including, without limitation, your credit or debit card details, billing information and/or bank account details) and transactional data;
2.2.4 booking records, including details of your past and future bookings with us, including date of booking, booking ID, name, date and type of cruise, date of booking, pick-up location and destination, trip duration, cabin information, price paid;
2.2.5 details about your travel patterns and preferences, including the trips that you take with us, such as the length and type of trips, number of people you travel with, propensity to book certain vacations or destinations during particular time periods;
2.2.6 your membership or loyalty program information, including your loyalty account ID, reward history, points balance, account activity and loyalty tier;
2.2.7 your social account ID, profile photo and other data publicly available, or data made available by linking your social media and loyalty accounts;
2.2.8 any information necessary to fulfill special requests (for example, health conditions that require specific accommodation or services);
2.2.9 your reviews, feedback and opinions about our programs and services;
2.2.10 information collected whilst on our cruise and at our properties through the use of closed circuit television systems, cameras, internet systems (including wired or wireless networks that collect data about your computer, smart or mobile device, or your location), card key and other security and technology systems, such as your biographic (e.g. photo) and biometric (e.g. fingerprints and face ID) data;
2.2.11 information about your onboard details, including your purchases, the activities that you sign up, the loyalty benefits that you earned, your use of onboard casinos (e.g. customer ID, all information and forms related to your application for cheque cashing facility, close trip settlement and use of our casino facilities, loyalty reward details and gaming habits) and any other information divulged while on board our cruise;
2.2.12 information collected while you access our websites, mobile applications and social media platforms (including the details of your visits and other information collected through cookies and other tracking technology), such as your IP address (including geographic and location data from your electronic device or mobile), your device information, such as unique identifier and connection information, language preferences; and viewing content (including the web pages that you view and click on, and search queries that you have made on our website);
2.2.13 any information that is relevant to your interaction with us, your visit to our website, making an enquiry and making a booking. This may include details of family members and persons who may travel with you, travel insurance details, and 24-hour medical emergency number; and
2.2.14 any other personal data you choose to provide us.
2.3 We may also collect Personal Data about you from third parties such as travel agencies, credit reporting agencies, employer (where your employer books travel for you), your third party card or loyalty scheme provider or from public records.
2.4 Where you provide us with Personal Data about another person(s) (for example, names and contact details of your family members in connection with bookings or family memberships), you represent that they have appointed and authorized you to act on their behalf. This includes providing consent (to the extent this is required) to:
2.4.1 us Processing their Personal Data; and
2.4.2 you receiving any personal data protection notices on their behalf.
2.5 We may ask you to provide evidence that you have been appointed and authorized to act on behalf of the other person(s).
3. Purpose of Collection
3.1 We may use your Personal Data for the following purposes:
3.1.1 to process your request for, or to administer or provide, any products or services offered by us, including, without limitation, to process your membership application, cruise booking request;
3.1.2 to process, manage and confirm your travel arrangements, including us sending your booking confirmation, allowing you to make and alter your reservations to board the cruise, checking you in when you board the ship and keeping track of you and providing you with further products and services onboard the vessel (e.g. when you purchase in our shops, restaurants and casinos)];
3.1.3 for the operation of the membership programs, including creating and managing your online account(s), points tracking, delivery of associated benefits and services (including members: (a) being assisted by the Guests Services Department with their cruising needs; (b) gaining access to promotion events / sales / discounts / giveaways; (c) tracking, earning and redeeming membership points; and (d) accessing other special products and on-board services), customer relationship management, ongoing research and program development and delivering news and information to members of the membership programs;
3.1.4 for identification and verification purposes, in connection with any of the services or products that may be supplied to you. Your Personal Data will only be requested when necessary. When possible we will utilize methods of validation without retaining a copy of your identification;
3.1.5 to contact your emergency contact in the event of an emergency;
3.1.6 to administer contests, games of chance and sweepstakes conducted by us or on our behalf, including disclosing the winner of any such contest;
3.1.7 to respond to, handle and process any enquiries or complaints submitted by you;
3.1.8 to conduct credit checks on you, maintain your credit history and/or ensure your ongoing credit worthiness;
3.1.9 to meet or comply with any obligation, requirement or arrangement for disclosing or using data that applies to us or with which we are expected to comply to:
(a) any law or regulation binding on or applying to us;
(b) any rules, guidelines and/or guidance given or issued by any legal, regulatory, governmental, tax, law enforcement or other authority, or self-regulatory or industry body or association relating to industries in which we participate (including without limitation the financial services industry), or the relevant stock exchange (each an “Authority”);
(c) any present or future contractual or other commitment with any Authority that is assumed by or imposed on us by reason of our business or other interests or activities in or related to the jurisdiction of the relevant Authority;
3.1.10 to meet or comply with any obligation, requirement, procedure, measure or arrangement set out in any of our programs or policies for compliance with sanctions or for the prevention or detection of money laundering, terrorist financing or other unlawful activity;
3.1.11 for direct marketing (see “Direct Marketing Statement” section);
3.1.12 to conduct customer analytics and market research, including using aggregated data to identify trends in bookings, to improve our services and for business reporting purposes;
3.1.13 to manage our business, including protecting our business interests and exercising our legal rights;
3.1.14 for ongoing research and development of any of the products or services offered by us or Other Genting Companies; and/or
3.1.15 any other purposes relating to the purposes listed above.
3.2 To fulfill any of the above purposes, we may contact via email, direct mail, telephone call, SMS or other means that are allowed by local authorities.
3.3 If we use your Personal Data for a new purpose, we will get your consent before doing so.
4. Disclosure of Your Personal Data
4.1 In order for you to explore our offers, book a cruise trip with us, or simply to interact with us, we require using, Processing and storing your Personal Data. Otherwise, we would not be able to provide you with an optimal experience or deliver the services that you require from us.
4.2 We will keep your Personal Data confidential, but we may provide and disclose such information to the following parties (whether within or outside Hong Kong) in a proportionate and secure manner:
4.2.1 Our Subsidiaries, Parent Company and Affiliated Businesses
(a) We may share your Personal Data within our Group for the purposes described in this Privacy Policy, [ including for each company's marketing purposes (with your consent if required by applicable law) ].
4.2.2 Our Service Providers
(a) We may share some or all of your Personal Data identified above, as necessary for the specific services, with our service providers, who provide services to us or to you on our behalf (e.g., sending email or text messages on our behalf, processing payments, fulfilling orders or delivering subscriptions or improving or customizing your overall experience). These third party service providers are not authorized to use it for any other purpose than the specific service they are providing to us or to you on our behalf.
(b) When you pay for a purchase through our platform or on the cruise, we will process your payment details to process the transaction.
4.2.3 Our Suppliers
(a) In the context of this Privacy Policy, “suppliers” refer to parties that help us provide you with products and services off and on board the cruise, as well as before, during and after you board the cruise.
(b) Such suppliers include (but are not limited to) legal advisers, accountants, auditors, consultants, risk management personnel, payment providers, IT service, platform providers, insurance providers, caterers, marketing consultants, entertainers and other vendors.
4.2.4 Our Business Partners
(a) We may share your data with business partners to provide you with services or features that you participate in, such as events, contests or other promotions ("Co-Branded Services"). These Co-Branded Services may be hosted by us or on the third party's service. The business partner's use of your information will be governed by its Privacy Policy.
(b) We may share your Personal Data with partners and providers of reward or loyalty programs or non-profit organizations.
4.2.5 For Social Networking Services
(a) We may share your information when you log into or connect a social media service account. Our website may offer you the ability to share information to a social networking site (e.g., Facebook, Twitter), by using integrated tools (e.g., Facebook “Like” button, or Twitter “Tweet” button). To control this sharing of information, please review and adjust your privacy settings for the relevant social network. The social networking service's use of the shared information will be governed by its privacy notice.
4.2.6 For Legal Requirements and Proceedings
(a) We may disclose your Personal Data to law enforcement authorities or other government officials if we are required to do so to comply with court orders, or other government measures, and to comply with other legal obligations. We may also disclose information if we believe disclosure is necessary or appropriate in connection with an investigation of suspected or actual fraud or illegal activity.
4.2.7 With Third Parties for the Protection of Our Group and Our Customers
(a) We may disclose your Personal Data to protect and defend the rights, interests and safety of our Group and our customers, employees, contractors and agents.
(b) We may disclose your Personal Data to medical practitioners, hospitals, clinics or laboratories if you require medical assistance.
(c) We may disclose your Personal Data to local or international ports, customs, law enforcement agencies, other government authorities and courts. We are required to disclose passenger details to local ports and customs authorities when our ships arrive at those ports. Law enforcement agencies may request for access to your Personal Data, including for the purpose of criminal investigations or in connection with legal proceedings. We may be required to share your Personal Data with other parties, including trade associations or regulatory bodies, for consumer protection purposes.
(d) We may also disclose your Personal Data to legal advisers, private investigators and risk management providers who act for us.
(e) We may share your anonymised data with other unlisted parties. If we do this, you will not be identified from the shared data].
4.2.8 With Other Third Parties to Complete a Corporate Transaction
(a) We may disclose information we have about you in the event we sell or transfer all or part of our business or assets (including in the event of a merger, reorganization, dissolution or liquidation) to the third party or its advisors involved in such corporate transaction.
5. International Transfers of Personal Data
5.1 StarCruises and Dream Cruises has operations in various countries and regions. In order to provide you with our services, we will, subject to law, transfer your Personal Data to entities in countries or regions where data protection standards may differ from or be lower than those in the country or region where you reside (for example, to store your Personal Data, including in the cloud). Such countries and regions include but not limited to China (including Hong Kong and Taiwan), Malaysia, India, Singapore, Philippines, Australia, European Economic Area (“EEA”) and America. Nevertheless, whenever your Personal Data is transferred, your Personal Data will be processed in accordance with this Privacy Policy or other relevant policy and applicable laws.
5.2 Where required under applicable data protection laws, we will only disclose Personal Data with your prior consent. In certain jurisdictions, we may also be required to take additional measures prior to giving effect to such transfers (e.g. carrying out privacy impact assessments prior to the transfer).
5.3 We may share some or all of your Personal Data identified above, as necessary for the specific services, with our service providers, who provide services to us or to you on our behalf (e.g., sending email or text messages on our behalf, processing payments, fulfilling orders or delivering subscriptions or improving or customizing your overall experience). These third party service providers are not authorised to use it for any other purpose than the specific service they are providing to us or to you on our behalf. When you pay for a purchase through our platform or on the cruise, we will process your payment details to process the transaction.
5.4 Where required under applicable data protection laws, we use the (i) European Commission’s standard data protection clauses and (ii) UK Information Commissioner’s Office’s International Data Transfer Agreement to provide safeguards for your Personal Data that is transferred outside the EEA or the United Kingdom.
6. Consequences of Failing to Provide Personal Data
6.1 You may always choose what Personal Data (if any) you wish to provide to us. However, if you choose not to provide us with certain information marked with an asterisk or otherwise indicated as mandatory, we may be unable to process your request or comply with our legal obligations.
7. Retention of your Personal Data
7.1 We will retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law.
7.2 The criteria used to determine our retention periods include:
7.2.1 The length of time we have an ongoing relationship with you and provide our services to you (for example, for as long as you have a membership account with us or keep using our services);
7.2.2 Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); and
7.2.3 Whether retention is advisable considering our legal position (such as, for statutes of limitations, litigation or regulatory investigations).
7.3 At the end of the retention period, we will erase or anonymise your Personal Data.
8. Security of your Personal Data
8.1 We use reasonable and appropriate measures to protect your Personal Data from loss, misuse, unauthorised access, disclosure, alteration, and destruction, taking into account the risks involved in the Processing and the nature and sensitivity of the Personal Data.
8.2 We use technical measures such as access control, password protection and dedicated user ID for authentication to protect your data and the systems they are held in. We also use operational measures to protect the data, for example by limiting the number of people who have access to the databases in which our booking information is held.
9. Data Breach Notification
9.1 All Personal Data breaches must be reported immediately to our Data Protection Officer.
9.2 If a Personal Data breach occurs and that breach is likely to result in a risk to your rights and freedoms (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the relevant supervisory authority is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
9.3 In the event that a Personal Data breach is likely to result in a high risk (that is, a higher risk than that described under Clause 9.2) to your rights and freedoms, the Data Protection Officer must ensure that all affected Data Subjects are informed of the breach directly and without undue delay.
9.4 Data breach notifications shall include the following information:
9.4.1 The categories and approximate number of Data Subjects concerned;
9.4.2 The categories and approximate number of personal data records concerned;
9.4.3 The name and contact details of our Data Protection Officer (or other contact point where more information can be obtained);
9.4.4 The likely consequences of the breach; and
9.4.5 Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
10. Acting on Other’s Behalf
10.1 If you provide us with information in relation to another person(s), including other guest(s), we will perceive this as them having appointed and authorised you to act on their behalf. This includes providing consent to (i) us using, Processing and storing your Personal Data and (ii) you receiving information or notices on their behalf.
11. Children
11.1 We do not knowingly solicit personal data from children, unless permitted by applicable law. If you are under the age of 16 (or a minor in the jurisdiction in which you are accessing our services), you may only use our services with the permission of your parent or guardian.
11.2 Our online services are not directed at children under the age of 16. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, please contact us so that we may take appropriate steps to delete such information.
11.3 Any adult that submits information about children may only do so on the basis that they are the parent or guardian of the child and waive all claims in relation to that child.
12. Cookies and other tracking technologies
12.1 We use cookies and other technologies on our websites to help us to improve your experience of our websites and to ensure that they perform as you expect them to. For detailed information on how we use cookies and the purposes for which we use then.
13. Your Rights
13.1 We are always happy to fulfil any one of your rights wherever possible. ] With respect to your Personal Data, your rights include the following:
13.1.1 Right of access to your Personal Data that we retain. You may make such a request in writing to info@stardreamcruises.in;
13.1.2 Right to request us to correct or update the Personal Data held by us, as well as the name or job title of the individual that handles such requests on our behalf. You may make such a request in writing to info@stardreamcruises.in. Once we have been properly notified, we will take every reasonable step to ensure that the Personal Data that is inaccurate, having regard to the purpose(s) of Processing, is erased or rectified without delay. We may charge a reasonable fee to process any Personal Data access or correction request;
13.1.3 Right to withdraw consent: If you have given us your consent to process your Personal Data but change your mind later, you have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of our use of your Personal Data before your withdrawal. If you want to withdraw your consent with regard to receiving promotional communications, you can unsubscribe through the method described in each promotional message;
13.1.4 Right to restrict processing your Personal Data;
13.1.5 Right to object to us Processing your Personal Data;
13.1.6 Right to data portability, meaning that you can obtain and reuse your Personal Data for your own purpose across different services;
13.1.7 Right to request that your Personal Data be erased;
13.1.8 Right not to be subject to automated decision making and profiling; and
13.1.9 Right to lodge a complaint with a data protection regulator.
13.2 You can invoke any of your rights at any time by writing to info@stardreamcruises.in. We may ask for identification documents to confirm we are dealing with the correct individual. If you elect a representative to invoke these rights on your behalf, we will request that the representative demonstrate that they have the authority to act on your behalf and their identity.
13.3 If the Personal Data is sensitive (“special category data”), at least one of the following conditions must be met:-
13.3.1 The Data Subject has given their explicit consent to the Processing of such data for one or more specified purposes (unless EU or EU Member State law prohibits them from doing so);
13.3.2 The Processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the Data Subject in the field of employment, social security, and social protection law (insofar as it is authorised by EU or EU Member State law or a collective agreement pursuant to EU Member State law which provides for appropriate safeguards for the fundamental rights and interests of the Data Subject);
13.3.3 The Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving consent;
13.3.4 The data controller is a foundation, association, or other non-profit body with a political, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside the body without the consent of the Data Subjects;
13.3.5 The Processing relates to Personal Data which is clearly made public by the Data Subject;
13.3.6 The Processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity;
13.3.7 The Processing is necessary for substantial public interest reasons, on the basis of EU or EU Member State law which shall be proportionate to the aim pursued, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the Data Subject;
13.3.8 The Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services on the basis of EU or EU Member State law or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in Article 9(3) of the GDPR;
13.3.9 The Processing is necessary for public interest reasons in the area of public health, for example, protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the Data Subject (in particular, professional secrecy); or
13.3.10 The Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or EU Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject.
14. Direct Marketing Statement
14.1 We may use your name, address, email address, social account and/or telephone number (“Contact Information”) to send you special offers, promotional material and other news in relation to cruise and cruise related operations, retail products and services, leisure, entertainment, hospitality and related services, food and beverage, health and beauty, telecommunication, transportation, travel-related products and services (“Services”) offered by StarCruises and Dream Cruises, and co-branding partners and business partners, but only if we receive your consent for such use.
14.2 If you do not want us to use or transfer your Contact Information for direct marketing as described above, you may opt-out (either entirely or selectively) at any time by making such request by writing to: info@stardreamcruises.in.
15. Data Protection Officer
15.1 If you have any questions about this Privacy Policy, please contact our Data Protection Officer at info@stardreamcruises.in.
16. Changes to Privacy Policy
16.1 We will modify or update this Privacy Policy from time to time, which is accessible on our website (https://stardreamcruises.in/privacy-policy). If we do so, the Effective Date of the updated policy and the changes will become effective as of the date we post such policy. If at any point we decide to use the Personal Data you submitted in a way that differs materially from the Privacy Policy that applied at the time of that submission, you will be notified and given the opportunity to opt out or otherwise prevent such usage.
16.2 Unless expressly excluded by the GDPR and/or other laws, the updated Privacy Policy will apply retroactively as amended.