
Privacy Policy

Updated On 01/14/2025

Table of Contents 

Version Control
Purpose
Scope
Key Instructions
Technical Standards
User Experiences
Experience Flow
Appendix 1 – Default Cookie Banner
Appendix 2 – Default Cookie Banner
Appendix 3 – Default Cookie Template Language
Appendix 4 – Default Privacy Policy
Appendix 5 – CCPA – DNOS
Appendix 6 – EU Experience Questionnaire
Appendix 7 – EU Cookie Banner
Appendix 8 – EU Cookie Banner
Appendix 9 – EU Cookie Template Language
Appendix 10 – EU Privacy Policy
Appendix 11 – DSR Procedure
Appendix 12 – DSR Procedure

Version Control

Version: 1.0

Date: 10/24

Author: M. Washington

Change: Initial release


Approval

Version: 1.0

Approver: M. Washington


Purpose

This document provides instructions for ensuring compliance with privacy requirements for websites, based on the guidelines established in the Privacy Compliance Requirements for Websites (Version 1.1). The appendices offer detailed instructions for specific components, such as cookie management, privacy policies, and user experience flows.

Scope

This instruction document applies to all websites managed by [Organization Name] that collect user data, serve cookies, and need to comply with international data privacy regulations such as GDPR and CCPA. It is intended for use by web developers, content managers, and compliance officers.

Key Instructions

1. Cookie Banner and Management

Refer to Appendix 1 and Appendix 7 for cookie banner requirements. All websites must:
o Implement a Cookie Banner that allows users to accept, reject, or manage cookies.
o Prevent cookies from being loaded until the user interacts with the banner.
o Display the banner on the first visit and subsequent visits until the user makes a choice.

Refer to the Default Cookie Banner (Appendix 1) for general users and the EU Cookie Banner (Appendix 7) for users from the EU.

2. Cookie Center

Per Appendix 2 and Appendix 8, each website must:

o Provide a Cookie Center that enables users to manage their cookie preferences.
o Set non-essential cookie categories to inactive by default (EU-specific requirements in Appendix 8).
o Include links to the Cookie Center in the website’s footer.


3. Privacy Policy

Websites must include a privacy policy that meets legal requirements based on the user's region.
o For general users, refer to the Default Privacy Policy in Appendix 4.
o For EU users, the EU Privacy Policy (Appendix 10) must be used.
o A link to the policy must be placed in the website’s footer.

4. CCPA-DNSOS (Do Not Sell or Share My Personal Information)

All websites subject to the CCPA must provide a DNSOS mechanism as outlined in Appendix 5:
o Include a Do Not Sell or Share My Personal Information link in the footer.
o Ensure this link directs users to a DNSOS form (details provided in Appendix 5).

5. Data Subject Access Requests (DSAR)

Websites must offer a process for users to request access to their data:
o Follow the DSAR Procedure provided in Appendix 11.
o Ensure the website links to the appropriate DSAR form and integrates with the DSAR process outlined.

6. GPC Signal Recognition

Per Appendix 12, all websites must recognize a Global Privacy Control (GPC) signal:
o Automatically suppress cookies when a GPC signal is detected from a user’s browser.

7. User Experience Flow

Each website must ensure the correct user experience based on geolocation:
o Users with an EU IP address should receive the EU Experience (Appendix 6).
o All other users should receive the Default Experience. The logic is represented in the flowchart under Experience Flow.


Technical Standards

Each website must have the technical capacity to:

• Geolocate a user’s IP
• Implement a Cookie Management Solution (OneTrust) that supports a Cookie Banner and Cookie Center
• Prevent cookies from loading until after a user has accepted, rejected, or closed the cookie banner, or otherwise interacted with the website.
• Easily update and manage website links and basic policy content on associated pages.
• Support multiple languages.
• Suppress cookies.
• Recognize a browser GPC signal.


User Experiences

Each website must serve the correct experience to each user. Each experience is defined by the requirements contained in the table below. The details of each requirement are contained in the appendices.

Requirement: Cookie Banner

Default Experience: Default Cookie Banner (appx. 1)

EU Experience: EU Cookie Banner (appx. 7)


Requirement: Cookie Center

Default Experience: Default Cookie Center

EU Experience: EU Cookie Center (appx. 8)


Requirement: Privacy Policy

Default Experience: Default Privacy Policy (appx. 4)

EU Experience: EU Privacy Policy (appx. 10)


Requirement: DSAR Procedure

Default Experience: DSAR Procedure (appx. 11)

EU Experience: DSAR Procedure (appx. 11)


Requirement: GPC Signal

Default Experience: GPC Signal (appx. 12)

EU Experience: GPC Signal (appx. 12)


Requirement: CCPA-DNSOS

Default Experience: CCPA-DNSOS (appx. 5)

EU Experience: N/A


Experience Flow

Each website must serve the correct experience to the correct user. A user should receive the EU Experience if (A) the user’s IP is an EU IP, and (B) the website is covered by the GDPR according to the questionnaire in Appendix 6. All other users should receive the Default Experience. This logic is represented in the following flowchart:

View Flowchart

Compliance and Enforcement

The guidelines and processes outlined in this document are mandatory. Failure to comply with these requirements may result in regulatory penalties and reputational damage. Monitoring and periodic audits will be conducted to ensure ongoing compliance.

Review and Updates

This document will be reviewed periodically, and any updates will be documented in the Version Control section of the main policy document.


Appendix 1 - Default Cookie Banner

Each website must:

1. Have a Cookie Banner.
2. Contain the Cookie Banner Language and Buttons (below).
3. Fire the Cookie Banner upon a user’s first visit and every time thereafter until the user chooses to accept or suppress cookies.
4. Not load cookies until the user takes some action, including accepting cookies, rejecting cookies, managing cookie settings, closing the banner, or interacting with the website but ignoring the banner.

Banner Language and Buttons:

View Banner and Language Buttons


Appendix 2 - Default Cookie Banner:

Each website must:
1. Have a Cookie Center.
2. Display the Default Cookie Template Language (appx. 3) in the Cookie Center.
3. Display the Default Cookie Template Language in each language applicable to the website (e.g., English, Spanish, French, etc.)
4. Set toggles on all cookie categories to active by default when the user first views the Cookie Center*.
5. Contain a link in the footer titled ‘Cookie Center’ which allows users to re-launch the Cookie Center.

*This requirement cannot override item 4 in Appendix 1, above.

Example:

View Default Cookie Banner


Appendix 3 - Default Cookie Template Language

This site uses cookies and other technologies including to analyze traffic, personalize content and ads, record sessions, and improve our sites and services. Click on the different options below to manage your cookie preferences.

Under the California Consumer Privacy Act (“CCPA”), a “sale” of personal information may occur when personal information is transferred to a third party for any form of consideration. The use of certain cookies may be viewed as a “sale” under the CCPA. As described in our Privacy Policy, California residents can request to opt-out of the sale of their personal information to a third party by visiting our Do Not Sell My Personal Information page. To exercise your “Do Not Sell My Personal Information” right with respect to cookies, you can adjust your Targeted Advertising Cookies and other cookie preferences below. Choices you make regarding cookies are website, device, and browser specific, and are deleted whenever you clear your cookies or your browser’s cache. This means you need to adjust your cookie preferences on each website, device and browser you use. For more information, see our Privacy Policy.

Targeting Cookies

These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other sites. These cookies are based on identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising, but you will continue to receive non-targeted or contextual advertising.

Social Media Cookies

These cookies are set by social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building a profile of your interests. This personalization may influence the content and messages you see on other websites you visit. If you do not allow these cookies, you may not be able to use or see these social media sharing tools.

Functional Cookies

These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. If you do not allow these cookies, we will not know when you have visited our site, and we will not be able to monitor its performance in the course of your interactions with the site.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work.


Appendix 4 - Default Privacy Policy

Each website must:

1. Have the Default Privacy Policy Template.
2. Have a link in the footer titled ‘Privacy Policy’ which allows users to navigate to the website’s privacy policy.

Default Privacy Policy Template:

Please reach out to obtain the specific Privacy Policy for a given website.


Appendix 5 – CCPA – DNOS

All applicable websites must:

1. Have a privacy policy which contains a section titled ‘Do Not Sell Or Share My Personal Information’ and which links to Hyatt’s DNSOS form.
2. Contain a link in the footer titled ‘Do Not Sell Or Share My Personal Information’ which links to Hyatt’s DNSOS form.

Hyatt DNSOS form link: https://privacyportal.onetrust.com/webform/9c6a75e1-7924-4576-b3ba-d5ec88c9ad5e/99cb394e-9038-4c9a-81e4-285f5688f5e8


Appendix 6 – EU Experience Questionnaire 

Is your website covered by the GDPR? 

Step 1 – Questions about the website

ALG customer

- Is the website used to offer ALG holidays or other services to individuals present in Europe?

Please see notes below on:

- ‘offer’
- ‘present in Europe’
- ‘Europe’

Answers: Yes or No

Is the website used to collect information about ALG customers who are present in Europe?

Please see notes below on:
- ‘present in Europe’
- ‘Europe’

Answers: Yes or No


ALG Teams

- Does an ALG team established in Europe (for example, a marketing, analytics or customer services team based in France or Germany) decide how and why to use information collected by the website relating to ALG customers or other individuals resident anywhere in the world?

Please see notes below on:
- ‘established in Europe’
- ‘Europe’

Answers: Yes or No

 

Location

Is the website used to offer ALG holidays or other services that are located in Europe (for example, holidays to resorts in Greece, Portugal or Spain) to individuals anywhere in the world?
Please see note below on:
- ‘Europe’

Answers: Yes or No

Yes – if you have answered ‘yes’ to any of the above, your website is covered by the GDPR.
Importantly, it must have an ALG GDPR privacy policy.
Please contact the legal team for further assessment of your website.

No – if you have answered ‘no’ to all of the Step 1 questions, please go to Step 2.


Step 2 – Question about European vendors 

Third-party vendors

- Is the website hosted in Europe by a third-party?

Please see notes below on:
- ‘Europe’

Answers: Yes or No

- Do any other third-party vendors established in Europe provide ALG services for the purposes of operating the website?

Please see notes below on:

- ‘Europe’
- ‘established in Europe’

Answers: Yes or No

ALG as a vendor

- Does an ALG team established in Europe use the website to handle information relating to individuals present anywhere in the world as a vendor on behalf of a third party?

Please see notes below on:
- ‘Europe’
- ‘established in Europe’

Answers: Yes or No

- Does an ALG team established anywhere in the world use the website to handle information relating to individuals present in Europe as a vendor on behalf of a third party?

Please see notes below on:
- ‘present in Europe’
- ‘Europe’

Answers: Yes or No

Yes – if you have answered ‘yes’ to any of the above, your website is covered by the GDPR.
Importantly, it must have an ALG GDPR privacy policy.
Please contact the legal team for further assessment of your website.

No – if you have answered ‘no’ to all of the Step 1 questions, please go to Step 2.

Notes:

‘Offer’ does not include individuals resident in Europe being able to access the website and book services. Instead, the offer must be actively targeted at individuals resident in Europe.

When determining whether the website is used to actively target services to individuals in Europe, you must consider if it:
- Is available in European-specific languages. (This will be a stronger indicator for languages such as German and Latvian, which are not spoken widely outside of those countries, but less relevant for languages such as English, French, and Spanish, which are widely spoken outside of those jurisdictions.)
- Uses European-specific currencies to accept payments. For example, if the website takes payments in British pounds and Euros, regulators are likely to consider that it is offering services to European residents.
- Is marketed to individuals resident in Europe or is part of a marketing campaign aimed at individuals resident in Europe.
- Contains information such as travel criteria or passport requirements only or chiefly relevant to individuals resident in Europe.
- Contains references to providing services to individuals from specific European jurisdictions.
- Is optimised to appear in search results for specific European countries.
- Contains dedicated contact details for specific European countries.
- Uses European domain names. For example, .co.uk, .de, .pl, .fr or .eu.
- Contains reviews or other testimonials from customers or journalists based in Europe.

‘Present in Europe’ includes any individual who is in Europe on a long-term basis or who is habitually in Europe for specific purposes. It does not include individuals who are temporarily in Europe for ad-hoc purposes, such as North American holidaymakers in Paris who can access the website.

‘Europe’ includes the UK, EEA and any overseas territories where UK or EEA law applies directly (for example, Curaçao, Madeira, Martinique and Saint Martin).

‘Established in Europe’ means any meaningful activity taking place in Europe through stable arrangements. The arrangements can take many forms including (but not limited to) activity via a local branch or a European subsidiary with a legal personality. In reality ‘establishment’ is quite a low bar and any reasonably permanent meaningful economic activity in Europe via established arrangements will be covered.

Appendix 7 - EU Cookie Banner

Each website must:
1. Have a Cookie Banner.
2. Contain the EU Cookie Banner Language and Buttons (below).
3. Fire the Cookie Banner upon a user’s first visit and every time thereafter until the user chooses to accept or suppress cookies.

Banner Language and Buttons:

View Language and Buttons Example 1 

View Language and Buttons Example 2

View Language and Buttons Example 3

Appendix 8 – EU Cookie Banner

Each website must:
1. Have a Cookie Center
2. Update the EU Cookie Template Language (appx. 9) to reflect the name, cookies, links and other information applicable to the website in question.
3. Display the updated EU Cookie Template Language in the Cookie Center.
4. Display the EU Cookie Template Language in each language applicable to the website (e.g., English, Spanish, French, etc.)
5. Set all cookie categories to inactive by default, except for Strictly Necessary Cookies.
6. Contain a link in the footer titled ‘Cookie Center’ which allows users to re-launch the Cookie Center and adjust their preferences.

View Cookie Center Example

View Targeting Cookies Example


Appendix 9 – EU Cookie Template Language

Language:

Cookies and other tracking and third party access technologies

Cookies are small text files that websites save to the hard disk of your computer, on your electronic device or to your browser's memory.

We use cookies, related tracking technologies and third-party access to make our website operate effectively. We also use cookies and other tracking and third-party access technologies for analytics and marketing purposes.

Necessary

Some of the cookies we use are necessary to operate the website. Unless your browser settings block first-party cookies, we will automatically set these necessary cookies on your device.
If your browser settings do block these cookies, you may not be able to access or operate parts of our website.

We use the following necessary cookies:

Host: http://www.appleleisuregroup.com/ 

Name of cookie: nlbi_2430857 

Purpose: Load balancing

How long will it stay on or access your device: End of session (on closing the browser)

Host: http://www.appleleisuregroup.com/

Name of cookie: incap_ses_1463_2430857

Purpose: Site navigation

How long will it stay on or access your device: End of session (on closing the browser)

Host: http://www.appleleisuregroup.com/

Name of cookie: incap_ses_1464_2430857 

Purpose: Site navigation

How long will it stay on or access your device: End of session (on closing the browser)

Host: http://www.appleleisuregroup.com/ 

Name of cookie: incap_ses_1457_2430857  

Purpose: Site navigation

How long will it stay on or access your device: End of session (on closing the browser)

Host: http://www.appleleisuregroup.com/

Name of cookie: visid_incap_2430857

Purpose: Site navigation

How long will it stay on or access your device: 350 days (unless deleted before)

Host: www.appleleisuregroup.com 

Name of Cookie: incap_ses_9076_2430857

Purpose: Site navigation

How long will it stay on or access your device: End of session (on closing the browser)

Host: http://www.appleleisuregroup.com/

Name of Cookie: Microsoft Azure ARRAffinitySameSite

Purpose: Load balancing

How long will it stay on or access your device: End of session (on closing the browser)

Host: http://www.appleleisuregroup.com/

Name of Cookie: Microsoft Azure ARRAffinity

Purpose: Load balancing

How long will it stay on or access your device: End of session (on closing the browser)

Host: http://www.appleleisuregroup.com/

Name of Cookie: Microsoft Azure x-ms-routing-name 

Purpose: Routing

How long will it stay on or access your device: 1 day (unless deleted before)

Host: http://www.appleleisuregroup.com/

Name of Cookie: Microsoft TiPMix

Purpose: Test production

How long will it stay on or access your device: 1 day (unless deleted before)

Host: http://www.appleleisuregroup.com/

Name of Cookie: Microsoft Azure ai_session

Purpose: Creates a unique anonymous session identifier

How long will it stay on or access your device: 1 day (unless deleted before)

Host: http://www.appleleisuregroup.com/

Name of Cookie: Microsoft Azure ai_user AI_sentBuffer AIBuffer

Purpose: Creates a unique anonymous session identifier

How long will it stay on or access your device: 351 days (unless deleted before)

Host: http://www.appleleisuregroup.com/

Name of Cookie: Microsoft Azure __RequestVerificationToken

Purpose: Anti-forgery

How long will it stay on or access your device: End of session (on closing the browser)

Host: http://www.appleleisuregroup.com/

Name of Cookie: Episerver / Optimizely .EpiForm_VisitorIdentifier

Purpose: Functionality of our online forms

How long will it stay on or access your device: 76 days (unless deleted before).

Host: http://www.appleleisuregroup.com/

Name of Cookie: Microsoft Azure ASP.NET_SessionId

Purpose: Unique anonymous session identifier

How long will it stay on or access your device: End of session (on closing the browser)

Host: cdnjs.cloudflare.com

Name of Cookie: Font Awesome

Purpose: Font and icons

How long will it stay on or access your device: End of session (on closing the browser)

Host: dl.episerver.net

Name of Cookie: Episerver / Optimizely

Purpose: Content management

How long will it stay on or access your device: End of session (on closing the browser)

Host: fonts.googleapis.com fonts.gstatic.com

Name of Cookie: Google Fonts

Purpose: Fonts

How long will it stay on or access your device: End of session (on closing the browser)

Host: Az416426

Name of Cookie: Microsoft Azure

Purpose: Hosting

How long will it stay on or access your device: End of session (on closing the browser)

Optional Cookies

We will ask for your consent for the use of the cookies and other tracking and third-party access technologies where they are not necessary to operate our website.

Where you have provided consent, you can change or withdraw your consent using our consent management platform. 

We use the following such optional cookies and other tracking and third-party access technologies:

Analytics and functionality 

Host: http://www.appleleisuregroup.com/

Name of cookie or tracking: __utmvc

Purpose: Google Analytics cookie used to determine the time a user spends on our website.

How long will it stay on or access your device: 1 day (unless deleted before)

Marketing 

Host
Name of cookie or tracking
Purpose
How long will it stay on or access your device

How to contact us

Please contact us if you have any questions about this cookie policy or the information we hold about you.

If you wish to contact us, please do so via the Contact Us [LINK TO https://www.appleleisuregroup.com/#Contact] page on our website.

Appendix 10 – EU Privacy Policy 

Each website must:
1. Have the EU Privacy Policy Template.
2. Have a link in the footer titled ‘Privacy Policy’ which allows users to navigate to the website’s privacy policy.

EU Privacy Policy Template:
Please reach out to obtain the specific Privacy Policy for a given website.

Appendix 11 – DSR Procedure 

All applicable websites must: 

1. Have a privacy policy which explains a user’s privacy rights and which links to Hyatt’s DSAR form.
2. Be integrated with the appropriate DSR process.

DSAR link:

https://privacyportal.onetrust.com/webform/9c6a75e1-7924-4576-b3ba-d5ec88c9ad5e/6b298deb-32f3-4ba6-a108-b569cce2ccce

Appendix 12 – DSR Procedure

Each website must:
- Recognize a GPC signal sent by a user’s browser
- Suppress all cookies in the event that a GPC signal is received