Privacy Policy
Privacy policy
Introduction
We are committed to protecting the privacy and personal information of our guests, employees, and partners. This policy outlines how we collect, use, store and safeguard data in compliance with the Protection of Personal Information Act (POPIA) and other applicable laws.
Scope
This policy applies to all personal information processed by our entity including hotel, restaurant and event services.
Who we are
Our website address is: https://www.lermitage.co.za. What personal data we collect and why we collect it
Guest details: name, contact information, ID/passport number, payment details.
Booking information: reservation dates, preferences, add-ons.
Operational data: CCTV footage, Wi-Fi usage, access logs.
Employee data: HR records, payroll, compliance documentation.
Purpose of Data Use
We use personal information to:
Process reservations and payments.
Deliver personalized guest experiences.
Ensure compliance with legal and regulatory requirements.
Manage marketing (with consent).
Comments
When visitors leave comments on the website, we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection. An anonymized string created from your email address (also called a hash) may be provided
to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
Media
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Addendum B
Contact forms
When guests use our website contact forms, we collect the information they provide (such a name, email address, phone number, and message content). This data is used solely to respond to inquiries, provide requested services, and improve communication. Contact form submissions are stored securely and are not shared with third parties unless necessary to fulfil the request.
Cookies
If you leave a comment on our website, you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year. If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed. If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
Analytics
We use analytics tools to understand guest behaviour, improve our services, and optimize operations. Data collected may include website usage, booking patterns, and service preferences. This information is anonymized where possible and used only for internal performance improvement.
Who we share your data with
Personal information may be shared with:
Trusted third-party service providers (payment processors, booking platforms)
Regulatory authorities when legally required.
We do not sell personal information to unrelated third parties.
How long we retain your data If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
Data retention periods and requirements:
Reservation data: retained for 5 years for VAT/tax compliance.
CCTV footage: retained for 30–90 days.
HR records: retained per labour law requirements.
What rights you have over your data If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Guests have the right to:
Access, correct, or delete their personal information.
Withdraw consent for marketing communications.
Lodge complaints with the Information Regulator.
Where we send your data
Visitor comments may be checked through an automated spam detection service.
Your contact information We collect and store guest contact information (such as email addresses and phone numbers) to manage reservations, send confirmations, and provide updates. With consent, we may also use this information for marketing and loyalty communications. Guests can opt out at any time.
Additional information
We may collect additional information voluntarily provided by guests, such as dietary preferences, special requests, or feedback. This information is used to enhance guest experiences and is treated with the same level of confidentiality as other personal data.
How we protect your data
We implement:
Secure servers and encryption.
Access controls and staff confidentiality training.
Regular audits and risk assessments.
What data breach procedures we have in place
In the event of a data breach:
We will immediately investigate and contain the breach.
Affected individuals will be notified promptly.
We will report the breach to the Information Regulator as required by law.
Corrective measures will be implemented to prevent recurrence.
What third parties we receive data from
We may receive guest data from:
Online travel agencies (OTAs).
Corporate booking partners.
Loyalty program affiliates.
Payment processors
All third parties are required to comply with data protection standards.
What automated decision making and/or profiling we do with user data
We may use automated systems to:
Suggest personalized offers based on booking history.
Allocate rooms according to preferences.
Identify potential fraud in payment transactions These processes are designed to improve guest experiences and protect our operations. Guests may request human
review of automated decisions.
Industry regulatory disclosure requirements
We comply with industry-specific regulations, including:
POPIA (South Africa).
Health and safety regulations requiring guest logs.
Tax and VAT reporting obligations.
Labor law requirements for employee data Where disclosure is legally mandated, we
ensure it is limited to the necessary scope.
Contact information
For privacy inquiries, please contact our Data Protection Officer:
Email: reservations@lermitage.co.za
Phone: +27 21 204 0279
