Aparthotels Worldwide

Facebook Youtube Instagram
Talk to an agent
Menu
Menu
Talk to an agent

Privacy Policy

Aparthotels Worldwide

Effective Date: 24 March 2026  |  Version 1.0

20 Canonmills, Edinburgh EH3 5LH, United Kingdom

This Privacy Policy applies to all personal data collected and processed by Aparthotels Worldwide via its website (aparthotelsww.com), its Edinburgh Aparthotel at 20 Canonmills, and through its corporate accommodation sourcing services. It is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are and How to Contact Us

The data controller responsible for your personal information is:

Company name:  Aparthotels Worldwide

Trading address:  20 Canonmills, Edinburgh EH3 5LH, United Kingdom

Website:  https://aparthotelsww.com

Email:  stay@aparthotelsww.com

Telephone:  +44 131 474 7000

You may contact us at any time regarding your personal data using the details above. We aim to respond to all data-related enquiries within 72 hours and all formal Subject Access Requests within one calendar month as required by UK GDPR Article 12.

2. What Personal Data We Collect

We collect and process the following categories of personal data depending on how you interact with us:

2.1 Data you provide directly

  • Full name
  • Email address
  • Telephone number
  • Postal address (for booking and invoicing purposes)
  • Company name and job title (for corporate and B2B enquiries)
  • Payment card information (processed and encrypted via secure third-party payment processors — we do not store full card details)
  • Government-issued photo ID (passport or driving licence number — collected at check-in as required by law and for fraud prevention)
  • Booking reference numbers and stay history
  • Special requests and accessibility requirements
  • Communications sent to us via email, contact forms, or telephone

2.2 Data collected automatically

  • IP address and approximate geolocation
  • Browser type and version
  • Device type and operating system
  • Pages visited, time spent on page, and navigation paths
  • Referral source (how you arrived at our website)
  • Cookie identifiers (see Section 7)

2.3 Data received from third parties

  • com, and other online travel agents (OTAs) through which reservations are made — we receive booking confirmations and guest details necessary to fulfil the reservation
  • Corporate clients who provide employee details for accommodation sourcing and relocation services
  • International SOS and Anvil Group in connection with duty-of-care and traveller tracking services for corporate accounts
  • Review platforms (Trustindex, Google Reviews) — we receive publicly posted review content

3. How and Why We Use Your Personal Data

We process your personal data only where we have a lawful basis to do so under UK GDPR Article 6. The lawful bases we rely on are:

3.1 Performance of a contract (Article 6(1)(b))

We use your data to fulfil your booking, process your payment, provide accommodation and related services, issue VAT receipts, and communicate essential information about your stay. This is the primary lawful basis for our core service activities.

3.2 Compliance with a legal obligation (Article 6(1)(c))

We are required by law to collect and retain certain information, including photo ID at check-in (under anti-money laundering regulations and for fraud prevention), financial transaction records (under HMRC requirements), and health and safety records. We cannot waive these obligations.

3.3 Legitimate interests (Article 6(1)(f))

We process data for our legitimate business interests, including: improving our website and services, fraud detection and prevention, maintaining the security of our premises and guests, responding to enquiries, and administering corporate accounts. We have conducted legitimate interests assessments for each purpose and are satisfied that these interests are not overridden by your rights.

3.4 Consent (Article 6(1)(a))

Where we rely on consent — for example, for marketing emails, optional cookies, or newsletter subscriptions — we will obtain your clear, affirmative consent before processing. You may withdraw consent at any time by contacting us at stay@aparthotelsww.com or by using the unsubscribe link in any marketing email. Withdrawal of consent does not affect the lawfulness of any processing carried out before withdrawal.

4. Who We Share Your Data With

We do not sell, rent, or trade your personal data to any third party for commercial purposes. We share data only as described below:

 

4.1 Service providers and data processors

We share data with carefully selected third-party service providers who process data on our behalf under data processing agreements compliant with UK GDPR Article 28. These include:

  • Payment processors (for secure card transaction handling)
  • com and connected OTAs (for reservation management)
  • International SOS and Anvil Group (for corporate duty-of-care and traveller tracking services — applicable to corporate accounts only)
  • Website hosting and IT infrastructure providers
  • Email service providers
  • Google Analytics and similar analytics providers (see Section 7)
  • Trustindex and Google Reviews (for review verification)

4.2 Legal and regulatory disclosure

We may disclose personal data to law enforcement agencies, regulatory bodies, or courts where required to do so by law, in response to a valid legal order, or where we believe disclosure is necessary to protect the rights, property, or safety of Aparthotels Worldwide, our guests, or others.

4.3 Business transfers

In the event of a merger, acquisition, or sale of all or part of our business assets, personal data held by us may be transferred to the acquiring entity. We will notify affected individuals of any such transfer where required by law.

4.4 International transfers

Where we transfer personal data outside the United Kingdom, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V, including adequacy decisions, standard contractual clauses, or other approved transfer mechanisms. Where any of our service providers process data in countries without an adequacy decision, we ensure contractual protections are in place before any transfer occurs.

5. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our standard retention periods are:

 

  • Booking records and guest information: 7 years from the date of departure (in accordance with HMRC record-keeping requirements under the Taxes Management Act 1970)
  • Financial records and VAT receipts: 6 years from the relevant financial year end (as required by HMRC)
  • Photo ID records (copies taken at check-in): 12 months from the date of departure, unless required for longer by law or in connection with an ongoing legal matter
  • Marketing consent records: For the duration of the marketing relationship plus 3 years
  • Website analytics data: 26 months from collection (in line with Google Analytics default retention)
  • CCTV footage: 31 days from the date of recording, unless required for longer in connection with an incident, insurance claim, or legal proceedings
  • Correspondence (email and written enquiries): 3 years from the date of last contact

When data is no longer required, it is securely deleted or anonymised in accordance with our data destruction policy.

6. Your Rights Under UK GDPR

As a data subject under UK GDPR, you have the following rights. To exercise any of these rights, please contact us at stay@aparthotelsww.com. We will respond within one calendar month of receiving your request.

6.1 Right of access (Article 15)

You have the right to request a copy of all personal data we hold about you. This is known as a Subject Access Request (SAR). We will provide this information free of charge in most cases. Where requests are manifestly unfounded or excessive, we reserve the right to charge a reasonable fee.

6.2 Right to rectification (Article 16)

You have the right to request that we correct any inaccurate personal data we hold about you, or complete any incomplete data.

6.3 Right to erasure (Article 17)

You have the right to request that we delete your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where you object to processing and we have no overriding legitimate grounds. This right does not apply where we are required to retain data for legal compliance purposes.

6.4 Right to restrict processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have contested.

6.5 Right to data portability (Article 20)

Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

6.6 Right to object (Article 21)

You have the right to object to processing of your personal data where we rely on legitimate interests as our lawful basis, or where we process data for direct marketing purposes. Where you object to direct marketing, we will cease processing your data for that purpose immediately.

6.7 Rights related to automated decision-making and profiling (Article 22)

We do not use automated decision-making processes that produce legal or similarly significant effects on individuals. We do not carry out profiling for automated decision-making purposes.

6.8 Right to lodge a complaint

If you believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

  • Website: https://ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We would, however, appreciate the opportunity to address your concerns before you contact the ICO and encourage you to contact us in the first instance.

7. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device by a website you visit. Cookies help us to provide you with a good experience and to improve our website.

 

7.1 Types of cookies we use

Strictly necessary cookies

These cookies are essential for the website to function and cannot be switched off. They are set in response to your actions such as completing a booking form or setting privacy preferences. They do not store personally identifiable information.

Analytics and performance cookies

We use Google Analytics to collect anonymous information about how visitors use our website, including pages visited, time spent on site, and referral sources. This data is aggregated and does not identify you personally. You can opt out of Google Analytics tracking at all times by installing the Google Analytics Opt-Out Browser Add-on (https://tools.google.com/dlpage/gaoptout).

Functional cookies

These cookies enable us to remember your preferences and customise your experience. They may be set by us or by third-party providers whose services we use on our pages.

Marketing and targeting cookies

We may use these cookies to track visitors across websites and display relevant advertising. These are only set with your explicit consent. You can withdraw consent at any time by adjusting your cookie preferences via the cookie banner on our website.

7.2 Managing cookies

On your first visit to our website, you will be presented with a cookie consent banner allowing you to accept, reject, or customise your cookie preferences. You can change your preferences at any time. You can also manage cookies through your browser settings — please note that disabling cookies may affect the functionality of certain parts of our website.

8. Security of Your Personal Data

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, destruction, or alteration. These measures include:

 

  • SSL/TLS encryption for all data transmitted via our website
  • Secure, access-controlled server environments
  • Restricted staff access to personal data on a need-to-know basis
  • Regular security reviews and staff data protection training
  • Data processing agreements with all third-party processors
  • CCTV on-site security at our Edinburgh property

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

9. Children’s Privacy

Our website and accommodation services are not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18 without the consent of a parent or legal guardian. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at stay@aparthotelsww.com and we will take prompt steps to delete that information.

10. Third-Party Links and Embedded Content

Our website contains links to third-party websites, including Booking.com, Google Maps, and social media platforms. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies before providing any personal data. Clicking on a third-party link will take you to a site operated by that third party, whose data collection practices are governed solely by their own privacy policy.

Our website may embed content from third-party platforms such as YouTube, Google Maps, and Trustindex. Embedded content may use cookies and tracking technologies operated by those third parties. Please refer to their respective privacy policies for further information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, our services, or our data processing practices. When we make material changes, we will update the effective date at the top of this document and, where appropriate, notify you by email or by a prominent notice on our website.

We encourage you to review this Privacy Policy periodically. Continued use of our website or services after any changes take effect constitutes acceptance of the revised policy.

12. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of England and Wales. Any disputes arising in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Last reviewed and approved: 24 March 2026. This policy will be reviewed annually or following any material change to our data processing activities or applicable law, whichever occurs first.