Guests and Users

Cinnamon Hotels & Resorts respects your right to privacy. This privacy statement (“Privacy Statement”) details the way we collect, store, use and disclose your personal data (“Personal Data”) when you interact with our websites, applications and all other services. You are required to read through this statement before providing personal data of yourself, or others on their behalf, to Cinnamon Hotels & Resorts, which also forms part of our Terms and Conditions that govern our services. This statement does not apply to employees, Cinnamon Hospitality Academy (CHA) Students, or Vendors who are governed by their respective statements. This Privacy Statement may also be referred to as “Privacy Policy”.

1. DATA COVERED BY THIS PRIVACY STATEMENT

This Privacy Statement governs the way Cinnamon Hotel Management Limited (“Company”) [company registration number PB 7] of No. 117, Sir Chittampalam A. Gardiner Mawatha, Colombo 02, Sri Lanka and the hotels it operates under the Cinnamon Brand (jointly “Cinnamon Hotels & Resorts”) collects, uses, maintains and discloses information collected whilst providing services to guests (“Guests”) and from users (each, a “User”) of websites and applications operated by the Company (“Site”).

2. WHAT PERSONAL DATA DO WE COLLECT

We collect personal data from Guests and Users in a variety of ways, including, but not limited to, when they visit our Site, through software applications, social media pages, emails and visits to our properties.

We will be collecting Personal Data including but not limited to the following:

  • Name
  • Gender
  • Postal address
  • Telephone number
  • Email address
  • Financial information (such as credit and debit card number or other payment data)
  • Date and place of birth
  • Nationality, passport, visa, or other government-issued identification data
  • Employer details (for business-related bookings)
  • Social media account ID, profile photo and other data publicly available, or data made available by linking your social media and loyalty accounts
  • Data about family members and companions, names, and ages of children
  • Images, video and audio data: security cameras located in public areas, such as hallways and lobbies and in our properties
  • We may also collect your “Personal Preferences” that you wish to share with us to improve your experience, which may include details of your special events (such as birthdays and anniversaries), your hobbies, who you usually travel with and their relationship to you.
  • Other personal data required such as emergency contact information, and any special access or security requirements.

We may also use:

Technical Data such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.

Usage Data relating to your usage of this website or our services.

Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

Children

For children younger than eighteen (18) years old, the use of any of our services is only allowed with the valid consent of a parent or a guardian. However, if their personal data is being processed, children over the age of sixteen (16) will be required to give their own informed consent. If we become aware that we process information of a child under 16 years of age without the valid consent of a parent or guardian, we reserve the right to delete it.

If you are a parent or guardian of a child (under 16 years of age) who has provided personal information without your knowledge and consent, you may request we remove this child’s information by emailing [email protected].

3. HOW WE USE COLLECTED INFORMATION:

We always process your personal information based on one or more of the following legal grounds:

  • Legitimate Interests: The legitimate interests of CH&R in conducting and managing its business in order to ensure a high standard of service, secure experience and legal compliance. We use best endeavors to balance any potential impact on you and your rights (both positive and negative) prior to processing your Personal Data for our legitimate interests. We will not use your Personal Data for activities where our interests are overridden by the impact on you (save with your express consent or as required/permitted by law).
  • Performance of Contract: Processing and using your data is necessary for the performance of any services or contract to which you are a party, or to take steps at your request before entering into such a contract, and the provision of the same to our service providers, agents and other parties as required for the purpose of facilitating the performance of the contract with you.
  • Comply with a legal or regulatory obligation: It may be necessary for us to process your Personal Data to ensure compliance with applicable legal obligations or to comply with requests from Government, law enforcement, regulatory, judicial or related authorities in relation to obligations under law, regulation, national or public security or related inquiry.
  • Consent: Where you have explicitly provided your consent, we will process your Personal Data for the specific purpose(s) for which that consent was obtained. You have the right to withdraw your consent at any time; however, this will not affect the lawfulness of any processing carried out prior to withdrawal. Where consent is the basis for processing, we will ensure that it is freely given, informed, specific, and unambiguous.
  • Public Interest: We may process your Personal Data where such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in CH&R. This may include situations where processing is required to support public functions or statutory duties that contribute to broader societal or community objectives, while ensuring that your rights and freedoms are respected.
  • Vital Interests: In rare circumstances, we may process your Personal Data where it is necessary to protect your vital interests or those of another individual. This basis will only be relied upon where the processing is essential to protect someone’s life or physical safety, and when no other lawful basis is available.

Some of these instances are detailed below.

Purpose/Activity and Lawful Basis for Processing

Bookings and Reservations

  • Facilitate reservations and bookings of hotel services
  • Pre-arrival communications
  • Collect payments and security deposits.

Necessary for the performance of a contract (to process and manage reservations, communicate pre-arrival information, and collect required payments or security deposits).

Necessary for our legitimate interests (to ensure efficient booking operations, prevent reservation-related issues, and support smooth guest service delivery).

Hotel Stays

  • Check-in and check-out.
  • Collect payments and security deposits.
  • Provide personalized service and advice about the on-site services (based on past usage or expressed preferences).
  • Provide concierge, luggage storage and parking services.
  • Make arrangements with third-party providers on request of the guests (such as coordinating excursions).
  • Arrange taxi, shuttle and chauffeur services; and facilitating reservations and bookings at restaurants and events.
  • Administering and facilitating access to Wi-Fi, TV and other connectivity services (including access to business center amenities, such as fax and photocopying services) and entertainment systems (such as music players).
  • Facilitate in-room dining (including taking into account any dietary, health restrictions or other personal needs expressed by the guest).
  • Housekeeping services (including preferences for special pillows, duvets and other amenities) and dry-cleaning services.
  • Handling customer requests, inquiries and complaints.
  • Determining eligibility for age restricted goods and services (such as alcohol or tobacco).

Necessary for the performance of a contract (to manage check-in and check-out, arrange payments and security deposits, provide requested hotel, concierge, dining, housekeeping and related guest services, and facilitate access to connectivity and entertainment systems).

Necessary for our legitimate interests (to deliver personalized services, enhance the guest experience, respond to inquiries or complaints, and coordinate third-party arrangements efficiently).

Based on consent (when providing personalized services or processing specific preferences such as dietary, health-related, or amenity preferences, and when determining eligibility for age-restricted goods or services where consent is required).

Conferences & Events

  • Communicate with customers about conferences and other event planning (“Events”).
  • Facilitate reservation and bookings of Events.
  • Engage in pre-event communications (logistics, accommodations, changes, etc.)
  • Preparing for and coordinating Events in accordance with customer instructions, expectations and preferences; facilitating catering.
  • Communicate about billing and recovering amounts owed.
  • Processing of payments and security deposits.
  • Performing credit checks.
  • Handling customer requests, enquiries and complaints. Communicating with participants during Events.

Necessary for the performance of a contract (to manage event reservations and bookings, coordinate pre-event logistics, prepare and deliver event services including catering, communicate with participants, and process payments, security deposits, and billing).

Necessary for our legitimate interests (to ensure effective event coordination, maintain accurate records, respond to enquiries or complaints, and to perform credit checks).

Based on consent (when processing specific preferences or optional information provided by customers or participants for the organization of Events).

Internal Business

  • Administering customer care services to facilitate and address inquiries, comments, and complaints about any of our services (such as in person, through phone lines, email, or on social media).
  • Handling security and fraud prevention.
  • Administering online services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and the hosting of data).
  • Analyzing usage of services and using data analytics to improve services.
  • Facilitating mergers, acquisitions and other reorganizations and restructurings of our business (including prospective transactions).

Necessary for the performance of a contract (to provide customer care, respond to inquiries, and support the proper functioning of services used by customers).

Necessary for our legitimate interests (to ensure the security of our systems and operations, prevent fraud, conduct data analysis to improve services, maintain and troubleshoot online platforms, and support business reorganizations, mergers, or acquisitions).

Emergency and Security

  • Ensuring the security of on-site services.
  • Responding to, handling, and documenting on-site accidents and medical and other emergencies (including facilitating in-house doctor services).
  • Actively monitoring properties to ensure adequate incident prevention, response and documentation (including CCTV).
  • Requesting assistance from emergency services.

Necessary for our legitimate interests (to ensure the safety and security of our premises, guests, and employees, to prevent and respond to incidents, to document accidents and emergencies and to support effective monitoring through CCTV).

Necessary for the vital interests (to coordinate with emergency services when required).

Compliance

  • Complying with applicable laws.
  • Complying with legal processes.
  • Responding to requests from public and government authorities.
  • Meeting national security or law enforcement requirements.
  • Enforcing our terms and conditions.
  • Protecting our operations.
  • Protecting the rights, privacy, safety, or property of Cinnamon Hotels and Resorts, guests, users and other relevant individuals.
  • Allowing us to pursue available legal remedies and limit the damages that Cinnamon Hotels and Resorts may sustain.

Necessary to comply with our legal obligations (to meet statutory requirements, respond to lawful requests from public authorities, and comply with legal processes).

Necessary for our legitimate interests (to enforce our terms and conditions, protect our operations, safeguard the rights, privacy, safety and property of guests, users and other individuals, and pursue or defend legal claims).

Spa and other Recreational Services

  • Facilitating reservations and bookings.
  • Determining eligibility for services.
  • Honoring disability or other health-related restrictions and providing appropriate and safe activities, services, and treatments.
  • Providing consistent and personalized service based on past usage and preferences expressed by the individual.
  • Processing payments.
  • Arranging requested professionals for specific treatments and services.
  • Handling customer requests, enquiries, and complaints.

Necessary for our legitimate interests (to manage reservations and bookings, determine service eligibility, arrange requested professionals, process payments, and respond to enquiries or complaints, ensuring efficient delivery of spa and recreational services).

Based on consent (when providing personalized services, and when processing health-related or disability information necessary to tailor treatments and ensure safety).

Food & Beverage

  • Facilitating reservations.
  • Honoring dietary preferences.
  • Providing consistent and personalized service based on past usage and preferences expressed by the individual.
  • Processing payments.
  • Arranging reservations
  • Handling customer requests, enquiries, and complaints.

Necessary for our legitimate interests (to manage reservations, process payments, arrange dining services, and respond to enquiries or complaints, ensuring efficient delivery of food and beverage operations).

Necessary for the performance of a contract (when reservations are made via contracted third-party sites/applications).

Based on consent (when honoring dietary preferences and providing personalized services based on past usage or preferences expressed by the individual).

Children

  • Facilitating babysitting and kids club.
  • Facilitating reservations and bookings.
  • Preparing for and coordinating hotel accommodations and services in accordance with guest preferences, instructions, and expectations.
  • Payment and billing services.
  • Child-friendly dining services.

Necessary for our legitimate interests (to manage reservations and bookings, coordinate babysitting and kids club services, prepare and deliver requested hotel accommodations and child-friendly dining services, and process payments and billing efficiently).

Based on consent (when processing information related to the preferences or needs of children (under 16 years of age), or any details required to ensure their safety, comfort, and appropriate participation in provided services).

Communications

  • Communicate about products and services that may be of interest to guests.
  • Sending you surveys
  • Providing personalized advertisements for products and services on selected websites.
  • Facilitating contests.
  • Handling customer requests, enquiries, and complaints.

Necessary for our legitimate interests (to handle customer requests, enquiries, and complaints, and to facilitate contests).

Based on consent (when communicating marketing information, surveys, or personalized advertisements about products and services that may be of interest to guests).

Membership and Loyalty Schemes

  • Registration for loyalty and client account programs and payment card programs.
  • Determining eligibility for various programs and related services.
  • Administering loyalty programs.
  • Providing consistent and personalized offers and services based on past usage and preferences.
  • Ensuring access to Online Services.
  • Processing payments.
  • Notifying members about changes to programs, terms and conditions.
  • Handling members' requests, inquiries, and complaints.

Necessary for the performance of a contract (to register and administer loyalty and client account programs, process payments, ensure access to online services, and notify members about changes to programs or terms and conditions).

Necessary for our legitimate interests (to determine eligibility, provide personalized offers and services based on past usage and preferences, and respond to members’ requests, inquiries, and complaints).

Obtaining and Handling Your Consent

When we collect your personal data, we’ll let you know whether the details we’re asking for are optional. If you share personal data about your spouse, children or any other person/s, we trust that you’ve received their permission to do so. Please note that choosing not to provide certain information may limit access to some services or benefits. For example, if you choose not to provide details about your preferences or requirements, we may not be able to accommodate specific requests during your stay or provide certain personalized services.
 

Testimonials and Event Coverage

From time to time, we may use photos, videos, or testimonials to showcase our properties, events, or guest experiences. If you do not want your personal data to be shared or published, you can let us know anytime by contacting our Data Protection Officer (DPO). Please note that this would not affect your stay or access to our services.
 

Cookies

Cookies are small files or pieces of data stored on your device that help us remember you and understand how you use our site, thereby helping us to personalize, enhance and secure your experience on our website and online services. Cookies allow us to collect browser type, time spent on the Online Services, pages visited, language preferences, and other aggregated traffic data. We use both “first-party cookies”, which are set by us, and “third-party cookies”, which are set by our partners or external websites. Cookies can be “session cookies”, which are deleted when you close your browser, or “persistent cookies”, which are stored for longer.

Cookies help us:

  • Keep you signed in and support smooth navigation
  • Understand how you use our site, including pages visited, time spent, and language preferences
  • Improve site design, performance, and functionality
  • Display content more effectively
  • Ensure security
  • Personalize your experience
  • Process payments and resolve technical issues
  • Deliver relevant products, services, and advertisements
  • Send marketing emails and track responses to ads and emails

The types of cookies we use include:

  • Essential: These technologies are required to activate the core functionality of our service.
  • Functional: These technologies enable us to analyze usage behavior in order to measure and improve performance. We use them to remember your preferences and settings for security purposes, to facilitate navigation, to display content more effectively, to collect statistical data, to personalize your experience while using the Online Services, and to recognize your computer to assist your use of the Online Services.
  • Analytics: These technologies collect data to help us understand how you use our website. We use them to remember and analyze your preferences, settings and usage to continually improve design and functionality, understand how they are used and resolve questions.
  • Marketing: These technologies are used by advertisers to serve ads that are relevant and personalized to your interests, and measure marketing effectiveness by selecting which advertisements or offers are most likely to appeal to you and display them while you are using the Online Services. We also use them to send marketing emails and to track responses to online advertisements and marketing emails.

Each of these cookie types includes additional cookie types under it, and you can choose to consent to or deny them individually. You can set your browser to refuse all or some cookies, or to alert you when a website sets or accesses them. You can also manage or change your cookie preferences at any time through your browser settings or through the cookie manager. Please note that if you disable or refuse cookies, some parts of the website may become inaccessible or may not function properly.
 

Third Party Advertising:

We may use third-party advertising companies to serve advertisements regarding goods and services that may interest you when you access and use the Online Services. To serve such advertisements, these companies place or recognize a unique cookie on your browser (including through use of pixel tags).

  • Pixel Tags and other similar technologies. We collect data from pixel tags (also known as web beacons and clear GIFs), which are used with some Online Services to, among other things, track the actions of users of Online Services (including email recipients), measure the success of our marketing campaigns, and compile statistics about usage of the Online Services.
  • Analytics. We collect data through Google Analytics and Adobe Analytics, which use cookies and technologies to collect and analyze data about use of the Services. These services collect data regarding the use of other websites, apps, and online resources. You can learn about Google’s practices by going to www.google.com/policies/privacy/partners/ and opt out by downloading the Google Analytics opt out browser add-on, available at https://tools.google.com/dlpage/gaoptout. You can learn more about Adobe and opt out by visiting http://www.adobe.com/privacy/opt-out.html.
  • Your IP Address. We collect your IP address, a number that is automatically assigned to the device that you are using by your Internet Service Provider (ISP). An IP address is identified and logged automatically in our server log files when a user accesses the Online Services, along with the time of the visit and the pages that were visited. We use IP addresses to calculate usage levels, diagnose server problems and administer the Online Services. We also may derive your approximate location from your IP address.
  • Aggregated and Segmented Data. We may aggregate data that we collect, and this aggregated data will not personally identify you or any other user. We may also use both Personal Data and Other Data to divide customers into segments, or groups, to provide more relevant advertising.
  • Precise Location-based Services. With your consent, we may collect the precise physical location of your device by using satellite, cell phone tower, Wi-Fi signals, or other technologies. We will collect this data if you opt-in through the App or other programme (either during your initial login or later) to improve special offers and to enable location-driven capabilities on your device. If you have opted-in to share your location, the App or other programme will continue to collect location data based on how you chose to share the data.

4. HOW WE PROTECT YOUR INFORMATION

We adopt appropriate data collection, storage and processing practices and security measures as reasonably possible to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site. While we take reasonable measures to protect your personal data, no method of transmission or storage can be guaranteed to be completely secure.

5. SHARING YOUR PERSONAL INFORMATION

Strategic Business Partners: We may share your personal data with our business partners to enhance your stay, such as spas, restaurants, and transport services.

Service Providers: We may share your personal data with third-party service providers who assist us in providing our services, such as website hosting, data analytics, payment processing, and customer service.  

On-Site Third-Party Vendors: When visiting third-party vendors located in our premises, you may be required to provide personal data directly to them. These vendors operate independently, and the Cinnamon Hotels and Resorts are not responsible for how they handle or process your personal data. You are encouraged to review their respective privacy policies before sharing any personal information or using their services.

If we need to share your personal data with a third-party vendor to fulfil a request you have made, we will inform you of the vendor’s identity and the specific data to be shared. Your consent will be obtained prior to any disclosure. You are advised to review the vendor’s privacy policy before providing consent.

Law Enforcement and Regulatory Authorities: We may share your personal data with law enforcement and regulatory authorities to comply with public security, legal obligations, prevent fraud and cooperate with investigations.   

Other John Keells Group Companies: We may share your personal data with other companies within our corporate structure to provide our services and personalize your experience.

6. YOUR RIGHTS AND YOUR PREFERENCES

You have several rights regarding the way CH&R processes your personal data. These include the right to be informed about the collection and use of your data, to request access to the information we hold about you, and to request the rectification of any inaccuracies. You may also request the erasure of your personal data or the restriction of its processing, object to the processing of your data (including processing based on legitimate interests or for direct marketing), and request the portability of your data. In addition, you have the right to inquire about or object to automated individual decision-making, including profiling, where applicable. You may withdraw your consent at any time for processing activities based on consent; however, this does not affect the lawfulness of any processing carried out before the withdrawal. Where relevant, you also have the right to lodge a complaint with the appropriate Data Protection Authority (DPA) or a relevant Supervisory Authority if you believe your personal data has been processed in violation of applicable data protection laws.
 

7. RETENTION PERIOD

Your Personal Data will ordinarily be stored by the Company for seven (7) years, but this may be extended for a further period due to legal, regulatory, business needs or public interest. Once the retention period expires, we will dispose of or securely anonymize your personal information to prevent unauthorized access or disclosure.

8. DISCLAIMER

Although we attempt to keep all information in the WWW servers accurate and up to date, the accuracy and timeliness of the information provided cannot be guaranteed. We hope that you will find the information helpful and easy to use, but we provide all content for informational purposes only and make no representations or warranties of any kind regarding the same. The Company, its management and its owning company disclaim all liability of any kind whatsoever arising out of the use of, or inability to use, its WWW servers and the information contained on them unless there is negligence or fault on the part of the Company. The Company’s WWW servers were designed to provide information about the Company, its products, and links to specific external Sites. Use of this system for any purpose other than that for which it was designed is unauthorized and prohibited.

9. SUBMITTED MATERIALS

All parties submitting materials to the WWW servers represent and warrant that the submission, installation, copying, distribution, and use of such materials in connection with the WWW servers will not violate any other party’s proprietary or legal rights.
 

10. INTELLECTUAL PROPERTY RIGHTS

The material and content provided on the Site is strictly for your personal and non-commercial use only. However, you could save where expressly provided, and you agree not to, by yourself or through or by way of assistance from any third party, distribute, copy, extract or commercially exploit such material or contents. Except as otherwise indicated, all materials on this Site, including, but not limited to, text, information such as customer or partner references, data, images and pictures, illustrations and written and other materials contained in this Site are protected by copyrights, database rights, trademarks and/or other Intellectual Property rights owned, or used with permission of their owners, by us or our partners, affiliates or associates. This Site is protected by copyright and other intellectual property rights. All rights reserved.

11. THIRD PARTY CONSENT

In the event you provide us with any personal information or Personal Data on behalf of another person, you confirm that such Personal Data has been obtained by you and provided to us with the prior specific consent of such person who has fully apprised himself/herself of terms and conditions of this Privacy Policy. Any such third-party Personal Data provided by you shall be accurate, up to date, valid and not include any false, inaccurate information, any misstatements of fact, misrepresentations or the like.

12. THIRD PARTY LINKS 

This website may include links to third-party websites, plug-ins and applications which are not maintained or controlled by us. Clicking on those links or enabling those connections may allow third parties to collect or share Personal Data about you based on their own terms of use and privacy. We do not control these third-party websites and are not responsible for their privacy statements and therefore we request that you fully apprise yourself of the terms and conditions contained on such websites. We are not responsible for any third-party actions or their security controls in respect of any Personal Data they may collect or process via their website, service or otherwise.

13. OTHER IMPORTANT PROVISIONS

Unsolicited Personal Data

Unless specifically requested, we ask that you not send us Personal Data.

International Data Transfers

Cinnamon Hotels and Resorts provides a global service, and the international transfer of data is essential to ensure you receive consistent, high-quality service wherever you are. Consequently, and in accordance with applicable laws, we may transfer Personal Data and Other Data collected in connection with our Services to entities in other countries. These countries may have data protection standards that differ from those in your country of residence, including locations outside Sri Lanka or the European Union. Personal information submitted to us may therefore be transferred to, stored, and processed on cloud servers located both within and outside of Sri Lanka, as well as the other countries in compliance with relevant legal requirements. By making a reservation, visiting, or staying at a Cinnamon branded property, or by using any Cinnamon Hotels and Resorts branded service, you understand that we globally transfer your Personal Data.
 

CINNAMON DISCOVERY membership

You can create a CINNAMON DISCOVERY membership with us which gives you added benefits. If you set up a CINNAMON DISCOVERY membership, we ask you to provide the following Personal Information:

  • Your full name and email address
  • Your date of birth
  • Your home address and phone number
  • Your language preference for email communication
  • Your email marketing preferences

The CINNAMON DISCOVERY loyalty program is provided by a third-party, which is Global Hotel Alliance (GHA).  

You can deactivate your account by sending an email to [email protected] 

14. YOUR ACCEPTANCE OF THESE TERMS

By submitting any Personal Data, you signify your acceptance of this Statement. If you do not agree, please do not submit any Personal Data. Any submission of your Personal Data will be deemed your acceptance of this Privacy Statement.

15. CONTACTING US

If you have any questions, feedback, or complaints, please contact us at [email protected]

No fee usually required

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unfounded, unreasonable, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to verify your identity and ensure your right to access Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. 

Time limit to respond

We will use all best endeavors to respond to all legitimate requests within twenty-one days. Occasionally, it may take us longer if your request is particularly complex or you have made a number of requests. We will keep you updated in such case.

 

16. LANGUAGE AND INTERPRETATION

This Privacy Statement may be translated into other languages for the convenience of our guests. In the event of any inconsistency between the English version and a translated version, the English version shall prevail.
 

17. UPDATES TO THE PRIVACY NOTICE

We reserve the right to amend, modify, vary or update this Privacy Statement, at our discretion from time to time, as and when the need arises. The most recently published Privacy Statement shall prevail over any of its previous versions.

We’ll do our best to keep you informed about any updates to this Privacy Statement. You’re also welcome to check back on it from time to time so you always know how we look after your personal information.

Last updated date: 08/12/2025