Miral Destinations – Sole Proprietorship LLC Privacy Policy

Introduction

Please read the following Privacy Policy carefully to understand how and why we use your personal data in order for you to access and browse our websites or mobile apps and use our services.

About this Policy

This Privacy Policy is issued for Miral Destinations – Sole Proprietorship LLC (“Miral Destinations”, “we”, “us”, “our”). Miral Destinations regularly collect and use personal data about individuals who visit our websites or mobile apps and use our services Personal data is any information that can be used, directly or indirectly, to identify you as an individual.

Your privacy is very important to us and we understand our responsibilities to protect your personal data in an appropriate and lawful manner and in accordance with applicable data protection regulations. This Privacy Policy should be read in conjunction with our Cookies Policy, which together provide you with details of how and why we collect and process your personal data when you are using Miral Destinations’s websites or mobile apps.

For any privacy queries, you can contact us at any time at: privacy-md@miral.ae

Miral Destinations – Sole Proprietorship LLC

P.O. Box 128717

Abu Dhabi

UAE

License Number: 2307598

Who is responsible for protecting your personal data?

Miral Destinations is responsible for promoting destinations and attractions in Abu Dhabi and is a one stop booking partner, helping design holiday packages for travelers. Such destinations include Yas Island and Saadiyat Island, and attractions include but are not limited to Ferrari World Abu Dhabi, Warner Bros World™ Abu Dhabi, Yas Waterworld, CLYMB™ Abu Dhabi, Qasr Al Watan, Yas Marina Circuit and various other leisure and tourism facilities.

Websites and mobile apps

In connection therewith, Miral Destinations operates the following websites or mobile apps:
MyPass

These websites also use ‘MyPass’, which is a centralised authentication service provided by our affiliate company Miral Experiences LLC (“Miral”). MyPass allows you to seamlessly connect to various online, application and WiFi services; for further information, please review sections 3 and 5 below.

As the entity responsible for collecting your information when you use our websites or apps (as outlined above), Miral Destinations is a Data Controller of your personal data, along with our affiliates and partners where you use MyPass to engage with their services. Miral, as the operator and provider of the MyPass service, may be acting as Data Controller or Data Processor depending on whether you use MyPass to engage with Miral’s services or whether your information is solely hosted by Miral as part of providing the MyPass service. Miral will also be acting as a Data Controller of your personal data used in connection with FacePass and contactless services.

For additional information; Miral’s Privacy Policy can be located here.

This Policy is additional to and is not intended to override other notices or policies we may provide to you or the terms of any contract that you have with us (for example, specific package or ticket terms and conditions) or any rights you may have.

What personal data do we collect, and how do we collect it?

Miral Destinations collects three types of information about you: personal data, special categories of personal data and aggregated/anonymous data (as outlined in this Policy).

Information we collect directly from you
- Information that you personally provide to us when: purchasing our products and services, registering for a MyPass account, enrolling FacePass, subscribing to our mailing lists, making a telephone booking or enquiry or complaint, completing a survey, competition or taking part in promotional activities, or contacting us via a contact us form, livechat or other means available on our website or mobile app.
- This information will vary depending on the service or package you are purchasing or enquiring about but may include:
  - your full name, title, address, booking reference, date of birth, preferred language, MyPass ID, nationality, country of residence, e-mail address, telephone number, number of adults and children, children’s age, check-in/out date, and room or other package related preferences;
  - your chosen marketing preferences and objections, general enquiry details any other information or messages you may decide to provide to us;
  - first name, last name and date of birth for your family members, and their relationship to you, where you have chosen to add your family members’ details to your profile (where this option exists on a particular website or mobile app). If you give us personal information about other people (such as family members or friends), you should make sure you have their permission to do so;
  - credit or debit card and transaction details if you store the information or make a payment for our products and services on our website or mobile app (where available), which are provided directly to our payment solution provider via a secured connection. All credit or debit card details and transaction processing adheres to global data security standards to protect cardholder data;
  - for certain services, this may include special categories of personal data. For example:
    - where you consent to use FacePass, this may include your biometric information. The photo taken or uploaded for FacePass is used only to convert your face into a unique numerical identifier (your FacePass). For further information on the use of your personal data in connection with your FacePass, please review sections 3 and 5;
    - biometric information: as used in this Policy, biometric data includes “biometric identifiers” and “biometric information”. “Biometric identifier” means a scan of face geometry (Miral Destinations uses facial recognition for FacePass, please review section 3). Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
Information we collect indirectly

We collect information you give us, information from your use of our products and services and information we get from third parties:
- in some cases, information about you may be provided to us by a third party verbally or in writing. For example, this could include if a family member or friend has booked a package or tickets on your behalf, or has entered you into a competition. This may also include affiliated companies or partners (for example, your chosen travel agent), or where you engage with services that we provide in conjunction with our affiliates or other companies (for example, rewards or loyalty points programs, joint promotions or FacePass), or social media or technology platforms (for example, by using your Facebook, Google or Apple account login details to sign into our website, mobile app, MyPass, where such facility is available).
- This information may include some of the same information as which you may have provided directly to us (as referenced within this section 2 above).
Information we collect automatically
- Information that we may collect automatically via cookies and other location based tracking mechanisms, when you are using the website or mobile app (as outlined above) or use our applications on third-party sites or platforms. More information on the use of cookies is at section 8 below and in our Cookies Policy.
- This information includes traffic data, location data, weblogs, communication data and the resources you access; for example, your IP address, device ID, device type, referrer URL, operating system and version, geolocation, browser type and browsing history.
- Information may also be collected through campaign performance and engagement, including but not limited to information such as email opens, push notifications and SMS clicks.

How do we use your personal data?

We will use your personal data for the following reasons:

To respond to you and perform the contract
- We will use your information to process and respond to your requests, reservations or queries, when you register, subscribe or contact us, and to provide access to restricted parts of our websites or mobile apps if required. Where you purchase our services we use your information to enter and perform our contract with you.
To improve our products and services
- We use your information to provide content on our websites and mobile apps in the most effective way. Your information allows us to identify you as a user, remember your preferences and deliver an enhanced digital experience. Such data is not retained beyond your visit of the respective website page or mobile app, but may be kept in log files to allow us to maintain and improve our website or mobile app.
To keep our services secure
- Your information may be used to detect, investigate, prevent fraud and rectify potential errors in our technology and against potential cyber-attacks or other abuse of our technology, and to prevent or mitigate any damages that may have been caused by such abuse.
- While we take steps to maintain the security of your information, you should be aware of the many information security risks that exist and take appropriate care to help safeguard your information.
To provide your MyPass (Unique Customer Identity)
- Where our websites or mobile apps have MyPass, when you choose to register for an account with us, we will collect your information to create a unique identifier (your MyPass), which is then used to authenticate you across the different services and enable you to enjoy a frictionless digital experience.
- MyPass is a centralised authentication service provided by Miral that allows you to seamlessly connect to various services throughout Abu Dhabi. This means that once you have created a MyPass at an available location or service on Abu Dhabi, you can use your MyPass to login at other locations and services (for example, at www.yasisland.com or at one of the Yas Island theme park’s websites), without you having to register again at each location or service.
- When you are using MyPass service, we use your mobile ID, device type and other location based data (where you have permitted collection of this in your chosen device settings) to enable us to provide these services to you in the most effective way.
- In certain cases, we might use your location and activities on Yas Island and Saadiyat Island for which you have used your MyPass for the purpose of creating a unique customer profile and to deliver a personalised and enhanced customer experience. For example, if you have bought a ticket online for Warner Bros World™ using MyPass, this activity will be associated to your MyPass.
- Further, as detailed at section 5, where you use MyPass your information may be shared with the other entities making use of MyPass.
- Where you log in to MyPass with your Facebook, Google or Apple account details, those parties will receive information about your activity on our websites or mobile apps. For more details on the information that such parties receive and how they use this, please review their respective Privacy Policies at www.facebook.com/policy, www.policies.google.com and www.apple.com/legal/privacy/en-ww.
FacePass and contactless services
- FacePass services, including contactless access and contactless payment services, are provided by Miral at certain designated attractions on Yas Island (such as Ferrari World Abu Dhabi, Warner Bros. World™ Abu Dhabi and Yas Waterworld).
- Contactless access involves the processing of your FacePass to identity you when entering the designated attractions; once your FacePass is enrolled you can enjoy easier and safer contactless entry to the attraction using your FacePass and without the need to scan your ticket or physically touch assets. The way this works is that you (or a parent or legal guardian, if the FacePass relates to a person under 18 years of age or a person of determination) can consent to enrol your FacePass. Enrolment may be done online through the Yas Island mobile app or website (where available), by uploading a photo of your face. Alternatively, enrolment may be done offline by completing the necessary requirements with guest relations at our designated Attractions and thereafter allowing the camera at the turnstiles to capture your photo.
- Contactless payment involves the processing of your FacePass to identify you when making payments at operating food and retail outlets (where available) inside the designated attractions. The way this works is that (provided you are 18 or older) you can choose to link a debit or credit card to your FacePass through the Yas Island mobile app or website (where available). Once this link is made you can enjoy making payments using your FacePass without the need to physically use the debit or credit card.
- The photo taken or uploaded for FacePass is used only to convert your face into a unique numerical identifier (your FacePass) for means of facial recognition. Once authentication is confirmed, the photo is not stored beyond this purpose and cannot be reused or regenerated for any means. Due to different factors such as picture quality of device used, shading and lighting, your photo may be stored securely on systems within Miral’s premises for up to a maximum of four weeks to ensure authentication and accuracy of the photo. When this process is completed the photo is then removed. The unique numerical identifier is encrypted and the encrypted value is stored securely and linked to your customer profile
- The encrypted values are stored and processed solely for authentication purposes; in other words, when you are next making a contactless entry or contactless transaction your FacePass will be authenticated against the stored encrypted value and once matched the entry or transaction will be completed. Your FacePass and the encrypted values are not processed for any other reasons.
- You can withdraw your consent for processing your FacePass and disable your payment information at any time by selecting the ‘Remove FacePass consent’ or ‘Manage your card’ options on the mobile app or website (where available). You can also contact us at privacy-md@miral.ae. Where you withdraw your consent, such services will no longer be provided to you.
Marketing
- If you have provided your consent by opting in to receive personalised updates and offers, we may send you such updates and offers by email, SMS, mobile app notifications (only available via the mobile app where you have opted in to receiving them), WhatsApp, social media and post, or occasionally contact you by telephone. You may withdraw your consent to receiving such communications at any time by using the [‘unsubscribe’] link in any communication received, by contacting us at privacy-md@miral.ae, or where the particular website or mobile app has the facility to create an account, by changing your marketing preferences within the account management function on the website or mobile app.
- Our servers automatically protocol the consent gathering process to enable us to evidence that you have consented. For this purpose we will store the following information: email address, details of how and when consent was given, details of confirmation email sent and confirmation email clicked; including the date, time and IP address relating to the consent and clicked confirmation link, the wording of the consent and the information about the right to withdraw your consent at any time.
- If you have opted in to hear from other companies in our group or our partners, you may also receive personalised updates and offers from such companies. You may withdraw your consent at any time by using the unsubscribe link in any communication received, by contacting us at privacy-md@miral.ae, or where the particular website or mobile app has the facility to create an account, by changing your marketing preferences within the account management function on the website or mobile app.
Personalised content and services
- Your personal information may be used to understand your customer journey and to provide you with personalised offers or advertisements. These offers or advertisements may be shown to you on our websites or mobile apps or the websites of third parties (for example, your chosen social media platforms).
- Where we have permission to send marketing materials (as set out under Marketing in this section), these personalised offers and advertisements may be included within those updates and will be in accordance with your chosen marketing preferences.
- Please note we do not carry out any automated decision making based on your information.

Livechat

We deploy artificial intelligence technology on our websites and mobile app to provide live chat services with a view to effectively responding to your enquiries and providing information about our services and attractions. When you engage with our live chat, we use the information that you provide to us in order to respond to your enquiry.
The live chat service provides non-personal data only about our services and attractions; for example, information about attraction opening hours. We do not request any personal data in connection with this service as personal data is not required to provide the livechat service.
An open text box is required to provide the live chat service which means we do not control the information a user may input. Any information (whether personally identifiable or not) voluntarily placed into the live chat will be processed. If a user submits personal data then such personal data will not be used for any other purposes.

Promotional or other activities

If (at your discretion) you decide to take part in any promotional activities such as employee benefits, competitions, surveys or interactive features of our services, your personal data may be processed to administer the activity or enable participation.

Notifications

We may notify you of any changes or updates to your current services or subscriptions. For example, security alerts or important support or administration messages about your services or notices of when annual passes are due to expire.

Legal obligations

We may have to process your information to comply with legal or regulatory obligations, where required by applicable laws. Information may be used to:
- enforce our terms and conditions and other agreements, policies, and standards, including investigation of any potential violation thereof;
- detect, prevent or otherwise address security, fraud or technical issues;
- protect the rights, property or safety of us, our users, a third party or the public as required or permitted by law
(including exchanging information with other companies and organisations for such purposes).

Business analysis

We may use your information for our business purposes; for example, to carry out data analytics to assess consumer demands and trends.

Aggregated or anonymised data

We may use your information to compile aggregated or anonymised data (data which does not identify you as an individual, such as statistical or demographic data), so that we can analyse and improve our products and services. However, if we combine aggregated data with your personal data so that it can identify you in any way, we treat the combined data as personal data and it will be used in accordance with this Privacy Policy.

What is the legal basis for processing your personal data?

In most cases, we process your data at your request in order to enter into a contract with you and to perform our contract obligations (for example, to process your booking). If the processing is not related to a contract, we will process your information on one of the following basis:
- based on your explicit consent for us to do so (for example, when you use FacePass, or opted in to our mailing lists or promotions);
- as required to comply with relevant legal or regulatory obligations (for example, to resolve disputes or enforce contracts);
- where processing is mandatory for the establishment, exercise or protection of a right;
- where data is publicly available;
- as required to support the legitimate interests that we have as a business (for example, to carry out market research and analytics, protect against unlawful behaviour or online services (such as prevent fraud by ensuring tickets are in the hands of the purchaser), create a profile regarding your interactions, purchases and interests (such as to inform you of new services or attractions that may be of interest to you) and to further improve and market our products and services), provided always that such processing is carried out in a way that does not violate your fundamental privacy rights.
With regard to special categories of personal data, such as the biometric information outlined at section 2, we require your explicit consent (or the consent of your parent or legal guardian) to process such information. Such consent can be withdrawn; however, this is likely to mean that the services that require consent (for example, FacePass) can no longer be provided to you. We will advise of such consequences of withdrawing your consent if you take this action. Please note that we will only rely on consent as a legal basis when we strictly require consent for processing. We will not rely on this legal basis in circumstances where we may rely on one of the other legal bases, as outlined above.
Who do we share your personal data with?

Service providers

We may share your information with third parties who provide a service to us. We do this where it is necessary for the service provider to have access to your information and solely for the purpose of them delivering that service to us. An example of this is when you purchase a service from us your payment details are processed by a third party payment solution provider.

Our service providers include:
- IT companies (e.g. hosting providers);
- Payment solution providers;
- Marketing or communication providers;
- Developers and support providers;
- Data analytics providers;
- Survey or market research providers;
- Professional advisers or auditors;
- Regulators;
- Insurers.
Affiliates and partners

We may need to share your personal data with our partners connected with your booking. For example, if you book a package holiday with us that involves tickets to a theme park and a hotel stay, we may need to share certain information with the hotel in order to fulfil your booking. Such partners include but are not limited to hotels, theme parks, museums, restaurants or transport providers. We only share the information required to process the booking and if the partner does not require any personal data (for example, if they only need to know the number of tickets), we do not disclose it.

If you opt in to receiving marketing communications from our affiliates or partners when selecting your marketing preferences on our websites or mobile apps, we will share the information required in order for those affiliates and partners to contact you in the ways you have chosen.

Where you enrol for FacePass and contactless services through our website or mobile app (where available), we will need to share your information with Miral, or the respective operator of the attraction or outlet where such services are available, in order that such services can be provided to you.

We also share information in connection with services we provide in conjunction with affiliates or partners; for example, to provide rewards or loyalty points programs and other benefits or services that you may wish to make use of.

Other third parties

We may also disclose your personal data:
- internally, including any of the intra-group companies, our holding company and its subsidiaries where it is necessary to perform certain responsibilities efficiently as part of the service provided to you (for example, data may be accessible to certain types of persons involved within the operation of our services from our administration, IT, marketing or legal teams);
- if required by applicable laws or regulations;
- to government or supervisory bodies or agencies in response to their legitimate requests, or where it is in our legitimate interests to do so, even if such disclosure is not mandatory under law;
- if you explicitly requested or authorised us to do so;
- in the event we sell or merge whole or part of any business or assets, we would need to transfer your information to the acquiring company.
We only share the information that is necessary for the required purpose so we do not disclose all of the information you provide to us, and we do not sell, rent or lease your personal information to third parties under any circumstances.

Aggregated or anonymised data may be shared with our service providers, affiliates or other third parties for the purpose of analytics and to improve products and services.

The categories of third parties to whom we disclose your information may change from time to time. We will update this Privacy Policy before any such changes take effect.
Links to third party websites

You may have accessed one of our websites by clicking a link on a third party website; for example, you may have clicked a link on one of our partners’ websites so that you could view package holiday options or theme park tickets, and were then redirected to our website. Similarly, our websites contain links to our partners’ websites.

We also integrate our websites or mobile app with third party products (for example, Google Analytics, Facebook, Twitter) to enable us to measure the performance of our websites and website content, present personalised offers and enable you to share, like and recommend pages to others via social media.

We are responsible for protecting your personal data when you visit our websites but are not responsible for the websites of any third parties, and this Privacy Policy does not govern any third party websites. You are responsible for understanding how your personal data is used by third party websites and we recommend that you review the privacy policy on the relevant website.
Transfers outside of the EEA

As a business located outside of the European Economic Area (“EEA”), we process your information outside of the EEA and in some cases (as described in section 5), your information may be transferred to and processed by third parties who are also located outside of the EEA.

We will only transfer your information to such third parties where we have made arrangements to ensure that your data is treated securely in accordance with this Privacy Policy and applicable law.
Cookies

Our websites use cookies which help us provide you with a better website and browsing experience, by enabling us to monitor which pages you find useful and which you do not. You can choose to accept or decline cookies; most web browsers will automatically accept them but you can usually modify your browser settings to decline cookies if you wish to; however, this may prevent you from taking full advantage of the website.

More detailed information on our use of cookies is contained within our Cookies Policy.
Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place appropriate technical and organisational security measures to safeguard and secure the information we collect. Whilst we have implemented such measures, we cannot completely guarantee the security of your information; any transmission by you is at your own risk.

Your personal data is stored in a centralised database hosted in the cloud, and affiliates or partners might have access to this database where such entities make use of MyPass.

You are responsible for maintaining the confidentiality of any password or account details.

Where you chose to click a link to any of the websites of our partners, advertisers and affiliates, please note that those websites have their own privacy policies and we do not accept any responsibility or liability for their policies or their security of your personal data. Please check their policies before you submit any personal data to those websites.
Retention

Unless otherwise required by applicable law, we will retain your information for as long as is necessary for the relevant purpose outlined in this Privacy Policy. If you register for an account with us, your information will be retained for as long as your account is active and after closure for an additional period to administer any requests concerning your account, or in accordance with our legal obligations including where it is necessary for the establishment, exercise or defence of legal claims. If you wish to delete your account or any data related to it, please contact us at privacy-md@miral.ae and we will execute your request.
How you can control your personal data

You have certain rights in relation to your personal data as determined by applicable data protection laws.

If you benefit from the rights of a data subject under the European Union General Data Protection Regulation 2016/679, or the Dubai International Financial Centre Data Protection Law No. 5 of 2020, you will have certain additional rights in relation to our handling of your personal information, including:

You have the right at any time to:
- be informed of the use of your personal data;
- access, rectification or erasure of your personal data;
- restrict and/or object to the processing of your personal data;
- data portability;
- not be subject to any decision based solely on automated processing of your personal data.
You can exercise some of these rights when providing data to us at registration or purchase or when contacting us, by reviewing and selecting or deselecting the boxes on the forms you are required to complete. Where the particular website or mobile app has MyPass or the facility to register for an account, you can also exercise some of these rights via the account management tools on our website or mobile app.

If at any time you wish to unsubscribe or opt-out from any communications we have sent you based upon your selected preferences, you may do so by using the one click unsubscribe link on those communications.

You can also contact us at privacy-md@miral.ae.

If you wish to discuss how we have handled your personal data, you can contact us at any time and we will investigate this. If you are not satisfied with the response or believe we are not processing your data in accordance with the applicable law you can refer the matter to any competent data protection authority.
Contacting us

For any privacy related queries, you may contact us at any time on any of our contact us facilities or at privacy-md@miral.ae.

Please note, for your safety and to allow us to make sure that we do not disclose any of your personal data to any unauthorised third parties, we may need to verify your identity and guarantee the adequate exercise of your rights. In doing so, we may request specific information and/or documents from you before we can properly respond to any request received concerning your data. All data and documents received from you in the process of responding to your requests will be used strictly for the purposes of analysing your request, authenticating your identity, and responding to your request in full.
Updates to this Privacy Policy

We may change this Privacy Policy in whole or part at any time by updating this page and without prior notification to the extent permitted by applicable law. Please ensure you review this page from time to time to take notice of any such changes. Most changes are likely to be minor but for substantive changes, we may provide additional notice to you by either providing a pop up notice or similar statement on our website, or by sending you an email. Your further use of our services after a change to our Privacy Policy will be subject to the updated policy. We indicate at the bottom of the Privacy Policy when it was last updated.

Last updated: 20-Feb-2023