Privacy Policy
This Privacy Policy applies to PUREPROP LTD, a private limited company incorporated in England and Wales and trading as The Grand Key, together with its affiliates where applicable (“The Grand Key”, “TGK”, “we”, “us”, or “our”).
This Privacy Policy is applicable to our websites, digital platforms, and online services, and to all products and services made available, offered, or distributed by us via such websites and platforms (collectively, our “Services”).
This Policy describes how and why we collect, store, use, share, and otherwise protect personal data (“Process”) that identifies or relates to an identifiable individual (“Personal Data”) through our websites and platforms, in connection with the provision of our Services, and when you interact with us in any capacity.
This Policy also explains the rights and choices available to you in respect of the Personal Data that we Process.
SUMMARY
By accessing or using our Services, you acknowledge and agree that we may collect and Process your Personal Data in accordance with this Privacy Policy.
Before providing us with any Personal Data, you should read this Policy carefully and in its entirety to ensure that you understand how your Personal Data will be used, shared, and protected.
This Privacy Policy applies to our websites, digital platforms, and online services (together, the “Websites”), as well as to all Services offered by The Grand Key. Accordingly, references in this Policy to “Services” should be understood as referring to one or more of our services, as the context requires.
Where we refer in this Policy to our “Terms”, we mean the Terms of Use, Booking Conditions, Cancellation and Refund Policy, and any other contractual terms governing your relationship with The Grand Key, which you accept when you engage with or purchase our Services.
Capitalised terms used but not otherwise defined in this Policy are explained in the Glossary located at the end of this Privacy Policy.
WHAT PERSONAL DATA DO WE PROCESS?
Depending on how you choose to access, use, and interact with our Websites and Services, the Personal Data we Process may include information relating to:
(i) individuals who enquire about, book, or stay in accommodation offered through the Platform (“Guests”);
(ii) owners or authorised controllers of accommodation listed on the Platform (“Owners”);
(iii) third-party property management companies acting on behalf of Owners (“Property Management Companies” or “PMCs”);
(iv) service providers, suppliers, and professional partners engaged in connection with our Services (“Partners”); and
(v) individuals who browse, interact with, or otherwise use our Websites or Services, whether or not they create an account (“Users”).
In relation to the Personal Data described above, The Grand Key generally acts as a Data Controller, determining the purposes and means of Processing.
HOW AND WHY DO WE PROCESS YOUR PERSONAL DATA?
We Process Personal Data in order to:
- provide, operate, and administer our Services;
- facilitate bookings, enquiries, and stays;
- manage relationships with Guests, Owners, PMCs, and Partners;
- communicate with you regarding your use of the Services, including for safety, security, and service-related purposes;
- improve, develop, and optimise our Websites and Services; and
comply with applicable legal, regulatory, accounting, and compliance obligations.
We may also Process your Personal Data for other specific purposes where you have provided your express consent, or where such Processing is otherwise permitted or required by Applicable Law.
We Process Personal Data lawfully, fairly, and transparently, apply appropriate technical and organisational safeguards, and limit Processing to what is necessary in light of the purposes for which the Personal Data is collected.
Depending on the specific Processing activity, The Grand Key may act as a Data Controller or, in limited circumstances, as a Data Processor, including where Personal Data is processed on behalf of Owners, PMCs, or Partners pursuant to contractual arrangements.
INTERNATIONAL OPERATIONS AND LEGAL FRAMEWORK
The Grand Key operates internationally and provides Services to Users, Guests, and Owners located in multiple jurisdictions, including the United Kingdom, the European Union, and the United States.
As a result, our data protection obligations include compliance with a range of applicable privacy and data protection laws, including but not limited to:
- the UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR);
- Regulation (EU) 2016/679 (the EU GDPR);
- applicable United States federal and state privacy laws, including the California Consumer Privacy Act (CCPA), as amended; and
- other national or regional data protection laws that may apply based on your location or residency.
Certain additional provisions applicable to individuals based on their country or region of residence are set out in Section II(6) and Section II(7) of this Privacy Policy. Unless expressly stated otherwise, the provisions of this Policy apply to all individuals whose Personal Data we Process, regardless of location.
QUESTIONS OR CONCERNS
This Privacy Policy is intended to help you understand how we Process Personal Data and the rights and choices available to you.
If you do not agree with the practices described in this Policy, you should discontinue use of our Websites and Services.
If you have any questions, concerns, or requests relating to this Privacy Policy or our Processing of Personal Data, you may contact us:
- by email at: info@thegrandkey.com
- or by post at:
PUREPROP LTD
Trading as The Grand Key
128 City Road
London EC1V 2NX
United Kingdom
To the extent that any provision of this Privacy Policy is inconsistent with Applicable Law, or where you have provided express consent for Processing not expressly described herein, Applicable Law and/or your express consent shall prevail.
TABLE OF CONTENTS
I. GENERAL PRINCIPLES APPLICABLE TO OUR PERSONAL DATA PROCESSING
- To whom does this Policy apply?
- What are our commitments?
- What Personal Data is collected?
- What special categories of data are collected?
- Cookies and other trackers
- What measures are taken to ensure Personal Data security?
- Is your data transferred outside the European Union?
- How to exercise your data rights?
- Updates and questions
II. SPECIFIC RULES CONCERNING YOU
- If you are a Guest
- If you are an Owner
- If you are a Property Management Company (PMC)
- If you are a User
- If you are a Partner
- If you live outside the European Union
- Do United States residents have specific privacy rights?
- Supplemental EEA Privacy Notice
III. GLOSSARY OF TERMS
I. GENERAL PRINCIPLES APPLICABLE TO OUR PERSONAL DATA PROCESSING
1. TO WHOM DOES THIS POLICY APPLY?
This Privacy Policy applies to all individuals and entities whose Personal Data is processed by PUREPROP LTD trading as The Grand Key, including, without limitation:
- individuals who enquire about, book, or stay in accommodation offered through the Platform (“Guests”);
- owners or authorised controllers of accommodation listed on the Platform (“Owners”);
- third-party property management companies acting on behalf of Owners (“Property Management Companies” or “PMCs”);
- service providers, professional advisers, and commercial partners engaged in connection with our Services (“Partners”);
- individuals who browse, interact with, or otherwise use our Websites or Services, whether or not they create an account (“Users”).
If you stay in an accommodation listed on our Websites as a Guest, then, in certain circumstances, your Personal Data may be shared with the relevant Owner, a PMC, Partners, and/or competent public authorities. Such sharing may occur, for example, in order to:
- facilitate bookings and the provision of Services;
- enable communication between relevant parties;
- coordinate concierge, operational, or ancillary services;
- ensure safety and security; and
- comply with Applicable Law, including regulatory or reporting obligations.
The Personal Data of Owners is not shared with Guests. However, under certain circumstances, Owner Personal Data may be shared with third parties such as PMCs, insurers, professional advisers, Partners, financial institutions, and/or public authorities, where necessary for:
- performance of contractual obligations;
- booking and Services facilitation;
- operational coordination;
- insurance or risk-management purposes; and
- compliance with Applicable Law.
Accommodation listed and offered on our Websites is not owned by The Grand Key. Properties are listed pursuant to agreements entered into between The Grand Key and Owners and/or through PMCs or Partners acting on behalf of Owners.
2. WHAT ARE OUR COMMITMENTS?
We Process Personal Data in accordance with this Privacy Policy, in compliance with Applicable Law, and in line with the following fundamental principles:
- Lawfulness
We Process Personal Data only where a valid legal basis exists, including where Processing is necessary for the performance of a contract, compliance with a legal obligation, pursuit of legitimate interests, or where the data subject has provided consent. We facilitate the informed exercise of data-subject rights at all times. - Fairness, Transparency, and Identified Purposes
We clearly inform data subjects of how, when, and why their Personal Data is Processed. Personal Data is collected for specified, explicit, and legitimate purposes and is not further Processed in a manner incompatible with those purposes. - Data Minimisation
We Process only the minimum amount of Personal Data necessary to perform and facilitate our Services effectively and lawfully. - Security and Confidentiality
We apply appropriate technical and organisational measures, at least equivalent to industry standards, to maintain the integrity, confidentiality, and overall security of the Personal Data we Process.
3. WHAT PERSONAL DATA IS COLLECTED?
We collect and Process Personal Data for a variety of purposes. The primary reason we collect Personal Data is to provide, operate, and continuously improve our Services, and to deliver a high-quality experience consistent with the standards of The Grand Key.
Where you have expressly consented, we may also collect and Process Personal Data to personalise or enhance your experience when visiting or using our Websites and Services.
Regardless of the purpose, we ensure that:
- we do not collect more Personal Data than is necessary; and
- we do not collect or Process Personal Data for purposes that are different, unrelated, or incompatible with those described in this Privacy Policy.
The categories of Personal Data we collect about you depend on multiple factors, including:
- the Services you use;
- the Websites through which you access the Services;
- your device and account settings;
- the contractual terms you have agreed to; and
- the nature of your relationship with us (for example, Guest, Owner, PMC, User, or Partner).
Personal Data may be collected:
- directly from you when you voluntarily provide it;
- automatically when you use our Websites or Services; or
- lawfully from third parties, such as Owners, PMCs, Partners, payment service providers, or public authorities.
Not all categories of Personal Data will be collected or received in relation to every individual.
For the avoidance of doubt, Personal Data does not include publicly available information from official government records or information that has been anonymised or aggregated such that it can no longer be used to identify an individual.
CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA PROCESSED
| Category of Data Subjects | Personal Data Processed |
| If you are a Guest | Personal Data voluntarily provided by you, including information relating to marketing preferences, participation in surveys, feedback requests, promotions, or other communications. This may include your first and last name, email address, telephone number, postal address, country of residence, country of origin, nationality, date of birth, occupation, interests, dietary requirements or preferences, and any other information you choose to disclose to us. Booking and stay-related information, including reservation details, length of stay, property selection, number of guests, special requests, and communications relating to your booking. Payment and financial information necessary to process bookings, deposits, refunds, or other charges, such as credit or debit card details, billing address, transaction references, and payment confirmations. Full payment card details are processed by secure third-party payment providers and are not stored by The Grand Key. Technical and usage data, including IP address, device identifiers, browser type, operating system, and browsing activity on our Websites. Images, photographs, or video footage where relevant, including images voluntarily provided, or images captured by security or monitoring systems at certain properties where legally permitted and clearly signposted. Audio or video recordings and transcriptions created during meetings, calls, virtual viewings, concierge discussions, or recorded sessions, where applicable and lawful. |
| If you are an Owner | Identification and contact information, including first and last name, email address, telephone number, postal address, country of residence, nationality, and country of origin. Professional and contractual information, including occupation, sector of activity, tax identification number, and details required to perform contractual, accounting, or compliance obligations. Financial information, including bank account details necessary for payments, owner payouts, or reimbursements. Property-related information, including property address, availability calendars, occupancy information, general reasons for unavailability, property specifications, security or access information, inventories, and other operational details required to market, manage, or advertise the property. Browsing and technical data, including IP address and device-related information when using our Websites or systems. Images, photographs, or video footage voluntarily provided or captured in connection with marketing materials, professional photography, virtual tours, or property-related media, as well as audio or video recordings and transcriptions created during meetings or communications, where applicable and lawful. |
| If you are a Property Management Company (PMC) | Identification and contact information, including name, surname, business name, professional email address, professional telephone number, and role or capacity within the organisation. Financial and payment information necessary for settlement of fees or services, including bank account details. Communications data relating to bookings, operations, guest coordination, and service delivery. Technical and usage data collected when interacting with our Websites or systems. |
| If you are a Partner | Identification and professional contact information, including name, surname, company name, postal address, professional email address, and professional telephone number. Commercial, contractual, and operational information as specified in our agreement with you, including service descriptions, billing information, and communications relating to the provision of services. Technical and usage data collected when interacting with our Websites or systems. |
| If you are a User | Identification and enquiry-related information, including first and last name, email address, telephone number, desired destination, potential arrival and departure dates, and any other information voluntarily provided in connection with enquiries or communications. Marketing-related information voluntarily provided by you, including preferences, survey responses, feedback, or participation in promotions or offers. Communications content, including messages exchanged between you and our representatives via chat, email, or other communication channels, where you have consented or where permitted by Applicable Law. Automatically collected technical and usage data when you visit or interact with our Websites, which does not directly identify you but may include IP address, device identifiers, browser type, operating system, language preferences, referring URLs, approximate location, date and time of access, and information about how you interact with our Websites and communications. Tracking and analytics data collected via cookies and similar technologies, including browsing history, interaction with content, clickstream data, referral information, and engagement with emails or marketing communications, primarily for security, analytics, and service improvement purposes. |
In addition to the Personal Data that you voluntarily provide to us or that we collect directly through your use of our Websites and Services, The Grand Key may collect and Process Personal Data obtained from third parties, as well as Personal Data generated in connection with your interactions with us.
Information Collected Through Third Parties
We may receive Personal Data from third parties in connection with the marketing, promotion, administration, and improvement of our Services. Such third parties may include marketing vendors, data providers, analytics providers, and other commercial partners.
This information may include marketing or contact information derived from consumer or professional lists, publicly available databases, online memberships, or other lawful sources. In certain cases, such information may be created or enriched through technology-based matching, profiling, or modelling processes, where permitted by Applicable Law.
All Personal Data obtained from third parties is Processed in accordance with this Privacy Policy and Applicable Law, and we take reasonable steps to ensure that such data has been collected and shared with us lawfully.
Electronic Communications and Online Chat Services
We use third-party software and communication tools to facilitate electronic communications with Users, Guests, Owners, and other data subjects, including online chat functionality, enquiry forms, email communications, and text messaging.
These tools are used to provide enhanced and responsive Website-related Services and may include real-time messaging between Users and representatives of The Grand Key, as well as follow-up communications by email or text message.
Online chat and similar electronic communication Services are made available only where you have provided your informed and express consent, where required by Applicable Law, to the collection of identifiers such as your email address and/or IP address, and to the association of that information with chat transcripts, message logs, and other categories of Personal Data we Process.
Where chat, messaging, or recorded communications are enabled, logs of such communications may be retained and associated with other Personal Data we hold, strictly for purposes including service delivery, quality assurance, training, security, and compliance with Applicable Law.
Data Retention
We retain Personal Data only for as long as is reasonably necessary to provide, administer, promote, and improve our Services, and/or as required to comply with Applicable Law.
The Grand Key maintains documented records management and data retention policies and procedures to ensure that Personal Data is deleted or anonymised after a reasonable period, determined by reference to the following criteria:
- We retain Personal Data for as long as we have an ongoing relationship with you, including where you maintain an active account with us or have an active booking, listing, or contractual relationship with The Grand Key.
- We retain Personal Data only for so long as necessary to provide the Services you have requested or to which you are entitled.
- We retain Personal Data for as long as necessary to comply with applicable legal, regulatory, accounting, or contractual obligations.
- We may retain Personal Data where necessary for other legitimate and lawful purposes, including preventing harm, investigating suspected or actual violations of our Terms of Use or other policies, investigating reports of abuse or misconduct, resolving disputes, or protecting the rights, property, or safety of The Grand Key, our Users, or third parties.
Although certain of our systems and processes are designed to delete or anonymise Personal Data automatically, we cannot guarantee that deletion will occur by a specific date or within a fixed timeframe.
In some circumstances, we are legally required to retain Personal Data for a minimum period, which prevents immediate deletion. Additional reasons for retaining Personal Data may include ongoing investigations, enforcement of contractual rights, or compliance with Applicable Law.
Certain Personal Data may also be retained in secure backup systems for a limited period or as otherwise required by Applicable Law.
Further details regarding retention periods applicable to specific categories of Personal Data and data subjects are set out in the Guest, Owner, Property Management Company, Partner, and User tables in Section II – Specific Rules Concerning You of this Privacy Policy.
4. WHAT SPECIAL CATEGORIES OF DATA ARE COLLECTED?
As a general principle, The Grand Key does not collect, use, store, or otherwise Process “special category” or “sensitive” Personal Data. This includes Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a natural person, data concerning health, or data concerning a person’s sex life or sexual orientation.
Notwithstanding the above, in limited circumstances we may collect and Process special category Personal Data relating to Guests or Owners where such information is voluntarily and unsolicitedly communicated to us.
In such cases, the special category Personal Data that you choose to provide, in particular where it may be relevant to the organisation, facilitation, or delivery of the Services, will be collected and Processed only where we have obtained your explicit consent, or where such Processing is otherwise permitted under Applicable Law, and will be subject to enhanced safeguards.
5. COOKIES AND OTHER TRACKERS
Like many organisations operating online, The Grand Key collects information through cookies and similar tracking technologies.
We use both first-party and third-party cookies and tracking devices on our Websites for purposes including website functionality, analytics, performance measurement, and, where permitted by Applicable Law, advertising and marketing.
Our Cookie Notice provides specific information about the cookies and similar technologies we use, the purposes for which they are used, and how you can manage your cookie preferences through our consent management platform.
We, together with our third-party analytics and marketing partners, may use session cookies and persistent cookies, as well as invisible pixels, web beacons, and similar technologies.
- A session cookie is temporary and expires when you close your browser.
- A persistent cookie is a small text file stored on your device for a longer period of time and can be removed by following your internet browser’s instructions.
By indicating how and when you use our Websites, cookies help us understand which areas of our Websites are most frequently visited and which are not, and assist us in tailoring content and information based on user interests.
Cookies also enable us to store the preferences you set during visits to our Websites, which in turn allows us to streamline and improve your experience during future visits.
Log Files
Like most standard websites, The Grand Key uses log files. Information collected through log files may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring and exit pages, platform type, date and time stamps, and the number of clicks or interactions.
This information is used to administer our Websites, analyse trends, track user movement, gather demographic information, and improve the overall performance, security, and functionality of our Websites and Services. Log file data is not used to identify individual Users directly.
Clear GIFs (Web Beacons / Web Bugs)
We employ software technologies commonly referred to as clear GIFs, also known as web beacons or web bugs, to assist in the management and optimisation of content on our Websites.
Clear GIFs are small graphic files with unique identifiers, similar in function to cookies, which are embedded invisibly within web pages or emails. Unlike standard image files, clear GIFs are not visible to Users and are typically no larger than a single pixel.
These technologies allow us to understand how Users interact with our Websites and communications, including which content is effective and which emails have been opened. Clear GIFs may also be used in HTML-based emails to monitor engagement.
The Personal Data collected through clear GIFs helps us measure content popularity, assess campaign effectiveness, improve Services, and personalise content. Clear GIFs function similarly to cookies but are embedded directly within content rather than stored on a User’s device.
Do Not Track (“DNT”) Signals
Some web browsers offer a Do Not Track (DNT) setting, which sends a signal to websites indicating a User’s preference not to be tracked across websites.
Because DNT signals represent a preference request rather than a binding legal requirement, The Grand Key does not currently respond to or recognise DNT signals.
We may work with third-party analytics and advertising partners that use tracking technologies on our Websites to provide tailored advertising on our behalf or on behalf of our Partners. These third parties may collect information about your activity on our Websites and your interactions with advertising and other communications in order to determine which advertisements or content may be most relevant to you.
Most browsers are initially configured to accept cookies and tracking technologies. You may configure your browser settings to notify you when cookies or similar technologies are used, giving you the opportunity to accept or reject them.
You may reject cookies and continue to use our Websites; however, certain features or functionalities, including account-related or personalised Services, may not operate as intended.
Cookie and tracking preferences may also be managed through your browser’s settings or, where applicable, through device-level or application-specific settings on mobile devices.
Automated Decision-Making
The Grand Key does not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you without human involvement.
Automated decision-making refers to decisions made solely by automated means, without human review, based on algorithmic processing. Where automation is used for analytics or service optimisation, it does not result in decisions that materially affect your rights or interests.
6. WHAT MEASURES ARE TAKEN TO ENSURE PERSONAL DATA SECURITY?
We implement appropriate technical and organisational measures, in accordance with Applicable Law (including Article 32 of the GDPR), to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.
These measures include, without limitation:
- secure hosting environments and network protections, including firewalls;
- encryption of data in transit where appropriate;
- access controls, authentication mechanisms, and role-based permissions;
- internal policies, training, and procedures designed to ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems.
Personal Data relating to payments made through our Websites is collected and processed directly by secure third-party payment providers through dedicated interfaces. Payment Data is processed by such providers in accordance with the strict security and confidentiality standards applicable within the payment card industry.
Where credit or debit card information is transmitted in connection with a booking or payment, SSL (Secure Socket Layer) encryption technology is used to secure transactions.
Despite these safeguards, no electronic transmission or storage system can be guaranteed to be fully secure. Accordingly, we cannot guarantee absolute security of Personal Data.
Where you have been provided with, or have chosen, a password to access certain areas of our Websites or Services, you are responsible for maintaining the confidentiality of that password and for complying with any security procedures notified to you. You should not share your password with any third party.
Any suspected or actual unauthorised access to or use of our Websites or Personal Data should be reported to us without delay using the contact details set out in this Policy.
LINKS TO OTHER WEBSITES
Our Websites and Services may contain links to third-party websites or applications. The Grand Key is not responsible for the privacy practices, content, or data-handling practices of such third parties.
This Privacy Policy applies solely to Personal Data collected by us through our Websites and Services. Where you access third-party websites or applications through links on our Websites, the privacy policies of those third parties will apply.
We encourage you to review the privacy policies of any third-party websites or applications before providing Personal Data or using their services.
7. IS YOUR DATA TRANSFERRED OUTSIDE THE EUROPEAN UNION?
Personal Data is typically processed on servers located within the United Kingdom or the European Economic Area (EEA). However, for the purposes described in Section II of this Policy, we may transfer Personal Data to internal or external recipients, including affiliates, service providers, and Partners, who may be located in jurisdictions that do not provide an equivalent level of data protection.
Where Personal Data is transferred outside the UK or EEA, we implement appropriate safeguards to ensure lawful and secure transfers in accordance with Applicable Law. These safeguards may include:
- adequacy decisions issued by relevant authorities;
- standard contractual clauses adopted by the European Commission or the UK Information Commissioner; and
- additional technical or organisational measures where necessary.
You may request further information regarding the safeguards applied to international data transfers by contacting us using the details set out below. See also Section II(8) – Supplemental EEA Privacy Notice.
8. HOW TO EXERCISE YOUR DATA RIGHTS?
Subject to Applicable Law, you have the following rights in respect of your Personal Data:
- the right to request access to your Personal Data and obtain a copy of the information we Process;
- the right to request rectification of inaccurate or incomplete Personal Data;
- the right to request erasure of your Personal Data where we no longer have a lawful basis to retain it;
- the right to object to Processing carried out on the basis of legitimate interests or for direct marketing purposes;
- the right to request restriction of Processing;
- the right to data portability, where applicable;
- the right to withdraw consent at any time where Processing is based on consent.
You may opt out of receiving commercial communications from us at any time by following the unsubscribe instructions included in such communications, replying “STOP” where applicable, or contacting us directly.
Please note that even if you opt out of marketing communications, we may continue to send non-commercial, transactional communications relating to your account, bookings, or Services.
Additional rights may apply depending on your place of residence. Please refer to Sections II(6) and II(7) of this Policy for residency-specific rights.
You may exercise your rights by contacting us using the contact details provided below. For security purposes, we may request verification of your identity before responding to your request. Where appropriate, a copy of an official identification document may be requested.
You also have the right to lodge a complaint with a relevant data protection authority.
9. POLICY UPDATES AND QUESTIONS
We may revise this Privacy Policy from time to time to reflect changes in law, regulation, or our Processing practices.
When updates are made, the revised version will be published on our Websites and the “last updated” date at the top of this Policy will be amended accordingly. Continued use of our Websites or Services following publication of an updated Policy constitutes acceptance of the revised terms.
If you do not agree with this Privacy Policy, you should discontinue use of our Websites and Services.
If you have any questions or concerns regarding this Policy or our Processing of Personal Data, you may contact us:
By email:
Info@thegrandkey.com
By post:
PUREPROP LTD
Trading as The Grand Key
128 City Road
London EC1V 2NX
United Kingdom
II. SPECIFIC RULES CONCERNING YOU
1) IF YOU ARE A GUEST
Guests are natural persons who enquire about, book, or stay in accommodation listed on The Grand Key platform, whether such booking is made directly via our Websites, by telephone, or via third-party Property Management Companies (“PMCs”) and/or Partners (including online travel agencies).
The Grand Key Processes Guest Personal Data in accordance with the criteria set out below:
Purposes of the Processing of your Personal Data | Legal Basis of the Processing | Recipients of your Personal Data | Retention Periods |
| Management of your booking and stay Services, including reservation handling, check-in and check-out coordination, and stay administration | Processing necessary for the performance of a contract to which you are a party | Internal recipients: internal teams of The Grand Key (including customer service, operations, concierge, and finance)
External recipients: hosting provider of the Websites; Owners; PMCs; on-site service providers (where applicable); payment service providers; call-centre or communications providers; local or governmental authorities where required by law; affiliates | Duration of the contractual relationship |
| Management of after-sales Services, including handling enquiries, complaints, and support requests | Processing necessary for the performance of a contract and/or legitimate interests to ensure service quality | Same as above | Duration of the contractual relationship |
| Creation and management of your Services account, including authentication and access | Processing necessary for the performance of a contract | Internal teams; hosting and IT providers | Until account deletion or 2 years after last account activity, unless you object |
| Provision of assistance or support relating to your use of the Services | Performance of contract and/or your consent | Internal customer support teams; relevant service providers | Duration of support need, then archived per statutory limits |
| Services-related, informational, marketing, and promotional communications (where permitted) | Legitimate interests where you are an existing customer and/or your consent | Internal marketing teams; authorised marketing service providers | Until you withdraw consent, object to marketing, or 3 years from last contact |
| Litigation and dispute management | Legitimate interests to assert or defend legal rights; legal obligation where applicable | Legal advisers; insurers; courts; authorities | Duration of the dispute and applicable statutory limitation periods |
| Guest satisfaction surveys and feedback | Legitimate interests and/or your consent | Internal teams; survey providers | For the duration of the survey purpose or until you object or withdraw consent |
| Fraud prevention and security monitoring | Legitimate interests to prevent fraud and secure systems; legal obligation where applicable | Internal security teams; fraud detection providers; authorities | 90 days for analysis, then 2 years in a restricted database for system improvement; incident file entries retained up to 2 years or until resolved |
| Disputing unpaid bills or chargebacks | Legitimate interests to recover sums due; legal obligation | Internal finance teams; payment providers; legal advisers | 5 years if unresolved; 48 hours after resolution once confirmed |
| Improvement of the Websites and Services, including analytics and performance monitoring via cookies | Your consent where required | Analytics and technology providers | Data retained for a maximum of 25 months |
| Management of newsletters | Your consent | Internal marketing teams; email distribution providers | Until you unsubscribe or 3 years from last contact |
| Accounting and tax management | Processing necessary to comply with a legal obligation | Internal finance teams; auditors; tax authorities | 6 years for tax records; 10 years for accounting records |
2) IF YOU ARE AN OWNER
Owners are natural persons who own or control accommodation listed for booking on The Grand Key platform. Personal Data relating to Owners may be collected directly by The Grand Key or indirectly via Property Management Companies (“PMCs”).
Owner Personal Data Processing Table
Purposes of the Processing of your Personal Data | Legal Basis of the Processing | Recipients of your Personal Data | Retention Periods |
| Management of the rental and marketing of your accommodation | Performance of the contract to which you are a party | Internal recipients: operations, customer service, finance, legal teams of The Grand Key
External recipients: website hosting provider; payment service providers; PMCs (where applicable); affiliates; local or governmental authorities where required by law | Duration of the contractual relationship |
| Management of the contractual relationship | Performance of contract and/or your consent | Same as above | Duration of the contractual relationship |
| Management of your User Account | Performance of contract | Internal IT and support teams; hosting providers | Until account deletion or 2 years after last account activity, unless you object |
| Services-related, informational, marketing, and promotional communications | Legitimate interests where you are an existing customer and/or your consent | Internal marketing teams; authorised communication providers | Until you withdraw consent, object to marketing, or 3 years from last contact |
| Litigation and dispute management | Legitimate interests to assert or defend legal rights | Legal advisers; insurers; courts; authorities | Duration of litigation and applicable limitation periods |
| Satisfaction surveys and feedback | Legitimate interests and/or your consent | Internal teams; survey providers | Until survey purpose is fulfilled or consent is withdrawn |
| Website improvement via cookies and analytics | Your consent where required | Analytics and technology providers | Maximum of 25 months |
| Newsletter management | Your consent | Internal marketing teams; email distribution providers | Until you unsubscribe or 3 years from last contact |
| Accounting and tax management | Legal obligation | Finance teams; auditors; tax authorities | 6 years for tax records; 10 years for accounting records |
| Compliance with applicable legislation | Legal obligation | Authorities and regulators | Retention period prescribed by Applicable Law |
3) IF YOU ARE A PROPERTY MANAGEMENT COMPANY (PMC)
PMCs are typically professional real estate or hospitality management companies. We may collect Personal Data relating to PMC representatives and staff members.
PMC Personal Data Processing Table
Purposes of the Processing of your Personal Data | Legal Basis of the Processing | Recipients of your Personal Data | Retention Periods |
| Management of the contractual relationship | Performance of contract and/or your consent | Internal recipients: commercial, operations, and finance teams of The Grand Key
External recipients: payment providers; affiliates; local authorities where required by law | Duration of the contractual relationship |
| Litigation and dispute management | Legitimate interests to defend legal rights | Legal advisers; insurers; courts; authorities | Duration of litigation and applicable limitation periods |
| Accounting and tax management | Legal obligation | Finance teams; auditors; tax authorities | 6 years for tax records; 10 years for accounting documents |
4) IF YOU ARE A USER
Users are natural persons who navigate or interact with The Grand Key Websites. Users may also be Guests, Owners, PMCs, or Partners.
User Personal Data Processing Table
Purposes of the Processing of your Personal Data | Legal Basis of the Processing | Recipients of your Personal Data | Retention Periods |
| Management of enquiries, requests, and contacts | Legitimate interests to provide and manage Services | Internal recipients: customer service, commercial, and support teams | Duration necessary to manage the request and 3 years from last contact |
| Improvement of the Websites through cookies and analytics | Your consent where required | Analytics and technology providers | Maximum of 25 months |
| Provision of Website support, including via AI or chatbots | Legitimate interests and/or your consent | Internal support teams; technology providers | Duration of support interaction and related retention obligations |
| Newsletter management | Your consent | Internal marketing teams; email service providers | Until you unsubscribe or 3 years from last contact |
| Services-related, informational, marketing, and promotional communications | Legitimate interests where you are an existing customer and/or your consent | External recipients: website hosting providers; service providers working in accommodations (where applicable); PMCs; call-centre providers; payment providers; affiliates; authorities where required by law | Until you withdraw consent, object, or 3 years from last contact |
5) IF YOU ARE A PARTNER
Partners include suppliers, vendors, service providers, and professional advisers engaged by The Grand Key. We may collect business-related Personal Data relating to Partner representatives and staff.
Partner Personal Data Processing Table
Purposes of the Processing of your Personal Data | Legal Basis of the Processing | Recipients of your Personal Data | Retention Periods |
| Management of the contractual relationship | Performance of the contract to which you are a party | Internal recipients: commercial, operations, and finance teams of The Grand Key
External recipients: local authorities where required by law; affiliates | Duration of the contractual relationship and applicable statutory periods |
6) IF YOU LIVE OUTSIDE THE EUROPEAN UNION
Depending on your country of residence, additional data protection laws and local specificities may apply to the Processing of your Personal Data by The Grand Key.
Residency-Specific Privacy Rules
Country of Residence | Local Specificities Applicable to The Grand Key |
| If you live in the United Kingdom | • Applicable Law: The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply.
• International Data Transfers: Where Personal Data is transferred outside the European Economic Area (EEA), such transfers are accompanied, where required, by the UK International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses, or other lawful transfer mechanisms recognised under UK law.
• Retention Periods: Personal Data processed for accounting and tax management purposes is retained for 7 years, in accordance with UK legal requirements.
• Supervisory Authority: You have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK data protection supervisory authority. |
| If you live in the United States | • No Sale of Personal Data: The Grand Key does not sell Personal Data. Personal Data is shared with Partners and service providers solely for the purposes described in this Privacy Policy and under agreements that prohibit use for any other purpose. • Purpose Limitation and Proportionality: Personal Data is Processed only to the extent reasonably necessary and proportionate to achieve the lawful purposes described in this Policy. • Data Breach Response: In the event of a data breach resulting in unauthorised access, use, or disclosure of Personal Data, we take prompt remedial action and provide notifications as required by Applicable Law. • Additional Rights: In addition to the rights described in Section I(8), you may object to any attempt to sell your Personal Data to third parties (which we do not do). Personal Data may, however, be transferred to a successor-in-interest in the event of a merger, acquisition, reorganisation, or sale of all or part of our business. You will not be discriminated against for exercising your privacy rights. • Children’s Privacy: In accordance with the U.S. Children’s Online Privacy Protection Act (COPPA) and similar laws, our Websites and Services are not intended for children under the age of 18. We do not knowingly collect Personal Data from individuals under 18. If such data is identified, it will be deleted promptly. If you believe a child under 18 has provided Personal Data to us, please contact us immediately. • Do Not Track (DNT) Signals: Our Websites may not currently recognise or respond to Do Not Track (DNT) signals from web browsers. There is no universally accepted standard governing responses to such signals. Should an applicable standard be adopted in the future, we will assess and implement appropriate measures. • Further Information: See Section II(7) – United States State-Specific Privacy Rights below for additional information. |
7) DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
If you are a resident of certain U.S. states, including California, Colorado, Connecticut, Utah, and Virginia, you are granted specific rights regarding access to, use of, and control over your Personal Data under applicable U.S. state privacy laws.
The rights described below apply only to residents of the relevant states and are subject to limitations and exceptions provided by Applicable Law.
California Residents
Shine the Light Law
Under California Civil Code Section 1798.83 (the “Shine the Light” law), California residents may request, once per calendar year and free of charge, information regarding:
- the categories of Personal Data (if any) disclosed to third parties for direct marketing purposes during the preceding calendar year; and
- the names and addresses of such third parties.
Requests must be submitted in writing using the contact details set out at the end of this Policy.
Removal of Content Posted by Minors
If you are under the age of 18, reside in California, and have a registered account with The Grand Key, you may request the removal of Personal Data that you have publicly posted on the Services.
Upon receipt of a valid request, we will take reasonable steps to remove such content from public display. Please note that removal may not result in complete or comprehensive deletion from all systems, including backups.
California Consumer Privacy Act (CCPA / CPRA Notice)
This subsection applies only to California residents, as defined by California law.
Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), California residents have the following rights, subject to statutory limitations:
Right to Request Deletion
You may request that we delete Personal Data we hold about you. We will comply with such requests unless retention is permitted or required by law, including for legal compliance, security, fraud prevention, or the exercise or defence of legal claims.
Right to Know (Access)
You have the right to request information regarding:
- whether we collect and Process your Personal Data;
- the categories of Personal Data collected;
- the purposes for which Personal Data is used;
- whether Personal Data is sold or shared;
- the categories of Personal Data disclosed for business purposes;
- the categories of third parties with whom Personal Data is shared; and
- the specific pieces of Personal Data collected about you.
We are not required to re-identify or link de-identified data to respond to a request.
Right to Non-Discrimination
You will not be discriminated against for exercising your privacy rights. We will not deny Services, charge different prices, or provide a different quality of service solely because you exercised a statutory privacy right.
Where permitted by law, we may offer financial incentives reasonably related to the value of your Personal Data, with your express consent.
Sensitive Personal Information
The Grand Key does not Process sensitive personal information for purposes requiring limitation under California law.
Verification Process
To protect your Personal Data, we will verify your identity before responding to requests. Verification may require matching information you provide with data already held by us. Additional information may be requested where necessary and will be deleted once verification is complete.
Colorado Residents
Under the Colorado Privacy Act (CPA), Colorado residents have the right to:
- confirm whether we Process Personal Data;
- access Personal Data;
- correct inaccuracies;
- request deletion;
- obtain a portable copy of Personal Data; and
- opt out of Processing for targeted advertising, sale of Personal Data, or profiling producing legal or similarly significant effects.
You may exercise these rights by contacting us using the details below.
If we deny a request, you may appeal by email. We will respond to appeals within 45 days, with written reasons.
California and Colorado Loyalty or Rewards Program Disclosure
If you participate in any loyalty, referral, rewards, or premium access programme offered by The Grand Key, your Personal Data may be Processed in connection with that programme in accordance with this Privacy Policy and any specific consent provided.
Participation is voluntary and may be withdrawn at any time.
Connecticut Residents
Under the Connecticut Data Privacy Act (CTDPA), Connecticut residents have rights to:
- confirm Processing;
- access Personal Data;
- correct inaccuracies;
- request deletion;
- obtain a copy of Personal Data; and
- opt out of Processing for targeted advertising, sale, or profiling.
If a request is denied, you may appeal. We will respond within 60 days.
Illinois Residents
If you are an Illinois resident and participate in any programme involving biometric information, such information and any data derived from it will be permanently destroyed once the original purpose is satisfied or within three (3) years of your last interaction, whichever occurs first, in accordance with Illinois law.
Nevada Residents
Under Nevada Revised Statutes Chapter 603A, Nevada residents may request that we do not sell certain covered Personal Data by contacting us using the details below.
Utah Residents
Under the Utah Consumer Privacy Act (UCPA), Utah residents have rights to:
- confirm Processing;
- access Personal Data;
- request deletion;
- obtain a copy of Personal Data; and
- opt out of targeted advertising or sale of Personal Data.
Requests may be submitted using the contact details below.
Virginia Residents
Under the Virginia Consumer Data Protection Act (VCDPA), Virginia residents acting in an individual or household context have the right to:
- confirm Processing;
- access Personal Data;
- correct inaccuracies;
- request deletion;
- obtain a copy of Personal Data; and
- opt out of Processing for targeted advertising, sale, or profiling with significant effects.
Requests are responded to within 45 days, extendable once by an additional 45 days where reasonably necessary.
Appeals
If a request is denied, you may appeal. Appeals will be decided within 60 days, with written reasoning. If an appeal is denied, you may submit a complaint to the Virginia Attorney General.
Exercising Your U.S. Privacy Rights
All U.S. privacy requests, verifications, and appeals may be submitted using the contact details provided in Section I(9) of this Privacy Policy.
Authorised agents may act on your behalf, subject to verification of authority.
8. SUPPLEMENTAL EEA PRIVACY NOTICE
This Supplemental EEA Privacy Notice (the “EEA Notice”) provides additional information for Users, Guests, Owners, PMCs, Partners, and other data subjects located in the European Economic Area (EEA).
Individuals located in the EEA benefit from specific data protection rights under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). The Grand Key’s Privacy Policy is drafted to comply with these laws, and this EEA Notice is intended to ensure that all EEA-specific transparency and information obligations are fully met.
By providing this EEA Notice, The Grand Key complies with its information obligations under Articles 12–14 GDPR. This Notice does not confer any rights or impose any obligations beyond those provided by Applicable Law.
This EEA Notice must be read together with the Privacy Policy to understand the full scope of how The Grand Key Processes Personal Data. Any capitalised terms used in this EEA Notice but not defined herein shall have the meaning given to them in the Privacy Policy or the Glossary of Terms.
Legal Bases for Processing Personal Data of EEA Data Subjects
For detailed information about how we collect, use, and disclose Personal Data, please refer to the Privacy Policy.
Where GDPR applies, The Grand Key Processes Personal Data only where a valid legal basis exists. The applicable legal basis depends on the nature of the Personal Data, the Services used, the context of collection, and the relationship between you and The Grand Key.
In particular, we Process Personal Data where:
- Performance of a contract: Processing is necessary to perform a contract to which you are a party or to take steps at your request prior to entering into a contract.
- Provision of Services: Processing is necessary to operate, maintain, and support the Services, including customer support, communications, security, and personalisation features.
- Legitimate interests: Processing is necessary for the purposes of legitimate interests pursued by The Grand Key or a third party, provided such interests are not overridden by your fundamental rights and freedoms. These interests may include research and development, service improvement, marketing of Services, fraud prevention, and protection of legal rights.
- Consent: You have provided your express consent for Processing for one or more specific purposes.
- Legal obligations and vital interests: Processing is necessary to comply with a legal obligation, or, in limited circumstances, to protect your vital interests or those of another person, including compliance with lawful requests from authorities or regulatory audits.
Where Processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal will not affect the lawfulness of Processing carried out prior to withdrawal.
Where Processing is based on legitimate interests, you have the right to object to such Processing. In certain circumstances, an objection may result in The Grand Key being unable to continue providing certain Services.
If you require further information regarding the legal basis on which your Personal Data is Processed, you may contact us using the details set out in the Privacy Policy.
Transfers of EEA Personal Data Outside the EU/EEA
The Grand Key may transfer Personal Data relating to EEA data subjects to countries outside the EU/EEA, including the United States, where necessary to perform the Services or for the purposes described in this Privacy Policy.
Where such transfers occur and the destination country has not been recognised by the European Commission as providing an adequate level of data protection, appropriate safeguards are implemented. These safeguards include, where applicable:
- Standard Contractual Clauses adopted by the European Commission; and
- Additional technical and organisational measures designed to ensure an essentially equivalent level of protection.
You may request further information regarding international data transfer safeguards by contacting us using the details provided in the Privacy Policy.
Automated Decision-Making
The Grand Key does not generally use Personal Data for automated decision-making processes, including profiling, that produce legal effects concerning you or similarly significantly affect you, within the meaning of Article 22 GDPR.
Rights of EEA Data Subjects Under GDPR
Where GDPR applies, you have the following rights in relation to your Personal Data, subject to statutory limitations:
- the right to request access to your Personal Data;
- the right to request rectification of inaccurate or incomplete Personal Data;
- the right to request restriction of Processing;
- the right to request erasure of your Personal Data;
- the right to withdraw consent where Processing is based on consent, without affecting prior lawful Processing;
- the right to object to Processing based on legitimate interests or direct marketing;
- the right to data portability in certain circumstances, enabling you to receive a transferable copy of Personal Data you have provided to us or to request transfer to a third party.
If you wish to exercise any of these rights or raise concerns regarding our Processing of Personal Data, you may contact us using the details provided in the Privacy Policy. You also have the right to lodge a complaint with a competent EEA Data Protection Authority.
Information We May Require From You
When exercising your rights, we may request additional information necessary to verify your identity and ensure that Personal Data is disclosed only to authorised individuals. Any such information will be used solely for verification and security purposes.
Data Protection Supervisory Authority
If you are not satisfied with how The Grand Key Processes your Personal Data and GDPR applies, you may contact us using the details in the Privacy Policy. You also have the right to lodge a complaint with the relevant Data Protection Authority in the EEA.
Data Protection Oversight
The Grand Key has appointed appropriate internal oversight to ensure compliance with applicable data protection laws, including GDPR. Questions regarding this EEA Notice or our data protection practices may be directed using the contact details set out in the Privacy Policy.
III. GLOSSARY OF TERMS
For the purposes of this Privacy Policy, the following terms shall have the meanings set out below. Defined terms apply equally whether used in the singular or plural.
“Person”
Means any natural individual as well as legal entities, organisations, or public bodies, as the context of use herein requires.
“Personal Data” or “Data”
Means any information that identifies or relates to an identified or identifiable Person, whether directly or indirectly, including by reference to an identifier. This may include, without limitation, a Person’s first and last name, contact details, postal address, email address, image, voice, identification numbers, IP address, device identifiers, online identifiers, location data, or any other information that can reasonably be used to identify a Person.
“Process”, “Processed”, or “Processing”
Means any operation or set of operations performed on Personal Data, whether or not by automated means. This includes, without limitation, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, restriction, erasure, or destruction of Personal Data.
“Legal Basis”
Means the lawful ground that authorises the Processing of Personal Data by The Grand Key under Applicable Law. Legal Bases include, without limitation, consent of the data subject, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest, or the legitimate interests of the Data Controller, provided such interests are not overridden by the fundamental rights and freedoms of the data subject.
“Purpose”
Means the specific and legitimate reason for which The Grand Key Processes Personal Data, being the objective pursued by the Processing activity.
“Data Controller”
Means the Person or entity that determines the purposes and means of the Processing of Personal Data. For the purposes of this Privacy Policy, PUREPROP LTD trading as The Grand Key acts as a Data Controller in respect of the Personal Data it Processes.
“Data Processor”
Means a Person or entity that Processes Personal Data on behalf of a Data Controller, pursuant to documented instructions and a written data processing agreement, in accordance with Applicable Law.
“Recipient”
Means any Person or entity to whom Personal Data is disclosed, whether a third party or not, in accordance with this Privacy Policy and Applicable Law.
“Applicable Law”
Means any law, statute, regulation, ordinance, code, rule, or binding regulatory requirement governing the rights, obligations, conduct, or performance of The Grand Key in connection with this Privacy Policy and the Processing of Personal Data.
Applicable Law includes, without limitation:
- the UK General Data Protection Regulation (UK GDPR);
- the EU General Data Protection Regulation (Regulation (EU) 2016/679);
- the Data Protection Act 2018;
- the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA);
- the Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act;
- the CAN-SPAM Act;
- the Telephone Consumer Protection Act (TCPA);
- the Electronic Signatures in Global and National Commerce Act (ESIGN Act); and
- any other applicable data protection, privacy, electronic communications, or consumer protection legislation in force from time to time.
“Affiliate”
Means any current or future entity that directly or indirectly controls, is controlled by, or is under common control with The Grand Key. For the purposes of this definition, “control” means the direct or indirect ownership of, or the right to exercise, more than ten percent (10%) of the ownership interests or voting rights of an entity.
“Services”
Means all products and services offered, provided, or facilitated by The Grand Key via its Websites or otherwise, including accommodation advertising, booking facilitation, property marketing, property management services, concierge services, and related support services offered to Guests, Owners, PMCs, and Users.
“Guest”
Means any Person who books, enquires about, or stays in accommodation listed on The Grand Key platform, whether such booking is made directly via the Websites, by telephone, or indirectly through PMCs or Partners, including online travel agencies.
“Owner”
Means any Person who owns, controls, or has authority to offer accommodation for listing, marketing, or booking on The Grand Key platform.
“Partner”
Means any third-party vendor, supplier, professional adviser, or service provider engaged by The Grand Key to assist in the provision or facilitation of the Services. Partners may include, without limitation, technology providers, payment processors, marketing agencies, photographers, insurers, professional advisers (including legal and accounting firms), cleaning and housekeeping providers, and concierge or experience suppliers.
“PMC” (Property Management Company)
Means a third-party property management company engaged by an Owner or by The Grand Key to manage, maintain, operate, or service accommodation listed on the platform.
“User”
Means any Person who visits, accesses, browses, or otherwise interacts with The Grand Key Websites or Services, including Guests, Owners, PMCs, and Partners.
“Terms”
Means the contractual terms and conditions governing the use of The Grand Key platform and Services, including Guest terms, Owner agreements, marketing agreements, and management contracts, as made available on the Websites.
“Website(s)”
Means any website, application, digital platform, or online interface owned, operated, or controlled by The Grand Key or its Affiliates, including any successor domains or applications.
“Data Protection Authority”
Means an independent public authority established under Applicable Law to supervise and enforce data protection legislation. Within the European Union, this includes national supervisory authorities in each Member State and the European Data Protection Board (EDPB), which promotes consistent application of GDPR across the EU.
“European Economic Area” or “EEA”
Means the Member States of the European Union together with Iceland, Liechtenstein, and Norway. Switzerland is excluded from the EEA for the purposes of this definition.
Contact Information
If you have any questions or concerns regarding this Privacy Policy or the Processing of your Personal Data, you may contact us:
By email:
info@thegrandkey.com
By post:
PUREPROP LTD
Trading as The Grand Key
128 City Road
London EC1V 2NX
United Kingdom