Nobu Hotel Privacy Notice

NOBU HOTEL PRIVACY STATEMENT
Last Updated: March 2024
At Nobu, we take your privacy very seriously and we are committed to protecting your personal information.
This privacy statement describes how we collect, use, protect and share personal information we collect from you, or that you provide to us when you visit our hotels, use our website
(https://www.nobuhotels.com/) (the “Website”) or the Nobu mobile app (the “App”) or otherwise interact with us.
If you wish to contact us regarding this privacy statement, we may be reached at privacy@nobuhotels.com.
Please read the following carefully to understand our views and practices regarding your personal information and how we will treat it.

ABOUT NOBU AND THE NOBU FAMILY
The Nobu companies worldwide are described further below. This privacy statement applies to handling of personal information by each Nobu Hotel worldwide, as run by any company within the Nobu Family (“Nobu” / “we” / “our” / “us”). For purposes of data protection laws in the European Economic Area, United Kingdom and Switzerland, the data controller of your personal information is Nobu Hotel worldwide. Nobu can be contacted at:
Privacy at Nobu
Nobu Hospitality
40 West 57th St, Suite 320
New York, NY 10019

This privacy statement does not apply to the processing of your data by the operator of our mobile app to the extent that such operator is using the data for its own purposes as a data controller.

INFORMATION WE COLLECT AND PROCESS
We may collect one or more of the following categories of personal information about you when you when you (i) visit our hotels, (ii) use our Website or our App, (iii) connect to the wireless/wi-fi that may be offered at our properties (“Wi-Fi Access”), or (iv) interact with us, including through the social media channels that we control (“Social Media Channels,” collectively with Websites, Wi-Fi Access and Apps, the “Services”) that link to this Privacy Statement.

Categories of
Personal Information
Collected
Types of Personal
Information Collected
Source of Personal
Information
Business Purpose for
Collection of
Personal Information
Identifiers Your name, address,
phone number, email
address, details, details
Information you give
us, your reservation
details, your profile
To process any
reservations or bookings
for private events, to
of any allergies and
dietary requirements
(including any dietary
or access assistance
requirements you may
provide).
details, information
from third parties,
including social
media, delivery or
reservation providers,
cookies and other
online tracking
technologies.
collect payments, and
provide our services, for
legal and/or regulatory
requirements.
Financial Information Your name, bank
details, credit card
and/or debit card
details.
Information you give
us, your reservation
details, your profile
details, information
from third parties,
including delivery or
reservation providers.
To provide you with our
services, to collect
payments, and for legal
and/or regulatory
requirements.
Internet, Computer, or
Other Similar
Networking
Technical information,
including the type of
device (and its unique
device identifier) you
use to access the
Online Services, the
Internet protocol (IP)
address used to connect
your device to the
Internet, your unique
device identifier
(UDID) or mobile
equipment identifier
(MEID) for your
mobile device, your
device and component
serial numbers, your
login information,
browser type and
version, time zone
setting, browser plug in
types and versions,
operating systems,
mobile network
information and
platform and details of
any referring website
or application; and
Information about your
visit to the Online
Services including full
Uniform Resource
Locators (URL),
clickstream to, through
Information you give
to us or that is
collected
automatically through
our cookies or other
online tracking
technologies.
To provide you with our
services, to enhance our
Online Services, for
legal and/or regulatory
requirements.
and from the Online
Services (including
date and time), pages
you viewed, page
response time,
download errors, length
of visits to certain
pages, page interaction
information (such as
scrolling, clicks, and
mouse-overs), and
methods used to
browse away from the
page.

RATIONALE FOR PROCESSING PERSONAL INFORMATION
We process personal information as necessary for us:
• To provide our services to our customers;
• To fulfill our legitimate interests, including to allow us to understand our customers better, ensure
our offerings are updated and relevant, and to develop our business and inform our marketing
strategy;
• To inform you of our Services and other relevant information; and
• For other purposes with notice to you and with you consent, where necessary.

To the extent we rely on our legitimate interests as a legal basis for processing personal information, we have considered the balance between our own interests (among other things, the lawful and efficient operation of our Services) and your interests and we believe that (i) you would reasonably expect us to carry out the kind of processing referenced above and (ii) such processing will not cause you any harm and/or will not seriously impact your rights and freedoms with regards to data privacy. At times, we may also collect your personal information where we have your consent to do so or as otherwise necessary for the performance of a contract to which you are a party, and in order to take steps (at your request) to enter into such contract. You have the right to withdraw any consent given to us for the processing of your personal information at any time. We may also collect your personal information as necessary for us to comply with our legal obligations, including to protect your vital interests or those of another.

COOKIES AND OTHER ONLINE TRACKING TECHNOLOGIES
A “cookie” is a small text file that is placed onto an Internet user’s web browser or device and is used to remember and/or obtain information about the user and a “web beacon” is a small object or image that is embedded into a web page, application, or email and is used to track activity, which are also sometimes referred to as pixels and tags.

We use the following cookies:
• Strictly necessary cookies. These are cookies that are required for the operation of the Website and the Online Services. They include, for example, cookies that enable you to log into the Online Services.
• Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the Website when they are using it. They also enable us to see how users use the Online Services. This helps us to improve the way the Website and the Online Services work.
• Functionality cookies. These are used to recognize you when you return to the Online Services. This enables us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
• Targeting cookies. These cookies record your visit to the Website or the Online Services, the pages you have visited and the links you have. We will use this information to make the website and the advertising displayed on it more relevant to your interests.

You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
Cookie Type of Use How it’s used
PHPSESS
ID Strictly necessary
Created by backend PHP language to keep track of information
traveling between pages. It is a random generated number. It does
not keep any specific information of the user
(https://cookiepedia.co.uk/cookies/PHPSESSID)
__cfduid Strictly necessary
Set by the CloudFlare service to identify trusted web traffic. It
does not correspond to any user id in the web application, nor does
the cookie store any personally identifiable information.
(https://support.cloudflare.com/hc/en-us/articles/200170156-Whatdoes-
the-CloudFlare-cfduid-cookie-do-)
_ga &
_gid
Analytical/perform
ance cookies
Google Analytics. In order for Google Analytics to determine that
two distinct hits belong to the same user, a unique identifier,
associated with that particular user, must be sent with each hit.
(https://developers.google.com/analytics/devguides/collection/anal
yticsjs/cookies-user-id)
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all
or some cookies. However, if you use your browser settings to block all cookies (including essential
cookies) you may not be able to access all or parts of the Online Services.
For more detailed information about cookies and how they can be managed and deleted, please
visit www.allaboutcookies.org.

MARKETING AND YOUR CHOICES
We will, if you have given us your consent and in line with your choices, provide you with information by post, telephone, email and SMS, which may be of interest to you in respect of the Nobu hotels. We will only provide you with marketing communications if you would like us to. You will have the opportunity to clearly set out whether you wish to receive marketing messages from us by ticking the relevant boxes.

PERSONAL INFORMATION OF CHILDREN
We do not knowingly collect information from children under the age of 13 through our Website or App. If you are under 13, please do not give us any personal information. We encourage parents and legal guardians to monitor their children’s internet usage to help enforce this Privacy Statement by instructing their children never to provide us personal information. If you become aware that your child or any child under your care has provided us with information without your consent, please email us at privacy@nobuhotels.com and we will endeavor to delete that personal information from our databases.

DISCLOSURE OF YOUR PERSONAL INFORMATION
We do not sell your personal information.
We may share your personal information with selected third parties in accordance with this privacy statement, with the following categories of recipients:
• Our business partners, including our partners within the Nobu Family, social media companies (if you use your account with them to sign up or sign in with us); professional advisers, including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
• In the event of an acquisition or merger, with third parties, who acquire us or substantially all of our assets, in which case your personal information (including any sensitive personal information) will be one of the transferred assets (however, we will let you know before this happens).
• Our service providers (for example, IT services or CRM services); suppliers and sub-contractors for the performance of any contract we enter into with you or for marketing communications; and other vendors who provide services to us, such as fulfilling orders, providing data processing and other information technology services, managing promotions, carrying out research and analysis, and personalizing individual Nobu customer experiences; and with analytics and search engine providers that assist us in the improvement and optimization of the Website and the Online Services.
• Legal & Regulatory Authorities, including government or other law enforcement agencies, in connection with the investigation of unlawful activities or for other legal reasons (this may include your location information).

WHERE WE STORE YOUR PERSONAL INFORMATION
We may transfer your personal information to a jurisdiction other than the one from which we collected your personal information, including to countries that may not have the same level of protections for your personal information. By using our Website, App and/or Services, you agree to the transfer of your personal information to other jurisdictions.

INFORMATION SECURITY
We are committed to taking appropriate measures designed to keep your personal information secure. Our technical and organizational procedures are designed to protect your personal information from accidental, unlawful or unauthorized loss, access, disclosure, use, alteration, or destruction. While we make efforts to protect our information systems, no website, mobile application, computer system, or transmission of information over the Internet or any other public network can be guaranteed to be 100% secure. Once we have received your personal information, we will use strict procedures and security features to try to prevent unauthorized access or inadvertent disclosure.
Where we have given you (or where you have chosen) a password which enables you to access the Online Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

RETAINING PERSONAL INFORMATION
We will only keep your information for the length of time needed to carry out the purposes outlined in this privacy statement and for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances, we may anonymize your personal information so that it can no longer be associated
with you, in which case we may use such information without further notice to you. Even if you request that we erase your data, we may still need to keep it (please see below) or may keep it in a form that does not identify you. If you have not agreed that we may use your personal information for marketing purposes, we will keep it for a period of 6 years after you have attended one of our hotels or last used the Online Services, whichever is longer.

YOUR CHOICES & RIGHTS
Depending upon where you reside, certain choices and rights may be available to you under applicable data protection laws. If you have questions about what rights may apply to you, please contact us at privacy@nobuhotels.com.
Do Not Track: Our websites and apps are not designed to respond to "do not track" requests from browsers. “Shine the Light” and “Eraser” Laws: Residents of the State of California may request a list of all third parties to which we have disclosed certain information during the preceding year for those third parties’ direct marketing purposes. California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA): The CCPA, as amended by the CPRA, provides California residents and/or their authorized agents with specific rights
regarding the collection and storage of their personal information. Your Right to Know: California residents have the right to request that we disclose the following information to you about our collection and use of your personal information over the past twelve (12) months. We may ask you to provide certain information to identify yourself so that we may compare it with our records in order to verify your request. Upon verification, we will disclose to you:
1. The categories of personal information we have collected about you.
2. The categories of sources for the personal information we have collected about you.
3. The specific pieces of personal information we have collected about you.
4. Our business or commercial purpose for collecting or selling your personal information.
5. The categories of third parties to whom we have sold or shared your personal information, if any,
and the categories of personal information that we have shared with each third-party recipient.

Your Right to Opt-Out of Sale or Sharing of Personal Information: Under the CCPA, as amended by the CPRA, California residents have the right to opt-out of the sale of their personal information and/or the sharing of personal information with third parties for the purposes of cross-contextual behavioral advertising or profiling by submitting a request. Please note that we do not sell personal information, including the personal information of any individuals under the age of 16, nor do we share any personal information for the purposes of cross contextual behavioral advertising. Your Right to Limit Use of Sensitive Personal Information: California residents have the right to request that we limit our use of any sensitive personal information to those uses, which are necessary to perform the Services or for other business purposes under the CCPA, as amended by the CPRA. Your Right to Delete: California residents have the right to request that we delete any of the personal information collected from you and retained by us, subject to certain exceptions. We may ask you to provide certain information to identify yourself so that we may compare it with our records in order to verify your request. Once your request is verified and we have determined that we are required to delete the requested personal information in accordance with the CCPA, as amended by the CPRA, we will delete, and direct our third-party service provides to delete, your personal information from their records. Your request to delete personal information that we have collected may be denied if we conclude it is necessary for us to retain such personal information under one or more of the exceptions listed in the CCPA, as amended by the CPRA.

Your Right to Correct: Under the CCPA, as amended by the CPRA, California residents have the right to request that we correct any inaccurate personal information we maintain about you, taking into account the nature of the personal information and the purposes for which we are processing such personal information. We will use commercially reasonable efforts to correct such inaccurate personal information about you.
Non-Discrimination: You will not receive any discriminatory treatment by us for the exercise of your privacy rights conferred by the CCPA, as amended by the CPRA. For Individuals Located in the European Economic Area (EEA), the United Kingdom (UK) or
Switzerland:
You have a number of rights under applicable data protection laws in relation to your personal information.
Under certain circumstances, you have the right to:
• Have access to your personal information by submitting a request to us;
• Have your personal information deleted;
• Have your personal information corrected if it if wrong;
• Have the processing of your personal information restricted;
• Object to further processing of your personal information, including to object to marketing from us;
• Make a data portability request;
• Withdraw any consent you have provided to us;
• Restrict any automatic processing of your personal information; and
• Complain to the appropriate Supervisory Authority.

Verifying Your Request: Only you, or a person that you authorize to act on your behalf, may make a request related to your personal information. In the case of access and deletion, your request must be verifiable before we can fulfill such request. Verifying your request will require you to provide sufficient information for us to reasonably verify that you are the person about whom we collected personal information or a person authorized to act on your behalf. We will only use the personal information that you have provided in a verifiable request in order to verify your request. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority. Please note that we may charge a reasonable fee or refuse to act on a request if such request is excessive, repetitive or manifestly unfounded.

THIRD-PARTY LINKS
We may provide links to other websites or resources provided by third parties. These links are provided for your convenience only. We have no control over the contents of those websites or resources, and accept no responsibility for them or for any loss or damage that may arise from your use of them. If you decide to access any third-party links on the Website or App, you do so entirely at your own risk and subject to the terms and conditions of those websites.

CHANGES TO THIS PRIVACY STATEMENT
This Privacy Statement is effective as of the date stated at the top of this Privacy Statement. We may change this Privacy Statement from time to time. By accessing and using the Website, App and Services after we notify you of such changes to this Privacy Statement, you are deemed to have accepted such changes.
Please refer back to this Privacy Statement on a regular basis.

HOW TO CONTACT US
Questions, comments and requests regarding our privacy statement are welcome and should be addressed to:
Privacy at Nobu
Nobu Hospitality
40 West 57th St, Suite 320
New York, NY 10019
privacy@nobuhotels.com

Please also contact us if you would like to know more about our data processing activities, to update or amend any of your personal information which you have provided to us or if you believe our records relating to your personal information are incorrect. If you are located in the United Kingdom or European Economic Area and believe we have not adequately resolved any issues, you may contact the Supervisory Authority concerned.