Privacy Notice

We want to share with you how we treat personal data about you that we receive, including personal details such as your name, e-mail address, address and other information provided by you.

1.    Scope

This Privacy Notice sets out how we process your personal data.

We”, “our”, “us” or the “Alliance” refer to the World Sustainable Hospitality Alliance. World Sustainable Hospitality Alliance is the trading name of Sustainable Hospitality Alliance, which is a registered charity in England and Wales (1188731), and company limited by guarantee (12373950). We are listed on the Information Commissioner’s register of data controllers under Registration Number ZA754200.

This Privacy Notice includes the information that we are required to provide in accordance with the General Data Protection Regulation (GDPR).

Please note this Policy does not cover data relating to employees (current/former) or those working on behalf of the Alliance. This information can be found in the Privacy Policy or requested from the Director of Finance and Resources.

1.1  About this Privacy Notice:

This Privacy Notice sets out:

1.2  Cookies Notice
2. What personal data we collect about you

The type of information we may collect about you includes (but is not limited to):

  • Your first name and last name
  • Your job title and employer’s details
  • Your contact email and your country of residence
  • Your phone number and address
  • The areas of our work you are interested in
  • Your image/video and personal story for the purposes of communications (with your consent)

We will not collect personal data about your ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning your health, data concerning your sex life and sexual orientation and biometric data (sensitive data) or data about criminal offences. However, there may be situations where we use sensitive data, where appropriate, for the purposes of a case study. We will only use your sensitive data if we have your explicit consent.

3.    How we obtain your personal data

Your personal data may be collected from:

  • our website (login details, contact form, training site, e-newsletter sign up)
  • conversations between you and Alliance employees
  • information that you provide to us
  • information that is otherwise lawfully obtained about you. We will only source this information from publicly available sources such as national and local press, Charity Commission, Companies House and from social media sites like Facebook and LinkedIn.
  • professional contact information supplied for the purposes of undertaking a business activity (for example, to join our membership, collaborate on a project, or participate in one of our programmes)
  • information you give the Alliance for the purposes of communications (including personal stories, quotes, images, film etc)
4.    How we use your personal data

We use your personal data:

  • to maintain and develop our relationship with you;
  • to communicate with you regarding Alliance updates and opportunities via e-mail;
  • to provide you with information about our work and activities (with your consent);
  • to further our charitable objectives, including asking you to donate or otherwise help us raise funds, but always in accordance with best fundraising practice;
  • to conduct donor research to gain a better understanding of our supporters, inform our fundraising strategy and target our communications more effectively and appropriately;
  • to monitor and evaluate our programmes and resources;
  • to communicate examples of our work e.g. via case studies (with your consent);
  • for administrative purposes: for example, regarding a donation you have made or an event you have registered for or attended;
  • for recruitment purposes;
  • to monitor the impact of our communications and platforms, such as using email tracking to record when an email we sent to you has been opened, and website analytics;
  • when data processing is authorised by law, for example conducting due diligence before accepting a major donation.

We may transfer your data to our third-party affiliates as outlined in section 5 below.

We may use your personal data where we believe it is in the legitimate interests of the Alliance, or of a third party, and where those interests do not override your rights. The legitimate interests we rely on include:

  • communications regarding your membership, or participation in one of our governance groups
  • communications regarding the delivery of a programme you are participating in or supporting
  • communications about attending an event or featuring on a panel at an event – public or private
  • carrying out research and analysis internally with a view to improving our services and programmes
  • researching opportunities for new programmes, partnerships or potential supporters or donors who might be interested in becoming involved or increasing their involvement.
5.    Who we share your personal data with

Your personal data will only be shared with third parties in accordance with this Privacy Notice and to the extent permitted by applicable law.

World Sustainable Hospitality Alliance may share your personal data with service providers we work with to send our newsletters; maintain our mailing lists, CRM and website platforms; perform surveys and questionnaires; process information on our behalf; and host our IT servers. These companies – our vendors – are contractually bound to only use your personal data that we share with them with the sole purpose of performing the services we have engaged them to provide and to keep your personal data confidential.

We may also provide your personal data to our professional advisors for the services they provide to us and we may need to disclose your personal data if compelled to do so by law, by a regulator or during legal proceedings.

We will transfer your personal data as part of any sale of some or all of our business and assets to any third party, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, sale, merger, reorganisation, change of legal form, dissolution or similar event (we will always notify you in advance and we will aim to ensure that your privacy rights will continue to be protected).

In the case of student stories, these will be shared with trusted partners and media, and used on digital platforms and publications as outlined in the consent form.

6.    How we protect your personal data

We have defined security and privacy controls to protect your personal data and to comply with applicable data protection law. We ensure that all our personal, infrastructure and strategic systems comply with high-standard, business grade specifications. Despite the security measures we employ, you should be aware that it is impossible to guarantee absolute security with respect to information sent through the Internet.

7.    How long we retain your personal data

We will hold your information on our systems for no longer than necessary; in any event no longer than two years from last point of contact, unless a longer retention period is required by law or to meet our contractual obligations, in which case we will hold your information for the period required.

In the case of student stories, these will be held and used by the Alliance and its trusted partners as long as reasonably necessary to promote our programme and meet our contractual obligations, but in any event no longer than ten years after the student’s graduation or termination from the Programme. If someone withdraws their consent for the Alliance to use their personal data, for example in a case study, we will take reasonable steps to recall and delete the data (e.g. by removing it from websites). However, we cannot guarantee that all materials that have been published in accordance with the student’s consent can be recalled.

8.    Where your personal data is stored

Data collected through the website is stored on databases by third-party service providers which manage our website and mailing lists.

Other data is stored on digital CRM systems and cloud-based storage, with the appropriate data security as outlined above.

8.1  Transfer of data outside EEA

All countries in the European Economic Area (EEA) have similar standards of legal protection for your information.

We may store your information in third party data centres located outside the EEA, where there may not be a similar standard of data protection laws. If we do this, we will take steps to ensure that adequate levels of protection are applied to your information. In particular, our e-newsletter personal data is managed by Mailchimp, who may transfer your personal data to the US. Such transfers will be protected by the terms of the European Commission’s Standard Contractual Clauses. See their Privacy Policy for more details.

9.    Your rights

Under data protection laws, you have a right to:

  • request access to your personal data (commonly known as a “subject access request”) and to receive a copy of your information;
  • ask us to make any changes to ensure that it is accurate and up to date.

In certain circumstances you also have the right to:

  • ask that we delete your information if we do not have a good cause to retain it;
  • object to the way in which we use your information to further our legitimate interests (or those of a third party) or where we are using your personal information for direct marketing purposes;
  • ask us to restrict or suspend the use of your personal information, for example, if you want us to establish its accuracy or our reasons for using it;
  • ask us to transfer your personal information to another person or organisation.

You also have rights in relation to automated decision making which has a legal effect or otherwise significantly affects you. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces significant legal effects concerning you.

If you wish to exercise any of these rights, or if you have any questions about our use of your information, please email us at

You also have a right to complain to the Information Commissioner’s Office or other appropriate regulatory authority in relation to your information held by us, and how we use it (contact details can be found at

10.    Opting out of marketing communications

You may withdraw your consent to our use of your personal information for future marketing mailings or other non-essential purposes, at any time by e-mailing us at, or unsubscribing directly from an email.

11.    Personal information from children

We do not knowingly collect personal information from children.

Our website is not intended for, or directed to, children. If you are under 13 years of age or otherwise considered a minor under the laws of your country of residence, then please do not use or access our website at any time or in any manner. If a parent or legal guardian becomes aware that his or her child has provided us with personal data without their consent, please contact us. If we become aware that a user is a minor and has provided us with personal data without verifiable parental consent, we will delete such information from our databases.

12.    Links to third-party content

You may, from time to time, receive links to third-party sites whose information practices may be different than ours (e.g. via links on our website, an email or our social media platforms). Visitors should consult the other sites’ privacy policies as we have no control over information that is submitted to, or collected by, these third parties. Use of such third-party websites may be subject to a third party’s terms and conditions and is at your own risk. We do not control these third-party websites and shall have no responsibility in connection with any access or use by you of these sites.

13.    Status of Privacy Notice and updates

This Privacy Notice is non-contractual. We reserve the right to amend it from time to time. Amendments will be posted to the website and, where appropriate, through e-mail notification. Unless otherwise specified all such changes will take effect immediately upon posting to the website.

For the avoidance of doubt, no change to the Privacy Notice will change the content of your consent that you may have granted.

14.    Privacy questions

If you have any questions or concerns about this Privacy Notice or data processing or if you would like to make a complaint about a possible breach of local privacy laws, please contact:

15.    Cookies Notice
15.1    Cookies and technical information

We may use “cookies” – a small data file that we transfer to your computer’s hard drive – to collect certain information about you and your use of the website, such as IP addresses (the Internet access or address of a computer), domain names, and the type of computer and operating system being used. We may then also use cookies to identify your computer when you revisit the website to, for example, recall your authentication information or to track statistical information related to navigation throughout the website.

15.2    Controlling and disabling cookies

You may adjust your browser to refuse to accept cookies, remove cookies or notify you when a cookie is set by editing your web browser preferences or options. (Each browser is different, so check the “Help” menu on your browser to learn how to change your cookie preferences.) You do not have to accept all cookies sent to you by the website; however, depending on the cookie you reject, you may not be able to use some features of the Website.

You may also click the ‘Cookies policy’ tab at the bottom of the screen to adjust your settings for this site.

15.3    What cookies will we use and for what purpose

viewed_cookie_policy, Necessary, To store whether or not user has consented to the use of cookies. It does not store any personal data.

cookielawinfo-checkbox-necessary, Necessary, To check whether or not the user has given their consent to the usage of cookies under the category ‘necessary’.

cookielawinfo-checkbox-non-necessary, Necessary,  To check whether or not the user has given their consent to the usage of cookies under the category ‘non-necessary’.

cookielawinfo-checkbox-advertisement, Necessary, To check whether or not the user has given their consent to the usage of cookies under the category ‘advertisement’.

cookielawinfo-checkbox-performance, Necessary, To check whether or not the user has given their consent to the usage of cookies under the category ‘performance’.

fr, Advertisement, To show relevant advertisements to the users and measure and improve the advertisements. The cookie also tracks the behaviour of the user across the web on sites that have Facebook pixel or Facebook social plugin.

visitor_info1_live, Advertisement, This cookie is set by YouTube. Used to track the information of the embedded YouTube videos on a website.

YSC, Performance, This cookie is set by Youtube and used to track the views of embedded videos.

15.4    Third party cookies

We use some some third party services or software on our website. If you go to a page on our website that contains this embedded content you may be sent cookies from these websites, for example YouTube videos, Google maps, Facebook and Twitter. We do not control the setting of these cookies, so we suggest you check the third party website for more information about their cookies and how to manage them.

15.5    Updates to the Cookies Notice

We may update our Cookie Notice from time to time. When we change the Cookie Notice in a material way, a prominent notice will be posted on the website along with the updated Notice. If you disagree with the changes, you may send us an e-mail to For the avoidance of doubt, no change to the Cookie Notice will change the content of your consent that you may have granted separately.