Lore Group Privacy Policy

Date of last revision: June 2026

Update:
With effect from 19 June 2026, every UK organisation is required to have a data protection complaints procedure. We have one, which you can access Data Protection Complaints Policy. If you have a data protection complaint, the information you need is contained in that procedure, which also contains an optional template form that you could use.

Introduction

Lore Group takes your privacy seriously and is committed to protecting and respecting it. We want you to understand how we collect and use information about you.
This privacy notice (“Notice”) contains important information on who we are, on how and why we collect, store, use and share personal data, and on your rights in relation to your personal data.
It is important that you read this Notice, together with any other privacy policy or processing policy that we may provide to you on specific occasions, so that you are fully aware of how and why we use your personal data. This Notice supplements our other notices and policies and does not override them.
Please note: this Notice, our website, www.loregroup.com (“Website”), and any Apps that we provide, are not intended for use by children.

1. Who are we?

We are Global Holdings Management Group (UK) Limited, trading as Lore Group (referred to from now as “we” and via similar words, such as “our”). We are a company incorporated in England and Wales under company number 02531397, and our registered office is at:

7th Floor, Portman House
2 Portman Street
London W1H 6DU
United Kingdom

We are one business in a group of companies. Therefore, the word “we” (and similar) includes a reference to a group company, where relevant.

Under data protection law, we are known as a “data controller”. This means we are responsible for the way in which we collect and process your personal data and must meet our legal obligations in relation to it. We are registered as a data controller with the Information Commissioner’s Office, which is the UK’s supervisory authority for data protection matters. Our registration reference is ZA490316.

2. How can you get in touch?

If you would like to contact us about this Notice generally, our details are as follows:
E-mail: privacy@loregroup.com
Post: at our registered office (see section 1).
If you have a data protection complaint, please see our Data Protection Policy.

3. Our key data principles

We live by the following principles:
(a) We do not collect more personal data than we need

(b) When we collect it, we do not use personal data more widely than is necessary

(c) We safeguard your personal data.

4. What is “personal data”?

Any information that relates to an identified, or identifiable, living person is personal data.
You are identifiable if it is reasonably likely that your identity could be inferred from that data alone or from that data in combination with other information.

5. When do we collect personal data?

In the course of carrying out our core business as an international hospitality company designing, transforming, managing and operating hotels, restaurants and bars across the United States, United Kingdom, and Europe, we collect personal data at the following times:

Direct interaction with you. For example, when you:

• make a booking
• purchase goods or services
• visit any of our hotels, restaurants or bars (including when you use any of our facilities at the hotels, restaurants or bars)
• register to receive emails or newsletters from us (relating to our products, services, discounts, offers, competitions or events)
• take part in competitions or contact us via social media or other means
• connect to our Wi-Fi networks
• contact us (for example, with a question or to provide feedback)
• tag us in a social post or communicate with us by social media
• use any App that we provide
• provide us with feedback
• contact us via telephone (please note: your call may be recorded for security, training, and evidential purposes)
• apply for a position with us (and, if you are successful, our use of your personal data in a work context will be governed by our internal privacy policy for staff).

Note on CCTV: for your safety, and for the safety of our other customers and our staff, we have CCTV at our hotels, restaurants and bars in various places. This is used proportionately, and naturally we do not make recordings in private places such as our hotel bedrooms or any washroom facilities. The CCTV data is deleted without undue delay, and we limit access to the data to a small number of people who have a legitimate reason to have such access. 

From third parties.

For example:

• from publicly available sources, such as social media
• when you are copied on, or referred to in, an email
• when you interact with one of our partners supplying services on our behalf or in our hotels, restaurants and bars, we may also receive the personal data you provide to them.

These partners include:

• travel agencies
• booking platforms
• third parties that operate services or concessions within our hotels (such as food and beverage outlets, spa, and gym)
• referees whom we approach in respect of any job application.

From automated technologies. As you use the Website and any Apps that we provide, we collect Technical Data (see definition in section 6 below) about your equipment, browsing actions and patterns. We collect this by using cookies and other similar technologies, subject to receiving your consent for the setting of non-essential cookies where this is required. Much of this is not personal data in the legal sense – but, to the extent that it is, we treat it lawfully as such.

Please see our Cookies Policy on our website (“[link: Lore’s Cookie Policy]”) for further details. You are able to set your cookies as required.

6. What types of personal data do we collect?

It will depend on the circumstances, but the types of personal data we may collect include:

• Identity Data – such as your name, title, date of birth, and gender (and, when you visit our hotels, restaurants or bars, your image on CCTV), plus important dates (such as an anniversary or special occasion, where relevant), your passport number and data (plus visa or other government-issued identity data), your nationality and place of birth, employer details, and social media account IDs
• Contact Data – such as your email address, billing address, delivery address, and mobile and other telephone numbers
• Financial Data – namely, your payment card or bank details
• Transaction Data – namely details about payments you make to us (and any refunds given), any services you have purchased from us, and any rewards or points that you have with us or other hotels, restaurants or bars in a related scheme
• Technical Data – including your internet protocol (IP) address, browser type and version, time-zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Website
• Profile Data – including any feedback and survey responses that you provide, and in some cases biographical information that you provide (or that is publicly available), language preference, travel itinerary, hobbies and preferences based on your stay
• Usage Data – including information about how you use our websites and services
• Marketing Data – including your opt-in/opt-out preferences in relation to electronic marketing.

In more limited circumstances, we will collect information about allergies, disabilities or medial conditions, and family members and companions (such as the ages of children).

Applying for a role
Note that if you apply for a post with us, and provide your CV, we will receive more detailed personal data (if you provide it), including biographical data about institutions you have attended and other posts that you have held.

Aggregated Data
We also collect Aggregated Data, which is large-scale statistical data. We use it for matters such as understanding the percentage of Website users that look at a particular page. Aggregated Data is not personal data, as it will not reveal your identity. However, if we combine Aggregated Data with your personal data, so that you can be identified, we will treat the combined data as personal data and use it in accordance with this Notice.

Special Categories of Personal Data
This is the legal term describing details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data.

We do not ordinarily collect any “special categories” of personal data about you, save as set out in this Notice (for example, regarding allergies or health). Nor do we collect any information about criminal convictions and offences.

Note: do you have to provide personal data?
In general, no – although, in some situations, we may be unable to provide a service to you if you do not. If we need to collect personal data by law, or in order to perform a contract with you, and if you do not provide it, we may be unable to proceed.

In all circumstances, you are responsible for ensuring that you have the right to give us any personal data that you provide about another person (for example, about a child or about a person for whom you are making a reservation).

7. How do we use your personal data?

Subject to being permitted by law to do so, we use your personal data to perform contracts with you (such as enabling you to stay at our hotels and use our restaurants and bars), when our legitimate interests allow us to, to market our business, and to comply with the law.

Whenever we use your personal data, we need what is known as a “lawful basis”. These are prescribed by law and are limited in number. Please see the glossary below for more about lawful bases. Sometimes we may have more than one lawful basis for the same processing activity.

The key moments at which we use personal data are as follows:

• Providing you with goods and services
• Taking a pre-authorisation on your card (for example, to cover cancellation)
• Processing payments and refunds
• Processing information about rewards and competitions
• Conducting credit control
  • Communicating with you about this Notice
  • Asking and enabling you to complete a survey or leave a review
  • Sending marketing emails or SMS
  • Responding to your questions or any complaints
  • Personalising your hotel, dining or bar experience
• Operating, evaluating and improving our business and the Website and any Apps
  • Protecting against fraud and other criminal activity
  • Complying with our legal obligations (for example, to HM Revenue & Customs and to comply with requests not to send electronic marketing)
  • Participating in legal action
• Evaluating your job application
• Safeguarding and emergencies

More detail about how we process your personal data and our lawful basis for doing so is set out in the table below. The types of personal data listed in the table are as explained in paragraph 6 above, and the lawful bases are as described in the Glossary below. Note that the purposes related to bookings and their fulfilment will be carried out by our hotels, restaurants and bars, rather than by Lore Group itself, and that this information is provided here for completeness.

Purpose	Types of personal data	Lawful basis for processing
Sending direct marketing communications to you to:   •         promote our hotels, restaurants and bars •         promote services or concessions within our hotels, such as food and beverage outlets, spa, and gym. These services/concessions may be operated by us, or by third parties.	Identity Contact Transaction Marketing Technical	Our marketing by email/SMS: Consent (unless, at the time of contracting with us, we offer you an opt-out that you do not take).   Our marketing by post: Our Legitimate Interests to promote our hotels, restaurants and bars and/or our services within them, including to encourage visits.   Marketing by third-party service/concession operators:  Consent to our sharing of your personal data with specific third-party operators. Details of the relevant third party will be provided to you in the consent request.
Taking a booking	Identity Contact	Performance of a contract
Taking a pre-authorisation from your card	Identity Contact Financial	Performance of a contract   Our Legitimate Interests in protecting ourselves, including in the event of a no-show
Checking you in	Identity Contact	Performance of a contract   Legitimate Interests of knowing who is in the hotel, restaurant or bar   Compliance with a legal obligation
Providing you with goods and services	Identity Contact	Performance of a contract
Monitoring certain areas on CCTV	Identity	Legitimate Interests of maintaining the security and safety of guests and staff   Compliance with a legal obligation (if we are required to hand material to the police)
Processing payments and refunds	Identity Contact Financial Transaction	Performance of a contract   Legitimate Interests of running our business and receiving correct payments
Creating and processing rewards information	Identity Contact Financial Transaction	Performance of a contract   Legitimate Interests of ensuring that customers receive correctly administered rewards
Communicating with you about this Notice	Identity Contact	Compliance with a legal obligation   Legitimate Interests of administering our data protection tasks properly
Asking and enabling you to leave a review or complete a survey	Identity Contact Profile Marketing	Performance of a contract   Legitimate Interests of ensuring that we are running our business as effectively as possible
Responding to your questions or dealing with service complaints	Identity Contact Financial Transaction Profile	Performance of a contract   Legitimate Interests of aiding customer satisfaction and improving our processes
Dealing with a data protection complaint or addressing any data protection requests	Identity Contact Transaction Profile	Performance of a contract   Legitimate Interests of aiding customer satisfaction and improving our processes
Personalising your website and/or in-hotel/-restaurant/-bar experience	Identity Contact Profile Usage Technical	Legitimate Interests of aiding customer satisfaction
Understanding any essential health information, or otherwise helping to protect your health in the event of accident or emergency	Identity Profile (including special-category data in relation to your health, such as any allergies that you may have)	Legitimate Interests (with the special category condition of explicit consent and/or vital interests where we are seeking allergy information), in order to ensure your safety during your stay   Recognised Legitimate Interests in relation to accident or emergency
Operating, evaluating and improving our business and the Website	Technical Usage	Legitimate Interests of aiding customer satisfaction and improving our processes
Protecting against fraud and other criminal activity	Identity Contact Financial Transaction Technical Profile	Compliance with a legal obligation   Legitimate Interests of protecting our business proportionately
Complying with our legal obligations (for example, to HM Revenue & Customs, or complying with a request not to send electronic marketing)	Identity Contact Transaction Marketing	Compliance with a legal obligation   Legitimate Interests of maintaining adequate processes
Participating in legal action	Identity Contact Financial Transaction Profile Usage Marketing	Compliance with a legal obligation   Legitimate Interests of protecting our business proportionately
Evaluating your job application	Identity Contact Profile	Compliance with a legal obligation   Legitimate Interests of ensuring that we hire the right people
Dealing with your application to become a business partner or franchisee (or manchisee or similar)	Identity Contact Financial Profile	Performance of a contract   Legitimate Interests of securing the right partners

Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we fairly consider that we need to use it for another reason and that reason is compatible with the original purpose. There are lawful exceptions to this, such as where use is required in relation to a person’s health or safety.

If you wish to receive an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, and are lawfully entitled to do so, we will notify you and explain the new legal basis.

Consent
We will make sure we have your consent, or that we are otherwise permitted under privacy law, before sending direct-marketing communications to you via email or SMS on our own behalf or if we provide your contact details to third parties so that they can send you direct marketing communications via email or SMS.

You have the right to withdraw consent to e-marketing at any time. This will not affect the lawfulness of marketing that took place prior to the time when we action your withdrawal of consent.

As explained in our Cookies Policy, we will seek consent for the setting of non-essential cookies where we are required to do so by law.

Automated decision-making

Please note that we do not make decisions solely by automated means, including by use of A.I.

8. How do we share your personal data?

We share your personal data only when necessary and to people in the following categories:

Other companies in our group

Your personal data may be shared with, or collected, stored or used by, other companies within our group (principally to enhance your stay at any group hotel).

Business partners and suppliers
Like most businesses, we rely on partners to provide certain services, and this may require use of personal data by these partners. These include:

• any third parties that operate services or concessions within our hotels, restaurants or bars (such as food and beverage outlets, spa, or gym) if you have indicated that you wish to make use of these services or concessions, or if you have consented to receive direct marketing from these third parties
• e-mail and mail service providers
• booking platforms

• technical and support partners, such as the businesses that host our websites (and who provide technical support and back-up services), or who process data on our behalf
  • professional advisers, such as lawyers, accountants, auditors and insurers, who require such information to provide services to us or for other lawful purposes
  • merger or acquisition partners, to the extent that sharing your personal data is necessary

We work with InCode, who provide ID verification services (as part of Lore Group’s digital check-in) for our guests and who, if you provide your consent, will collect biometric data and other Personal Data, if you choose to use certain of our services. We refer you to InCode’s privacy policy and retention period, which can be found here: https://incode.com/privacy-policy/

Law-enforcement agencies
We may be required to share personal data with a law-enforcement agency (or similar regulatory body) in connection with an investigation.

HM Revenue & Customs (and other related authorities)
We are required by law to maintain certain data for a period of years to enable a proper assessment of taxation and similar matters.

Emergency and support services

In the event of an emergency, or in relation to the safeguarding of a vulnerable individual, we may share personal data to enable the emergency or safeguarding needs to be addressed.

CCTV

We share CCTV data, where appropriate, with law-enforcement agencies. We also have an external provider that services and maintains the systems. They do not have remote access, but when they are on site carrying out servicing or maintenance, they have full access to the systems as required.

9. For how long will your personal data be kept?

We retain your personal data for no longer than is reasonably necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data (and whether we can achieve those purposes through other means), and the applicable legal, regulatory, tax, accounting, and other requirements.

10. Marketing

If you have given your consent, or if we are otherwise entitled to do so, we may store your contact details and contact you about our products or services that may be of interest to you, or carry out profiling activities, for direct electronic marketing purposes. Please see the table above for more information.

If you prefer not to receive any direct electronic marketing communications from us, you can opt out at any time. We will give you the option to opt out each time we send a marketing communication by electronic means.

Opting out will not affect our ability to use your personal data for the other purposes set out in this Notice, and it will not affect the lawfulness of electronic marketing carried out prior to the time when we actioned your opt-out request.

We may retain your data for the purposes of maintaining a “Do not send” list of people who should not receive further marketing communications, but we will not retain it for any other marketing purpose.

11. International transfers

We will transfer your personal data to another location outside the United Kingdom if we consider it reasonably necessary for the purposes set out in this Notice. This includes other businesses in our group.

Where we do so, we will ensure that transfers:
• are made to countries that have been deemed to provide an adequate level of protection to personal data; or
• are carried out under approved standard contractual clauses that enable the transfer.

12. Keeping your personal data secure

We have appropriate security measures in place designed to prevent data loss, to preserve data integrity, and to regulate access to the data. Only our authorised employees and contractors, and those referred to in this Notice, have access to your personal data.

All our employees and contractors who have access to your personal data are required to adhere to this Notice and our internal privacy policy, and we have in place contractual safeguards with our third-party data processors to ensure that your personal data is processed only as instructed by us.

We take all reasonable steps to keep your data safe and secure and to ensure the data is accessed only by those who have a legitimate interest to do so. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.

Please note, however, that transmission of information over the internet may not be 100% secure, and that we have no liability for any loss or damage that may result from your transmission of information to us, other than where we are liable for such as a result of breach of a contract that we have in place with you. 

13. Your information rights

You have certain rights in relation to your personal data. Please see the “Your Legal Rights” section of the glossary below for more information.

We may first need to verify your identity (and, in certain cases, verify that you have authority to make the request on another person’s behalf).

In general, we try to deal with genuine requests within one month. Occasionally it may take longer, in which case we will let you know in advance.

You do not have to pay a fee to exercise these rights. However, if your request is excessive, repetitive or unfounded, we may charge a reasonable fee or refuse to comply with your request.

We also have a complaints policy in the event that you have a data protection complaint, which you can access Data Protection Complaints Policy.

14. Cookies

Our Website uses cookies. For more information on which cookies we use and how we use them, please see our Cookies Policy.

15. Third-party links

The Website may include links to websites, plug-ins and applications that are owned by someone other than us. Clicking on those links may allow the owner to collect or share your personal data. Once you leave our Website, no information that you have provided to us will be forwarded.

We have no control over other sites, are we not responsible for their privacy statements. We encourage you to read the privacy notice of every website you visit.

16. Changes to this Notice

We may change this Notice from time to time. Please check this Notice on our Website from time to time to ensure you are aware of the most recent version.

GLOSSARY

LAWFUL BASES

Consent means processing your personal data on the basis that you have given clear consent for a specified purpose.

Performance of contract means processing your personal data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

Vital interests means that the processing is necessary to protect someone’s life.

Performance of a public task means that the processing is necessary to perform a task in the public interest (or for carrying out an official function) and the task (or function) has a clear basis in law.

Legitimate interest means our interest in conducting and managing our business to enable us to give you the best services and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Recognised legitimate interest means handling your personal data in one of five situations, covering (1) certain voluntary public-task disclosures, (2) safeguarding vulnerable people, (3) national security, public security and defence, (4) emergencies (related to people’s welfare or the environment, or to war or terrorism), and (5) prevention, reporting or helping to prosecute crime. Provided that we have met all the criteria relevant to the situation, we are not obliged to carry out the balancing exercise relevant to the legitimate interest basis (above), but we are still bound by the other general requirements such as not sharing more data than is necessary. 

YOUR LEGAL RIGHTS

You have the right to:

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected (although we may need to verify the accuracy of the new data you provide to us).

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for legal reasons, which will be notified to you, if applicable, at the time.

Object to processing of your personal data where we are relying on a legitimate interest and where this adversely affects your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to continue to process your information.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
• If you want us to establish the data's accuracy
• Where our use of the data is unlawful, but you do not want us to erase it
• Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims
• You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide you, or a third party you have chosen, with your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information that you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent, or our right to process personal data in circumstances that do not require consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

END OF PRIVACY NOTICE