Global Hotel Alliance - Privacy Policy


GHA Loyalty DMCC (“GHA”, "us" or “we”) is the operator of the GHA DISCOVERY loyalty programme.

Your privacy is very important to us and this Privacy Policy is intended to help you understand what type of personal information we collect from you, how we store and use it and how we make sure that information is not made available to third parties unless it is needed to process your booking requirements or for completing financial transactions. 

This Privacy Policy applies to our customers, suppliers and other third parties that we interact with during the day to day provision of our Services. It only applies to the use of your personal information obtained by us, whether from you directly or from a third party. It does not apply to personal information collected by third parties during your communications with those third parties or your use of their products or services (for example, where you follow links to third party websites over which we have no control, or you purchase goods or services from those third parties).

This Privacy Policy sets out:

  • the information privacy practices on, the GHA DISCOVERY mobile application and on other websites and applications operated by or on behalf of GHA (the “Sites”);
  • in relation to all members of the GHA DISCOVERY loyalty programme (excluding NH DISCOVERY members) – how we collect, store and use personal information as a Controller about members of the GHA DISCOVERY loyalty programme (“Members”) so that we can provide them with recognition and rewards services when they stay at hotels participating in the GHA DISCOVERY loyalty programme (“Participating Hotels”); and
  • in relation to NH DISCOVERY members of the GHA DISCOVERY loyalty programme only – how we process personal information for the purposes of the DISCOVERY loyalty programme services ("Services") as Processor on behalf of NH Hotel Group, S.A. ("NH Hotels"), who is the ultimate Controller of the personal information.

This Privacy Policy sets out your rights in respect of our processing of your personal information. It is intended to assist you in making informed decisions when using the Sites and our Services. Please take a moment to read and understand it. It should be read in conjunction with our Cookie Policy.

How to contact us:

If you have any questions about this Privacy Policy or want to exercise the rights set out in this Privacy Policy, you can contact our Data Protection Officer at [email protected]


1. GHA DISCOVERY (all Members excluding NH DISCOVERY members) 



GHA collects information about you that you specifically and voluntarily provide. The personal information collected may include a broad range of information, as set out in more detail below.

Although you are required to register in order to use our GHA DISCOVERY programme and you will need to provide some personal information when making a hotel reservation, many areas of our Sites can be accessed without providing any personal information.

On all Sites that collect any of your personal information, we specifically describe what information is required in order to provide you with the product or service you have requested.

GHA collects personal information when you:

  • browse our Sites;
  • contact GHA or GHA DISCOVERY Customer Care;
  • participate in a survey or contest;
  • sign up for the GHA DISCOVERY programme; or
  • make a reservation for a hotel stay.

Browsing the Sites:

When browsing our Sites, we may also collect a series of general data and information about your navigation of our Sites on an aggregated basis, such as your Internet Protocol Address (“IP Address”), which is identified and logged automatically in our server log files whenever you navigate our Sites, your Internet Service Provider (“ISP”), your login frequency, the pages you visited within the Sites, the operating system used by the accessing system, the website or mobile apps from which an accessing system reaches our website or mobile app (so-called “referrers”), and the Internet browser types and versions used as well as the device you are using to access the Sites and mobile apps.

This information is needed to (1) deliver the content of our website and mobile application correctly, (2) optimize the content of our website and mobile application, (3) ensure the long-term viability of our information technology systems and website/mobile application technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, GHA analyses anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by you.

Contacting us:

You may also voluntarily provide personal information when you send us an enquiry or support request via email. When you contact us, we keep a record of your communication, and may use third party service providers (email system provider, CRM systems), to help solve any issues you might be facing.


Surveys are periodically conducted to collect information to help us improve our Sites and Services. All information collected through surveys will remain confidential, even if we use a third party to help us conduct the survey, unless otherwise indicated.

GHA DISCOVERY Member registration information:

When you register on the Sites or otherwise to become a member of GHA DISCOVERY, we use your information to create your member account. You will then receive a 'Welcome to GHA DISCOVERY' email which confirms your email address.  For these purposes, we will collect personal information such as your name, phone number, date of birth, preferred communication methods, language preference, business name, email address, physical address and GHA DISCOVERY member number. We will also ask you to indicate whether you are over 18 years old, and we will record a GHA DISCOVERY number and password linked to your personal details. 

GHA DISCOVERY reservation information:

When you are ready to make a hotel reservation, we will collect details of the booking and any special requests. We will share this information with the Participating Hotel that you have booked for the purposes of coordinating your stay.  We will also use this information to calculate points and rewards. 

GHA DISCOVERY travel purchase information:

GHA collects the billing address of the credit card that is used to purchase travel. We will also collect credit card information, including card number, card type, cardholder name, and expiration date. All financial details provided to GHA are sent to us through a secured site (using SSL technology) and are encrypted with 128 Bit encryption. Your financial details will be transmitted to Participating Hotels and to third parties only to the extent needed, such as clearing houses, fulfilment centres and our data centre provider. We will ensure that our partners will not disclose any financial information that you have provided to us. 


A cookie is a small file of letters and numbers that we store on the hard drive of your computer if you agree. Our Sites use cookies to distinguish you from other users of our website and mobile apps. Through the use of cookies, GHA can provide users of the Sites with services that would not be possible without the cookie setting and they also help us to provide you with a good experience when you browse our Sites and also allows us to improve the performance of our Sites. Some cookies may collect your personal data.  Further information in relation to specific cookies is set out in our Cookie Policy.



We will use the information collected on our Sites as set out above for the following purposes:


Types of personal information

Lawful basis

Registering you as a GHA DISCOVERY member

GHA DISCOVERY Member registration information

Necessary for our contract with you

Legitimate interest (to process this information to provide you with a good service)

Administering your account and calculating DISCOVERY Dollars (D$)

GHA DISCOVERY Member registration information

GHA DISCOVERY reservation information

Necessary for our contract with you

Assisting your planning and purchasing of travel

GHA DISCOVERY Member registration information

GHA DISCOVERY reservation information

GHA DISCOVERY travel purchase information

Necessary for our contract with you 

Notifying you of travel changes

GHA DISCOVERY Member registration information

GHA DISCOVERY reservation information

Legitimate interest (to provide you with a good service)

Sending marketing communications or surveys to you

GHA DISCOVERY Member registration information

GHA DISCOVERY reservation information

Any other information you may provide in response to the survey


Responding to your questions or suggestions

GHA DISCOVERY Member registration information

GHA DISCOVERY reservation information

Any other information you may voluntarily provide

Legitimate interest (to provide you with a good service)

Improving the quality of your visit to our Sites

Cookies information and technical information about your device

Legitimate interest (to provide you with a good service)

Amending or updating your profile and preference details

GHA DISCOVERY Member registration information

Legitimate interest (to provide you with a good service)



Sharing with Brands and Participating Hotels:

In order for the GHA DISCOVERY Programme to provide guest recognition it is necessary that we are able to share with Brands and Participating Hotels the personal information that we receive about you from your membership profile, from your stays in hotels or dealings with travel partners, through surveys or forms on our Sites, through verbal, written or electronic requests for information, and through various other means.

Sharing with other third parties:

We may also share your personal information with:

  • IT service providers used by us in providing services;
  • third-party organisations and specialist suppliers that assist us with the administration of our promotions;
  • third party advertising partners, including those set out in our Cookies Policy [and/or our Cookie preference centre] when you use our Sites. This data is used to provide you with, and measure the effectiveness of, online personalised advertising and for other advertising related activities

Occasionally, where necessary in the legitimate interests of business, or in order to comply with legal obligations:

  • in the event that we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets;
  • if we are under a duty to disclose or share your personal information with law enforcement agencies and regulatory bodies, or otherwise for the prevention or detection of crime; or
  • to enforce or apply our website terms of use, terms and conditions or other agreements, or to protect the rights, property or safety of our group or others.

This list is non-exhaustive and there may be circumstances where we need to share personal data with other third parties in order to operate our Sites and to provide our Services.



In our capacity as Controller, GHA is responsible for processing your personal information as part of its administration and management of the GHA DISCOVERY loyalty programme. This personal information is intended for use by GHA, by the operators of the Participating Hotels, by affiliates and by commercial partners for the purpose of providing information and administering the membership in the GHA DISCOVERY loyalty programme and to coordinate offers and activities with GHA, the Brands, Participating Hotels and GHA’s partners around the world, as set out above.

As a result of the global nature of our business, Members’ personal information is likely to be transmitted for the above-mentioned purposes to Brands, Participating Hotels, IT service providers and other recipients located in countries outside the European Economic Area ("EEA") which may not offer the same level of protection of your data as countries inside the EEA.

This transmission is required for the operation of the GHA DISCOVERY Programme and for providing recognition and customer services to the Member. Such information may also be used by Brands and Participating Hotels for their marketing purposes that you may find useful or otherwise of value, such as particular hotel, brand or programme marketing or other offers where you have either agreed to, or not opted out of such marketing.

We will endeavour to take the appropriate steps to ensure that Members’ personal information is protected and handled in accordance with best practice in all territories and, where appropriate, and ensure that standard contractual clauses are in place where appropriate. Please see more information in relation to international transfers in the section 'Transfers outside the EEA" below.



We are located in the United Arab Emirates. Therefore, when you submit personal information to us, whether through your interactions with our Sites or otherwise, you acknowledge that your personal information will be transferred outside the EEA to the United Arab Emirates where it will be stored and processed by us and our suppliers for the purposes set out in this Privacy Policy.

Where necessary in order to operate our Sites and to otherwise deliver our Services, we will transfer personal information to countries outside the EEA. Non-EEA countries do not have the same data protection laws as the EEA. In particular, non-EEA countries may not provide the same degree of protection for your personal information, may not give you the same rights in relation to your personal information and may not have a data protection supervisory authority to help you if you have any concerns about the processing of your personal information. However, when transferring your personal information outside the EEA, we will comply with our legal and regulatory obligations in relation to your personal information, including having a lawful basis for transferring personal information and putting appropriate safeguards in place to ensure an adequate level of protection for the personal information.

We will take reasonable steps to ensure the security of your personal information in accordance with applicable data protection laws.

When transferring your personal information outside the EEA, we will ensure that, where required by applicable law, at least one of the following safeguards is implemented:

Please contact us at [email protected] if you would like further information on the specific mechanisms used by us when transferring your personal information outside the EEA.



We will retain your personal information in accordance with our data retention policy and will not retain your personal information for any longer than is necessary for our purposes, including for the purposes of satisfying any legal, accounting or reporting requirements.  If you would like further information, please contact us using the details above.

If you have opted out of receiving marketing communications from us, we will need to retain certain personal information on a suppression list indefinitely so that we know not to send you further marketing communications in the future.



We want you to feel confident about using our Sites to plan and purchase your travel, so we are committed to protecting the information we collect. GHA has implemented a security programme to keep information that is stored in our systems protected from unauthorised access.

We have implemented information security policies, rules and technical measures to protect the personal information that we have under our control from:

  • unauthorised access;
  • improper use or disclosure;
  • unauthorised modification; and
  • unlawful destruction or accidental loss.

All our employees and data processors (i.e. those who process your personal information on our behalf, for the purposes listed above) who have access to and are associated with the processing of personal information are obliged to respect the confidentiality of the personal information of all users of our Sites and our Services.

Our systems are configured with data encryption and industry-standard firewalls.

When you send personal information to GHA over the Internet, your data is protected by Secure Socket Layer (SSL) technology to ensure safe transmission.



On our Sites and through the GHA DISCOVERY family of Hotel and Brands in the Global Hotel Alliance, you are given the opportunity to manage your subscription to GHA DISCOVERY communications.

GHA sends regular emails to GHA DISCOVERY loyalty programme members to tell them about their account status, to inform them about GHA DISCOVERY programme news and also to let them know about offers.

You may withdraw your consent to marketing and stop receiving communications from us at any time by:

  • following the simple unsubscribe process set out at the bottom of each email
  • sending us an email at [email protected]
  • going to your GHA DISCOVERY Member account preference settings on or in the mobile app and deselecting the relevant boxes or selecting "Unsubscribe from All".

However, we may still need to contact you when you make a booking, when you complete a stay or when your status in the programme changes.

Please note that:

  • During your registration for receiving marketing communications on our Sites, we store the IP address assigned to your computer system by the Internet service provider (ISP) and used by you at the time of the registration, as well as the date and time of the registration. We collect this data in order to monitor the (possible) misuse of your email address at a later date.
  • Communication-Tracking: Most DISCOVERY emails contain so-called tracking pixels. A tracking pixel is a miniature graphic embedded in such emails, which are sent in HTML format to enable log file recording and analysis. These pixels allow us to analyse the success or failure of online marketing campaigns. Based on the embedded tracking pixel, GHA may see if and when you opened an email, and which links in the email you clicked on. Personal data collected via the tracking pixels are stored and analysed by us in order to track the distribution of the emails, as well as to adapt the content of future emails even better to your interests. This personal information will not be passed on to third parties. 



In addition to the right to be informed about how we use your personal information (as set out in this Privacy Policy), you have various other rights which are set out in more detail below.  If you wish to exercise any of these rights, please contact the Data Protection Officer at [email protected].

  • Access to your personal information: You can contact us to request the information we hold about you, as well as supplementary information such as why we have that information, who has access to the information and where we got the information.
  • Withdrawing consent: If you have given us your consent to use your personal information, you can withdraw your consent at any time – for example, if you have given us consent to use your sensitive information (please see below).  However, it will have been lawful for us to use the personal information up to the point you withdrew your consent.
  • Correction of your personal information: In order to comply with applicable legislation, GHA will be required to routinely update your personal information whereupon you will be asked to verify and/or update relevant personal information. If information we hold about you is out of date, incomplete or incorrect, you can also ask us to update it at any time.
  • Deletion of your personal information: You can request that we erase the information we hold. When we receive your request, we will confirm whether the information has been deleted or tell you the reason why it cannot be deleted. For example, we may need to continue to hold your information for legal reasons or in connection with legal claims.
  • Objection to processing your personal information: You have the right to request that we stop processing your information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to us processing the information. We will tell you whether we are able to comply with your request, or whether there is a compelling reason why we need to continue processing it – for example, we may need to continue holding the information for legal reasons or in connection with legal claims. 
  • Restriction: You can ask us to temporarily limit the use of your personal information, for example where you have questioned the accuracy of your information or our use of it, but you do not want us to delete it.
  • Objection to direct marketing: You have the right to request that we stop contacting you with direct marketing.
  • Portable data: You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred. We will comply where possible and it is technically feasible to do so.
  • Automated decision-making: Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.  You have the right not to be subject to automated decisions that will create legal effects or have a similar significant impact on you, unless you have given us your consent, it is necessary for a contract between you and us or is otherwise permitted by law.  You also have certain rights to challenge decisions made about you. We do not currently carry out any automated decision-making.

Some of these rights only apply in certain circumstances, so we may not be able to fulfil every request.  If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure.

If you have a concern about any aspect of our privacy practices, including the way we have handled your personal information, please contact us using the contact details provided in the “How to Contact Us” section above. You can also report any issues or concerns to a national supervisory authority in the Member State of your residence or the place of the alleged infringement. You can find a list of contact details for all EU supervisory authorities at:



The Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Economic Area and other provisions related to data protection is:

GHA Loyalty DMCC

21st Floor, JBC5 Tower, Jumeirah Lake Towers

PO Box 487771 Dubai

United Arab Emirates

Phone: +971 4 4214287



The Data Protection Officer of the controller is:

Prof. Dr. Rolf Lauser

Dr.-Gerhard- Hanke-Weg 31

85221 Dachau


Email: [email protected]

You may, at any time, contact our Data Protection Officer directly with all questions and suggestions concerning data protection.



If you are an NH DISCOVERY member of GHA DISCOVERY, then we will process your personal information for the purposes of the loyalty scheme, including your reservations and travel purchases, as Processor for NH Hotels who is the ultimate Controller.

You have the same rights in relation to your personal information as other members and may exercise your rights by contacting [email protected], who will manage your request on NH Hotels' behalf.  Please see NH Hotels' privacy policy here for more information on their lawful bases for processing and procedures in relation to data protection applying to your personal information.





Google Analytics provides anonymised statistical information to GHA. Google Analytics gathers data on behalf of GHA about visits to our Sites. Google Analytics uses cookies, log file data and code which is embedded on our Sites. GHA uses this information to track the volume of usage on the websites and mobile apps and to help improve the services it provides to users. IP addresses and other information that Google Analytics collects is transferred to them in the United States of America. Google is committed to complying with applicable data protection laws.

To find out more about Google Analytics privacy policies or to opt out of being tracked by Google Analytics across all websites visit:



On our Sites, we have integrated components of the Facebook, Instagram and Linkedin websites and mobile apps. You will recognise the Facebook, Instagram and Linkedin plug-ins on our Sites through the Facebook, Instagram and Linkedin logos or the “Like button”.

The operator of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, United States. If a person lives outside of the United States or Canada, the controller is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

An overview of all the Facebook Plug-ins may be accessed under If you activate the Facebook button, a direct link is created between your browser and the Facebook server via the plug-in and data is transferred to Facebook. This provides Facebook with the information that you have visited our Sites from your IP address. If you click on the Facebook “Like button” while you are logged into your Facebook account, the content of our Sites may be linked automatically to your Facebook profile.

Facebook can link your visit to our Sites to your Facebook user account. We, as providers of the Sites, do not receive information about the contents of the transmitted data nor their use by Facebook.

Please refer to Facebook’s data protection statement at for further information on the purpose and scope of data collection by Facebook and its processing and usage of your data and the associated rights and setting options on the protection of your privacy.

If you do not want Facebook to assign the visit of our web pages to your Facebook user account, please log out of your Facebook user account before activating the button.



All text, images, audio- and video material used on this website and mobile app is protected by copyright and may not be copied, modified or used for private or commercial reasons. Our aim is to keep the information displayed on this website and mobile app timely and accurate. We do not accept any responsibility or liability whatsoever with regards to the information on this site and mobile app.



Our Sites may contain links to third party websites and services. This Privacy Policy does not apply to your interaction with services provided by third parties. When you use a link to go from our Sites to another website (even if you don’t leave our Sites) or you request a service from a third party, this Privacy Policy shall not apply to the processing of your personal information carried out by the relevant third party provider.

Your browsing and interactions on any other websites, or your dealings with any other third party service provider, is subject to that website’s or third party service provider’s own rules and policies. For example, our website invites you to connect with us on social media platforms such as Facebook and Instagram. When you click on the links we provide to such platforms, you will be transferred from our website to the relevant platform and the privacy notice (and other terms and conditions) of that platform will apply to you.

We do not monitor, endorse, warrant, or guarantee the products, services, or information described or offered at these other Internet sites or the privacy practices of any third parties.

We encourage you to become familiar with the privacy practices of every website you visit or third party service provider that you use in connection with your interaction with us and to contact them if you have any questions about their respective privacy notices and practices.

This Privacy Policy applies solely to personal information processed by us through your use of our Sites, your receipt of our Services and/or in connection with our business operations. It does not apply to the processing of your personal information by these third party websites and third party service providers.