Privacy Policy


GHA Loyalty DMCC (“GHA”, "us" or “we”) is the operator of the GHA DISCOVERY loyalty programme. 

Your privacy is very important to us and this Privacy Policy is intended to help you understand what type of personal information  we collect from you, how we store and use it and how we make sure that information is not made available to third parties unless it is needed to process your booking requirements or for completing financial transactions.  

[This Privacy Policy applies to our users, suppliers and other third parties that we interact with during the day to day provision of our Services.] It only applies to the use of your personal information obtained by us, whether from you directly or from a third party. It does not apply to personal information collected by third parties during your communications with those third parties or your use of their products or services (for example, where you follow links to third party websites over which we have no control).

This Privacy Policy sets out:

  • the information privacy practices on, the GHA Support Portal, DISCOVERY in a Box and on other websites and applications operated by or on behalf of GHA (the “Sites”);
  • in relation to all users of the Sites (“Users”) – how we collect, store and use personal information as a Controller;  and

This Privacy Policy sets out your rights in respect of our processing of your personal information. It is intended to assist you in making informed decisions when using the Sites and our Services. Please take a moment to read and understand it. It should be read in conjunction with our Terms of Use and the Cookie Policy.

How to contact us:

If you have any questions about this Privacy Policy or want to exercise the rights set out in this Privacy Policy, you can contact our Data Protection Officer at [email protected]



GHA collects information about you that you specifically and voluntarily provide. The personal information collected may include a broad range of information, as set out in more detail below.
Although you are required to register in order to use our GHA DISCOVERY programme and you will need to provide some personal information when making a hotel reservation, many areas of our Sites can be accessed without providing any personal information.

On all Sites that collect any of your personal information, we specifically describe what information is required in order to provide you with the product or service you have requested.

GHA collects personal information when you: 

  • Sign up to;
  • Browse our Sites;
  • Contact GHA or GHA DISCOVERY Customer Care;
  • Participate in e-learning


Browsing the Sites:

When browsing our Sites, we may also collect a series of general data and information about your navigation of our Sites on an aggregated basis, such as your Internet Protocol Address (“IP Address”), which is identified and logged automatically in our server log files whenever you navigate our Sites, your Internet Service Provider (“ISP”), your login frequency, the pages you visited within the Sites, the operating system used by the accessing system, the website or mobile apps from which an accessing system reaches our website or mobile app (so-called “referrers”), and the Internet browser types and versions used as well as the device you are using to access the Sites and mobile apps.

This information is needed to (1) deliver the content of our website correctly, (2) optimize the content of our website, (3) ensure the long-term viability of our information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, GHA analyses anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by you.

Contacting us:

You may also voluntarily provide personal information when you send us an enquiry or support request via email. When you contact us, we keep a record of your communication, and may use third party service providers (email system provider, CRM systems), to help solve any issues you might be facing. 


Surveys are periodically conducted to collect information to help us improve our Sites and Services. All information collected through surveys will remain confidential, even if we use a third party to help us conduct the survey, unless otherwise indicated.

User registration information:

When you register on the Sites or otherwise to become a registered user, we use your information to create your user account. You will then receive a confirmation email which confirms your email address. For these purposes, we will collect personal information such as your name, business name, email address and your role within your business. We will also record a password linked to your personal details.  


A cookie is a small file of letters and numbers that we store on the hard drive of your computer if you agree. Our Sites use cookies to distinguish you from other users of our website and mobile apps. Through the use of cookies, GHA can provide users of the Sites with services that would not be possible without the cookie setting and they also help us to provide you with a good experience when you browse our Sites and also allows us to improve the performance of our Sites. Some cookies may collect your personal data.  Further information in relation to specific cookies is set out in our Cookie Policy.



We will use the information collected on as set out above for the following purposes:


Types of personal information

Lawful basis

Registering you as a user
registration information

Necessary for our contract with you

Legitimate interest (to process this information to provide you with a good service)

Responding to your questions or suggestions

User registration information 

User claim information

Any other information you may voluntarily provide

Legitimate interest (to provide you with a good service) 
Improving the quality of your visit to our SitesCookies information and technical information about your deviceLegitimate interest (to provide you with a good service)
Amending or updating your user profile. User registration informationLegitimate interest (to provide you with a good service) 



We may share your personal information with IT service providers used by us in providing services.



In our capacity as Controller, GHA is responsible for processing your personal information as part of its administration and management of the GHA DISCOVERY loyalty programme. This personal information is intended for use by GHA. 

As a result of the global nature of our business, User’s personal information is likely to be transmitted for the above-mentioned purposes to IT service providers and other recipients located in countries outside the European Economic Area ("EEA") which may not offer the same level of protection of your data as countries inside the EEA. 

This transmission is required for the operation of the GHA DISCOVERY Programme. We will endeavour to take the appropriate steps to ensure that Users’ personal information is protected and handled in accordance with best practice in all territories and, where appropriate, and ensure that standard contractual clauses are in place where appropriate. Please see more information in relation to international transfers in the section 'Transfers outside the EEA" below.



We are located in the United Arab Emirates. Therefore, when you submit personal information to us, whether through your interactions with our Sites or otherwise, you acknowledge that your personal information will be transferred outside the EEA to the United Arab Emirates where it will be stored and processed by us and our suppliers for the purposes set out in this Privacy Policy. 

Where necessary in order to operate our Sites and to otherwise deliver our Services, we will transfer personal information to countries outside the EEA. 

Non-EEA countries do not have the same data protection laws as the EEA. In particular, non-EEA countries may not provide the same degree of protection for your personal information, may not give you the same rights in relation to your personal information and may not have a data protection supervisory authority to help you if you have any concerns about the processing of your personal information. However, when transferring your personal information outside the EEA, we will comply with our legal and regulatory obligations in relation to your personal information, including having a lawful basis for transferring personal information and putting appropriate safeguards in place to ensure an adequate level of protection for the personal information. 
We will take reasonable steps to ensure the security of your personal information in accordance with applicable data protection laws.
When transferring your personal information outside the EEA, we will ensure that, where required by applicable law, at least one of the following safeguards is implemented:

Please contact us at [email protected] if you would like further information on the specific mechanisms used by us when transferring your personal information outside the EEA.



We will retain your personal information in accordance with our data retention policy and will not retain your personal information for any longer than is necessary for our purposes, including for the purposes of satisfying any legal, accounting or reporting requirements.  If you would like further information, please contact us using the details above.


We want you to feel confident about using our Sites, so we are committed to protecting the information we collect. GHA has implemented a security programme to keep information that is stored in our systems protected from unauthorised access. 

We have implemented information security policies, rules and technical measures to protect the personal information that we have under our control from:

  • unauthorised access;
  • improper use or disclosure;
  • unauthorised modification; and
  • unlawful destruction or accidental loss.

All our employees and data processors (i.e. those who process your personal information on our behalf, for the purposes listed above) who have access to and are associated with the processing of personal information are obliged to respect the confidentiality of the personal information of all users of our Sites and our Services.

Our systems are configured with data encryption and industry-standard firewalls.

When you send personal information to GHA over the Internet, your data is protected by Secure Socket Layer (SSL) technology to ensure safe transmission.



In addition to the right to be informed about how we use your personal information (as set out in this Privacy Policy), you have various other rights which are set out in more detail below.  If you wish to exercise any of these rights, please contact the Data Protection Officer at [email protected]

  • Access to your personal information: You can contact us to request the information we hold about you, as well as supplementary information such as why we have that information, who has access to the information and where we got the information. 
  • Withdrawing consent: If you have given us your consent to use your personal information, you can withdraw your consent at any time – for example, if you have given us consent to use your sensitive information (please see below).  However, it will have been lawful for us to use the personal information up to the point you withdrew your consent. 
  • Correction of your personal information: In order to comply with applicable legislation, GHA will be required to routinely update your personal information whereupon you will be asked to verify and/or update relevant personal information. If information we hold about you is out of date, incomplete or incorrect, you can also ask us to update it at any time.
  • Deletion of your personal information: You can request that we erase the information we hold. When we receive your request, we will confirm whether the information has been deleted or tell you the reason why it cannot be deleted. For example, we may need to continue to hold your information for legal reasons or in connection with legal claims.
  • Objection to processing your personal information: You have the right to request that we stop processing your information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to us processing the information. We will tell you whether we are able to comply with your request, or whether there is a compelling reason why we need to continue processing it – for example, we may need to continue holding the information for legal reasons or in connection with legal claims.  
  • Restriction: You can ask us to temporarily limit the use of your personal information, for example where you have questioned the accuracy of your information or our use of it, but you do not want us to delete it.
  • Portable data: You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred. We will comply where possible and it is technically feasible to do so. 

Some of these rights only apply in certain circumstances, so we may not be able to fulfil every request.  If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure.

If you have a concern about any aspect of our privacy practices, including the way we have handled your personal information, please contact us using the contact details provided in the “How to Contact Us” section above. You can also report any issues or concerns to a national supervisory authority in the Member State of your residence or the place of the alleged infringement. You can find a list of contact details for all EU supervisory authorities at:


The Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Economic Area and other provisions related to data protection is:

GHA Loyalty DMCC
21st Floor, JBC5 Tower, Jumeirah Lake Towers
PO Box 487771 Dubai
United Arab Emirates
Phone: +971 4 4214287

The Data Protection Officer of the Controller is:

Prof. Dr. Rolf Lauser
Dr.-Gerhard- Hanke-Weg 31
85221 Dachau
Email: [email protected]

You may, at any time, contact our Data Protection Officer directly with all questions and suggestions concerning data protection.


All text, images, audio- and video material used on this website is protected by copyright and may not be copied, modified or used for private or commercial reasons. Our aim is to keep the information displayed on this website and mobile app timely and accurate. We do not accept any responsibility or liability whatsoever with regards to the information on this site.

Our Sites may contain links to third party websites and services. This Privacy Policy does not apply to your interaction with services provided by third parties. When you use a link to go from our Sites to another website (even if you don’t leave our Sites) or you request a service from a third party, this Privacy Policy shall not apply to the processing of your personal information carried out by the relevant third party provider. 

Your browsing and interactions on any other websites, or your dealings with any other third party service provider, is subject to that website’s or third party service provider’s own rules and policies. When you click on the links we provide to third party platforms, you will be transferred from our website to the relevant platform and the privacy notice (and other terms and conditions) of that platform will apply to you.

We do not monitor, endorse, warrant, or guarantee the products, services, or information described or offered at these other Internet sites or the privacy practices of any third parties.

We encourage you to become familiar with the privacy practices of every website you visit or third party service provider that you use in connection with your interaction with us and to contact them if you have any questions about their respective privacy notices and practices.
This Privacy Policy applies solely to personal information processed by us through your use of our Sites, your receipt of our Services and/or in connection with our business operations. It does not apply to the processing of your personal information by these third party websites and third party service providers.