Skip to main content
← Back to URE

Privacy Policy — URE (Ultimate Resort Experience)

Status: template — first version, requires legal review before publication. Last modified: 25 April 2026 Maintainer: Sebastiaan

>

Translation note: the Dutch version is the legally binding source. This English translation is provided for convenience and accessibility; in case of conflict the Dutch text prevails.

>

Applies to: https://ultimateresortexperience.com, https://*.ure.services, all URE tenant storefronts and the URE platform application. Does not apply to: https://ure.team (outreach domain per ADR-OUT-001; separate privacy policy on that site).

1. Who we are

URE is a trade name of [company name], registered in [address], registered with the Dutch Chamber of Commerce under number [KvK]. For privacy questions: privacy@ultimateresortexperience.com. Our Data Protection Officer is reachable at the same address.

URE is a platform for post-stay commerce: guests of affiliated luxury resorts can buy products they experienced during their stay after departure (bed linens, toiletries, local specialties, etc.). The resort pays URE a commission per sale; URE builds and maintains the platform.

2. Who processes which data?

URE acts in three different roles, depending on the data category:

CategoryOur roleController
Guest data (email, name, stay dates, purchases)ProcessorThe resort that hosted the guest
Operator accounts of resort staffControllerURE
Brand-partner contracts and administrationControllerURE
Visitors to ultimateresortexperience.com + marketing pagesControllerURE

For guest data we hold a Data Processing Agreement (DPA) with each affiliated resort. The resort is the party in contact with the guest and determines the purpose of processing; URE facilitates.

3. What data do we process?

3.1 Guest data (on behalf of the resort)

  • Identification: first and last name, email address.
  • Stay data: arrival and departure dates, room number (optional).
  • Preferences: language; allergies / dietary preferences if shared.
  • Purchase history: orders placed via URE (product, price, date).
  • Communication history: which emails sent, opened, clicked.
  • Technical data: IP address and user-agent at the moment of opening / clicking (for deliverability and attribution).

3.2 Operator accounts

  • Email address, first and last name.
  • Cognito attributes (token claims, MFA setting).
  • Audit log of actions taken.

3.3 Marketing visitors (ultimateresortexperience.com)

  • Visit statistics via privacy-friendly analytics (no cookies, anonymised IP).
  • Data you submit yourself in contact forms.

3.4 What we do not process

  • No credit-card or bank data — those go directly to Stripe (PCI-DSS Level 1, certificate available on request).
  • No special category personal data (health, religion, ethnicity) unless explicitly shared by the resort (in which case the processing falls under the DPA with the resort).
  • No third-party tracking cookies for advertising networks.

4. On what legal basis do we process?

ProcessingBasis (GDPR art. 6)
Guest receives post-stay email from the resort via URELegitimate interest of the resort (art. 6.1.f) — guest and resort have an existing customer relationship
Order fulfilmentPerformance of contract (art. 6.1.b)
Operator account managementPerformance of contract with the resort (art. 6.1.b)
Analysing marketing visitorsLegitimate interest (art. 6.1.f) — privacy-friendly analytics, no tracking
Brand-partner contractsPerformance of contract (art. 6.1.b)

Consent is requested for:

  • Cookies that are not strictly necessary (none currently, hence no cookie banner).
  • Specific marketing communications outside the standard post-stay email.

5. Retention periods

DataTermReason
Guest profile + purchases7 years after last purchaseStatutory bookkeeping retention (art. 52 AWR — Dutch tax law)
Guest profile without purchases (email only)24 months after last contactDefault inactivity cleanup
Audit logs (operator actions, service-role traces)5 yearsForensic investigation after an incident
Operator accountsRemoved within 30 days of contract terminationNo further necessity
Email engagement events (open, click, bounce)24 monthsDeliverability reporting and reputation management
Sentry error logs90 daysPII-stripping before storage (see §10)

At the resort's request, all guest data can be deleted within 14 days of contract termination (see §9 — right to erasure).

6. With whom do we share data?

Sub-processors with which we hold a contractual data-processing agreement:

PartyPurposeLocationCertification
Amazon Web Services (eu-west-1, Ireland)Hosting, database, email (SES)EUISO 27001, SOC 2 Type II
Stripe Payments Europe Ltd.Payment processingEU + US (data flows under SCCs)PCI-DSS Level 1
Cognito (AWS)AuthenticationEUISO 27001
Sentry (Functional Software Inc.)Error loggingUS, with EU data-residency option enabledSOC 2 Type II
Anthropic (PBC)Personalisation of marketing contentUS, no guest PII transmittedSOC 2 Type II
Google (Gemini API)Image generation for marketing assetsUS, no guest PII transmittedISO 27001
NetlifyHosting of marketing site (ultimateresortexperience.com)US / EU edgesSOC 2 Type II

We never sell data to third parties.

For international transfers (Stripe, Sentry, Anthropic, Gemini) we use Standard Contractual Clauses (SCCs) and, where applicable, the supplementary safeguards required by the Schrems II ruling.

7. Brand-partner data

Brand partners (suppliers whose products are sold via URE — Tier 3 and Tier 4 per ADR-CAT-001) receive:

  • Aggregated sales figures per product per period.
  • Conversion and attribution statistics.

Brand partners never receive:

  • Identifiable guest data (email, name, room number).
  • Guest-level behavioural data.
  • Cross-resort comparisons that surface individual guests.

Tier 4 partners (referral-only, MAP-respecting) receive only referral counts and anonymised demographic totals.

8. Rights of data subjects

Every data subject has the following rights under the GDPR:

RightHow?Response time
Access to your own dataprivacy@ultimateresortexperience.com1 month
Rectificationprivacy@ultimateresortexperience.com1 month
Erasure ("right to be forgotten")privacy@ultimateresortexperience.com or click "unsubscribe" in any URE email1 month (unsubscribe is immediate)
Restriction of processingprivacy@ultimateresortexperience.com1 month
Data portability (machine-readable export)privacy@ultimateresortexperience.com1 month
Object to processingprivacy@ultimateresortexperience.com1 month
Withdraw consent (where applicable)Directly in the email or via account settingsImmediate
File a complaintDutch Data Protection Authority: autoriteitpersoonsgegevens.nlPer AP timeline

For guest data we route requests through the relevant resort — they are the controller. We facilitate execution.

9. Right to erasure — process

When a resort terminates its tenant, or an individual guest submits an erasure request:

  1. Request submitted to the resort or via privacy@ultimateresortexperience.com.
  2. Verification of the requester (email confirmation or operator confirmation).
  3. Marking in URE: tenant status flips to pending_deletion with a scheduled deletion date (default 14 days later — provides a recovery window in case of error).
  4. Stop of all further processing: no new emails sent, storefront unreachable, audit log read-only.
  5. Hard-delete by automatic cron Lambda after 14 days: all tenant-scoped rows are permanently removed from the database. RDS snapshots older than 30 days fall outside retention.
  6. Confirmation by email to the requester.

Audit log entries are retained for 5 years to enable forensic investigation after a possible security incident — this is a statutory retention obligation under GDPR accountability.

Purchase data (orders) is retained for 7 years due to tax record-keeping obligations (art. 52 AWR), but pseudonymised: name and email address are replaced with a hash; only the purchase amount, date, and VAT base remain traceable.

10. Security measures

  • Encryption: TLS 1.2+ everywhere (in transit), AES-256 (at rest).
  • Multi-tenant isolation: PostgreSQL Row-Level Security (RLS) mandatory on every table — see ADR-MT-001 in our technical documentation.
  • Access: Cognito-based authentication with 12+ character passwords minimum, optional MFA (mandatory for URE personnel).
  • Audit trail: every super-admin action is recorded immutably; UPDATE and DELETE on the audit table are revoked at the privilege level.
  • Privacy-by-design: PII is stripped before error logs reach Sentry; query strings carrying guest tokens are masked for logging.
  • Rate-limiting: login attempts, MFA attempts and provisioning are rate-limited per IP+account.
  • Pen-testing: yearly external pen-test (first cycle after go-live).
  • Incident response: documented runbook (docs/operations/Incident_Response_Runbook.html); GDPR-compliant 72-hour notification to the AP in case of a data breach.

11. Cookies

URE uses only strictly necessary cookies:

CookiePurposeDuration
ure_accessSession cookie for admin login8h (super-admin) / 24h (resort-admin)
ure_refreshSession refresh (sent only to /auth/refresh)30 days
ure_idUI hydration of "current user" without round-tripSame as ure_access
ure_impersonateTemporary super-admin impersonation of a tenant (requires a justification logged in the audit trail)4h
ure-localeVisitor's chosen language for the marketing site1 year

No tracking, advertising, or analytics cookies. No cookie banner needed (the cookies are strictly necessary).

12. Changes to this policy

This policy may be amended. Material changes will be:

  • Published on this page with an updated revision date (see top).
  • Announced by email to operator accounts.
  • For guest data (where URE is processor) presented to each affiliated resort for approval before taking effect.

Version history is preserved in our git history and available on request.

13. Contact

Questions, requests, or complaints:

  • Email: privacy@ultimateresortexperience.com
  • Post: [postal address]

For complaints we cannot resolve to your satisfaction: Dutch Data Protection Authority, autoriteitpersoonsgegevens.nl.