Section 1: Introduction and Scope
SHAN Holdings (together with its affiliates, "we", "us", or "our") operates the SHAN Club membership platform, including shan.club (the "Portal"), our mobile applications, and our concierge services (collectively, "Services"). We respect the privacy of our Members and visitors ("you" or "Data Subject") and are dedicated to maintaining the absolute confidentiality of the personal data you entrust to us.
This Privacy Policy explains how we collect, use, store, disclose, and protect your personal data when you apply for membership, log in to our Portal, utilize our Services, or interact with our Concierge team. By using our Services, you consent to the practices described in this Privacy Policy.
Section 2: Personal Data We Collect
We collect personal data that identifies you or can be used to identify you. The categories of personal data we collect include:
- Identity Data: Full name, username or member ID, passport number, passport expiration date, nationality, gender, date of birth, and photos (where required for identification).
- Contact Data: Email address, billing address, home address, phone number, and social media/messenger handles (e.g., Telegram details for AI Copilot integrations).
- Financial Data: Bank account details, payment card information (though processed securely via vetted PCI-DSS compliant gateways), and billing histories.
- Technical Data: IP address, login credentials (passwords, OIDC tokens), browser type and version, time zone setting, location data, operating system, and device identifiers.
- Profile Data: Membership tier (Voyager, Prestige, Sovereign), interests, preferences (including dietary requirements, allergy information, room type selections, pillow preferences), feedback, and survey responses.
- Usage Data: Information about how you interact with our Portal, experiences search queries, and utilize our concierge desk.
- Special Category Data: For certain bespoke travel itineraries, we may collect details relating to health requirements (e.g., physical accessibility constraints) or religious dietary restrictions. We process this data strictly with your explicit consent.
Section 3: Methods of Data Collection
We collect your personal data through different methods, including:
- Direct Interactions: You provide us with your Identity, Contact, and Financial data by filling in registration forms, applying for membership, booking experiences, participating in message threads, or communicating with the SHAN Concierge by email, phone, or chat.
- Automated Technologies: As you interact with our Portal, we automatically collect Technical and Usage data through session states, server logs, and functional cookie protocols.
- Third Parties and Suppliers: We may receive personal data about you from independent luxury travel providers, airlines, hotels, or corporate sponsors who facilitate your membership or travel arrangements.
Section 4: Purposes and Legal Bases for Processing Data
Under the Singapore Personal Data Protection Act (PDPA) and GDPR, we must have a legal basis to process your personal data. We utilize your data for the following purposes and legal bases:
| Purpose / Activity | Type of Data | Legal Basis for Processing (under GDPR / PDPA) |
|---|---|---|
| To register you as a new Member | Identity, Contact | Execution of a contract |
| To verify your identity via secure credentials | Identity, Contact, Technical | Execution of a contract / Legitimate Interests |
| To curate, book, and process luxury itineraries | Identity, Contact, Financial, Profile | Execution of a contract |
| To manage payments, billing, and settlements | Identity, Contact, Financial | Execution of a contract |
| To operate, secure, and optimize our Portal | Technical, Usage | Legitimate Interests (system administration, security) |
| To handle inquiries, feedback, and customer support | Identity, Contact, Profile, Usage | Execution of a contract / Legitimate Interests |
| To comply with legal and regulatory obligations | Identity, Contact, Financial | Compliance with legal obligations |
Section 5: Disclosures of Your Personal Data
To deliver bespoke travel and concierge experiences, we may share your personal data with:
- Service Providers and Suppliers: Luxury hotels, private villa estates, yacht charter companies, airlines, destination management companies, and local guides who perform services required to fulfill your booking.
- Third-Party Contractors: IT hosting partners, secure database services, payment gateways, and communications software platforms.
- Professional Advisors: Bankers, lawyers, auditors, and insurers located in Singapore and other operating jurisdictions.
- Law Enforcement and Regulators: Government authorities, tax offices, and security services where required by law or in defense of legal claims.
We require all third parties to respect the security of your personal data and treat it in accordance with the law. We do not allow third-party service providers to use your personal data for their own marketing purposes.
Section 6: Cross-Border Data Transfers
As a global private club, the execution of your travel itineraries will frequently require transferring your personal data outside of Singapore or the European Economic Area (EEA), to the locations of your selected destinations and accommodation partners.
When we transfer your personal data across borders, we ensure a similar degree of protection is afforded to it. In accordance with the PDPA and GDPR, we ensure that transfer mechanisms are secured by standard contractual clauses, binding corporate rules, or that the country has been deemed to provide an adequate level of data protection.
Section 7: Data Security Measures
We have implemented robust administrative, technical, and physical security measures designed to prevent your personal data from being accidentally lost, used, accessed, altered, or disclosed in an unauthorized manner:
- Encryption: All data in transit is encrypted using Secure Socket Layer (SSL/TLS) protocols. Data at rest is secured via advanced cryptographic standards.
- Access Control: Access to your personal data is strictly limited to employees, concierge agents, and contractors who have a legitimate business need to know. They operate under strict confidentiality obligations.
- Security Audits: We perform regular security reviews and penetration testing to identify vulnerabilities and harden our systems against intrusion.
Section 8: Data Retention
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, and applicable legal requirements. Upon expiration of the retention period, your personal data will be permanently deleted, anonymized, or securely destroyed.
Section 9: Your Legal Rights
Under applicable data protection laws, you possess the following rights regarding your personal data:
- Right of Access: You can request details of the personal data we hold about you and receive a copy of that data.
- Right to Rectification: You can ask us to correct inaccurate or incomplete personal data.
- Right to Erasure (Right to be Forgotten): You can request that we delete your personal data under certain conditions.
- Right to Restrict Processing: You can ask us to suspend processing your personal data.
- Right to Data Portability: You can request the transfer of your data to another organization in a structured, machine-readable format.
- Right to Withdraw Consent: Where we rely on your consent to process your data, you can withdraw your consent at any time.
To exercise any of these rights, please contact our Data Protection Officer (DPO) at [email protected]. We will respond to your request within thirty (30) days.
Section 10: Data Protection Officer (DPO) and Contact Details
If you have any questions about this Privacy Policy or our privacy practices, please contact our DPO:
SHAN Holdings Attn: Data Protection Officer Email: [email protected] Portal: shan.club (Member Inquiry Desk)
Note: In alignment with our commitment to member privacy and security, physical addresses and local telephone hotlines are reserved exclusively for registered members and are accessible via the secure member dashboard or by contacting the Concierge directly.
