Data Privacy and Security Policy

Effective Date: 1 August 2019
Last Updated: 5 January 2024

This Data Privacy and Security Policy (“Privacy Policy”) sets out how OSHM, its group companies, affiliates, and all properties managed or operated by OSHM (“OSHM Group”, “our group”, “we”, “our”, “us”, “Popsible Hospitality Management Limited” or “Popway Hotel”) collects, stores and handles “Personal Data” (i.e., any personal information that can be used to identify a living individual), which we may collect.

We are committed to protecting the privacy of the personal data (“Personal Data”) we hold. To ensure that you can feel confident about providing your Personal Data to us, we outline in this policy how we collect, store and use your personal data. For any comments or queries, please contact us in accordance with Section 6 (Contacting us) below.


1. The information we collect and how we collect it

In providing our Services, we collect, store and use the following information relating to you:

  • Personal Data: data relating directly or indirectly to you from which we can identify you, such as your name, address, e-mail address and telephone number, birthday, anniversary as well as information generated through your use of the Services, such as details of your purchases and other transaction information
  • Non-personal Data: information that relates to you but from which we cannot directly or indirectly identify you
  • Tracking Data: technical information that is automatically collected by us when you use our Services, whether through the use of cookies or otherwise

We may collect your information from your use of any of our Services, whether you provide it via our website or mobile applications, over the phone, at our hotel or restaurant, or otherwise, including when you:

  • make an inquiry
  • book a hotel room
  • check-in
  • make a restaurant booking
  • request to receive our hotel newsletters and hotel communications
  • join any of our promotions or sweepstakes
  • submit comment


2. How we use your information

We will collect information from you for the following purposes:

  • to provide our Services to you
  • for customer service, support, security, fraud-detection, archival and backup purposes in connection with the provision of our Services
  • for sending you direct marketing offering or advertising our products and Services and/or the products and services of selected third parties (we will not use your Personal Data for this purpose unless you have given us your consent to do so)
  • to better understand how you access and use our Services, and to try to improve our Services, and to respond to customer desires and preferences
  • as required by or under any law or regulation applicable to us or any of our affiliates (whether in Hong Kong or elsewhere) or at the request or direction of any regulator, law enforcement agency, or other officials (whether in Hong Kong or elsewhere)
  • for running and administering promotions, sweepstakes, or other features


3. How we share your information

We may share your information within our group of companies and to third-party service providers, contractors, and agents for any of the purposes set out in the “How we use your information” section. In addition, these third parties may be located and use and store your information outside of your jurisdiction for these purposes.


4. How we transmit, protect, and store Personal Data

Security of communications

It is important to note that transmitting information over security system or the internet cannot be guaranteed to be one hundred percent secure. There is a risk inherent in the submission of information online and the use of email and facsimile. Please be aware of this when requesting information or sending forms to us online or by email or facsimile, for example, from the “Contacting us” section. We recommend that you do not include any sensitive information including credit card details when submitting information online, using email, facsimile or when using any public computers/public WIFI.

Security Control

  • We take commercially reasonable administrative (e.g., information security and access policies), technical, and physical safeguards designed to protect the Personal Data that we possess. Despite such efforts, however, please note that no company can fully eliminate risks or guarantee complete security of Personal Data. We cannot guarantee the security of your Personal Data transmitted through the Services or otherwise via the Internet – any transmission is at your own risk. Unauthorised entry or use, hardware or software failure, and other factors may also compromise the security of your information. Further, while we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Personal Data hosted on databases run by third parties, and to the extent legally permissible, we bear no liability for uses or disclosures of personal information or other data arising in connection with theft of the information or other malicious actions.
  • We store certain customer information and reservation details in our Customer Information System and Reservation System on our subcontractor’s secure servers. Our server resides behind various measures such as firewalls, authentication, access control, integrity protection, encryption and anti-virus tools designed to protect Personal Data collected from you against unauthorised or accidental access. Because laws applicable to personal information vary by country, our hotels or other business operations will put in place additional measures that may be different depending on the applicable legal and regulatory requirements.
  • Your Personal Data will be stored for the period of time required to fulfil the relevant purpose described in Section 1 (How we collect and use Personal Data) above unless otherwise required or permitted by law. If information is used for two purposes, we will retain it until both purposes have been fulfilled, but we will stop using it for a purpose once that purpose is fulfilled.
  • Our retention periods are based on business needs and on the applicable statutory requirements.


5. Your Rights

Opt-out of Marketing

You have the right to ask us not to process your Personal Data for marketing purposes at any time. You can exercise your right by checking certain boxes online or on the data collection forms, by talking to us in person, or by contacting us via the manner as set out in the Section 6 below and relevant annexes. If you opt out of receiving our marketing messages, where permitted by the applicable laws, you may continue to receive other messages from us as required by the relationship between you and us.

Other rights

Subject to various exceptions and applicable data protection laws in your country, you may enjoy the following rights and exercise them by contacting us via the manners as set out in the Section 6 below and relevant annexes:

  • Access: you may ask us to provide you with access to your Personal Data and further details on the use we make of your Personal Data and who we share your Personal Data with.
  • Correction: you may ask us to correct any inaccuracies in the Personal Data we hold about you.
  • Complaint: if you are not satisfied with our use of your Personal Data or our response to any exercise of these rights, you may complain to the data protection authority in your country.
  • Erasure: you may ask us to delete your Personal Data if we no longer have a lawful ground for use, unless otherwise required or stipulated by applicable laws and regulations, but we will let you know if that is the case.
  • Withdrawal of consent: where processing is based on consent (e.g., marketing, or certain uses of the special categories of Personal Data), and to the extent provided by applicable laws and regulations, you may withdraw your consent to certain processing activity or activities by us by contacting us, and we will stop that particular processing activity. Where consent is required to process your Personal Data, if you do not consent to the processing or if you withdraw your consent, we may not be able to deliver the expected service. Please note that the right to withdraw consent is only available if the legal basis for processing Personal Data is consent.
  • Restriction: you may require that we stop processing your Personal Data (other than for storage purposes in certain circumstances). Please note, however, that if we stop processing such Personal Data, we may use it again if there are valid grounds under data protection laws for us to do so (e.g., for the defence of legal claims or for another’s protection).


6. Contact Us

You have the right to request access to and correct Personal Data that we hold about you, which requests will be reviewed and processed according to applicable law. If you would like to exercise these rights or you have any questions or concerns regarding this Privacy Statement or our data privacy practices, please get in touch with us:

Address: 2/F, 117 Chatham Road South, Tsim Sha Tsui, Kowloon, Hong Kong
Tel: +852 3951 8398
Email: [email protected]

Please allow 10 business days for us to process any data access requests. Where the request involves complex information gathering, we will advise you of the additional time needed to process your request.


7. Cookies

By using any of our websites (hereby referred to as, or, you consent to the use of cookies in accordance with this Cookies Policy. Cookies are useful because they allow a website to recognise a user’s device. Cookies allow you to navigate between pages efficiently, remember preferences and generally improve the user experience. They can also be used to tailor advertising to your interests through tracking your browsing across websites.


8. Changes to the Privacy Policy

In some instances, we may have to change, modify or amend this Privacy Statement to comply with the evolving regulatory environment or the needs of our business. All changes will be included in the latest Privacy Policy published on our Websites or Apps, so that you will always understand our current practices with respect to the Personal Data. Any changes to our Privacy Policy will become effective upon posting of the revised Privacy Policy. If required by the applicable laws and regulations, we will notify you of any major changes to this Privacy Policy. Unless otherwise required by the applicable laws and regulations, you will be deemed to have accepted and agreed the revised Privacy Policy then in effect by visiting our websites or using our services after such changes.