PRIVACY POLICY | SIMON’S BEACH RESORT

PRIVACY POLICY | SIMON’S BEACH RESORT

INTRODUCTION

Simon’s Beach Resort (“the Resort,” “we,” “our,” or “us”) is a private boutique beachfront resort located on the island of Ilashe, Lagos State, Nigeria. We are dedicated to providing an exceptional luxury beach experience for couples, groups, and individuals seeking relaxation, celebration, and leisure on the shores of Nigeria.

We value your trust and are committed to protecting the privacy and confidentiality of the Personal Data that is provided to us or collected by us during the course of our our hospitality operations, reservations, and digital interactions.

This Privacy Policy (“Policy”) applies to all personal data processed by the Resort in relation to our guests, visitors, customers, employees, vendors, business partners and any other individuals or user of our services. It covers both online and offline data collection and explains in detail – how we collect, use, store, share, and protect personal information obtained through our website booking platforms, direct communications, visit our resort, participate in our activities and in the course of delivering our services or accessing our website. It outlines your rights regarding your personal information and provides details on how to contact us should you have any questions or concerns about our privacy practices.

SCOPE OF THIS POLICY

This Policy governs the collection, use, storage, disclosure, and protection of personal information in connection with all our activities, including but not limited to:

• Accommodation reservations and check-in/check-out processing
• Curated packages: Baecation (Couples Beach Getaway), Squad Retreat (Overnight Group Getaway), Exclusive Resort Hire, Beach Day Party, Beach & Chill, Overnight Solo Stay, and Overnight Beach Celebration
• Private boat charter bookings and island transport arrangements
• Beachfront dining, bar, spa, and leisure facility usage
• Interaction with our website, online booking portal, and newsletter
• Any other service or experience delivered by Simon’s Beach Resort

It applies to guests, event clients, visitors, prospective guests who enquire about our offerings, and anyone else whose personal information we process in the ordinary course of our hospitality operations.

CONSENT FOR COLLECTION, USE AND DISCLOSURE

By accessing our website, reaching out to us, or making use of any of our services, you indicate that you have read and understood this Privacy Policy and agree to the collection and processing of your personal data as described herein. Where you share the personal information of another individual with us, you represent that you have obtained that person’s prior consent to do so.

This Policy will be reviewed and revised from time to time to remain consistent with applicable data protection legislation. It currently reflects the requirements of the Nigeria Data Protection Act (NDPA) 2023. Any updated version will be made available on our website with a clearly stated effective date. Unless you have withdrawn your consent, the most recent version of this Policy will apply to the processing of your personal data.

You retain the right to withdraw your consent at any time by reaching out to us using the contact details set out in this Policy. Please be aware that doing so may affect our ability to provide you with certain services. We encourage you to take the time to familiarize yourself with this Policy understanding how we handle your information allows us to deliver a better, more personalized experience while honoring your right to privacy.

WHAT WE MEAN BY “PERSONAL DATA”

Personal Data” means any information that is capable of identifying you, either on its own or in combination with other information, regardless of whether it was gathered online or offline and whether it relates to a guest, employee, partner, vendor, or any other individual. This includes, but is not limited to, a person’s name, identification number, location data, online identifier, or any characteristic that speaks to their physical, physiological, genetic, psychological, cultural, social, or economic identity.

What Personal Data We Collect

The personal information we collect varies depending on the nature of your interaction with us. Below is an overview of the categories of information we may hold:

• Identification Information: Name, date of birth, gender, nationality, passport number, national identification number (NIN), tax identification number (TIN), and other official identifiers.
• Contact Information: Email address, phone number, residential and business addresses and any next of kins or third-party required for emergency contact information.
• Gender: Male or Female
• Reservation and Stay Details: Check-in/check-out dates, room type, number of guests, special requests, Special accommodation requests, package selections (e.g., Baecation, Squad Retreat, Corporate Retreat, Day booking, and Exclusive Resort Hire), and other booking preferences.
• Financial and Payment Information: Bank account details, Billing addresses, transaction details, payment records, transaction records, invoices, payment references and bank account information where directly relevant to processing a payment or refund.
• Digital Information: IP address, device identifiers, browser type, and website usage analytics obtained through cookies and similar technologies when you visit https://Simon’sresort.com/.
• Security and Safety Data: CCTV footage captured within the resort premises, event spaces, and on our private boat charter, in accordance with our security protocols.
• Health or Special Requirements: Dietary preferences, allergies, or accessibility needs shared at the time of booking to facilitate your stay.

Note: We collect this information solely to ensure your comfort and safety during your visit. We will never use health-related information for any unrelated purpose.

• Communication Records: Feedback, complaints, inquiries, and any correspondence with our representatives. All such information is collectively referred to in this Policy as “Personal Data.”

HOW WE COLLECT AND USE YOUR PERSONAL DATA

We collect personal data through various lawful and transparent means, depending on how you interact with us and the nature of the services we provide. The data we collect enables us to operate efficiently, deliver our services effectively, and meet our legal and contractual obligations.

a.    How We Collect Your Personal Data

We gather personal information through several channels, depending on how you engage with us:

• Directly from you: When you make a reservation, complete an enquiry form, correspond with our team by phone, email, or in person, or provide information at check-in.
• Through our website: When you browse https://simonsresort.com or use our online booking portal, we automatically collect certain technical data through cookies and analytics tools.
• From third-party sources: In limited circumstances, we may receive your information from authorized partners such as travel agencies, payment processors, or booking platforms, solely where this is lawful and necessary.
• From CCTV systems: Surveillance footage is captured automatically in monitored areas of the resort for security and safety purposes.

b.    How We Use Your Personal Data

We use personal information only for legitimate, clearly defined purposes. Specifically, we may use your information to:

• Confirm, manage, and fulfil your accommodation reservation or event booking.
• Verify your identity at check-in and throughout your stay, as required by resort security and legal protocols
• Coordinate the specific arrangements included in your chosen package whether that is a romantic Baecation setup, a Squad Retreat, a Beach Day Party, an Overnight Beach Celebration, or a full Exclusive Resort Hire
• Process payments, issue receipts or invoices, and maintain accurate financial records
• Communicate with you before, during, and after your stay regarding arrangements, confirmations, and follow-up feedback
• Respond to enquiries, handle complaints, and provide general guest support
• Personalize your experience by accommodating dietary needs, accessibility requirements, or celebration preferences you have shared with us
• Maintain the safety and security of guests and resort premises, including through the operation of CCTV systems
• Send newsletters, promotional offers, and updates about new packages or events.  (you may opt out of these communications at any time)
• Comply with legal, regulatory, and contractual obligations under Nigerian law
• Detect, investigate, or prevent fraud, security breaches, or unlawful activity

LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA

Each time we collect Personal Data, we ensure that it is processed on a lawful basis. We will only use your Personal Data if and to the extent that applicable law allows. In compliance with the NDPA 2023, our processing of your Personal Data is based on one or more of the following lawful grounds:

• Your Consent: Where you have expressly agreed to the collection and use of your data for example, when you subscribe to our newsletter or share health-related preferences. You may withdraw consent at any time.
• Contractual Necessity: Where processing is necessary to enter into or perform a contract with you, or to take steps at your request before a contract is concluded. This includes using your personal data to manage reservations, confirm bookings, process payments, facilitate check-in and check-out, arrange boat transfers, deliver selected resort packages and services, and communicate with you about your stay or event.
• Legal Obligation: Where we are required by the law or regulatory authority to process or retain certain information for instance, for tax, accounting, or security compliance purposes.
• Legitimate Interests: Where we have a genuine operational or business reason to process your information, provided this does not override your fundamental rights. Before relying on this basis, we conduct a Legitimate Interest Assessment (LIA) as required under the NDPA General Application and Implementation Directive (GAID) 2025, to confirm that our purposes are proportionate and do not unfairly impact on your rights.
• Vital Interests: In exceptional circumstances, where processing is urgently necessary to protect your physical safety or that of another person on our premises.

WHO DO WE SHARE YOUR PERSONAL DATA WITH?

Your personal information will not be passed on to any third party unless doing so is genuinely necessary for the running of the resort, required by law, or expressly authorised by you. In every instance where sharing becomes necessary, we handle it with care, ensuring it is done lawfully, securely, and responsibly in line with Nigeria’s applicable data protection framework.

In the course of operating Simon’s Beach Resort including managing reservations, coordinating boat charter arrangements, processing payments, and delivering our full range of guest experiences we may share your personal data with affiliated entities, trusted service providers, financial institutions, professional advisers, regulatory bodies, government authorities, and operational partners, but only to the extent required to fulfil the purpose for which your information was originally collected.

We do not allow our third-party service providers to use your Personal Data for their own purpose and only permit them to process your Personal Data for specified lawful purposes and in accordance with our instructions. We will only transfer your Personal Data to a party/entity agreed by both parties where the need arises and where we have taken the required steps to ensure that your Personal Data is protected. Such steps may include placing the party we are transferring information to under contractual obligations to protect it to an adequate standard. These third parties are required to comply with our data protection policies and maintain the same level of security and confidentiality that we uphold.

For the avoidance of doubt, it is important to point out that we may disclose your personal information for the purposes of:

1. responding to requests from law enforcement agencies, regulators or courts, or to subpoenas, search warrants, or other legal requests;
   1. the prevention and/or detection of crime;
   1. establishing legal rights or to investigate or pursue legal claims;
   1. preventing risk of harm to an individual.

HOW LONG DO WE RETAIN YOUR DATA

We keep personal information only for as long as is necessary to fulfil the purpose for which it was collected, or as required by law. Our retention periods are guided by the nature of the information and the purposes for which it is held:

• Reservation and guest records are retained for a period consistent with our legal, tax, and audit obligations
• Financial and transactional data is held in accordance with Nigerian financial record-keeping requirements
• CCTV footage is retained for a reasonable period, typically not exceeding 30 days, unless required for an ongoing investigation or legal matter
• Marketing records are held until you opt out or we otherwise determine that continued retention is no longer warranted

Once personal information is no longer required and there is no legal or regulatory obligation to retain it, we will securely delete or anonymise it in a manner that renders it irrecoverable.

HOW DO WE PROTECT YOUR PERSONAL DATA

Protecting the personal information of our guests is a responsibility we take seriously. We employ a combination of technical and organisational safeguards to prevent unauthorised access, loss, misuse, alteration, or disclosure of your data. These include:

1. Secure, encrypted payment processing systems
2. Controlled access to guest information, limited to authorised personnel with a genuine operational need
3. Physical security measures at the resort, including access-controlled residential floors and 24-hour armed security personnel
4. Data protection training for staff members who handle guest information
5. Contractual data protection obligations placed on all third-party service providers

While we take every reasonable precaution, no method of electronic transmission or data storage is entirely infallible. Any information transmitted through our website or digital channels is shared at your own risk, and we encourage you to take appropriate precautions such as using secure networks and protecting your login credentials.

ACCURACY OF PERSONAL INFORMATION

We rely on the information you provide to deliver a seamless and personalised resort experience. We make every reasonable effort to ensure that personal information held on our systems is accurate and current. However, you bear responsibility for notifying us promptly of any changes to your contact details, identification information, or billing address.

By submitting personal information to us, you confirm that it is accurate and complete to the best of your knowledge at the time of submission.

YOUR RIGHTS

You are entitled to certain rights under NDPA 2023 with regards to the collection and processing of your Personal Data by us. These rights are:

• Right to Access: you have the right to request access to the Personal Data we hold about you, along with information on how it is being processed.
• Right to Rectification: you may request that we correct or update any inaccurate, incomplete, or outdated information about you.
• Right to Erasure (“Right to be Forgotten”): you may request that we delete your Personal Data when it is no longer necessary for the purpose for which it was collected, or where you withdraw your consent and no other lawful basis exists for processing.
• Right to Restrict Processing: you may request that we temporarily suspend or limit the processing of your data under certain circumstances for example, while we verify the accuracy of your information.
• Right to Data Portability: you may request a copy of your personal data in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller where technically feasible.
• Right to Object: you may object to the processing of your personal data for certain purposes, such as direct marketing or processing based on our legitimate interests.
• Right to Withdraw Consent: where processing is based on your consent, you may withdraw that consent at any time. Please note that this will not affect the lawfulness of processing carried out before the withdrawal.

To exercise your rights, please contact us via our Data Protection Officer (DPO) whose information is provided in the Contact Us section below.

CHILDREN’S PRIVACY

Simon’s Beach Resort welcomes families as well as couples and groups. However, our services are designed primarily for adults aged 18 and over. We do not knowingly collect or process personal information from individuals under the age of 18 without the verified consent of a parent or legal guardian.

If you are a parent or guardian and believe that your child has provided us with personal information without your knowledge or consent, please contact us immediately using the details below. Where we confirm that personal information has been inadvertently collected from a minor without appropriate consent, we will take prompt steps to delete such data.

INTERNATIONAL DATA TRANSFER

Simon’s Beach Resort is a Nigerian-based operation, and our data processing activities are primarily conducted within Nigeria. As of the effective date of this Policy, we do not routinely transfer personal information outside the country.

Should any transfer become necessary for example, in connection with a cloud-hosted platform or international service provider we will ensure that appropriate safeguards are in place in accordance with the NDPA 2023 and the GAID 2025. These may include data transfer agreements, assessments of the recipient country’s data protection adequacy, and other legally recognized mechanisms. Such transfers will only proceed under conditions permitted by applicable law, including where you have provided explicit consent or where the transfer is necessary for the performance of your contract with us.

DATA BREACHES AND INCIDENT RESPONSE

Simon’s Beach Resort has procedures in place to detect, investigate, and manage data security incidents. In the event of a breach that poses a risk to your rights and freedoms:

• We will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, in accordance with the NDPA 2023
• We will inform affected individuals within 7 days of confirming the nature and scope of the incident, describing the type of data involved, the likely consequences, and the remedial steps we have taken or intend to take

If you suspect that your personal information or access credentials have been compromised, please contact our Data Protection Officer immediately so that we can investigate and respond without delay.

CCTV AND RESORT SECURITY

Surveillance cameras are operational in designated public areas of Simon’s Beach Resort, including communal spaces, the pool deck, outdoor entertainment areas, and the private boat charter vessel. These systems are maintained for the safety and security of our guests, staff, and property.

CCTV footage may be reviewed and used for the purposes of security monitoring, incident investigation, crime prevention, and emergency response. Access to recorded footage is strictly limited to authorised personnel and, where legally required, law enforcement or regulatory bodies.

Recordings are retained for a reasonable period unless required for an active investigation, legal proceedings, or regulatory compliance. Notices are displayed in monitored areas of the resort to inform guests of the presence of CCTV.

CONTACT US

If you have any questions, concerns, or complaints regarding this Privacy Policy, please contact us via email: Simonsbeachresort@gmail.com

If you are dissatisfied with how we have handled your Personal Data, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) in accordance with the provisions of the NDPA 2023 and the General Application and Implementation Directive (GAID), 2025. You also have the right to contact us first to resolve any concerns before approaching the NDPC.

Last Updated: June 23^rd, 2026