Privacy Policy

DISCLAIMER

The Legendary Vacation Club is not owned, developed, marketed or sold by Hard Rock Limited and its affiliates, (collectively, "Hard Rock"). Hard Rock is not liable or obligated to any Member or Purchaser of the Legendary Vacation Club, and Hard Rock makes no warranty regarding the Legendary Vacation Club. The Members and Purchasers of the Legendary Vacation Club will not obtain any right to any Hard Rock trademark.

PRIVACY NOTICE

This Privacy Notice is issued in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties, its Regulations, and the General Guidelines for Privacy Notices (hereinafter, the “Law”), and governs the processing of the personal data of individuals who, as clients, prospects, or members, participate in or maintain a legal or commercial relationship with the vacation club program known as Legendary Vacation Club (hereinafter, the “Vacation Club”)

1. Identity of the Data Controller
Solaya Hospitality Management Group, S. de R.L. de C.V. (hereinafter, the “Controller”), with registered address at
Avenida Bonampak, Supermanzana 9, Manzana 2, Ground Floor, Tower N, Floors 7 to 11 and Tower S, Floor 7, Cancún, Quintana Roo, Mexico, C.P. 77503, is responsible for the processing of the personal data of the individuals (hereinafter, the “Individual”).

2. Means of Collecting Personal Data
We collect your personal data directly through:

• Physical or electronic forms completed by the individual, including those used to request information, register, participate in presentations, informational sessions, or affiliation processes, as well as for the preparation, execution, and administration of contracts, agreements, and other documents related to the Vacation Club.
• Our own communication and contact channels, such as websites, applications, contact centers, email, phone calls, text messages, instant messaging services, and other service channels used for the promotion, marketing, and provision of Vacation Club services.
• The capture of images and, where applicable, audio, through video surveillance systems installed in offices, commercial areas, or facilities related to the Vacation Club, for security and control purposes. 

We may also collect your personal data indirectly through:

• Affiliated companies, subsidiaries, commercial partners, or service providers involved in the promotion, marketing, affiliation, administration, or provision of Vacation Club services, to the extent that such transfer is necessary and permitted by applicable law.
• Third parties who refer, register, or provide information about the Individual, such as companions, partners,references, or persons who request information, presentations, or affiliation processes on the Individual’s behalf.
• Platforms, campaigns, events, or commercial prospecting mechanisms used to attract prospects interested in Vacation Club services.

What Personal Data Do We Collect?

The personal data processed by the Controller are grouped into the following categories:

1. Personal data
1.1 Identification and Contact Data: First and last name, Date of birth, Age, Marital status, Nationality, Occupation, Address, Telephone number, Email address, Fax number.

1.2 Demographic and General Data: Date of birth, Place of birth, Nationality, Age
1.3 Official Identification Data: Official identification documents, Unique Population Registry, Code (CURP), Social Security number.
 
2. Financial and/or Patrimonial Data: Credit or debit card information

The Controller informs that, for the purposes described in this Privacy Notice, it does not collect or process sensitive personal data, as defined under the Federal Law on the Protection of Personal Data Held by Private Parties. In cases where the Individuals are minors, personal data will be collected with the express authorization of the person who holds parental authority, guardianship, or legal representation.

3. For What Purposes Will We Use Your Personal Data?

The processing of personal information will be carried out in accordance with the principles of legality, quality, consent, information, purpose limitation, loyalty, proportionality, and accountability set forth in the Law.

Primary Purposes

The primary purposes that give rise to the processing of personal data and are necessary for the legal relationship between the Controller and the Individual include:
• To invite, contact, and manage the attendance of the Individual and, where applicable, their partner, to presentations, informational sessions, or experiences related to the Vacation Club.
• To identify and verify the Individual’s identity, as well as to create and maintain files, administrative, commercial, and contractual records related to Vacation Club services.
• To evaluate the Individual’s profile to determine their eligibility for or interest in Vacation Club products and services.
• To provide Vacation Club services, including formalization, preparation, administration, execution, and follow-up of contracts, agreements, and other related legal documents.
• To manage affiliation and enrollment processes, data updates, renewals, contractual modifications, and the handling of requests related to the membership.
• To maintain communication before, during, and after the affiliation process, including the sending of operational, contractual, administrative, or informational notices necessary for the provision of services.
• To manage payments, charges, invoices, collections, and other financial obligations arising from the contractual relationship with the Vacation Club.
• To address inquiries, clarifications, complaints, claims, or requests, as well as to follow up on incidents related to Vacation Club services.

Secondary Purposes

Additionally, the Controller informs that personal data may be processed for the following secondary purposes:
• Commercial prospecting, promotion, and offering of products, services, benefits, updates, or programs related to the Vacation Club.
•To prepare statistical, commercial, and market analyses, including segmentation studies, profiling, and customer behavior analysis.
• To evaluate the Individual’s profile for commercial purposes, including pre-qualification prior to sales presentations.
• To use the Individual’s image (photographs and/or video) for advertising, promotional, marketing, corporate image, and campaign purposes in printed, digital, or electronic media related to the Vacation Club.

If the Individual does not wish their personal data to be processed for these additional purposes, they may express
their refusal through a written request signed by the Individual or their authorized representative and sent to the
following email address: privacy@pamhotels.com. Refusal to allow the processing of personal data for these secondary purposes shall not be grounds for denying the provision of contracted services or access to the Vacation Club’s products, benefits, or programs.

Automated Processing of Personal Data The Controller informs that personal data are not used in automated decision-making processes, without human intervention that produce legal effects or significantly affect Individuals. However, for operational and service administration purposes, the Controller may use technological tools or systems to support the management of services provided to the Individual.

4. Automated Processing of Personal Data
The Controller informs that personal data are not used in automated decision-making processes, without human
intervention, that produce legal effects or significantly affect Individuals. However, for operational and service
administration purposes, the Controller may use technological tools or systems to support the management of
services provided to the Individual.

5. With Whom Do We Share Your Personal Information and for What Purposes?

Transfers of personal data, within or outside Mexican territory, may occur as necessary to fulfill the purposes described above, to the following third parties, who may act as data processors, following the direct instructions of the Controller. 

Third parties

Service providers of the Controller

Purposes

To carry out the contracted services, necessary for the provision of services to the Individual or for the fulfillment of the purposes previously described in this Privacy Notice. The personal data collected may be shared with:

• SMTouring
• AGILYSYS NV, LLC
• Mankara Technologies Inc.
• Sabre GLBL Inc.
• Worldpay, LLC
• ParGolf
• Book4Time, Inc.
• Odyssey Proyección Empresarial, S.A. de C.V.
• Oracle Hospitality LLC
• Nuvola, Inc.
• Inversiones Zahena, S.A.
• Inversiones Valozo, S.A.
• Hard Rock Limited
• Nobu LLC
• Marriot Switzerland Licensing Company, S.A.R.L.
• Interval International Inc.
• Resort Condominiums International de México, S. de
R.L. de C.V.
• Schonusa, LLC.
• Global Vacation Trade S.A. de C.V.
• 3rd Home Limited Co
• Arrivia, Inc.
• Yachtclub Vacations, S.A. de C.V.
• Flip.to

6. How Can You Access, Rectify or Cancel Your Personal Data, or Object to Its Use?
You have the right to know what personal data we hold about you, what we use it for, and the conditions under which it is used (Access). You also have the right to request the correction of your personal information if it is outdated, inaccurate, or incomplete (Rectification); to request that we delete it from our records or databases when you consider that it is not being used in accordance with the principles, duties, and obligations provided by applicable law (Cancellation); and to object to the use of your personal data for specific purposes (Objection). These rights are known as ARCO rights.

To exercise any of your ARCO rights, the Individual must submit a written request addressed to the Data Protection Office, either by email to privacy@pamhotels.com or in writing to Avenida Bonampak, Supermanzana 9, Manzana 2, Ground Floor, Tower N, Floors 7 to 11 and Tower S, Floor 7, Cancún, Quintana Roo, Mexico, C.P. 77503

When submitting a request to exercise ARCO rights, the following must be considered:

The applicant must be the Individual to whom the personal data belongs, or their legal representative. In both cases, identity must be duly accredited through official documentation (Voter Identification Card, Passport, Military Service, Card, or Professional License). If a legal representative exists, their identity and legal authority must be accredited by attaching the corresponding documents (Public Instrument such as a Power of Attorney, declaration made by the Individual in a personal appearance, or, where applicable, a power of attorney signed before two witnesses).

A. The request must state the name of the Individual and the means by which the response should be communicated, indicating whether the Individual consents to being contacted by email
B. In addition to documentation proving identity and legal authority, a clear and precise description of the personal data in respect of which one of the aforementioned rights is to be exercised must be provided, as well as any other element or document that facilitates the location of such personal data. Documentation required for the specific right to be
exercised must also be included, in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties.
C. The following specific requirements apply to each ARCO right:

i. ACCESS: Indicate the personal data to which access is requested and that are believed to be held in our databases.
ii. RECTIFICATION: Specify the corrections to be made and attach documentation supporting the request.
iii. CANCELLATION: Identify the personal data requested to be deleted.
iv. OBJECTION: Specify the personal data for which processing is opposed and the reasons for the alleged harm caused by such processing.

If the information provided in the request is insufficient or inaccurate, or if the required documents are not attached, the Data Protection Office may request additional information and/or documentation within a period not exceeding five (5) business days. The Individual will then have ten (10) business days from receipt of such request to provide the requested information.
 
If the request contains sufficient information, the resolution period will be twenty (20) business days from the date the request is received. This period may be extended once for an equal period, when justified by the circumstances of the case, in accordance with applicable law.

If the resolution is favorable, it will be implemented within fifteen (15) business days following notification of the decision. This period may also be extended once for an equal period, when justified by the circumstances, and the Individual will be notified through the previously selected contact method

Upon request of access to your Personal Information, it shall be given digitally. Upon request of expressly requesting it, your Information will be sent in the form of copies to your indicated address.
 
The means by which the individual may obtain the requested personal data through the exercise of the right of access may include simple copies, electronic documents, or any other selected medium.

For questions regarding the procedure and requirements for exercising ARCO rights, the Individual may contact the Data Protection Office, which will process such requests and address any questions regarding the processing of personal data. Contact details are as follows:

• Authorized office: Data Protection Office

• Address: Avenida Bonampak, Supermanzana 9, Manzana 2, Ground Floor, Tower N, Floors 7 to 11 and Tower

S, Floor 7, Cancún, Quintana Roo, Mexico, C.P. 77503

• Email: privacy@pamhotels.com

 
7. How Can You Revoke Your Consent for the Use of Your Personal Data?
 
The Individual may revoke the consent granted for the processing of their personal data at any time. However, the Individual should be aware that in certain cases it may not be possible to immediately comply with such request or to cease processing, due to legal obligations that require continued processing of personal data. Likewise, the Individual should consider that revoking consent for certain purposes may result in the inability to 
continue providing the requested services or the termination of the legal relationship with us.
 
To revoke consent, the Individual may follow the same procedure established for the exercise of ARCO rights, by sending an email to privacy@pamhotels.com or submitting a written request to Avenida Bonampak, Supermanzana 9, Manzana 2, Ground Floor, Tower N, Floors 7 to 11 and Tower S, Floor 7, Cancún, Quintana Roo, Mexico, C.P. 77503.
For questions regarding the procedure and requirements for revoking consent, the Individual may contact the Data Protection Office, which will process revocation requests and address any related inquiries. Contact details are as follows:
• Authorized office: Data Protection Office
• Address: Avenida Bonampak, Supermanzana 9, Manzana 2, Ground Floor, Tower N, Floors 7 to 11 and Tower
S, Floor 7, Cancún, Quintana Roo, Mexico, C.P. 77503
• Email: privacy@pamhotels.com
To submit a consent revocation request, the applicant must be the Individual or their legal representative, and identity must be duly accredited using official documentation (Voter Identification Card, Passport, Military Service Card, orProfessional License). If a legal  representative exists, their authority must be accredited through the corresponding documents (Public Instrument such as a Power of Attorney, declaration made by the Individual in a personal appearance, or, where applicable, a power of attorney signed before two witnesses). The resolution of a consent revocation request will be issued within twenty (20) business days from the date the request is received.

How Can You Limit the Use or Disclosure of Your Personal Data?

In order to limit the use or disclosure of personal data, the following options are available:
• Registration in the Public Registry to Avoid Advertising, administered by the Federal Consumer Protection Agency
(PROFECO), to prevent personal data from being used for advertising or promotional communications from providers
of goods or services. Additional information may be obtained through PROFECO’s official website or by contacting the
agency directly.
• Sending an email to privacy@pamhotels.com requesting that personal data not be processed for marketing,
advertising, or commercial prospecting purposes.

 
8. Use of Cookies
The Controller’s website uses cookies and other similar technologies that allow monitoring of user behavior in order to provide a better browsing experience and offer products and services aligned with user interests. Personal data collected through these technologies may include, without limitation: browser type, operating system, IP address, pages visited, browsing time, and usage preferences. The Individual may disable or adjust cookie settings directly through their browser. However, disabling cookies may affect the functionality of certain features of the website. For additional information regarding the use of cookies and similar technologies, the Individual may consult the Cookie Notice available on the Controller’s website.
 
How Can You Be Informed of Changes to This Privacy Notice?
 
This Privacy Notice may be modified, updated, or amended due to new legal requirements; changes in the products or services offered; updates to privacy practices; or changes to the business model. The Controller undertakes to keep the Individual informed of any changes through its website at www.legendaryvacationclub.com.
Notifications regarding changes or updates to this Privacy Notice will be carried out as follows:
• Publication of banners on the Controller’s website informing of the changes or updates.
• Any modification or update will become effective the day following its publication through the aforementioned means.

The Individual declares that they have read and understood this Privacy Notice and grants express, informed, and voluntary consent for the processing of their personal data, including sensitive personal data and, where applicable, personal data of minors, in accordance with the purposes described herein, except where otherwise permitted by law. Such consent shall be deemed granted upon acceptance of this Privacy Notice, without prejudice to the Individual’s right to revoke consent at any time in accordance with the procedure described above.
 

Last updated: January 1, 2026