MyPass - Privacy Policy


Introduction

Please read the following Privacy Policy carefully to understand how and why we use your personal data in order for you to access and browse our websites or mobile apps and use our services.


About this Policy

This Privacy Policy is issued for Farah Experiences LLC (“Farah”, “we”, “us”, “our”). Farah regularly collect and use personal data about individuals who visit our attractions, browse our websites or mobile apps and use our services. Personal data is any information that can be used, directly or indirectly, to identify you as an individual.


Your privacy is very important to us and we understand our responsibilities to protect your personal data in an appropriate and lawful manner and in accordance with applicable data protection regulations. This Privacy Policy should be read in conjunction with our Cookies Policy, which together provide you with details of how and why we collect and process your personal data when you are using MyPass.


For any privacy queries, you can contact us at any time at privacy@farahexperiences.com.


Farah Experiences LLC
P.O. Box 128717
Abu Dhabi
UAE
License Number: CN-1147824


  • What is MyPass?

    MyPass is a centralised authentication service provided and managed by Farah Experiences LLC which allows you to seamlessly connect to various services throughout Abu Dhabi where available. Once you have created a MyPass, you can use your MyPass to login to all services that operate MyPass without having to register again at each service. For example, you can use your MyPass to login to certain websites or mobile apps or to WiFi at designated attractions.



  • Who is responsible for protecting your personal data?

    As the entity responsible for collecting your information when you use MyPass, Farah is a Data Controller of your personal data. Our affiliates and partners that use MyPass will also be Data Controllers of your personal data where you use MyPass to engage with their services (for further information, please review sections 4 and 6 below). In certain circumstances (for example, where you use MyPass as part of our affiliates’ or partners’ services and your information is solely hosted within our digital platform as part of providing the MyPass service), Farah may also be acting as a Data Processor of your personal data.


    This Privacy Policy provides information on how and why we process your personal data in connection with providing MyPass, including how your personal data is shared with third parties such as our affiliates and partners who use MyPass at their attraction, on their website or mobile app or other services. This Privacy Policy is not intended to cover use of your personal data by those third parties; for further information on how those third parties use your personal data, please review the respective third party’s Privacy Policy on the relevant website, mobile app or WiFi service.


    This Policy is additional to and is not intended to override other notices or policies we may provide to you or the terms of any contract that you have with us (for example, specific attraction or ticket terms and conditions), or any rights you may have.



  • What personal data do we collect, and how, when you sign up to MyPass?

    Information we collect directly from you

    • Information that you personally provide to us when registering for or using MyPass may include:

      • your first name, last name, nationality, date of birth, country of residence, city of residence, e-mail address, telephone number;
      • your chosen marketing preferences and objections;
      • your preferred language and information about your preferences or interests;
      • general enquiry details and any other information or messages you decide to provide to us;
      • if purchasing certain services or an annual pass to one of our attractions, this will also include photograph/s and a copy of your emirates ID or passport;
      • if availing yourself of a special offer such as an employee benefit, the relevant employee details to verify eligibility;
      • first name, last name and date of birth for your family members, and their relationship to you, where you have chosen to add your family members’ details to your profile (where this option exists on a particular website or mobile app). If you give us personal information about other people (such as family members or friends), you should make sure you have their permission to do so;
      • credit or debit card and transaction details if make a payment for our products and services on any of our websites or mobile apps (where available), which we do not store and are provided directly to our payment solution provider via a secured connection. All credit or debit card details and transaction processing adheres to global data security standards to protect cardholder data;
      • for certain services, this may include special categories of personal data. For example:

        • where you consent to use FacePass, this may include your biometric information. The photo taken or uploaded for FacePass is used only to convert your face into a unique numerical identifier (your FacePass). For further information on the use of your personal data in connection with your FacePass, please review sections 4 and 6;
        • biometric information: as used in this Policy, biometric data includes “biometric identifiers” and “biometric information”. “Biometric identifier” means a scan of face geometry (Farah uses facial recognition for FacePass, please review section 4). Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.


    Information we collect indirectly

    We collect information you give us, information from your use of our products and services and information we get from third parties:

    • in some cases, information about you may be provided to us by a third party. For example, where you register for MyPass using your Facebook, Google or Apple account, we will receive certain information including your full name and email address in order to create your account;
    • this could also be relevant if a family member has registered for MyPass or enrolled you into certain MyPass services on your behalf. If you give us personal information about other people (such as family members or friends), you should make sure you have their permission to do so;
    • depending on the activity you are undertaking on MyPass, this information may include the same information as which you may have provided directly (as detailed within this section 3 above).


    Information we collect automatically

    • Information that we may collect automatically via cookies and other location based tracking mechanisms, when you are using our websites, mobile apps, WiFi or MyPass services. More information on the use of cookies is at section 9 below and in our Cookies Policy.
    • This information may include traffic data, location data, weblogs, communication data and the resources you access; for example, your IP address, device ID, device type, referrer URL, operating system and version, geolocation, email opens, push notifications, SMS clicks, browser type and browsing history.
    • Information may also be collected through campaign performance and engagement, including but not limited to information such as email opens, push notifications and SMS clicks.

  • How do we use your personal data?

    We will use your personal data for the following reasons:

    To provide your MyPass (Unique Customer Identity)

    • Where MyPass is available on the website, mobile app or WiFi service, when you choose to register for an account with us, we will collect your information to create a unique identifier for you called your MyPass, which is then used to authenticate you across the different services and enable you to enjoy a frictionless digital experience.
    • MyPass is a centralised authentication service provided and managed by Farah which allows you to seamlessly connect to various services throughout Abu Dhabi where available. Once you have created a MyPass, you can use your MyPass to login to all services that operate MyPass without having to register again at each service. For example, you can use your MyPass to login to certain websites or mobile apps or to WiFi at designated attractions.
    • In certain cases, we might use your location and activities for which you have used your MyPass for the purpose of creating a unique customer profile. For example, if you have connected to the Wi-Fi in an attraction using your MyPass and bought a ticket online for one of the attractions, we will associate these activities to your MyPass.
    • As detailed at section 6, your information may be shared with the other entities making use of MyPass.
    • Where you log in to MyPass with your Facebook, Google or Apple account details, those parties will receive information about your activity on our websites or mobile apps. For more details on the information that such parties receive and how they use this, please review their respective Privacy Policies at www.facebook.com/policy, www.policies.google.com and www.apple.com/legal/privacy/en-ww.


    To provide seamless digital experiences

    • Your MyPass information is collected and processed to enable you to enjoy a frictionless digital experience by allowing you to connect to various services seamlessly without having to manually register at multiple locations.


    To respond to you and perform the contract

    • We will use your information to process and respond to your requests, reservations or queries, when you register, subscribe or contact us, and to provide access to restricted parts of our websites or mobile apps if required. Where you purchase our services or products we use your information to enter and perform our contract with you.


    To improve our products and services

    • We use your information to provide content on our websites and mobile apps in the most effective way. Your information allows us to identify you as a user, remember your preferences and deliver an enhanced digital experience. Such data is not retained beyond your visit of the respective website page or mobile app, but may be kept in log files to allow us to maintain and improve our website or mobile app.


    To keep our services secure

    • Your information may be used to detect, investigate, prevent fraud and rectify potential errors in our Attractions, technology and against potential cyber-attacks or other abuse of our technology, and to prevent or mitigate any damages that may have been caused by such abuse.
    • While we take steps to maintain the security of your information, you should be aware of the many information security risks that exist and take appropriate care to help safeguard your information.


    FacePass and contactless services

    • FacePass services, including contactless access and contactless payment services, are provided by Farah at certain designated attractions on Yas Island (such as Ferrari World Abu Dhabi, Warner Bros. World™ Abu Dhabi and Yas Waterworld).
    • Contactless access involves the processing of your FacePass to identity you when entering the designated attractions; once your FacePass is enrolled you can enjoy easier and safer contactless entry to the attraction using your FacePass and without the need to scan your ticket or physically touch assets. The way this works is that you (or a parent or legal guardian, if the FacePass relates to a person under 18 years of age or a person of determination) can consent to enrol your FacePass. Enrolment may be done online after registering for MyPass on the Yas Island mobile app or website (where available), by uploading a photo of your face. Alternatively, enrolment may be done offline by completing the necessary requirements with guest relations at our designated Attractions and thereafter allowing the camera at the turnstiles to capture your photo.
    • Contactless payment involves the processing of your FacePass to identify you when making payments at operating food and retail outlets (where available) inside the designated attractions. The way this works is that (provided you are 18 or older) you can choose to link a debit or credit card to your FacePass through MyPass on the Yas Island mobile app or website (where available). Once this link is made you can enjoy making payments using your FacePass without the need to physically use the debit or credit card.
    • The photo taken or uploaded for FacePass is used only to convert your face into a unique numerical identifier (your FacePass) for means of facial recognition. Once authentication is confirmed, the photo is not stored beyond this purpose and cannot be reused or regenerated for any means. Due to different factors such as picture quality of device used, shading and lighting, your photo may be stored securely on systems within Farah’s premises for up to a maximum of four weeks to ensure authentication and accuracy of the photo. When this process is completed the photo is then removed. The unique numerical identifier is encrypted and the encrypted value is stored securely on systems within Farah’s premises and linked to your customer profile.
    • Contactless wristbands are being provided by Farah in conjunction with some of our affiliates or partners (for example, certain hotels in Abu Dhabi). Where such wristbands are issued, you can use these to access your hotel room and the designated attractions. Such wristbands may also be linked to your MyPass profile and may be used to access other services where available (for example, lockers at the Attractions). Contactless wristbands do not involve the processing of any biometric information.
    • The encrypted values are stored and processed solely for authentication purposes; in other words, when you are next making a contactless entry or contactless transaction your FacePass will be authenticated against the stored encrypted value and once matched the entry or transaction will be completed. Your FacePass and the encrypted values are not processed for any other reasons.
    • You can withdraw your consent for processing your FacePass and disable your payment information at any time by selecting the ‘Remove FacePass consent’ or ‘Manage your card’ options on the mobile app or website (where available). You can also contact us at privacy@farahexperiences.com. Where you withdraw your consent, such services will no longer be provided to you.


    WiFi services

    • To use WiFi services at available locations we may ask you to login with your MyPass and when you connect to the service we collect your mobile ID, device type and other location based data (where you have permitted collection of this in your chosen device settings) to enable us to provide these services to you in the most effective way. For example, this information allows your device to automatically connect to the WiFi and MyPass services without you having to manually connect to the network or service each time. In order to disable the automatic authentication, you can select ‘Forget this network’ from your WiFi or mobile device settings.


    Marketing

    • If you have provided your consent by opting in to receive personalised updates and offers, we may send you such updates and offers by email, SMS, mobile app notifications (only available via the mobile app where you have opted in to receiving them), WhatsApp, social media and post, or occasionally contact you by telephone. You may withdraw your consent to receiving such communications at any time by using the [‘unsubscribe’] link in any communication received, by contacting us at privacy@farahexperiences.com, or where the particular website or mobile app has the facility to create an account, by changing your marketing preferences within the account management function on the website or mobile app.
    • Our servers automatically protocol the consent gathering process to enable us to evidence that you have consented. For this purpose we will store the following information: email address, details of how and when consent was given, details of confirmation email sent and confirmation email clicked; including the date, time and IP address relating to the consent and clicked confirmation link, the wording of the consent and the information about the right to withdraw your consent at any time.
    • If you have opted in to hear from other companies in our group or our partners, you may also receive personalised updates and offers from such companies. You may withdraw your consent at any time by using the unsubscribe link in any communication received, by contacting us at privacy@farahexperiences.com, or where the particular website or mobile app has the facility to create an account, by changing your marketing preferences within the account management function on the website or mobile app.


    Personalised content, advertisements and services

    • Your personal information may be used to understand your customer journey and to provide you with personalised offers or advertisements. These offers or advertisements may be shown to you on our websites or mobile apps or the websites of third parties (for example, your chosen social media platforms).
    • Where we have permission to send marketing materials (as set out under Marketing in this section), these personalised offers and advertisements may be included within those updates and will be in accordance with your chosen marketing preferences.
    • Please note we do not carry out any automated decision making based on your information.


    Promotional or other activities

    • If (at your discretion) you decide to take part in any promotional activities such as employee benefits, competitions, surveys or interactive features of our services, your personal data may be processed to administer the activity or enable participation.


    Notifications

    • We may notify you of any changes or updates to your current services or subscriptions. For example, security alerts or important support or administration messages about your services or notices of when annual passes are due to expire.


    Legal obligations

    • We may have to process your information to comply with legal or regulatory obligations, where required by applicable laws. Information may be used to:

      • enforce our terms and conditions and other agreements, policies, and standards, including investigation of any potential violation thereof;
      • detect, prevent or otherwise address security, fraud or technical issues;
      • protect the rights, property or safety of us, our users, a third party or the public as required or permitted by law

      (including exchanging information with other companies and organisations for such purposes).


    Business analysis

    • We may use your information for our business purposes; for example, to carry out data analytics to assess consumer demands and trends.


    Aggregated or anonymised data

    • We may use your information to compile aggregated or anonymised data (data which does not identify you as an individual, such as statistical or demographic data), so that we can analyse and improve our products and services. However, if we combine aggregated data with your personal data so that it can identify you in any way, we treat the combined data as personal data and it will be used in accordance with this Privacy Policy.

  • What is the legal basis for processing your personal data?

    In most cases, we process your data at your request in order to enter into a contract with you and to perform our contract obligations (for example, to process your booking and issue your tickets). If the processing is not related to a contract, we will process your information on one of the following basis:

    • based on your explicit consent for us to do so (for example, when you use FacePass, or opted in to our mailing lists or promotions);
    • as required to comply with relevant legal or regulatory obligations (for example, to resolve disputes or enforce contracts);
    • where processing is mandatory for the establishment, exercise or protection of a right;
    • where data is publicly available;
    • as required to support the legitimate interests that we have as a business (for example, to carry out market research and analytics, protect against unlawful behaviour or online services (such as prevent fraud by ensuring tickets are in the hands of the purchaser), create a profile regarding your interactions, purchases and interests (such as to inform you of new services or attractions that may be of interest to you) and to further improve and market our products and services), provided always that such processing is carried out in a way that does not violate your fundamental privacy rights.


    With regard to special categories of personal data, such as the biometric information outlined at section 3, we require your explicit consent (or the consent of your parent or legal guardian) to process such information. Such consent can be withdrawn; however, this is likely to mean that the services that require consent (for example, FacePass) can no longer be provided to you. We will advise of such consequences of withdrawing your consent if you take this action. Please note that we will only rely on consent as a legal basis when we strictly require consent for processing. We will not rely on this legal basis in circumstances where we may rely on one of the other legal bases, as outlined above.



  • Who do we share your personal data with?

    Service providers

    We may share your information with third parties who provide a service to us. We do this where it is necessary for the service provider to have access to your information and solely for the purpose of them delivering that service to us. An example of this is when you purchase a service from us your payment details are processed by a third party payment solution provider.

    Our service providers include:

    • IT companies (e.g. hosting providers);
    • WiFi providers;
    • Payment solution providers;
    • Marketing or communication providers;
    • Developers;
    • Data analytics providers;
    • Survey or market research providers;
    • Professional advisers or auditors;
    • Regulators;
    • Insurers.

    Affiliates and partners



    Where you use your MyPass to access services provided by our affiliates or partners (for example, by using MyPass to sign into their website, mobile app or WiFi service), we share your information with those entities in order for those services to be delivered, and those entities will have access for the purpose of data analytics.


    If you opt-in to receiving marketing communications from our affiliates or partners when selecting your marketing preferences on our websites or mobile apps, we will share the information required in order for those affiliates and partners to contact you in the ways you have chosen.


    We also share information in connection with services we provide in conjunction with affiliates or partners; for example, to provide annual pass benefits, rewards or loyalty programs, or other benefits or services that you may wish to make use of.


    Other third parties

    We may also disclose your personal data:

    • internally, including any of the intra-group companies, our holding company and its subsidiaries where it is necessary to perform certain responsibilities efficiently as part of the service provided to you (for example, data may be accessible to certain types of persons involved within the operation of our services from our administration, IT, marketing or legal teams);
    • if required by applicable laws or regulations;
    • to government or supervisory bodies or agencies in response to their legitimate requests, or where it is in our legitimate interests to do so, even if such disclosure is not mandatory under law;
    • if you explicitly requested or authorised us to do so;
    • in the event we sell or merge whole or part of any business or assets, we would need to transfer your information to the acquiring company.

    We only share the information that is necessary for the required purpose so we do not disclose all of the information you provide to us and we do not sell, rent or lease your personal information to third parties under any circumstances.

    Aggregated or anonymised data may be shared with our service providers, affiliates or other third parties for the purpose of analytics and to improve products and services.

    The categories of third parties to whom we disclose your information may change from time to time. We will update this Privacy Policy before any such changes take effect.

  • Links to third party websites

    You may have accessed one of our websites by clicking a link on a third party website; for example, you may have clicked a link on one of our partners’ websites so that you could view package holiday options and were then redirected to our website. Similarly, our websites contain links to our partners’ websites.


    We also integrate our websites or mobile apps with third party products (for example, Google Analytics, Facebook, Twitter) to enable us to measure the performance of our websites and website content, present personalised offers and enable you to share, like and recommend pages to others via social media.


    We are responsible for protecting your personal data when you visit our websites but are not responsible for the websites of any third parties, and this Privacy Policy does not govern any third party websites. You are responsible for understanding how your personal data is used by third party websites and we recommend that you review the privacy policy on the relevant website.

  • Transfers outside of the EEA

    As a business located outside of the European Economic Area (“EEA”), we process your information outside of the EEA and in some cases (as described in section 6), your information may be transferred to and processed by third parties who are also located outside of the EEA.


    We will only transfer your information to such third parties where we have made arrangements to ensure that your data is treated securely in accordance with this Privacy Policy and applicable law.


  • Cookies

    Our websites use cookies which help us provide you with a better website and browsing experience, by enabling us to monitor which pages you find useful and which you do not. You can choose to accept or decline cookies; most web browsers will automatically accept them but you can usually modify your browser settings to decline cookies if you wish to; however, this may prevent you from taking full advantage of the website.


    More detailed information on our use of cookies and the options available to you is contained within our Cookies Policy.


  • Security

    We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place appropriate technical and organisational security measures to safeguard and secure the information we collect. Whilst we have implemented such measures, we cannot completely guarantee the security of your information; any transmission by you is at your own risk.


    We store your personal data in a centralised database hosted in the cloud, and affiliates or partners might have access to this database where such entities make use of MyPass.


    You are responsible for maintaining the confidentiality of any password or account details.


    Where you chose to click a link to any of the websites of our partners, advertisers and affiliates, please note that those websites have their own privacy policies and we do not accept any responsibility or liability for their policies or their security of your personal data. Please check their policies before you submit any personal data to those websites.


  • Retention

    Unless otherwise required by applicable law, we will retain your information for as long as is necessary for the relevant purpose outlined in this Privacy Policy. If you register for an account with us, your information will be retained for as long as your account is active and after closure for an additional period to administer any requests concerning your account. If you wish to delete your account or any data related to it, please contact us at privacy@farahexperiences.com.and we will execute your request.


  • How you can control your personal data

    You have certain rights in relation to your personal data as determined by applicable data protection laws.


    If you benefit from the rights of a data subject under the European Union General Data Protection Regulation 2016/679, or the Dubai International Financial Centre Data Protection Law No. 5 of 2020, you will have certain additional rights in relation to our handling of your personal information, including:


    You have the right at any time to:

    • be informed of the use of your personal data;
    • access, rectification or erasure of your personal data;
    • restrict and/or object to the processing of your personal data;
    • data portability;
    • not be subject to any decision based solely on automated processing of your personal data.


    You can exercise some of these rights when providing data to us at registration or purchase or when contacting us, by reviewing and selecting or deselecting the boxes on the forms you are required to complete. Where the particular website or mobile app has MyPass or the facility to register for an account, you can also exercise some of these rights via the account management tools on our website or mobile app.



    If at any time you wish to unsubscribe or opt out from any communications we have sent you based upon your selected preferences, you may do so by using the one click unsubscribe link on those communications.



    You can also contact us at privacy@farahexperiences.com.



    If you wish to discuss how we have handled your personal data, you can contact us at any time and we will investigate this. If you are not satisfied with the response or believe we are not processing your data in accordance with the applicable law you can refer the matter to any competent data protection authority.


  • Contacting us

    For any privacy related queries, you may contact us at any time at privacy@farahexperiences.com.


    Please note, for your safety and to allow us to make sure that we do not disclose any of your personal data to any unauthorised third parties, we may need to verify your identity and guarantee the adequate exercise of your rights. In doing so, we may request specific information and/or documents from you before we can properly respond to any request received concerning your data. All data and documents received from you in the process of responding to your requests will be used strictly for the purposes of analysing your request, authenticating your identity, and responding to your request in full.


  • Updates to this Privacy Policy

    We may change this Privacy Policy in whole or part at any time by updating this page and without prior notification to the extent permitted by applicable law. Please ensure you review this page from time to time to take notice of any such changes. Most changes are likely to be minor but for substantive changes, we may provide additional notice to you by either providing a pop up notice or similar statement on our website, or by sending you an email. Your further use of our services after a change to our Privacy Policy will be subject to the updated policy. We indicate at the bottom of the Privacy Policy when it was last updated.


 

Last updated: 22-Mar-2021