Privacy Policy

This Privacy Policy ("Policy") explains what information we collect, how we use it, with whom we share it, and the choices you have to control, access, and update your information when you browse our website, http://www.esbnyc.com, use the software or services that we offer through the website, or use wifi services at any Empire State Realty Trust Inc. ("ESRT") property (collectively, the "Services").

Who are we?
How do we collect information from you?
Cookies and other technologies
How do we use your information?
Who has access to your information?
Our Legal Bases for Processing and Sharing Your Information
Cross Border Transfer
How do we store and protect your information?
How long we retain your information
Your choices with respect to your information
Privacy of individuals under 18
Links to other websites and services
Browser Do Not Track
EU Data Subject Rights
Contact us
Changes to the Policy

1. Who are we?

Empire State Realty Trust, Inc. ("ESRT"), a leading real estate investment trust ("REIT"), owns, manages, operates, acquires, and repositions office and retail properties in Manhattan and the greater New York metropolitan area, including the Empire State Building, the world's most famous building. Headquartered in New York, New York, ESRT's office and retail portfolio covers 10.1 million rentable square feet, as of March 31, 2018, consisting of 9.4 million rentable square feet in 14 office properties, including nine in Manhattan, three in Fairfield County, Connecticut, and two in Westchester County, New York; and approximately 700,000 rentable square feet in the retail portfolio.

2. How do we collect information from you?

When you use the Services we collect information in three ways:
(1) information you provide to us - for example: when you use the "contact us" form on the website or when you submit an application to use our trademarked names and images;
(2) information we collect when you use the Services - using “cookies” and other technologies to assess how you use the Services; and
(3) information we receive from third parties – e.g. third-party analytics or advertising providers.
Information you provide to us:
When you use our Services, we collect information that you choose to share with us.
If you contact us or fill out an application, for example, to gain permission to use our trademarked name or images, you will need to provide us with contact information, such as your full name, phone number, and email address. We also collect any other information that you choose to provide, such as your comments or questions or the details of your requests.
If you purchase tickets on the website or at one of the ticketing kiosks at the Empire State Building, you will need to provide us with your name, email address, billing address, and payment card information, as well as contact information for yourself or for the individuals for whom you are purchasing tickets so that we may email them a ticket directly.
If you choose to connect to our wifi network while visiting an ESRT property, we will collect your email address for the purpose of sending emails to you about our products and services. You may also choose to login to the wifi network using your social login credentials, e.g., your Facebook ID and password. If you do this, we will receive information from your Facebook account, including your full name, email address, country of residence, and gender for the purpose of sending emails about our products and services.
You may opt out of receiving promotional emails from us at any time by clicking on the "Unsubscribe" link in the footer of any email or emailing optout@esbnyc.com.
Information we automatically collect when you use the Services:
When you use the Services, we collect log file information, which your browser or device automatically reports each time you interact with the Services. This information may include:

details about your use of the Services such as when you access our Services and when you return;
device information, such as hardware settings, web browser type, and language;
IP address;
identifiers associated with cookies or other technologies that may uniquely identify your device or browser;
times you access pages;
pages you view, searches you submit; and
pages you visited before or after navigating to our website.

3. Cookies and other technologies

When you use the Services, we or our third-party providers place a text file called a “cookie” in the browser directory of your computer’s hard drive. These may be session cookies, which expire once you close your browser, or persistent cookies, which stay on your device for a set period of time or until you delete them. We use these cookies to support the functionality of our website, including adjustments to content. Below is more detail about the types of cookies that we use:

Required: These cookies are required for the functioning of the website and may be used to implement security features or embed video or sound files.
Functional: These cookies record some of your activity on the website, as well as information about your device, such as what browser you are running and what pages you access. This information helps us and our third party service providers diagnose server and software errors, and in cases of abuse, track and mitigate the abuse.
Analytics: Our service providers, including Google Analytics, use cookies as part of their tools. These cookies allow our service providers and us to recognize and count the number of users of the website, see how they interact with the website and different functions, and determine how to improve the website.
Advertising: These cookies collect information in order to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers on websites that you visit, and in some cases selecting advertisements that are based on your interests.

Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to disable cookies on your browser (see below), but doing so may prevent you from using the full features of the Services. For information about your choices regarding these technologies, please see “Your Choices with Respect to your Information” below.
Google Analytics: We use Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics may set cookies on your browser or mobile device or read cookies that are already there to collect information. Google Analytics may also receive information about you from apps you have downloaded that partner with Google. Google Analytics collects information such as how and how often you use the Services. We use the information provided by Google Analytics to improve the Services. We do not combine the information collected through the use of Google Analytics with personal information. For more information regarding how Google collects, uses, and shares your information please visit http://www.google.com/policies/privacy/partners/.
Social media features: Our Services include social media features, such as Facebook or Twitter buttons. These features may collect your IP address, which page you are visiting while using our Services, and any Facebook cookies on your device (including your Facebook ID). These features may set cookies to enable the feature to function properly. Please note that the social media services may collect this information, even if you are not logged in to the relevant social media account when you are using the Services. Your interactions with these features are governed by the privacy policy of the company providing it.

4. How do we use your information?

We use the information we collect about you in order to improve our Services and provide you with features that interest and work well for you. We use the information to:

facilitate the purchase of tickets and provide you with our Services;
provide technical support for using the Services;
notify you of changes to our Services;
communicate with you about the Services by email, for example, to respond to your technical support inquiries;
personalize the Services by customizing the advertising content we provide you;
improve ad targeting and measurement (See the “Your Choices with Respect to your Information” section below for more information about our advertising practices and your choices);
develop new products and services and improve them and your experience with them;
seek your views or comments on the Services we provide;
send you information about our products or services and new offers which we think may interest you;
monitor and analyze trends and usage;
enhance the safety and security of our Services;
verify your identity or prevent or detect fraud or other unauthorized or illegal activity;
enhance the Services and your experience with them;
protect the rights, property, or safety of us, our users, or any other person or the copyright-protected content of the Services; and
enforce this Policy, the Terms of Use, and any other terms that you have agreed to.

We may analyze your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you and provide targeted advertising. (See the “Your Choices with Respect to your Information” section below for more information about your choices).

5. Who has access to your information?

We may share information collected about you in the following ways:
(1) With service providers, sellers, and partners;
(2) With analytics service providers and advertisers;
(3) With third parties for legal reasons;
(4) With third parties as part of an acquisition or liquidation; or
(5) Aggregated information with third parties.

With service providers, sellers, and partners:

We share information about you with service providers to perform functions and process your data and to help provide our Services, including hosting and storage providers or email service providers. In addition to using your information to help us provide our Services, service providers may use your personal information internally to improve their own services and may share it in connection with a sale, divestiture, or transfer of business assets; to protect their rights; or to comply with the law. In addition, our providers may share your personal information with their own third-party service providers. They may also combine the information about you that we share with them with contact and social media information related to you that they collect from publicly available sources or from third parties.

With analytics service providers and advertisers:

We let third parties use cookies, web beacons, and similar tracking technologies on our Services. They may collect information about how you use our Services and other websites and online services over time and across different services. This information may be used to, among other things, analyze and track data, determine the popularity of certain content, and better understand your online activity.
Some companies may use information collected on our Services to deliver advertisements on behalf of us or other companies, targeted to your interests and preferences, on other websites or apps you may visit or on your social media feed and to gauge their effectiveness. To learn about your choices regarding this sharing of your information please see “Your Choices with Respect to your Information” section below.

With third parties for legal reasons:

We would share information about you if we reasonably believe that disclosing the information is needed to:

comply with any valid legal process, governmental request, or applicable law, rule, or regulation;
investigate, remedy, or enforce potential violations of our Terms of Use or Privacy Policy;
protect the rights, property, and safety of us, our users, or others; or
detect and resolve any fraud or security concerns.

With third parties as part of an acquisition or liquidation:

If we are involved in a merger, asset sale, financing, corporate divestiture, reorganization, or acquisition of all or some portion of our business to another company, or if we undergo liquidation or bankruptcy proceedings, we may share your information with that company before and/or after the transaction closes or the proceedings are completed.

Aggregated information:

We also share with third parties—such as advertisers—aggregated or de-identified information and we do not limit our third-party providers from using, selling, licensing, distributing, or disclosing de-identified data.

6. Our Legal Bases for Processing and Sharing Your Information

We process your information and share it with third parties for the purposes described in this Policy, based on the following legal grounds:
(1) With your consent;
(2) For our legitimate interests;
(3) To fulfill our contractual obligations; and
(4) To comply with legal obligations.

With your consent:

We ask for your consent to process or share your information for specific purposes and you have the right to withdraw your consent at any time. For example, we ask for your consent to provide you with promotional information. We also ask for your consent to collect information through surveys.

For our legitimate interests:

We process and share your information for our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. For example, we process and share your information in order to help us:

Maintain and improve our Services;
Perform analytics and research aimed at improving the accuracy, effectiveness, usability, or popularity of the Services
Improve the content and features of the Services or develop new content and features;
Promote the Services;
Detect, prevent, or otherwise address fraud, abuse, security, or technical issues with the Services;
Protect against harm to the rights, property, or safety of ESRT, our customers, or the public as required or permitted by law; and
Enforce legal claims, including investigation of potential violations of applicable Terms of Use for the Services.

To fulfill our contractual obligations:

We process and share your information to provide a service you have requested under a contract. For example, we process your payment information when you purchase a ticket to visit the Empire State Building.

To comply with legal obligations:

We process and share your information when we have a legal obligation to do so, for example, if we’re responding to legal process or an enforceable governmental request.

7. Cross Border Transfer

We transfer, process, and store information about you on servers located in the United States. Therefore, your information may be transferred to, stored, or processed in the United States, whose data protection, privacy, and other laws may not provide the same level of protection as those in your country of residence. For example, government entities in the United States and other countries may have certain rights to access your personal information. If we transfer your information outside of your country of residence in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy.
By using the Services, you understand and consent to the collection, storage, processing, and transfer of your information to our facilities in the United States and to those third parties with whom we share it as described in this Policy.

8. How do we store and protect your information?

We take reasonable precautions to protect your information. Please keep in mind that the Internet is not a 100% secure medium for communication, and we cannot guarantee that the information collected about you will always remain private when using our Services. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk.

9. How long we retain your information

We will retain your information after you stop using Services to the extent that we are obliged to do so in accordance with applicable laws and regulations and/or as necessary to protect our legal rights or for certain business requirements.
Please note that even if you request that we delete your information, deletion by our third party providers may not be immediate and the deleted information may persist in backup copies for a reasonable period of time. Also, information that has already been shared with third parties may not be deleted by them.

10. Your choices with respect to your information

Updating your information: If you need to access, update, or delete other personal information that we may have, you can send a request to optout@esbnyc.com. To protect your privacy, before we give you access or let you update your information, we may ask you to verify your identity or provide additional information. We will try to update and allow you to access your information for free, but if it would require a disproportionate effort on our part, we may charge a fee. We will disclose the fee before we comply with your request. We may reject a request for a number of reasons, including, for example, that the request risks the privacy of other users, requires technical efforts that are disproportionate to the request, is repetitive, or is unlawful.
Emails: You can stop receiving promotional email communications – such as our newsletter – from us by clicking on the “unsubscribe link” provided in such communications. We will retain your email address in order to be able to abide by your opt out choice. We make efforts to promptly process all unsubscribe requests. You may not opt out of service-related communications. If you have any questions, you can contact us directly at optout@esbnyc.com. Unsubscribing or opting out of communications with us will not stop communications you receive from third parties separately. Please review their terms and conditions for relevant options for opting out of their communications.
Analytics: You can control the information provided to Google and opt out of certain ads provided by Google by using any of the methods set forth at http://www.google.com/policies/privacy/partners/ or using the Google Analytics opt out browser add-on at http://tools.google.com/dlpage/gaoptout?hl=en.
Cookies and other technologies: Persistent cookies can be removed by following your web browser’s directions. A session cookie is temporary and disappears after you close your browser. You can reset your web browser to refuse all cookies or to indicate when a cookie is being sent. However, some features of the Services may not function properly if the ability to accept cookies is disabled.
Turning off your browser’s cookies will also prevent web beacons from tracking your specific activity. The web beacon may still record an anonymous visit from your IP address, but unique information will not be recorded.
If you do not want to receive tracking pixels, you will need to disable HTML images in your email client, which may affect your ability to view images in other emails that you receive. To find out how to see what cookies have been set and how to reject and delete the cookies, please visit: http://www.aboutcookies.org.
Advertising: You can understand which third parties have currently enabled cookies for your browser or mobile device and how to opt-out of some of those cookies by visiting the Network Advertising Initiative’s website at http://optout.networkadvertising.org/#!/; or the Digital Advertising Alliance’s website at http://optout.aboutads.info/#!/ or, if you’re located in the European Union, at http://www.youronlinechoices.eu . For more information on mobile-specific opt-out choices, please visit http://www.networkadvertising.org/mobile-choices.
On your mobile device you may have features that allow you to opt out of some targeted advertising (“Limit Ad Tracking” on iOS devices or “Opt out of Interest-Based Ads” on Android). To learn more about how these opt-out features work, please review your device settings.
Even if you disable the tracking, keep in mind that you may still receive interest-based advertising, including from third parties with whom your information had been previously disclosed and that you may still receive advertising from third parties, though such advertising may not be based on your interests and preferences.

11. Privacy of individuals under 18

Use of the Services is limited to individuals aged 18 or to individuals aged 13-18 that have provided us with valid parental consent. In the event that we learn that we have collected personal information from an individual under 18 without valid parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us at ESRT Observatory TRS, L.L.C., 111 West 33rd Street, 12th Floor, New York, NY 10120, (212) 687-8700.

12. Links to other websites and services

We are not responsible for the practices employed by websites or services linked to or from our website, including the information or content contained in such websites or services, and this Policy does not apply to them. Your browsing and interaction on any third-party website or service, including those that have a link on our website, are subject to that third party’s own rules and policies. Please read the terms of such websites carefully and exercise care when providing your personal information.
The TripAdvisor Banner on our website contains content displayed on the TripAdvisor app and the treatment of such content is governed by the terms and policies of TripAdvisor.

13. Browser Do Not Track

The Services do not support Do Not Track ("DNT") at this time. DNT is a privacy preference you can set in your web browser to indicate that you do not want certain information about your web page visits tracked and collected across websites. For more details, including how to turn on Do Not Track, visit www.donottrack.us.

14. EU Data Subject Rights

Under the General Data Protection Regulation ("GDPR"), if you are an EU resident and we are processing your personal information, you have the following rights:

Right of access: You have the right to request a copy of the information that we hold about you.
Right of rectification: You have the right to have information that we hold about you that is inaccurate or incomplete corrected.
Right to be forgotten: In certain limited circumstances, you have the right to request that we erase from our records the information that we hold about you.
Right to restriction of processing: In certain limited circumstances, you have the right to restrict the processing of your information.
Right to withdraw consent: If you have provided consent for the processing of your information you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.
Right of portability: In certain limited circumstances, you have the right to have the information we hold about you transferred to another organization.
Right to object: You have the right to object to certain types of processing of your information such as direct marketing (to the extent applicable).
Right to object to automated processing, including profiling: You have the right to not be subject to the legal effects of automated processing or profiling (to the extent applicable).
Right to lodge a complaint: You have the right to lodge a complaint to your country's data protection authority if you believe that we have not complied with the requirements of the GDPR with regard to your personal information.

15. Contact us

If you have any questions about this Policy or the Services, please contact us at: ESRT Observatory TRS, L.L.C., 111 West 33rd Street, 12th Floor, New York, NY 10120, (212) 687-8700.

16. Changes to the Policy

We may make changes to this Policy from time to time, in our sole discretion. When we make changes we deem material, we will provide you with prominent notice as appropriate under the circumstances, e.g., through the Services or by sending you an email. In some cases, we will notify you in advance of the changes taking effect. Please make sure you read any such notice carefully.
This Privacy Policy was last modified in June 2018.