Exposha Privacy Policy

At Exposha, we believe extraordinary journeys begin with trust. This Privacy Policy outlines how we collect, use, and safeguard your personal information when you interact with our services — including our website, bookings, and tours. By engaging with us, you agree to the practices described below.


1. Information We Collect

We collect only the data necessary to deliver and improve your travel experiences.

A. Personal Identification Data

Includes: Full name, email, phone number, billing address, passport details (for international trips), date of birth.
Purpose:

Booking confirmations and visa processing (GDPR lawful basis: Contractual Necessity).

Age verification for age-restricted activities (e.g., car rentals).

B. Travel-Specific Data

Includes: Itinerary preferences, accommodation requests, dietary restrictions, flight details, emergency contacts.
Purpose:

Personalizing tours (e.g., private guides, allergy-aware meals).
Health-related data (e.g., disabilities) 


C. Payment Data

Includes: Credit card details (processed via PCI-DSS compliant gateways), billing history.
Storage: Card numbers are encrypted. We only retain the last four digits for verification.


D. Technical & Usage Data

Includes: IP address, device type, browser type, cookies, pages visited, booking funnel drop-off points.
Purpose:

Website performance optimization (e.g., fixing mobile booking bugs).
Analytics (via tools like Google Analytics with IP anonymization enabled).

E. Communications & Feedback

Includes: Emails, chat logs, survey responses, social media interactions.
Purpose:

Service improvement and issue resolution.


2. How We Use Your Data

Purpose: Legal Basis (GDPR)

Booking fulfillment: Contractual Necessity
Sending e-tickets: Contractual Necessity
Personalization: Legitimate Interest
Recommending similar tours: Legitimate Interest
Marketing*: Consent
Fraud prevention: Legal Obligation
Compliance (e.g., taxes): Legal Obligation

* Marketing emails always include an unsubscribe link.



3. Data Sharing & Third Parties

We only share your data when necessary and with proper protections in place:

Travel Partners – Hotels and tour operators (under strict NDAs).
Payment Processors – (PCI-DSS compliant).
Legal Authorities – When legally required (e.g., customs, tax audits).
International Transfers – May occur under GDPR safeguards such as:
Standard Contractual Clauses (SCCs)
Privacy Shield-certified U.S. partners (where applicable)

4. Data Retention

We retain your data only for as long as necessary:

Active Customers: 5 years after last booking (for rebooking offers and legal compliance).
Inactive Accounts: Deleted after 3 years of inactivity.

5. Your Rights (GDPR & Global)

You have the right to:

Access & Portability: Request a copy of your data in CSV or PDF format.
Rectify: Correct inaccuracies in your information.
Erasure: Request deletion of your data ("Right to Be Forgotten").
Restrict Processing: Temporarily limit how your data is used.
Object: Refuse profiling or direct marketing.
Withdraw Consent: At any time (for health data or newsletters).

To exercise your rights:
Email us at info@exposha.com with the subject line: “Privacy Request”, along with a valid proof of ID. We will respond within 30 days.



6. Security Measures

We apply strong security protocols:

Encryption: AES-256 for stored data, TLS 1.2+ for data in transit.
Access Controls: Role-based staff permissions (e.g., only finance can view payment details).
Breach Protocol: We notify regulators within 72 hours and affected users if there's a high risk.

7. Cookies & Tracking

Essential Cookies: Enable core functions like login and bookings.
Optional Cookies: Analytics (enabled only after user opt-in).
Third-Party Cookies: Social media pixels (only activated with user consent).

You can manage cookies via your browser settings or our Cookie Preferences Dashboard.



8. Children’s Privacy

We do not knowingly collect personal data from children under the age of 16 without verified parental or guardian consent.



9. Policy Updates

We may update this Privacy Policy from time to time.

Minor changes will be posted here.
Significant changes (e.g., new data usage) will be communicated via email.


Contact Us

For privacy concerns, rights requests, or DPO inquiries:

📧 Email: info@exposha.com



1. Information We Collect

We only gather data essential to deliver and enhance your travel experiences:

A. Personal Identification Data

Includes: Full name, email, phone number, billing address, passport details (for international trips), date of birth.

Purpose:

Booking confirmations and visa processing (GDPR lawful basis: Contractual Necessity).

Age verification for age-restricted activities (e.g., car rentals).

B. Travel-Specific Data

Includes: Itinerary preferences, accommodation requests, dietary restrictions, flight details, emergency contacts.

Purpose:

Customizing tours (e.g., private guides, allergy-aware meals).

Health-related data (e.g., disabilities) is processed only with explicit consent (GDPR Article 9).

C. Payment Data

Includes: Credit card details (processed via PCI-DSS compliant gateways like Stripe), billing history.

Storage: Card numbers are encrypted; we store only the last 4 digits for verification.

D. Technical & Usage Data

Includes: IP address, device type, browser, cookies, pages visited, booking funnel drop-off points.

Purpose:

Website optimization (e.g., fixing mobile booking bugs).

Analytics via tools like Google Analytics (IP anonymization enabled).

E. Communications & Feedback

Includes: Emails, chat logs, survey responses, social media interactions.

Purpose: Improving services and resolving issues.

2. How We Use Your Data

Purpose: Legal Basis (GDPR)

Booking fulfillment: Contractual Necessity (Sending e-tickets)

Personalization: Legitimate Interest (Recommending similar tours)

Marketing*: Consent (Newsletter opt-ins)

Fraud prevention: Legal Obligation (ID verification)

Compliance: Legal Obligation (Tax reporting)

*Marketing emails include unsubscribe links.

3. Data Sharing & Third Parties

We share data only when necessary with:

Travel Partners: Airlines, hotels, and tour operators (strict NDAs in place).

Payment Processors: Stripe, PayPal (PCI-DSS compliant).

Legal Authorities: If required by law (e.g., customs, tax audits).

International Transfers: Data may cross borders under GDPR safeguards like:

Standard Contractual Clauses (SCCs) with vendors.

Privacy Shield-certified US partners.

4. Data Retention

We retain data only as long as needed:

Active Customers: 5 years post-last booking (for rebooking offers and tax records).

Inactive Accounts: Deleted after 3 years of inactivity.

Legal Requirements: Passport copies held for 10 years per immigration laws.

5. Your Rights (GDPR & Global)

You may:

Access/Portability: Request a copy of your data in CSV/PDF format.

Rectify: Update incorrect details (e.g., misspelled name).

Erasure: Ask for deletion ("Right to Be Forgotten").

Restrict Processing: Pause data use during disputes.

Object: Opt out of profiling or direct marketing.

Withdraw Consent: For health data or newsletters.

How to Exercise Rights:
Email privacy@exposha.com with "Privacy Request" and proof of ID. We respond within 30 days.

6. Security Measures

Encryption: AES-256 for stored data; TLS 1.2+ for transmissions.

Access Controls: Role-based staff permissions (e.g., only finance sees payment details).

Breach Protocol: Notify regulators (72 hours) and affected users if high risk.

7. Cookies & Tracking

Essential: Session cookies (login functionality).

Optional: Analytics (opt-in via cookie banner).

Third-Party: Social media pixels (only with consent).

Manage preferences via browser settings or our Cookie Dashboard.

8. Children’s Privacy

We do not knowingly collect data from users under 16 without parental consent.

9. Policy Updates

Changes will be posted here. Material updates (e.g., new data uses) will be emailed.

Contact Us

For privacy concerns or DPO requests:
📧 Email: dpo@exposha.com
📞 Phone: +[Number]
📍 Address: [Registered Legal Office]