Exposha Privacy Policy
Last Updated: [Date]
At Exposha, we believe extraordinary journeys begin with trust. This Privacy Policy explains how we collect, use, and protect your personal data when you use our services (website, bookings, or tours). By engaging with us, you consent to these practices.
1. Information We Collect
We only gather data essential to deliver and enhance your travel experiences:
A. Personal Identification Data
Includes: Full name, email, phone number, billing address, passport details (for international trips), date of birth.
Purpose:
Booking confirmations and visa processing (GDPR lawful basis: Contractual Necessity).
Age verification for age-restricted activities (e.g., car rentals).
B. Travel-Specific Data
Includes: Itinerary preferences, accommodation requests, dietary restrictions, flight details, emergency contacts.
Purpose:
Customizing tours (e.g., private guides, allergy-aware meals).
Health-related data (e.g., disabilities) is processed only with explicit consent (GDPR Article 9).
C. Payment Data
Includes: Credit card details (processed via PCI-DSS compliant gateways like Stripe), billing history.
Storage: Card numbers are encrypted; we store only the last 4 digits for verification.
D. Technical & Usage Data
Includes: IP address, device type, browser, cookies, pages visited, booking funnel drop-off points.
Purpose:
Website optimization (e.g., fixing mobile booking bugs).
Analytics via tools like Google Analytics (IP anonymization enabled).
E. Communications & Feedback
Includes: Emails, chat logs, survey responses, social media interactions.
Purpose: Improving services and resolving issues.
2. How We Use Your Data
Purpose | Legal Basis (GDPR) | Example
Booking fulfillment | Contractual Necessity | Sending e-tickets
Personalization | Legitimate Interest | Recommending similar tours
Marketing* | Consent | Newsletter opt-ins
Fraud prevention | Legal Obligation | ID verification
Compliance | Legal Obligation | Tax reporting
*Marketing emails include unsubscribe links.
3. Data Sharing & Third Parties
We share data only when necessary with:
Travel Partners: Airlines, hotels, and tour operators (strict NDAs in place).
Payment Processors: Stripe, PayPal (PCI-DSS compliant).
Legal Authorities: If required by law (e.g., customs, tax audits).
International Transfers: Data may cross borders under GDPR safeguards like:
Standard Contractual Clauses (SCCs) with vendors.
Privacy Shield-certified US partners.
4. Data Retention
We retain data only as long as needed:
Active Customers: 5 years post-last booking (for rebooking offers and tax records).
Inactive Accounts: Deleted after 3 years of inactivity.
Legal Requirements: Passport copies held for 10 years per immigration laws.
5. Your Rights (GDPR & Global)
You may:
Access/Portability: Request a copy of your data in CSV/PDF format.
Rectify: Update incorrect details (e.g., misspelled name).
Erasure: Ask for deletion ("Right to Be Forgotten").
Restrict Processing: Pause data use during disputes.
Object: Opt out of profiling or direct marketing.
Withdraw Consent: For health data or newsletters.
How to Exercise Rights:
Email privacy@exposha.com with "Privacy Request" and proof of ID. We respond within 30 days.
6. Security Measures
Encryption: AES-256 for stored data; TLS 1.2+ for transmissions.
Access Controls: Role-based staff permissions (e.g., only finance sees payment details).
Breach Protocol: Notify regulators (72 hours) and affected users if high risk.
7. Cookies & Tracking
Essential: Session cookies (login functionality).
Optional: Analytics (opt-in via cookie banner).
Third-Party: Social media pixels (only with consent).
Manage preferences via browser settings or our Cookie Dashboard.
8. Children’s Privacy
We do not knowingly collect data from users under 16 without parental consent.
9. Policy Updates
Changes will be posted here. Material updates (e.g., new data uses) will be emailed.
Contact Us
For privacy concerns or DPO requests:
📧 Email: dpo@exposha.com
📞 Phone: +[Number]
📍 Address: [Registered Legal Office]