Privacy Policy
Your privacy matters to us. This policy explains how Lavisa Travel & Tourism collects, uses, and protects your personal data across our Hotels, Flights, and Car Rental services.
Introduction
Lavisa Travel & Tourism LLC ("Lavisa Travel," "we," "us," or "our") is a travel agency registered in the United Arab Emirates, operating online travel booking services for hotels, flights, and car rentals.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website, booking platform, or any of our travel services. It applies to all users, including travelers, corporate clients, and website visitors.
Data Controller
Lavisa Travel & Tourism LLC
Dubai, United Arab Emirates
Email: privacy@lavisatravel.com
Phone: +971 55 887 1803
Scope
This policy covers all personal data processed through:
- Hotel bookings — search, reservation, guest details, and stay management
- Flight bookings — search, ticketing, passenger information, and itinerary management
- Car rental bookings — search, reservation, driver details, and rental management
- General website usage — browsing, account creation, and communications
Legal Framework
We comply with applicable data protection regulations, including:
- UAE Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL)
- EU General Data Protection Regulation (GDPR) — for data subjects in the European Economic Area
- Dubai International Financial Centre (DIFC) Data Protection Law — where applicable
By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
Information We Collect
We collect different types of personal information depending on which services you use. Below is a detailed breakdown organized by service module.
Hotel Booking Data
| Data Point | Purpose | Required |
|---|---|---|
| Guest full name | Reservation and check-in | Required |
| Email address | Booking confirmation and updates | Required |
| Phone number | Property contact and urgent notifications | Required |
| Nationality / country | Tax calculation and visa requirements | Required |
| Check-in / check-out dates | Reservation fulfillment | Required |
| Number of guests (adults/children) | Room allocation and pricing | Required |
| Room preferences | Service customization | Optional |
| Special requests (diet, accessibility) | Guest experience | Optional |
| Loyalty program ID | Points accrual | Optional |
| Credit card details | Payment and guarantee | Required |
Flight Booking Data
| Data Point | Purpose | Required |
|---|---|---|
| Passenger full name (as on passport) | Ticketing and airline requirements | Required |
| Date of birth | Passenger type and fare calculation | Required |
| Gender | Airline ticketing requirements | Required |
| Passport number and expiry | International travel compliance | International flights |
| Nationality | Visa and travel document verification | Required |
| Email and phone | E-ticket delivery and notifications | Required |
| Frequent flyer number | Mileage accrual | Optional |
| Seat and meal preferences | Service customization | Optional |
| Special assistance needs | Accessibility and medical requirements | Optional |
| Payment card details | Ticket purchase | Required |
Car Rental Data
| Data Point | Purpose | Required |
|---|---|---|
| Driver full name | Rental agreement | Required |
| Driver's license number and country | Driving eligibility verification | Required |
| Date of birth / age | Minimum age requirement | Required |
| Email and phone | Confirmation and pickup coordination | Required |
| Pickup / return locations and dates | Vehicle allocation | Required |
| Flight number (airport pickups) | Timing coordination | Optional |
| Additional driver information | Insurance coverage | Optional |
| Insurance preferences | Coverage selection | Optional |
| Payment card details | Payment and deposit | Required |
Data Collected Across All Services
| Data Type | Details | Collection Method |
|---|---|---|
| Account data | Name, email, password (hashed), preferences | Registration form |
| Payment data | Card number, expiry, billing address | Checkout (PCI-DSS compliant) |
| Device data | IP address, browser type, operating system, screen resolution | Automatic (server logs) |
| Usage data | Pages visited, search queries, booking funnel steps, click patterns | Automatic (analytics) |
| Location data | Approximate location from IP address | Automatic (IP geolocation) |
| Communication data | Support tickets, emails, chat messages | Customer interactions |
| Marketing preferences | Email opt-in, notification preferences | Consent forms |
How We Use Your Data
We process your personal data for the following purposes, each supported by a lawful basis:
| Purpose | Description | Legal Basis |
|---|---|---|
| Booking fulfillment | Processing hotel, flight, and car rental reservations; issuing confirmations, vouchers, and e-tickets | Contract |
| Payment processing | Charging for services, processing refunds, fraud detection | Contract |
| Customer support | Responding to inquiries, managing modifications and cancellations | Contract |
| Account management | Creating and maintaining your account, saving preferences | Contract |
| Communications | Booking updates, itinerary changes, travel alerts, check-in reminders | Contract |
| Marketing | Promotional offers, newsletters, personalized deals (with your consent) | Consent |
| Service improvement | Analytics, A/B testing, feature development, user experience research | Legitimate interest |
| Safety & security | Fraud prevention, platform security, abuse detection | Legitimate interest |
| Legal compliance | Tax reporting, regulatory requirements, law enforcement requests | Legal obligation |
No Automated Decision-Making
We do not use your personal data for automated decision-making or profiling that produces legal effects. Pricing is determined by our suppliers' availability systems, not by profiling individual users.
Third-Party Sharing
We share your personal data with selected third parties only when necessary to provide our travel services, process payments, or comply with legal requirements. We never sell your personal data to third parties for marketing purposes.
Travel Service Providers (API Partners)
To fulfill your bookings, we transmit relevant data to our technology and supplier partners. Each partner processes data under its own privacy policy.
| Partner | Service | Data Shared | Location |
|---|---|---|---|
| Hotelbeds Group | Hotel inventory and booking | Guest name, dates, room details, nationality, payment reference | Spain (EU) |
| Duffel | Flight search and ticketing | Passenger name, DOB, gender, passport details, contact info | United Kingdom |
| Amadeus | Global distribution system (flights) | Passenger name record (PNR), ticketing data | Spain (EU) |
| RentalCars / Booking Holdings | Car rental inventory and booking | Driver name, license details, pickup/return, contact info | Netherlands (EU) |
Payment Processors
Payment data is processed by PCI-DSS certified payment providers. We do not store full credit card numbers on our servers.
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Online card payments | Card details, billing address, transaction amount |
| PayPal | Alternative payment option | Email, transaction amount, billing info |
| Bank transfer | Direct wire transfers | Account name, transfer reference |
Other Third Parties
- Analytics providers (Google Analytics) — anonymized usage data to improve our services
- Email service providers — email address for transactional and marketing emails (with consent)
- Cloud hosting providers — encrypted data storage on secure infrastructure
- Legal authorities — when required by law, court order, or regulatory obligation
Data Processing Agreements
We maintain data processing agreements (DPAs) with all third-party processors, ensuring they handle your data in accordance with applicable privacy laws and our instructions.
Cookies & Tracking
We use cookies and similar technologies to provide, protect, and improve our services. This section explains what cookies we use, why, and how you can manage your preferences.
What Are Cookies?
Cookies are small text files placed on your device when you visit our website. They help us recognize your browser, remember preferences, and understand how you interact with our platform.
Cookie Categories
| Category | Purpose | Examples | Can Disable? |
|---|---|---|---|
| Essential | Required for the website to function. Login sessions, booking flow, security tokens. | Session ID, CSRF token, currency preference | No |
| Functional | Remember your choices and provide enhanced features. | Language preference, recent searches, saved filters | Yes |
| Analytics | Help us understand how visitors use our website to improve performance. | Google Analytics (_ga, _gid), page view tracking | Yes |
| Marketing | Used to deliver relevant advertisements and measure campaign effectiveness. | Meta Pixel, Google Ads remarketing | Yes |
Managing Cookie Preferences
You can control cookies in several ways:
- Cookie consent banner — When you first visit our site, you can accept or customize your cookie preferences
- Browser settings — Most browsers allow you to block or delete cookies through their settings menu
- Opt-out links — Google Analytics opt-out: tools.google.com/dlpage/gaoptout
Disabling Cookies May Affect Functionality
Blocking essential cookies will prevent booking functionality. Disabling functional cookies may affect features like saved preferences and recent searches.
Do Not Track (DNT)
We respect the "Do Not Track" browser signal. When DNT is enabled, we disable analytics and marketing cookies for your session.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and resolve disputes. Below are our standard retention periods.
| Data Category | Retention Period | Reason |
|---|---|---|
| Booking records | 7 years from booking date | UAE commercial law, tax compliance, dispute resolution |
| Customer accounts | Until deletion requested + 30-day grace period | Service provision |
| Payment transaction records | 7 years | Financial regulations, audit requirements |
| Payment card details | Tokenized only; purged after transaction | PCI-DSS compliance |
| Passport / ID details | 90 days after travel completion | Post-travel support, then securely deleted |
| Marketing consent records | Until consent withdrawn | Proof of consent |
| Customer support tickets | 3 years from resolution | Service quality and dispute resolution |
| Analytics data | 26 months | Service improvement (anonymized after expiry) |
| Server logs | 90 days | Security monitoring and incident response |
| Cookie data | Varies (session to 13 months) | Functionality and analytics |
When the retention period expires, data is either securely deleted or anonymized so it can no longer be associated with an individual. Anonymized data may be retained indefinitely for statistical analysis.
Data Security
We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
Technical Safeguards
- Encryption in transit — All data transmitted between your browser and our servers is protected using TLS 1.3 encryption (HTTPS)
- Encryption at rest — Sensitive data (API credentials, personal identifiers) is encrypted using AES-256
- Payment security — Credit card processing complies with PCI-DSS standards; full card numbers are never stored on our servers
- Password protection — User passwords are hashed using bcrypt with unique salts; we cannot view or recover your password
- Database security — Databases are isolated, access-controlled, and regularly backed up to encrypted storage
Organizational Measures
- Access controls — Staff access to personal data is restricted on a need-to-know basis with role-based permissions
- Staff training — All team members receive regular data protection and security awareness training
- Vendor assessment — Third-party processors are evaluated for security practices before engagement
- Regular audits — We conduct periodic security reviews and vulnerability assessments
Incident Response
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware
- Notify affected individuals without undue delay if the breach poses a high risk
- Document the breach, its effects, and remedial actions taken
No System Is 100% Secure
While we use industry-standard safeguards, no method of electronic storage or transmission is completely secure. We encourage you to use strong passwords and avoid sharing account credentials.
Your Rights
Depending on your location and applicable law, you have specific rights regarding your personal data. We are committed to honoring these rights promptly and transparently.
Rights Under UAE PDPL
| Right | Description |
|---|---|
| Right to be informed | Know what personal data we collect and why before or at the time of collection |
| Right of access | Request a copy of your personal data held by us |
| Right to rectification | Correct inaccurate or incomplete personal data |
| Right to erasure | Request deletion of your data when it is no longer needed or consent is withdrawn |
| Right to restrict processing | Limit how we use your data in certain circumstances |
| Right to withdraw consent | Withdraw previously given consent at any time (this does not affect prior lawful processing) |
| Right to lodge a complaint | File a complaint with the UAE Data Office if you believe your data rights have been violated |
Additional Rights for EU/EEA Residents (GDPR)
If you are located in the European Economic Area, you also have:
- Right to data portability — Receive your data in a structured, commonly used, machine-readable format (JSON or CSV)
- Right to object — Object to processing based on legitimate interests, including direct marketing
- Right regarding automated decisions — Not be subject to decisions based solely on automated processing that produce legal effects
How to Exercise Your Rights
Submit a Data Rights Request
Email: privacy@lavisatravel.com
Subject line: "Data Rights Request - [Your Right]"
Include: Your full name, email address used with us, and specific request.
Response time: Within 30 calendar days. Complex requests may take up to 60 days with prior notice.
We may need to verify your identity before processing a request. We will not charge a fee unless a request is clearly unfounded or excessive. If we cannot fulfill a request, we will explain why within the same timeframe.
International Transfers
Lavisa Travel is based in the United Arab Emirates. When you use our services, your data may be transferred to and processed in countries outside your country of residence, including the UAE and countries where our API partners and suppliers operate.
Where Your Data May Be Transferred
| Recipient | Country | Purpose | Safeguard |
|---|---|---|---|
| Hotelbeds Group | Spain (EU) | Hotel booking fulfillment | GDPR-compliant; EU data protection |
| Duffel | United Kingdom | Flight search and ticketing | UK GDPR; adequacy decision |
| Amadeus | Spain (EU) | GDS and flight data | GDPR-compliant; EU data protection |
| RentalCars | Netherlands (EU) | Car rental booking | GDPR-compliant; EU data protection |
| Stripe | United States | Payment processing | Standard Contractual Clauses (SCCs) |
| Google (Analytics) | United States | Website analytics | SCCs; Data Processing Amendment |
| Airlines (various) | Global | Ticketing and check-in | IATA standards; airline privacy policies |
| Hotels (various) | Global | Guest registration | Contractual obligations |
Transfer Safeguards
When transferring data outside the UAE or EEA, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) — EU-approved contractual provisions for international transfers
- Adequacy decisions — Transfers to countries recognized as providing adequate data protection
- Data processing agreements — Contractual obligations requiring recipients to protect data to equivalent standards
- Industry standards — IATA data handling standards for airline-related transfers
You may request information about the specific safeguards applied to your data transfers by contacting privacy@lavisatravel.com.
Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we do, we will revise the "Effective Date" at the top of this page.
How We Notify You
- Material changes (changes to what data we collect, new third-party sharing, or changes to your rights) — We will notify you via email and/or a prominent notice on our website at least 30 days before the changes take effect
- Non-material changes (wording clarifications, formatting, or minor corrections) — Updated on this page without prior notification
Your Continued Use
Your continued use of our services after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree with any changes, you may close your account and stop using our services. For material changes, we may ask you to review and actively acknowledge the updated policy.
Previous Versions
You may request a copy of any previous version of this Privacy Policy by contacting privacy@lavisatravel.com.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please reach out through any of the channels below.
Privacy Inquiries
privacy@lavisatravel.com
For data rights requests, consent management, and privacy-related questions.
General Contact
info@lavisatravel.com
Phone: +971 55 887 1803
For booking support and general inquiries.
Office Address
Lavisa Travel & Tourism LLC
Dubai, United Arab Emirates
Complaint Escalation
If you are not satisfied with our response to your privacy concern, you have the right to escalate your complaint:
- UAE residents — File a complaint with the UAE Data Office under Federal Decree-Law No. 45/2021
- EU/EEA residents — Lodge a complaint with your local Data Protection Authority (e.g., CNIL in France, ICO in the UK, BfDI in Germany)
Response Commitment
We aim to respond to all privacy-related inquiries within 30 calendar days. For complex requests, we may extend this to 60 days with prior notice explaining the reason for the extension.