Privacy and Cookies

    This privacy notice (hereinafter “Notice”) explains how Travely Reisibüroo OÜ (hereinafter “we” or “us”) processes personal data of the registered users of our web or mobile application (hereinafter “Application”) or social media pages and individuals to whom we offer travel services (hereinafter “Services”), individuals who visit our website https://travely.ee/(hereinafter 'Website”), and other individuals who contact us or whose personal data is processed in the course of our business activities

    This Notice describes the processing of personal data by us as a data controller. This means that we individually or along with others determine the purposes and means of the processing of personal data.

    I. DATA CONTROLLER

    Travely Reisibüroo OÜ

    Registry code: 16392189

    Address: Kai 1, 10111 Tallinn, Estonia

    Email: info@travely.ee

    2. PERSONAL DATA WE PROCESS

    2.1. Identification data, this includes your name, surname, and a date of birth.

    Sources of collection of data: we get this data when you create an account in our Application or send us a message via our Application or by e-mail. If you are a co-passenger of one of our customers, or if a customer books a trip in your name, we will receive your data from our customer.

    2.2. Contact data, this includes your email address and a phone number.

    Sources of collection of data: we get this data when you create an account in our Application or send us a message via our Application or by e-mail. If you are a co-passenger of one of our customers, or if a customer books a trip in your name, we will receive your data from our customer.

    2.3. User account data, this includes your name and email address, your user ID, social media single sign-on (SSO) data acquired from providers such as Google, Facebook (Meta) or Apple, as well as the user account password used for the Application.

    Sources of collection of data: we get this data when you create an account in our Application.

    If you select third-party provider, such as Facebook, Google or Apple for the user authentication, or choose to connect your Application account to your social media account, we receive certain personal data from these providers. The personal data, depending on the configuration of the third-party service, may include your name, email address, language preference, and profile picture. Read more about Google authentication from here and Facebook Login from Section 5 of this Notice.

    As far as Apple is concerned, they say that “Sign in with Apple” allows you to sign in to the Application without having to provide us with information that personally identifies you. Sign in with Apple also allows you to sign in to the Application via Website without having to provide us with any additional information that personally identifies you beyond information used by your browser for normal web functions. Instead, when you use Sign in with Apple, Apple provides us with a unique identifier, allowing you to keep your information private. This identifier is distinct for each app developer, to help prevent different developers from gathering and sharing information about you across apps. Read more about Sign in with Apple from here.

    2.4. Payment data, this includes payment amount, status, description, transaction ID.

    Sources of collection of data: we get this data when you make payments to us

    2.5. Correspondence data, this includes personal data contained in the correspondence with us.

    Sources of collection of data: we get this data when you send us a message either via our Application or by e-mail.

    2.6. Travel data, this includes travel destination and time, cost of travel service, hotel data and other relevant data regarding the purchased travel services, data regarding persons traveling with you.

    Sources of collection of data: we get this data when you book a trip through us. If you are a co-passenger of one of our customers, or if a customer books a trip in your name, we will receive your data from our customer.

    2.7. Contract data, this includes the date and the number of a contract (where relevant), as well as the written contract document. This data is generated upon conclusion of the contract or during its performance.

    Sources of collection of personal data: this data is generated upon conclusion of the contract (when you subscribe to for the using Application or order our Services) or during its performance.

    2.8. IT-related data, this includes your user ID, device name, login and logout data, activity logging, IP-address, system generated unique identifier(s), time zone, location.

    Sources of collection of personal data: we get this data from you when you download, install, and launch the Application on your device.

    2.9. Website visit data, this includes personal data which is processed upon visiting and using our Website. Depending on the particular cookie we use, the types of personal data may include e.g.: online identifiers, including cookie identifiers, IP addresses, device identifiers, client identifiers or session ID.

    Sources of collection of data: we get this data when you visit and use our Website.

    3. PURPOSES AND LEGAL GROUNDS FOR DATA PROCESSING

    When we process your personal data, we rely on the following legal grounds:

    3.1. Processing is necessary for the performance of a contract to which you are the party, or in order to take steps at your request prior to entering into a contract

    Purposes of processing

    Personal data that we process

    We process your personal data for the performance of the service contract between you and us (please see our Terms of Service available on our Website). This also applies to your sign-up process and system notifications about the Application.
    In other words, to allow you to sign up to using our Application and to provide you our Services we need to process certain personal data indicated in the section “personal data that we process”
    Identification data, contact data, user account data, contract data, payment data, travel data.

    3.2. Consent

    In some cases, we need your consent for data processing. You always have the right to withdraw the consent by sending us respective email (please Section 1 of this Notice for our contact details). As for cookies, you always have the right to withdraw the consent by changing your preferences on our Website. Withdrawal of the consent does not affect the legality of the processing of your personal data prior to withdrawal.

    Purposes of processing

    Personal data that we process

    Direct marketing. We send newsletters by email or SMS containing, among other things, the best offers from our partners in travel industry.

    Email address, phone number.

    3.3. Legitimate interests

    We process your personal data based on our legitimate interests for purposes described below. You have the right to ask clarifications regarding the processing based on the legitimate interests. You also have the right to send the objection, if you find that processing of your personal data for the purposes provided below prejudice your rights. Please see Section 1 of this Notice for our contact details.

    Purposes of processing

    Personal data that we process

    In the course of providing travel services, we sometimes need to process personal data of data subjects who are not our customers. These data subjects are, in particular, the co-travellers of our customers or persons to whom our customer has booked a trip. Such processing is necessary to enable us to fulfil our role as a travel agent vis-à-vis partner tour operators.

    Identification data, contact data, travel data.

    3.4. Processing necessary for compliance with a legal obligation

    We process personal data on this legal ground if the legal obligation for processing arises from the law.

    Purposes of processing

    Personal data that we process

    Accounting and tax administration.

    Identification data, contact data, data, payment data.

    4. CATEGORIES OF RECIPIENTS OF PERSONAL DATA AND TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

    In some cases, we may transfer your personal data to certain recipients who are categorized as follows:

    4.1. Independent controllers

    • Amadeus IT Group, S.A., a provider of ticketing and reservations platform Amadeus Global Distribution System (GDS). Read more about the data processing from Amadeus GDS Privacy Notice.
    • Banks and providers of payment services.
    • Providers of purchased travel services.
    • Law firms.

    4.2. Partners who provide the services to us, and who process the personal data on our behalf (data processors), e.g.:

    • Providers of ICT services (including providers of the Website and Application hosting services and other providers of cloud services);
    • Various contractors (IT development, support, accounting).

    4.3. Joint controllers as described in section 5 of this Notice.

    4.4. Public authorities and supervisory bodies, e.g., court, law enforcement authorities, Data Protection Inspectorate. We transfer your personal data to public authorities and supervisory bodies only if the law requires it.

    Unless necessary for the provision of services, we do not transfer your personal data outside of the European Union (EU) or the European Economic Area (EEA), nor to such third country or international organization, the level of data protection of which the European Commission has not considered adequate. If your personal data is transferred outside of the EU or EEA, such transfer of personal data will take place only upon appropriate legal basis, and we will take appropriate protective measures.

    You have the right to get additional information about the transfer of your personal data by sending us the relevant request using the contact details in Section 1.

    5. JOINT CONTROLLERSHIP

    5.1 Joint controllership with our following partner tour operators:

    a) TEZ Tour OÜ(https://www.teztour.ee/)b) Coral Travel Estonia OÜ(https://coraltravel.ee/)

    As required under the GDPR, joint controllers are required to determine their responsibilities for compliance with the obligations under the GDPR by means of an arrangement. The GDPR also requires that the essence of the arrangement must be made available to the data subjects.

    According to the arrangement, we, as a travel agent are responsible for the processing of all personal data in connection with the exercise of rights by the agent under the agreement with the tour operator, including the making of a reservation for travel services through the operator's reservation system or by e-mail.

    The tour operator is responsible for the processing of personal data received from us through the tour operator's reservation system or provided to us after the conclusion of the contract with the passenger and undertakes to comply with its rights and obligations under the GDPR when processing such personal data.

    You may exercise your rights under the GDPR in respect of and against either us or the relevant joint controller listed above.

    5.2 Joint controllership with Meta Platforms Ireland Ltd (the operator of Facebook)

    We are a joint controller with Meta Platforms Ireland Ltd (hereinafter Meta Ireland) in relation to the products and services listed below. We have concluded joint controller arrangements with Meta Ireland pursuant to Article 26 of the GDPR to determine the obligations with respect to the obligations under the GDPR concerning joint processing. For further information on how Meta Ireland processes personal data (the information required by Article 13(1)(a) and (b) of the GDPR), including the legal basis Meta Ireland relies on and the ways to exercise your rights against Meta Ireland, can be found in Meta Ireland’s Privacy Policy at https://www.facebook.com/about/privacy.

    a) Facebook Login

    Upon using Facebook Login, the “Event Data” is shared with Meta Ireland. The Event Data does include information collected and transferred when you access the Website or Application with Facebook Login. The Event Data includes online identifiers including IP addresses and, insofar as provided, Meta-related identifiers or device identifiers as well as information on opt-out/limited ad tracking status. Additional information about Meta Business Tools, including Event Data can be found here.

    Regarding personal data in the Event Data referring to your actions on our Website and Application which integrate Meta Business Tools for whose processing we and Meta Ireland jointly determine the means and purposes under the GDPR, we have agreed to be joint controllers. The joint controllership extends to the collection of such personal data via the Meta Business Tools and its subsequent transmission to Meta Ireland in order to be used for the purposes set under Sections 2.a.iii to 2.a.v.1 of Meta Business Tools Terms. For further information, please also click here.

    In relation to foregoing, we and Meta Ireland have:

    • entered into the Controller Addendum to determine the respective responsibilities for compliance with the obligations under the GDPR with regard to the joint processing (as specified in Meta’s Applicable Product Terms);
    • agreed that we are responsible for providing data subjects as a minimum with the information about the data processing related to Meta Business Tools (Facebook Login);
    • agreed that Meta Ireland is responsible for enabling data subjects’ rights under Articles 15-20 of the GDPR with regard to the personal data stored by Meta Ireland after the joint processing.
    b) Page Insights

    When you use Meta’s products, including Facebook Pages, (hereinafter 'Pages'), Meta collects and uses the information described in Meta's Privacy Policy. You can also read more about how Meta uses cookies and similar technologies in Meta’s Cookies Policy.

    For Pages, Meta provides statistics and insights to Page admins (like us) that help them understand the types of actions that people take on their Pages (hereinafter 'Page Insights'). Page Insights are aggregated statistics that are created from certain events logged by Meta servers when you interact with our Facebook page and the content associated with you. More information about the Insights Data can be found here.

    We have agreed with Meta Ireland to be joint controllers for the processing of such personal data in events for Page Insights (in case you visit our Facebook page). Please see the Page Insights Addendum here. We have also agreed with Meta Ireland that for any other processing of personal data in connection with our Facebook page and/or the content associated with it for which there is no joint determination of the purposes and means, Meta Ireland and, as the case may be, we, remain separate and independent controllers.

    According to the Page Insights Addendum, Meta has undertaken the obligation to make the essence of the Page Insights Addendum available to data subjects. This is currently done via the Information about Page Insights data page.

    6. RETENTION OF PERSONAL DATA

    We keep your personal data for the period necessary for the achievement of purposes stated in this Notice or until the law requires it. The retention periods for cookies are described in Section 8 below.

    Specific terms of retention can be exercised by accessing your personal data. Please see the explanation in the section “Your rights regarding the personal data”.

    7. YOUR RIGHTS REGARDING THE PERSONAL DATA

    Right of access to your data: you have the right to know, whether personal data concerning you are being processed or not, what is the purpose of processing and what are the categories of personal data. Besides, to whom the personal data is disclosed (especially the recipients in third countries), for how long the personal data is retained and what are your rights concerning rectification, erasure and restriction of the processing.

    Right of rectification: you have the right to demand rectification of the personal data concerning you if the data are inaccurate or incomplete.

    Right of erasure: in some cases, you have the right to demand erasure of the personal data concerning you, for example in case when you withdraw your consent and there are no other legal grounds for the processing of the personal data.

    Right to restrict the processing: in some cases, you have the right to restrict processing of the personal data concerning you for a certain time (e.g., if you have objected the processing of personal data).

    Right to object: you have the right to object the processing of personal data, which is processed based on the legitimate interest, including profiling (if relevant). Upon objection, we will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.

    Right to data portability: if processing of your personal data is based on your consent or the contract with us and the data processing is carried out by automated means, then you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. Also, you have the right to claim to transmit those personal data to another service provider if it is technically possible.

    Right to turn to us, supervisory authority, or a court: if you want to exercise the above-mentioned rights, please send us an email using the contact details in Section 1. If you find that your rights have been breached, you have the right to turn to the court and/or local data protection authority. Contact details for data protection authorities in the European Economic Area are available here

    8. COOKIES AND OTHER WEB TECHNOLOGIES

    We use all the cookies, except the 'essential' technical cookies, with your prior consent. You always have the right to withdraw the consent by changing your preferences on our Website. Should essential cookies process your personal data, we rely on our legitimate interests in processing of such data (see the section above that explains our legitimate interests).

    We may use both session cookies and persistent cookies. Session cookies or in other words non-persistent cookies are cookies that exist only temporarily while you browse our Website. Your web browser should delete these cookies when you close your browser. On the other hand, persistent cookies that we use expire at a specific date or after a specific length of time set by the third-party or us.

    For your convenience, we have categorised the cookies we use our Website by their purposes as follows:

    Strictly Necessary

    Strictly necessary cookies allow core website functionality such as user login and account management. The website cannot be used properly without strictly necessary cookies.

    Name

    Provider / Domain

    Expiration

    Description

    _GRECAPTCHA
    Google LLC
    .google.com
    6 months
    Cookie used by ReCaptcha functionality to allow anti-bot validation in different forms.
    Performance

    Performance cookies are used to see how visitors use the website, eg. analytics cookies. Those cookies cannot be used to directly identify a certain visitor.

    Name

    Provider / Domain

    Expiration

    Description

    _ga
    Google LLC
    .cookie-script.com
    1 year 1 month
    This cookie name is associated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports.
    Targeting

    Targeting cookies are used to identify visitors between different websites, eg. content partners, banner networks. Those cookies may be used by companies to build a profile of visitor interests or show relevant ads on other websites.

    Name

    Provider / Domain

    Expiration

    Description

    _fbp
    Meta Platform Inc.
    .cookie-script.com
    3 months
    Used by Meta to deliver a series of advertisement products such as real time bidding from third party advertisers
    Unclassified

    Name

    Provider / Domain

    Expiration

    Description

    [abcdef0123456789]{32}
    .cookie-script.com
    1 year

    9. AMENDMENT OF THIS NOTICE

    We have the right to amend this Notice unilaterally. We will notify of amendment of this Notice in the application, by email or in other manner.