Privacy and Cookies

I. DATA CONTROLLER

Travely Reisibüroo OÜ

Registry code: 16392189

Address: Kai 1, 10111 Tallinn, Estonia

Email: info@travely.ee

2. PERSONAL DATA WE PROCESS

2.1. Identification data, this includes your name, surname, and a date of birth.

Sources of collection of data: we get this data when you create an account in our Application or send us a message via our Application or by e-mail. If you are a co-passenger of one of our customers, or if a customer books a trip in your name, we will receive your data from our customer.

2.2. Contact data, this includes your email address and a phone number.

Sources of collection of data: we get this data when you create an account in our Application or send us a message via our Application or by e-mail. If you are a co-passenger of one of our customers, or if a customer books a trip in your name, we will receive your data from our customer.

2.3. User account data, this includes your name and email address, your user ID, social media single sign-on (SSO) data acquired from providers such as Google, Facebook (Meta) or Apple, as well as the user account password used for the Application.

Sources of collection of data: we get this data when you create an account in our Application.

If you select third-party provider, such as Facebook, Google or Apple for the user authentication, or choose to connect your Application account to your social media account, we receive certain personal data from these providers. The personal data, depending on the configuration of the third-party service, may include your name, email address, language preference, and profile picture. Read more about Google authentication from here and Facebook Login from Section 5 of this Notice.

As far as Apple is concerned, they say that “Sign in with Apple” allows you to sign in to the Application without having to provide us with information that personally identifies you. Sign in with Apple also allows you to sign in to the Application via Website without having to provide us with any additional information that personally identifies you beyond information used by your browser for normal web functions. Instead, when you use Sign in with Apple, Apple provides us with a unique identifier, allowing you to keep your information private. This identifier is distinct for each app developer, to help prevent different developers from gathering and sharing information about you across apps. Read more about Sign in with Apple from here.

2.4. Payment data, this includes payment amount, status, description, transaction ID.

Sources of collection of data: we get this data when you make payments to us

2.5. Correspondence data, this includes personal data contained in the correspondence with us.

Sources of collection of data: we get this data when you send us a message either via our Application or by e-mail.

2.6. Travel data, this includes travel destination and time, cost of travel service, hotel data and other relevant data regarding the purchased travel services, data regarding persons traveling with you.

Sources of collection of data: we get this data when you book a trip through us. If you are a co-passenger of one of our customers, or if a customer books a trip in your name, we will receive your data from our customer.

2.7. Contract data, this includes the date and the number of a contract (where relevant), as well as the written contract document. This data is generated upon conclusion of the contract or during its performance.

Sources of collection of personal data: this data is generated upon conclusion of the contract (when you subscribe to for the using Application or order our Services) or during its performance.

2.8. IT-related data, this includes your user ID, device name, login and logout data, activity logging, IP-address, system generated unique identifier(s), time zone, location.

Sources of collection of personal data: we get this data from you when you download, install, and launch the Application on your device.

2.9. Website visit data, this includes personal data which is processed upon visiting and using our Website. Depending on the particular cookie we use, the types of personal data may include e.g.: online identifiers, including cookie identifiers, IP addresses, device identifiers, client identifiers or session ID.

Sources of collection of data: we get this data when you visit and use our Website.

3. PURPOSES AND LEGAL GROUNDS FOR DATA PROCESSING

When we process your personal data, we rely on the following legal grounds:

3.1. Processing is necessary for the performance of a contract to which you are the party, or in order to take steps at your request prior to entering into a contract

3.2. Consent

In some cases, we need your consent for data processing. You always have the right to withdraw the consent by sending us respective email (please Section 1 of this Notice for our contact details). As for cookies, you always have the right to withdraw the consent by changing your preferences on our Website. Withdrawal of the consent does not affect the legality of the processing of your personal data prior to withdrawal.

3.3. Legitimate interests

We process your personal data based on our legitimate interests for purposes described below. You have the right to ask clarifications regarding the processing based on the legitimate interests. You also have the right to send the objection, if you find that processing of your personal data for the purposes provided below prejudice your rights. Please see Section 1 of this Notice for our contact details.

3.4. Processing necessary for compliance with a legal obligation

We process personal data on this legal ground if the legal obligation for processing arises from the law.

4. CATEGORIES OF RECIPIENTS OF PERSONAL DATA AND TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

In some cases, we may transfer your personal data to certain recipients who are categorized as follows:

4.1. Independent controllers

Amadeus IT Group, S.A., a provider of ticketing and reservations platform Amadeus Global Distribution System (GDS). Read more about the data processing from Amadeus GDS Privacy Notice.
Banks and providers of payment services.
Providers of purchased travel services.
Law firms.

4.2. Partners who provide the services to us, and who process the personal data on our behalf (data processors), e.g.:

Providers of ICT services (including providers of the Website and Application hosting services and other providers of cloud services);
Various contractors (IT development, support, accounting).

4.3. Joint controllers as described in section 5 of this Notice.

4.4. Public authorities and supervisory bodies, e.g., court, law enforcement authorities, Data Protection Inspectorate. We transfer your personal data to public authorities and supervisory bodies only if the law requires it.

Unless necessary for the provision of services, we do not transfer your personal data outside of the European Union (EU) or the European Economic Area (EEA), nor to such third country or international organization, the level of data protection of which the European Commission has not considered adequate. If your personal data is transferred outside of the EU or EEA, such transfer of personal data will take place only upon appropriate legal basis, and we will take appropriate protective measures.

You have the right to get additional information about the transfer of your personal data by sending us the relevant request using the contact details in Section 1.

5. JOINT CONTROLLERSHIP

5.1 Joint controllership with our following partner tour operators:

a) TEZ Tour OÜ(https://www.teztour.ee/)b) Coral Travel Estonia OÜ(https://coraltravel.ee/)

As required under the GDPR, joint controllers are required to determine their responsibilities for compliance with the obligations under the GDPR by means of an arrangement. The GDPR also requires that the essence of the arrangement must be made available to the data subjects.

According to the arrangement, we, as a travel agent are responsible for the processing of all personal data in connection with the exercise of rights by the agent under the agreement with the tour operator, including the making of a reservation for travel services through the operator's reservation system or by e-mail.

The tour operator is responsible for the processing of personal data received from us through the tour operator's reservation system or provided to us after the conclusion of the contract with the passenger and undertakes to comply with its rights and obligations under the GDPR when processing such personal data.

You may exercise your rights under the GDPR in respect of and against either us or the relevant joint controller listed above.

5.2 Joint controllership with Meta Platforms Ireland Ltd (the operator of Facebook)

We are a joint controller with Meta Platforms Ireland Ltd (hereinafter Meta Ireland) in relation to the products and services listed below. We have concluded joint controller arrangements with Meta Ireland pursuant to Article 26 of the GDPR to determine the obligations with respect to the obligations under the GDPR concerning joint processing. For further information on how Meta Ireland processes personal data (the information required by Article 13(1)(a) and (b) of the GDPR), including the legal basis Meta Ireland relies on and the ways to exercise your rights against Meta Ireland, can be found in Meta Ireland’s Privacy Policy at https://www.facebook.com/about/privacy.

a) Facebook Login

Upon using Facebook Login, the “Event Data” is shared with Meta Ireland. The Event Data does include information collected and transferred when you access the Website or Application with Facebook Login. The Event Data includes online identifiers including IP addresses and, insofar as provided, Meta-related identifiers or device identifiers as well as information on opt-out/limited ad tracking status. Additional information about Meta Business Tools, including Event Data can be found here.

Regarding personal data in the Event Data referring to your actions on our Website and Application which integrate Meta Business Tools for whose processing we and Meta Ireland jointly determine the means and purposes under the GDPR, we have agreed to be joint controllers. The joint controllership extends to the collection of such personal data via the Meta Business Tools and its subsequent transmission to Meta Ireland in order to be used for the purposes set under Sections 2.a.iii to 2.a.v.1 of Meta Business Tools Terms. For further information, please also click here.

In relation to foregoing, we and Meta Ireland have:

entered into the Controller Addendum to determine the respective responsibilities for compliance with the obligations under the GDPR with regard to the joint processing (as specified in Meta’s Applicable Product Terms);
agreed that we are responsible for providing data subjects as a minimum with the information about the data processing related to Meta Business Tools (Facebook Login);
agreed that Meta Ireland is responsible for enabling data subjects’ rights under Articles 15-20 of the GDPR with regard to the personal data stored by Meta Ireland after the joint processing.

b) Page Insights

When you use Meta’s products, including Facebook Pages, (hereinafter 'Pages'), Meta collects and uses the information described in Meta's Privacy Policy. You can also read more about how Meta uses cookies and similar technologies in Meta’s Cookies Policy.

For Pages, Meta provides statistics and insights to Page admins (like us) that help them understand the types of actions that people take on their Pages (hereinafter 'Page Insights'). Page Insights are aggregated statistics that are created from certain events logged by Meta servers when you interact with our Facebook page and the content associated with you. More information about the Insights Data can be found here.

We have agreed with Meta Ireland to be joint controllers for the processing of such personal data in events for Page Insights (in case you visit our Facebook page). Please see the Page Insights Addendum here. We have also agreed with Meta Ireland that for any other processing of personal data in connection with our Facebook page and/or the content associated with it for which there is no joint determination of the purposes and means, Meta Ireland and, as the case may be, we, remain separate and independent controllers.

According to the Page Insights Addendum, Meta has undertaken the obligation to make the essence of the Page Insights Addendum available to data subjects. This is currently done via the Information about Page Insights data page.

6. RETENTION OF PERSONAL DATA

We keep your personal data for the period necessary for the achievement of purposes stated in this Notice or until the law requires it. The retention periods for cookies are described in Section 8 below.

Specific terms of retention can be exercised by accessing your personal data. Please see the explanation in the section “Your rights regarding the personal data”.

7. YOUR RIGHTS REGARDING THE PERSONAL DATA

Right of access to your data: you have the right to know, whether personal data concerning you are being processed or not, what is the purpose of processing and what are the categories of personal data. Besides, to whom the personal data is disclosed (especially the recipients in third countries), for how long the personal data is retained and what are your rights concerning rectification, erasure and restriction of the processing.

Right of rectification: you have the right to demand rectification of the personal data concerning you if the data are inaccurate or incomplete.

Right of erasure: in some cases, you have the right to demand erasure of the personal data concerning you, for example in case when you withdraw your consent and there are no other legal grounds for the processing of the personal data.

Right to restrict the processing: in some cases, you have the right to restrict processing of the personal data concerning you for a certain time (e.g., if you have objected the processing of personal data).

Right to object: you have the right to object the processing of personal data, which is processed based on the legitimate interest, including profiling (if relevant). Upon objection, we will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.

Right to data portability: if processing of your personal data is based on your consent or the contract with us and the data processing is carried out by automated means, then you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. Also, you have the right to claim to transmit those personal data to another service provider if it is technically possible.

Right to turn to us, supervisory authority, or a court: if you want to exercise the above-mentioned rights, please send us an email using the contact details in Section 1. If you find that your rights have been breached, you have the right to turn to the court and/or local data protection authority. Contact details for data protection authorities in the European Economic Area are available here

8. COOKIES AND OTHER WEB TECHNOLOGIES

We use all the cookies, except the 'essential' technical cookies, with your prior consent. You always have the right to withdraw the consent by changing your preferences on our Website. Should essential cookies process your personal data, we rely on our legitimate interests in processing of such data (see the section above that explains our legitimate interests).

We may use both session cookies and persistent cookies. Session cookies or in other words non-persistent cookies are cookies that exist only temporarily while you browse our Website. Your web browser should delete these cookies when you close your browser. On the other hand, persistent cookies that we use expire at a specific date or after a specific length of time set by the third-party or us.

For your convenience, we have categorised the cookies we use our Website by their purposes as follows:

Strictly Necessary

Strictly necessary cookies allow core website functionality such as user login and account management. The website cannot be used properly without strictly necessary cookies.

Performance

Performance cookies are used to see how visitors use the website, eg. analytics cookies. Those cookies cannot be used to directly identify a certain visitor.

Targeting

Targeting cookies are used to identify visitors between different websites, eg. content partners, banner networks. Those cookies may be used by companies to build a profile of visitor interests or show relevant ads on other websites.

Unclassified

9. AMENDMENT OF THIS NOTICE

We have the right to amend this Notice unilaterally. We will notify of amendment of this Notice in the application, by email or in other manner.