Vacaciones eDreams, S.L. is a Spanish based company, with tax ID number ESB61965778. You can contact us through our Privacy Form for any data protection matter.

Thank you for using our Platforms. Your trust is the most important value to us, that is why in this Privacy Notice we are going to show you our responsibilities regarding the privacy and security of your data. The only thing you have to do is read it, and if you have any questions related to it, you can tell us about it in our Privacy Form .
After that, you’re all set to book your next adventure through us.

Automated Decisions: decision-based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (as defined under Article 22.1 EU General Data Protection Regulation; GDPR).
Note: As you will find explained below, we don’t make Automated Decisions.

Data Controller: anyone responsible for determining the purposes and means of processing your data.
Note: We are the Data Controllers of your data in the terms described in this Privacy Notice. If you choose to book a ticket through our Platforms, we will be sending your data to another Data Controller – the carrier or the provider of other services (e.g. booking partners or the global distribution systems), who will again use your data for their own purposes and based on their own means, as described in their own Privacy Notices (which is published on their website). You can see below the overview of Data Controllers categories with whom we might share the data. In any case, the disclosure of your data to any service provider will be done in accordance with the applicable laws. Each Data Controller is responsible for your data and, in case of an incident within its scope, must handle it and respond appropriately, as per the applicable law.

Data Processor: a third party that only helps to achieve the purposes determined by the Data Controller.
Note: We as a Data Controller use many third-party services to which we outsource some parts of our activities that we don’t do ourselves for various reasons such as cost-efficiency. A Data Processor is only allowed to process your data according to our documented instructions, and in compliance with the applicable law, so we are still in charge of your data, and they will not be able to process your data for any incompatible purpose.

Lawful Bases: Processing of your data shall be lawful only if at least one of these bases applies (Article 6 GDPR).
Note: For the six lawful bases covered in the law, we will essentially rely on Consent, Contract, Legal Obligation or Legitimate Interest. However, exceptionally, we might rely on Vital Interest or Public Task. You can find more information below.

Personal Data (in this Privacy Notice also referred essentially as “your data”): any information relating to a directly or indirectly identified or identifiable to you, as a natural person.

Platforms: all the services (websites, apps, call centre, etc.) that facilitate interactions between you and us.

Sensitive Personal Data: data related to racial origin, ethnic group, religion, health, sexual orientation and biometric data constitute special categories of data (as defined under Article 9 GDPR).
Note: As you will find explained below, we shall not process Sensitive Personal Data normally.

Third Countries: countries in which the GDPR regime is not applicable. Currently, by Third Countries, we mean all countries that lie outside of the European Economic Area (i.e. outside the European Union, Iceland, Liechtenstein and Norway).

You can contact the Data Protection Officer’s team through our Privacy Form to exercise any data protection right, to solve all the questions you may have regarding the processing of your data and/or for any data protection issue you would like to discuss with us. Please, note that we may ask you to verify your identity and request before taking further action on your request.

This includes completing and managing your booking, sending you communications by email, call or SMS in relation to your booking (e.g. confirmations, modifications and reminders), allowing us to respond to your queries. Such communications could be managed by us or by our travel partners.
We endeavour to show to you the most relevant travel data and help you in a personalized manner with your booking and post-booking.
We might save your data for future bookings to make it easier for you to finish a booking with us.
Please, bear in mind that the identification data we use is going to be your email that you introduce in your booking or account.

We might save your data for future bookings to make it easier for you to finish a booking with us, and recognize you when visiting our Platforms again, in order to improve your user experience. We will safely store your data for payment purposes, for example, for the eDreams Prime subscription fee.

This Privacy Notice shall apply to such data processing based on other travel-related services provided by us. During the contracting process, prior to or when filling in the data, we will inform you if there is any specific information that you should know apart from the one already covered in this Privacy Notice.

To respond to any query or request from you or any travel provider and handle it. We endeavour to maintain our best levels of customer service and we are attentive to the personal situation of each of our various customers in order to personalise our services.

To try to remember your search and contact you only once, in case you have not finalized a booking online, as we believe that this additional service benefits you, by allowing you to carry on with a booking without having to fill in your reservation details again.

To inform you how to contact us if you need assistance while you are away or other data that we feel might be useful to you in your planning or getting the best of your trip, or data of upcoming trips or a summary of previous bookings you made with us.

We may need to send you other administrative messages, which may include security alerts.

To invite you to provide a review of your experience or the travel provider, when you use our services, or to take part in market research with us. Please, bear in mind that this feedback may be available to other customers to help them make decisions about a product or a service. In case you agree to take part in market research, we will explain the data collected and how it would be further used.

To send you regular news of travel-related products and services. You can unsubscribe from email marketing communications easily and at any moment, just by clicking on the unsubscribe link included in each newsletter or other communication.

To administer any promotional activity where you participate. When you book with us, you are subscribed to our newsletters, unless you say otherwise before confirming your booking. Anyway, remember that you will be able to unsubscribe at any moment in each commercial communication, by clicking on the footer unsubscribe link.

We may show you customized offers on our Platforms or third-party platforms (including social media sites) and the content of the site displayed to you may be personalized. Such offers can be booked on our site, on co-branded sites, or other third-party offers or products we think you might find interesting.

Our staff may ask for authentications, ensuring that your reservation details are kept confidential.

Not all calls or chats are recorded and recordings are kept for a limited amount of time and automatically deleted thereafter (unless we have a legitimate interest to keep such recordings for a longer period, including fraud investigation and legal purposes).

Please, bear in mind that, when using a third party's feature, this third party may act as an independent Data Controller or as a Data Processor as per its corresponding Privacy Notice.

This is part of our drive to enhance the user experience, but can also be used for testing purposes, troubleshooting and improving the functionality and quality of our online travel services. The main goal here is to optimize our online Platforms to your needs, making our site easier and more enjoyable to use. We strive to use pseudonymized or anonymized data for these analytical purposes.

One example of this is our five-attempt password policy (if you incorrectly enter your password more than five times, we will block your account, requiring you to change your password).

Another example is our preventive stolen-credential control on the internet (if we might have any hint that your credentials could have been compromised, we may also block your account and ask you to reactivate it with a new password).

With these examples, among other actions, we protect your data and reduce fraud risk.

• Your Consent: you gave consent for a specific use of your data. We will always obtain Your Consent to collect and process your data unless another Lawful Basis applies. We will provide you with transparent information at the time that consent is obtained. This information will be provided in an accessible form, written in clear language. If the data is not obtained directly from you, then this information will be provided to you within a reasonable period after the data has been obtained.
• Contract: you have a contract or pre-contract with us. As an example, when booking an airline or hotel with us, we need relevant data to process your reservation.
• Legal Obligation: we have a Legal Obligation. Normally, accounting and tax regulations request to store necessary data for compliance purposes.
• Legitimate Interest: It’s in our legitimate interest, and it is judged not to affect your rights and freedoms in a significant way.

Other lawful bases, only exceptionally used:

• Vital Interest: You or a third party have a vital interest. We will not normally process data based on this legal basis, but if we do, we will let you know.
• Public Task: We have a public task to perform. We will not normally process data based on this legal basis, but if we do, we will let you know.

In any case, such an Automated Decision will not produce legal effects or similarly significantly affect you.

In case we shall make any Automated Decision we will apply all appropriate measures and inform you.

For example, your name, surname, gender, nationality, billing address, date of birth, email address and telephone number

Please, bear in mind that your email will be your identity data. We will be able to link your data based on your email.

For example, email and password (we never store the passwords in a non-encrypted form), price alerts, search history, specific settings, preferred choices and other details saved in your account. This also applies if you have an eDreams Prime account.

Usually, this means the payment card details. For example, credit card number, cardholder name and expiration date (we never store the credit card data in a non-encrypted form).

For example, number and expiration date of the ID and/or Passport, contact data, travel preferences, boarding passes or e-tickets.

Please, bear in mind that in the case you provide data from travel companions, you should have previously obtained the consent of other individuals before providing us with their data and travel preferences, as any access to view or change their data will be available only through your account or email.

For example, customer support cases, metadata and notes generated by our systems and agents.

For example, IP address, browser type, internet service providers, geographic location, technical data about the device, pages accessed and links clicked, the time and duration of request and visit, the method used to submit the request to the server.

Please note that we may associate this data with your account.

Some of this data may be collected by using different types of Cookies or similar technologies. For more information, please find our Cookies Notice.

One example for which we may collect and process such data would be if exceptional circumstances arose, such as a health emergency, where we might offer you the possibility to provide us with any relevant data in order to share it with the corresponding airline booked, for example, so as to smooth the check-in process or due to mandatory reasons.

In any case, the corresponding appropriate security measures will be implemented to protect your Sensitive Personal Data in line with this Privacy Notice.

Additionally, you may ask us to inform the airline, the hotel, etc. of a special service (such as a menu or an adapted room) which does not in itself constitute Sensitive Personal Data but which may imply or suggest data about your religion, health or other related data. In any case, this information will not be mandatory to provide in any of our booking funnels, so you are free to either provide it or not.

Minors may only use the service with the involvement, and approval of a parent or legal guardian. The limited cases where we might need to collect data would be as part of a booking, the purchase of other travel-related services, or in other exceptional circumstances (such as features addressed to families).

If we become aware that we have processed the data of a child without the valid consent of a parent or guardian, we will delete it.

E.g. contact data such as email, purchase or demographic data.

• Travel service provider you booked with Data controller (e.g. airlines or carriers, hotels, car rental companies, travel insurances, claims management service providers, travel business partners, etc.). In our Platform there might be services fully or partially provided by our travel business partners. Travel business partners’ Privacy Notices shall apply, and when so, you will find a link to them in the booking funnel.
• Other travel service providers which are necessary or provide an added value for the performance of our services Data controller Data Processor (e.g. the global distribution systems or computerised reservation systems, booking and ticketing agents, tour operators, travel meta searchers, etc.). They make it possible to offer you our services and help us in making all endeavours to have the best alternatives at the best price.
• Customer services and support tools Data Processor (e.g. customer communication tools, call centre agents, etc.). We work with customer support providers and tools in order to respond to our requests and manage the communications with you if needed.
• Payment and fraud services Data controller (e.g. payment processors, banks, fraud prevention and chargeback management services, etc.). When you pay in our Platform (as in any other) a set of long chains of technical operations need to happen before the payment request is accepted by your bank and notified to us. We use service providers to detect fraud risks. 
• Information security services Data Processor. We work with information security services to protect your data.
• IT infrastructure providers Data Processor (e.g. hosting service providers). They help us provide you with an available and secure Platform.
• Software solutions and engineers Data Processor. Software solutions and engineers help us work on a day to day basis and to continue improving our services. 
• Analytical service providers Data ProcessorThey provide us with the necessary data to understand the use within our Platform, see if there are any bugs or decide how we can improve our services.
• Customer Relationship Management and marketing solutions Data Processor Data Controller. They allow us to manage customised commercial communications. Some of them also help us display customised ads throughout the internet.
• Social platforms Data Controller. When login with your social media, clicking on a social media “like” button integrated into our Platforms by plugins, or using any social media services to interact with us, your data can be shared between us and the social media providers (e.g. your user names, email address, profile pictures, your contact, etc.). 
• Finance, administrative and legal services and tools Data Processor Data Controller(e.g. accounting systems, legal service providers, collection agencies, corporate insurances, etc.).

In particular, we centralize the processing of your data through the Spanish subsidiary eDreams International Network, SLU, acting as a joint Data controller and main establishment for data protection matters.

Our group of undertakings has a common Privacy Policy applying to all of them to ensure that any data processing carried out within our group, is made under the same level of security requirements and will be processed exclusively for the same purposes for which the data had been collected, according to the applicable laws.

We may need to further disclose your data to competent authorities to protect and defend our rights or properties, or the rights and properties of third parties.

For more information on this, please check the next section.

• We apply pseudonymisation and encryption of personal data, when appropriate. For example, when handling payment data, we comply with the Payment Card Industry Data Security Standards (PCI DSS) or when using our online Platforms your data is sent through a secure connection using Hypertext Transfer Protocol Secure (HTTPS) that encrypts your data through the Internet, avoiding anyone to steal your information in transit.
• We work to provide confidentiality, integrity, availability and resilience of processing systems and services. We have physical, electronic, and procedural security measures in place regarding the collection, storage, and disclosure of your data. Our security procedures mean that we may ask you to verify your identity before providing you with confidential information, and our Platforms offer security features that protect against unauthorized access and data loss.
• We make endeavours to be able to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
• We implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Usually, we process your data for a maximum period of five years, since your last trip or any further action related to it ended or since you performed your last action while logged in with your account for the purposes described above.

Other specific terms might apply, such as a maximum term of three years for accountability purposes regarding data protection related interactions, or a maximum term of ten years for tax and accounting purposes.

If you provide us with your contact email address, but then you are unable to finish your booking, we will keep your email address only temporarily and, in any case, for a maximum period of seven days to help you with the booking if you are still interested.

For the purpose of customized offers, you will periodically get email offers from us, and in every email, there will be a clear and easy way to unsubscribe and therefore object to this type of processing. We will keep and use your data for this purpose until you unsubscribe.

Regarding Cookie duration please check our Cookie Notice.

Any service provider (such as the airline) acting as Data Controller will process your data in accordance with its own Privacy Notice and will be fully responsible for processing your data.

The disclosure of your data will be done, when applicable, in accordance with the applicable laws and that appropriate safeguards (in particular, the standard contractual clauses issued by the European Commission) are in place to ensure an adequate level of protection of the privacy and fundamental rights of individuals.

Do not share your Booking ID

When you make a booking you will be furnished with a Booking ID. This reference will be included in your booking confirmation email.

Please, always keep your Booking ID confidential. If you share it with third persons, they might access your data. If you travel with others and you do not want them to have access to your booking data it might be advisable that you carry out your booking separately. For example, we recommend you not to share this data or any other relating to your trip in social media.

Do not share your account data with anyone and use a unique and strong password

To make sure that access to your account on our Platforms is safe please do not share your log-in data with anyone.

When you finish using our Platforms, please make sure to log out of your session if someone else might access your device. Avoid connecting using your account from non trusted devices or networks like the ones in hotels, libraries or cyber coffees. If you do, please do not forget to log out once finished.

It is important that you protect yourself against unauthorized third-party access to your password and to your devices. We recommend that you use a unique strong password for your account that you do not use for other online accounts and you should renew it every reasonable period of time, such as once a year. Malicious actors may try to connect to your account using stolen credentials from other (non related to us) services.

Of course, apply the same approach for your email account, by using unique strong credentials (as is our secure touchpoint to send you “reset link passwords”).

Be cautious and protect yourself from internet fraud and “Phishing”

Please, always double check the sender of the emails and the links or documents attached to them. If you don’t trust or have doubts, do not open the attachments nor click on the links.

There is a broadly spread type of internet fraud practice known as “Phishing” aimed to illegally obtain your data by deception or by installing malware on your device and stealing your saved credentials.

“Phishing” are unsolicited emails that lead you to insert or confirm your passwords or bank details in a false or cloned website. Also, they try to make you download documents with malware, or install malicious software in your computer that will be used to steal your information, like your credentials.

These fraudsters pretend to be somebody of your trust, a bargain, somebody that needs urgent action from you, etc.

Be aware that we will not contact you or request for data or any actions from you through Whatsapp. If someone is contacting you through Whatsapp or a similar communication system, saying that is us, don't rely on it, block it, and consider reporting it to the police.  

Use only original software

You may want to download our applications from alternative markets. Applications on those markets are not uploaded by us, so they may contain malware used to steal your credentials.

Please use only the oficial applications from Google Play or Apple App Store.

You have the right to ask us to correct inaccurate or incomplete data about you (and which you cannot update yourself with your account settings or through our Customer Services).

You may request information relating to your data and copies of such data.

You may also be entitled to request copies of the data that you have provided to us in a structured, commonly used, and machine-readable format where technically feasible.

You may request to have your data deleted. We may not be able to erase it due to the fact that the data processing may be necessary for the performance of the contract between you and us, for our legitimate business interests (i.e. fraud prevention, security-enhancing), to comply with our Legal Obligations (i.e. legal reporting, auditing obligations). In any case, we will immediately erase it when we can do so. Because we protect our services from accidental or malicious loss and destruction, residual copies of your data may not be removed from our backup systems for a limited period of time (within a week).

You may require us not to process your data for certain specific purposes (including profiling) where such processing is based on legitimate interest, such as, for direct marketing. If you object to such processing, we will no longer process your data for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the exercise or defence of legal claims.

If we are processing your data based on Your Consent you may withdraw Your Consent at any time, specifying which consent you are withdrawing. Please note that the withdrawal of Your Consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.