First things first, who are we?
Hello! We are Vacaciones eDreams S.L., known by you as this Platform’s branding name. When this Privacy Notice mentions “we”, “us”, or “our”, it refers to Vacaciones eDreams, S.L. acting as Data Controller.
Our privacy promises:
- We value your privacy & data security
- We use data for your best travel experience with us
- You control your data
- Several Platforms, one Privacy Notice
Vacaciones eDreams, S.L. is a Spanish-based company, with tax ID number ESB61965778. You can contact us through our Privacy Form for any data protection matter.
Thank you for using our Platforms. Your trust is the most important value to us; that is why in this Privacy Notice we are going to show you our responsibilities regarding the privacy and security of your data. The only thing you have to do is read it, and if you have any questions related to it, you can tell us about it in our Privacy Form.
After that, you’re all set to book your next adventure through us.
We have prepared this definitions section that will help you better understand this Privacy Notice:
Automated Decisions: a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (as defined under Article 22.1 EU General Data Protection Regulation; GDPR).
Note: As you will find explained below, we don’t make Automated Decisions.
Data Controller: anyone responsible for determining the purposes and means of processing your data.
Note: We are the Data Controllers of your data in the terms described in this Privacy Notice. If you choose to book a ticket through our Platforms, we will be sending your data to another Data Controller – the carrier or the provider of other services (e.g. booking partners or the global distribution systems), who will again use your data for their own purposes and based on their own means, as described in their own Privacy Notices (which are published on their websites). You can see below the overview of Data Controller categories with whom we might share the data. In any case, the disclosure of your data to any service provider will be done in accordance with the applicable laws. Each Data Controller is responsible for your data and, in case of an incident within its scope, must handle it and respond appropriately, as per the applicable law.
Data Processor: a third party that only helps to achieve the purposes determined by the Data Controller.
Note: We as a Data Controller use many third-party services to which we outsource some parts of our activities that we don’t do ourselves for various reasons such as cost-efficiency. A Data Processor is only allowed to process your data according to our documented instructions, and in compliance with the applicable law, so we are still in charge of your data, and they will not be able to process your data for any incompatible purpose.
Lawful Bases: Processing of your data shall be lawful only if at least one of these bases applies (Article 6 GDPR).
Note: For the six lawful bases covered in the law, we will essentially rely on Consent, Contract, Legal Obligation or Legitimate Interest. However, exceptionally, we might rely on Vital Interest or Public Task. You can find more information below.
Personal Data (in this Privacy Notice also referred to essentially as “your data”): any information relating to you, as a directly or indirectly identified or identifiable natural person.
Platforms: all the services (websites, apps, call centre, etc.) that facilitate interactions between you and us.
Sensitive Personal Data: data related to racial origin, ethnic group, religion, health, sexual orientation and biometric data constitute special categories of data (as defined under Article 9 GDPR).
Note: As you will find explained below, we shall not process Sensitive Personal Data normally.
Third Countries: countries in which the GDPR regime is not applicable. Currently, by Third Countries, we mean all countries that lie outside of the European Economic Area (i.e. outside the European Union, Iceland, Liechtenstein and Norway).
Who is the Data Protection Officer?
We have a common Data Protection Officer who watches over all processing carried out with respect for your privacy and the applicable regulations at all times.
You can contact the Data Protection Officer’s team through our Privacy Form to exercise any data protection right, to solve all the questions you may have regarding the processing of your data and/or for any data protection issue you would like to discuss with us. Please note that we may ask you to verify your identity and request before taking further action on your request.
Why do we process your data?
The main purpose is to offer you travel related mediation services. This includes the following:
Lawful bases: #Contract #Legitimate Interest
During the purchase process, we ask you only for the data that we need to provide you with our mediation services to contract travel products. The booking process can be done on any of our Platforms.
This includes completing and managing your booking, sending you communications by email, call or SMS in relation to your booking (e.g. confirmations, modifications and reminders), allowing us to respond to your queries. Such communications could be managed by us or by our travel partners.
We endeavour to show to you the most relevant travel data and help you in a personalized manner with your booking and post-booking.
We might save your data for future bookings to make it easier for you to finish a booking with us.
Please bear in mind that the identification data we use is going to be the email address that you enter in your booking or account.
Lawful bases: #Contract #Your Consent #Legitimate Interest
You can create a user account on our Platforms. We use your data to manage your account and with the objective to show you the most relevant travel booking and post-booking experience, allowing you to do many useful things, as covered in the General terms and conditions.
We might save your data for future bookings to make it easier for you to finish a booking with us, and recognize you when visiting our Platforms again, in order to improve your user experience. We will safely store your data for payment purposes, for example, for the eDreams Prime subscription fee.
Lawful bases: #Contract #Your Consent #Legitimate Interest
We may offer you other travel-related services based on our role as a travel agent.
This Privacy Notice shall apply to such data processing based on other travel-related services provided by us. During the contracting process, prior to or when filling in the data, we will inform you if there is any specific information that you should know apart from the one already covered in this Privacy Notice.
Lawful bases: #Contract #Your Consent #Legitimate Interest
Apart from the communications already mentioned in the “Booking” subsection, we can get in touch with you by the different means provided by you, and for the following purposes:
To respond to any query or request from you or any travel provider and handle it. We endeavour to maintain our best levels of customer service and we are attentive to the personal situation of each of our various customers in order to personalise our services.
To try to remember your search and contact you only once, in case you have not finalized a booking online, as we believe that this additional service benefits you, by allowing you to carry on with a booking without having to fill in your reservation details again.
To inform you how to contact us if you need assistance while you are away or other data that we feel might be useful to you in your planning or getting the best of your trip, or data of upcoming trips or a summary of previous bookings you made with us.
We may need to send you other administrative messages, which may include security alerts.
To invite you to provide a review of your experience or the travel provider, when you use our services, or to take part in market research with us. Please, bear in mind that this feedback may be available to other customers to help them make decisions about a product or a service. In case you agree to take part in market research, we will explain the data collected and how it would be further used.
Lawful bases: #Legitimate Interest #Your Consent
We use your data for marketing purposes.
To send you regular news of travel-related products and services. You can unsubscribe from email marketing communications easily and at any moment, just by clicking on the unsubscribe link included in each newsletter or other communication.
To administer any promotional activity where you participate. When you book with us, you are subscribed to our newsletters, unless you say otherwise before confirming your booking. Anyway, remember that you will be able to unsubscribe at any moment in each commercial communication, by clicking on the footer unsubscribe link.
We may show you customized offers on our Platforms or third-party platforms (including social media sites) and the content of the site displayed to you may be personalized. Such offers can be booked on our site, on co-branded sites, or other third-party offers or products we think you might find interesting.
Call and chat recordings
Lawful bases: #Legitimate Interest #Your Consent
We may process calls and online communications for quality control, analytics, staff training and legal dispute purposes when you contact our customer services.
Our staff may ask for authentications, ensuring that your reservation details are kept confidential.
Not all calls or chats are recorded and recordings are kept for a limited amount of time and automatically deleted thereafter (unless we have a legitimate interest to keep such recordings for a longer period, including fraud investigation and legal purposes).
Please, bear in mind that, when using a third party's feature, this third party may act as an independent Data Controller or as a Data Processor as per its corresponding Privacy Notice.
Improving our services or developing new services
Lawful basis: #Legitimate Interest
We use data for analytical purposes.
This is part of our drive to enhance the user experience, but can also be used for testing purposes, troubleshooting and improving the functionality and quality of our online travel services. The main goal here is to optimize our online Platforms to your needs, making our site easier and more enjoyable to use. We strive to use pseudonymized or anonymized data for these analytical purposes.
Promotion of a safe and trustworthy service
Lawful bases: #Legal Obligation #Legitimate Interest
In order to create a trustworthy environment for you, your fellow travellers, our business partners and our travel providers, we may use data for the detection and prevention of fraud and other illegal or unwanted activities, as well as for security purposes (e.g. authentication of users and bookings). For such purposes, we may have to stop or put on hold certain bookings.
One example of this is our five-attempt password policy (if you incorrectly enter your password more than five times, we will block your account, requiring you to change your password).
Another example is our preventive stolen-credential control on the internet (if we have any hint that your credentials could have been compromised, we may also block your account and ask you to reactivate it with a new password).
With these examples, among other actions, we protect your data and reduce fraud risk.
Lawful bases: #Legal Obligation #Legitimate Interest
In certain cases, we may need to use your data to handle and resolve legal disputes, for regulatory investigations and compliance, to enforce our General terms and conditions or to comply with lawful requests from law enforcement.
Which lawful basis do we rely on?
The main Lawful Bases commonly used are #Your Consent #Contract #Legal Obligation #Legitimate Interest
- Your Consent: you gave consent for a specific use of your data. We will always obtain Your Consent to collect and process your data unless another Lawful Basis applies. We will provide you with transparent information at the time that consent is obtained. This information will be provided in an accessible form, written in clear language. If the data is not obtained directly from you, then this information will be provided to you within a reasonable period after the data has been obtained.
- Contract: you have a contract or pre-contract with us. As an example, when booking an airline or hotel with us, we need relevant data to process your reservation.
- Legal Obligation: we have a Legal Obligation. Normally, accounting and tax regulations require us to store necessary data for compliance purposes.
- Legitimate Interest: It’s in our legitimate interest, and it is judged not to affect your rights and freedoms in a significant way.
Other lawful bases, only exceptionally used:
- Vital Interest: You or a third party have a vital interest. We will not normally process data based on this legal basis, but if we do, we will let you know.
- Public Task: We have a public task to perform. We will not normally process data based on this legal basis, but if we do, we will let you know.
We don't make Automated Decisions
We don't make Automated Decisions based on profiles, beyond the legitimate interest of fraud prevention and the customization of your user experience, marketing and advertising.
In any case, such an Automated Decision will not produce legal effects or similarly significantly affect you.
Should we make any Automated Decision, we will apply all appropriate measures and inform you.
What types of data do we process?
There are different origins where the data mainly can come from: Data you give to us & Data we collect from you. The following are categories of data relating to a person (categories are not exclusive; data may transcend multiple categories):
Identification & Contact data
Data you give to us: Data used to identify you as a natural person and/or data we use to contact you.
For example, your name, surname, gender, nationality, billing address, date of birth, email address and telephone number.
Please, bear in mind that your email will be your identity data. We will be able to link your data based on your email.
Account & Settings data
Data you give to us: Data that you generate while using your account.
For example, email and password (we never store the passwords in a non-encrypted form), price alerts, search history, specific settings, preferred choices and other details saved in your account. This also applies if you have an eDreams Prime account.
Data you give to us: Data that you give us to execute the payment.
Usually, this means the payment card details. For example, credit card number, cardholder name and expiration date (we never store the credit card data in a non-encrypted form).
Travel related data
Data you give to us during the booking process, all that you choose in the order form and what you later change or purchase as an addition to the original order.
For example, number and expiration date of the ID and/or Passport, contact data, travel preferences, boarding passes or e-tickets.
Please, bear in mind that in the case you provide data from travel companions, you should have previously obtained the consent of other individuals before providing us with their data and travel preferences, as any access to view or change their data will be available only through your account or email.
Data you give to us & Data we collect from you: Data from all of the text and voice communications exchanged between you and us in connection to your requests.
For example, customer support cases, metadata and notes generated by our systems and agents.
Browsing & Device data
Data we collect from you: Data that we may automatically collect from your device when you visit our Platforms.
For example, IP address, browser type, internet service providers, geographic location, technical data about the device, pages accessed and links clicked, the time and duration of request and visit, the method used to submit the request to the server.
Please note that we may associate this data with your account.
Some of this data may be collected by using different types of Cookies or similar technologies. For more information, please find our Cookies Notice.
Why don’t we process Sensitive Personal Data?
We strive to limit the circumstances in which we collect and process Sensitive Personal Data. Please avoid providing us with Sensitive Personal Data unless it is strictly necessary and specifically requested.
One example for which we may collect and process such data would be if exceptional circumstances arose, such as a health emergency, where we might offer you the possibility to provide us with any relevant data in order to share it with the corresponding airline booked, for example, so as to smooth the check-in process or due to mandatory reasons.
In any case, the corresponding appropriate security measures will be implemented to protect your Sensitive Personal Data in line with this Privacy Notice.
Additionally, you may ask us to inform the airline, the hotel, etc. of a special service (such as a menu or an adapted room) which does not in itself constitute Sensitive Personal Data but which may imply or suggest data about your religion, health or other related data. In any case, this information will not be mandatory to provide in any of our booking funnels, so you are free to either provide it or not.
What happens with the data belonging to children?
Our services aren’t intended for minors, as described in our General terms and conditions.
Minors may only use the service with the involvement, and approval of a parent or legal guardian. The limited cases where we might need to collect data would be as part of a booking, the purchase of other travel-related services, or in other exceptional circumstances (such as features addressed to families).
If we become aware that we have processed the data of a child without the valid consent of a parent or guardian, we will delete it.
Data we collect from third parties
We lawfully obtain data about you from business partners and other independent third-party sources (e.g. contact data such as email, purchase or demographic data).
Who will be the recipients of your data?
We might have to share your data with third parties, which might normally act as Data Controller or Data Processor depending on their circumstances (i.e. on their purposes and the type of data they process, their relationship with them, you and us, their responsibilities under the law, etc.). Their main categories are listed below.
In order to provide you with our services, we need to share your data with third parties. We will define and regulate the data transfer or processing contractually when required by law with the appropriate security measures.
- Travel service provider you booked with #Data Controller (e.g. airlines or carriers, hotels, car rental companies, travel insurances, claims management service providers, travel business partners, etc.). In our Platform there might be services fully or partially provided by our travel business partners. Travel business partners’ Privacy Notices shall apply, and when so, you will find a link to them in the booking funnel.
- Other travel service providers which are necessary or provide an added value for the performance of our services #Data Controller #Data Processor (e.g. the global distribution systems or computerised reservation systems, booking and ticketing agents, tour operators, travel meta searchers, etc.). They make it possible to offer you our services and help us in making all endeavours to have the best alternatives at the best price.
- Customer services and support tools #Data Processor (e.g. customer communication tools, call centre agents, etc.). We work with customer support providers and tools in order to respond to our requests and manage the communications with you if needed.
- Payment and fraud services #Data Controller (e.g. payment processors, banks, fraud prevention and chargeback management services, etc.). When you pay in our Platform (as in any other), a long chain of technical operations needs to happen before the payment request is accepted by your bank and notified to us. We use service providers to detect fraud risks.
- Information security services #Data Processor. We work with information security services to protect your data.
- IT infrastructure providers #Data Processor (e.g. hosting service providers). They help us provide you with an available and secure Platform.
- Software solutions and engineers #Data Processor. Software solutions and engineers help us work on a day to day basis and to continue improving our services.
- Analytical service providers #Data Processor. They provide us with the necessary data to understand the use within our Platform, see if there are any bugs or decide how we can improve our services.
- Customer Relationship Management and marketing solutions #Data Processor #Data Controller. They allow us to manage customised commercial communications. Some of them also help us display customised ads throughout the internet.
- Social platforms #Data Controller. When you log in with your social media, click on a social media “like” button integrated into our Platforms by plugins, or use any social media services to interact with us, your data can be shared between us and the social media providers (e.g. your user names, email address, profile pictures, your contact, etc.).
- Finance, administrative and legal services and tools #Data Processor #Data Controller (e.g. accounting systems, legal service providers, collection agencies, corporate insurances, etc.).
Our group companies
We share your data within our group companies for internal purposes relating to management centralization.
In particular, we centralize the processing of your data through the Spanish subsidiary eDreams International Network, SLU, acting as a joint Data Controller and main establishment for data protection matters.
We might disclose your data to law enforcement, which will act as #Data Controllers, insofar as it is required by law or is strictly necessary for the prevention, detection or prosecution of criminal acts and fraud or if we are otherwise legally obliged to do so.
We may need to further disclose your data to competent authorities to protect and defend our rights or properties, or the rights and properties of third parties.
(transparently informed to you and with Your Consent to the disclosure, where applicable).
These recipients might be outside the EEA, implying international data transfers. For more information on this, please check the next section.
How do we protect your data?
While no online service can guarantee absolute security, we design our systems and devices with your security and privacy in mind. We work to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including for example the following ones.
- We apply pseudonymisation and encryption of personal data, when appropriate. For example, when handling payment data, we comply with the Payment Card Industry Data Security Standards (PCI DSS), and when you use our online Platforms, your data is sent through a secure connection using Hypertext Transfer Protocol Secure (HTTPS), which encrypts your data as it travels across the Internet and prevents anyone from stealing your information in transit.
- We work to provide confidentiality, integrity, availability and resilience of processing systems and services. We have physical, electronic, and procedural security measures in place regarding the collection, storage, and disclosure of your data. Our security procedures mean that we may ask you to verify your identity before providing you with confidential information, and our Platforms offer security features that protect against unauthorized access and data loss.
- We make endeavours to be able to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- We implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
We will keep your data for as long as we deem it necessary to enable you to use our services, to provide our services to you, to comply with the applicable laws, resolve disputes with any parties and otherwise as necessary to allow us to conduct our business (including, to detect and prevent fraud or other illegal activities). All your data we retain will be subject to this Privacy Notice.
Usually, we process your data for a maximum period of five years, since your last trip or any further action related to it ended or since you performed your last action while logged in with your account for the purposes described above.
Other specific terms might apply, such as a maximum term of three years for accountability purposes regarding data protection related interactions, or a maximum term of ten years for tax and accounting purposes.
If you provide us with your contact email address, but then you are unable to finish your booking, we will keep your email address only temporarily and, in any case, for a maximum period of seven days to help you with the booking if you are still interested.
For the purpose of customized offers, you will periodically get email offers from us, and in every email, there will be a clear and easy way to unsubscribe and therefore object to this type of processing. We will keep and use your data for this purpose until you unsubscribe.
Regarding Cookie duration, please check our Cookies Notice.
International data transfers
Our servers are located within the European Union. However, to facilitate our global operations (i.e. by means of service providers) the transmission of your data to the recipients described above may include transfers of your data to third countries whose data protection laws might not be as comprehensive as those of the countries within the European Union.
For transfers to recipients in such countries, we rely on the decision of the adequate level of protection, on appropriate safeguards, or on the exception of (pre)contract necessity or any other which might apply from time to time.
Any service provider (such as the airline) acting as Data Controller will process your data in accordance with its own Privacy Notice and will be fully responsible for processing your data.
The disclosure of your data will be done, when applicable, in accordance with the applicable laws and with appropriate safeguards (in particular, the standard contractual clauses issued by the European Commission) in place to ensure an adequate level of protection of the privacy and fundamental rights of individuals.
What further efforts can you easily make to protect your data?
We make serious efforts to care for and protect your data when you share it with us. Below you can find some recommendations on how to keep your data safe on your side.
Do not share your Booking ID
When you make a booking you will be furnished with a Booking ID. This reference will be included in your booking confirmation email.
Please always keep your Booking ID confidential. If you share it with third persons, they might access your data. If you travel with others and you do not want them to have access to your booking data, it might be advisable to carry out your booking separately. For example, we recommend that you do not share this data or any other data relating to your trip on social media.
Do not share your account data with anyone and use a unique and strong password
To make sure that access to your account on our Platforms is safe, please do not share your log-in data with anyone.
When you finish using our Platforms, please make sure to log out of your session if someone else might access your device. Avoid connecting to your account from untrusted devices or networks like the ones in hotels, libraries or cyber cafés. If you do, please do not forget to log out once finished.
It is important that you protect yourself against unauthorized third-party access to your password and to your devices. We recommend that you use a unique strong password for your account that you do not use for other online accounts, and that you renew it at reasonable intervals, such as once a year. Malicious actors may try to connect to your account using credentials stolen from other services (unrelated to us).
Of course, apply the same approach to your email account by using unique strong credentials (as it is our secure touchpoint to send you password reset links).
Be cautious and protect yourself from internet fraud and “Phishing”
Please always double check the sender of the emails and the links or documents attached to them. If you don’t trust them or have doubts, do not open the attachments or click on the links.
There is a widespread type of internet fraud known as “Phishing”, aimed at illegally obtaining your data by deception or by installing malware on your device and stealing your saved credentials.
“Phishing” emails are unsolicited emails that lead you to enter or confirm your passwords or bank details on a false or cloned website. They also try to make you download documents containing malware, or install malicious software on your computer that will be used to steal your information, like your credentials.
These fraudsters pretend to be somebody you trust, to offer a bargain, to be somebody that needs urgent action from you, etc.
Be aware that we will not contact you or request data or any actions from you through WhatsApp. If someone contacts you through WhatsApp or a similar communication system claiming to be us, don't rely on it, block it, and consider reporting it to the police.
Use only original software
You may want to download our applications from alternative markets. Applications on those markets are not uploaded by us, so they may contain malware used to steal your credentials.
Please use only the official applications from Google Play or Apple App Store.
How can you control your data?
We want you to be in control of how your data is used by us. You can do it in different ways:
Managing your account data
You may access and update some of your data through your account settings or Customer Services.
Exercising your data protection rights
Rectify your data
You have the right to ask us to correct inaccurate or incomplete data about you (and which you cannot update yourself with your account settings or through our Customer Services).
Access or port your data
You may request information relating to your data and copies of such data.
You may also be entitled to request copies of the data that you have provided to us in a structured, commonly used, and machine-readable format where technically feasible.
Erase or block your data
You may request to have your data deleted. We may not be able to erase it because the data processing may be necessary for the performance of the contract between you and us, for our legitimate business interests (i.e. fraud prevention, security-enhancing), or to comply with our Legal Obligations (i.e. legal reporting, auditing obligations). In any case, we will immediately erase it when we can do so. Because we protect our services from accidental or malicious loss and destruction, residual copies of your data may not be removed from our backup systems for a limited period of time (within a week).
Object or limit the use of your data
You may require us not to process your data for certain specific purposes (including profiling) where such processing is based on legitimate interest, such as, for direct marketing. If you object to such processing, we will no longer process your data for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the exercise or defence of legal claims.
Withdrawing Your Consent
If we are processing your data based on Your Consent you may withdraw Your Consent at any time, specifying which consent you are withdrawing. Please note that the withdrawal of Your Consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.
Exercise your rights through our Privacy Form.
You can also contact the Spanish Data Protection Authority or any other applicable supervisory authority.
Depending on the local regulations applicable to you, we provide additional information. Please review it if applicable.
Our UK Representative is Opodo Limited with tax ID number 766445988. Contact us through our Privacy Form, to exercise a specific right or for other data protection comments or suggestions.
Depending on which state you reside in, different laws might apply (such as California or Virginia).
Contact us through our Privacy Form (see the previous section), to exercise a specific right or for other data protection comments or suggestions.
We allow third parties to collect your data through our Platforms and share it with third parties for the business purposes described in this Privacy Notice (including without limitation advertising and marketing on our Platforms and elsewhere based on users’ online activities over time and across our Platforms, services, and devices). Remember that you can block certain Cookies, for these purposes, as described in our Cookies Notice.
Updates and previous versions
We might amend this Privacy Notice from time to time to make sure it’s up-to-date. Do not hesitate to visit this page regularly and you will know exactly where you stand. We will note the date that revisions were last made to this Privacy Notice at the bottom of this page, and any revisions will take effect upon posting.
Last Updated: December 2021
June 2019 - November 2021