Privacy Policy

Updated on: 20.08.2025

Last updated: February 2025

The purpose of this Privacy Policy is to inform you about the processing of your personal data by us and about your rights when you book or organize a travel service, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation – hereinafter referred to as “GDPR”).

1. Who is responsible for data processing and how can you contact us?

The Data Controller is Program Travel SRL, a Romanian company registered with the Bucharest Trade Registry under number J2024044799005, VAT ID 50950007, with headquarters in Bucharest, Sector 1, Bd. Mareșal Alexandru Averescu 15 B/C, 2nd floor (“Controller”).

If you have any questions regarding data protection, you may contact us at: [email protected]
📍 Address: Bucharest, Sector 1, Bd. Mareșal Alexandru Averescu 15 B/C, 2nd floor
📞 Phone: +40 732 153 392
✉️ Email: [email protected]

2. What data do we collect and from what sources?

We process the data we receive as part of our contractual relationship with you or on the basis of your consent. Most data is provided directly by you when booking a trip or placing an order (including through travel agencies, advertising partners, insurers, or other service providers).

If you provide us with personal data of other individuals (e.g. other travelers), you must ensure that they have given their consent and are aware of how their data will be processed.

The following categories of personal data may be processed:

  1. Identification/authentication data (name, surname of all travelers, transaction number, username, passwords, ID/passport data)
  2. Demographic data (age, date of birth of all travelers)
  3. Physical characteristics (salutation, gender of all travelers)
  4. Contact details (address, email, phone number, correspondence)
  5. Financial details (IBAN, credit card number)
  6. Travel data (type of trip, price, destination, travel date, duration, hotels, flights, travel history)
  7. Special information you provide (mobility aids, dietary requirements, pregnancy, if applicable)
  8. Promotional and sales data (history of promotional offers, new offers of interest)
  9. Preferences (your travel preferences, reviews)
  10. Behavioral data (website usage, location)
  11. Family relationships (families with children)
  12. Complaint or crisis-related data

3. What is the legal basis and purpose of processing your data?

3.1 Contractual necessity (Art. 6(1)(b) GDPR)

We process your data to prepare offers, conclude and perform travel contracts, organize trips, manage complaints or crises, provide customer portals, contact forms, or promotional campaigns.

3.2 Legal obligations (Art. 6(1)(c) GDPR)

We process your data to comply with travel and tax legislation, identity verification, fraud prevention, risk management, and reporting duties.

3.3 Vital interests (Art. 6(1)(d) GDPR)

In emergency situations, your data may be processed to protect your vital interests or those of others (e.g. evacuation lists).

3.4 Legitimate interests (Art. 6(1)(f) GDPR)

We may process your data to ensure business continuity, IT security, product development, quality management, sales, marketing, fraud prevention, or to establish/defend legal claims.

3.4.1 Direct marketing

We may process your data for direct marketing purposes (e.g. tailored emails about your trips). You may opt out at any time, in accordance with Art. 21 GDPR.

3.5 Consent (Art. 6(1)(a) GDPR)

If you consent, we may process your data for promotional purposes (e.g. newsletters, phone campaigns). Consent can be withdrawn at any time without affecting previous lawful processing.

4. Who receives your personal data?

Data is only shared in line with GDPR requirements, with:

5. How long do we store your data?

Data is processed for the duration of our business relationship and according to legal retention obligations (e.g. fiscal, travel, archiving laws). After mandatory retention periods expire, data is deleted, destroyed, or anonymized.

6. Is your data transferred outside the EU/EEA?

Yes, only when strictly necessary (e.g. for bookings with non-EU providers, embassies, airlines). Transfers are made under GDPR exceptions (Art. 49) or based on Standard Contractual Clauses approved by the European Commission.

7. What are your rights under GDPR?

You have the following rights:

8. Am I obliged to provide personal data?

Yes, only the data necessary to establish, perform, or terminate a contract, or required by law. Without such data, we may not be able to conclude or perform the travel service.

9. Automated decision-making and profiling

We may use automated processing (profiling) to evaluate your travel preferences and interests, as well as to assess potential fraud or payment risks. These are based on legitimate interest under Art. 6(1)(f) GDPR.

10. Applicability

This Privacy Policy applies only to Program Travel SRL. If you access third-party websites via links, their own privacy policies apply.

11. Data Protection Officer

If you have questions about data protection, please contact:
📧 [email protected]

⚖️ Note: This is an informative English translation. In case of disputes, the Romanian version prevails.