4. Privacy Policy
4.1 Introduction to Data Protection
We are committed to safeguarding your privacy and personal data in compliance with Singapore’s Personal Data Protection Act 2012 (PDPA) and other relevant laws. This section explains how we collect, use, disclose, and protect your information.
4.2 Data Protection Officer
We have appointed a Data Protection Officer (DPO), registered with the Personal Data Protection Commission (PDPC) Singapore, as required under the PDPA.
4.3 Personal Data We Collect
Information You Provide
- Account Information: Name, email, phone, date of birth, nationality, gender, profile picture, preferences, username, and password.
- Booking Information: Travel dates, destinations, number of travelers and their details, special requirements (e.g., dietary, accessibility), emergency contacts.
- Payment Information: Card details (processed securely), billing address, payment history, and transaction records.
- Travel Documentation: Passport and visa details, expiry dates, travel insurance.
- Communication Data: Messages via the Platform, customer service interactions, survey responses, feedback.
Information Automatically Collected
- Device & Usage Info: IP address, device type, browser, OS, app version, language settings, time zone.
- Platform Activity: Visited pages, session length, search and booking history, click patterns, and interactions.
- Location Data: Approximate location via IP; precise location only if you consent.
Information from Third Parties
We may receive data from:
- Tour operators and service providers
- Payment processors
- Connected social media platforms
- Marketing partners and affiliates
4.4 How We Use Your Personal Data
- Service Provision (Contractual Necessity): Account management, bookings and payments, communication facilitation, support, and refunds.
- Legal Compliance: Adherence to Singapore Tourism Board regulations, anti-money laundering/terrorism financing measures, legal requests, and record-keeping.
- Legitimate Business Interests: Improving services and Platform operations, conducting analytics and research, fraud prevention.
- Marketing (With Consent): Sending promotions, personalizing content, market research, and retargeting ads.
4.5 Legal Basis for Processing
Under PDPA, processing is based on:
- Consent: For activities where you've explicitly agreed.
- Contract: Necessary to fulfill your service requests.
- Legal Obligation: Required by law.
- Legitimate Interests: For operations balanced by your rights.
4.6 Data Sharing and Disclosure
- Tour Operators & Service Providers: Booking and traveler details, contact information, and payment confirmations (excluding full card data).
- Business Partners: Payment partners, support providers, analytics partners (using anonymized data), hosting providers.
- Legal Authorities: Courts, law enforcement, regulators, or emergencies for safety/security reasons.
- Business Transfers: Data may be transferred in mergers or acquisitions with safeguards.
- With Your Consent: For any additional data-sharing purposes.
4.7 International Data Transfers
- Cross-Border Transfers: May occur outside Singapore, safeguarded by adequacy frameworks, standard contractual clauses, binding corporate rules, or your explicit consent.
- Processing Locations: Primarily in Singapore, and in countries with PDPA-level protections or additional safeguards.
4.8 Data Security
- Security Measures: SSL/TLS encryption, secured servers, restricted access, penetration testing, staff training, and multi-factor authentication.
- Data Breach Response: We will identify and contain breaches, notify the PDPC within 72 hours if required, inform affected users promptly, and take remedial action.
4.9 Data Retention
We retain personal data only as needed to provide services, meet legal obligations, resolve disputes, or enforce agreements:
| Data Type | Retention Period |
|---|---|
| Account Data | 7 years after account closure |
| Booking Records | 7 years after travel completion |
| Payment Data | As required by financial regulations |
| Marketing Data | Until consent withdrawn |
| Technical Logs | 12 months |
Data will be securely deleted or anonymized after the applicable retention period.
4.10 Your Rights Under the PDPA
You have the right to:
- Access: Confirm processing, access your data, and receive details on its use/sharing.
- Correction: Request amendments to inaccurate or incomplete information.
- Portability: Obtain a structured copy of your data for transfer.
- Withdrawal of Consent: Withdraw consent for any specific processing (e.g., marketing, location, social), at any time.
- Exercise Rights: Submit requests via account settings.
4.11 Marketing and Communications
- Consent-Based Marketing: Promotional emails and communications are only sent with your consent. You can manage preferences in your account or unsubscribe via email links.
- Do Not Call Compliance: We respect Singapore's Do Not Call Registry and will not contact registered numbers without permission.
4.12 Children’s Privacy
Our Platform is not intended for children under 13. We do not knowingly collect data from children under 13. If discovered, data will be deleted and accounts may be terminated. For users aged 13–17, parental consent is required and additional protections apply.
4.13 Third-Party Links and Services
Our Platform may include links to third-party sites and services. This Privacy Policy does not cover those third parties—please review their privacy policies independently before sharing personal information.