1. What we collect

Account information — name, email, hashed password when you register.

Flight booking information — passenger names, dates of birth, passport/ID numbers, contact phone, and billing address collected at checkout.

Hotel booking information — guest names, contact email and phone, room preferences, special requests.

Shop order information — name, email, shipping address, and phone collected when you purchase merchandise.

Payment information — credit/debit card details. Card numbers are processed directly by our payment processors (Stripe for flights and shop; LiteAPI for hotels) and are never stored on our servers.

Usage data — IP address, browser type, pages visited, search queries, device information collected automatically when you use the website.

Location data — approximate location inferred from your IP address to personalise flight search results (nearest airport) and determine your region for cookie-consent preferences. We do not access precise GPS location.

Error and diagnostic data — when errors occur, our self-hosted error tracking service (BugSink) may collect technical details such as error messages, browser/device info, and IP address to help us identify and fix issues.

2. How we use it

• Process and confirm flight, hotel, and shop bookings on your behalf.
• Send booking confirmation, itinerary, e-ticket, and order confirmation emails.
• Notify you of schedule changes, cancellations, or status updates.
• Send shop order status changes and shipping updates.
• Verify your identity and prevent fraud.
• Personalise your experience (e.g. show flights from your nearest airport).
• Improve the platform with cookie-less analytics (Umami) and aggregated cross-domain analytics (Google Analytics 4 — only when you have consented).
• Diagnose and fix errors using our self-hosted error tracking (BugSink).
• Convert prices to your local currency via exchangerate-api.
• Provide live chat support via our self-hosted Chatwoot widget.
• Provide visa-requirement guidance on flight search results via the Travel Buddy API.
• Comply with legal obligations.

3. Who we share with

We share your personal data only as necessary to provide the Service:

• Duffel Technologies Ltd — flight booking technology. Passenger data is transmitted to Duffel and onward to airlines to complete your booking.
• Airlines — your booking details are shared with the operating carrier as required to issue your ticket.
• LiteAPI— hotel booking technology and merchant of record for hotels. Guest data is transmitted to LiteAPI and onward to the hotel. Card details for hotel bookings are processed by LiteAPI’s payment processor and are never stored on our servers.
• Hotels and accommodation providers — your reservation details are shared with the property so they can prepare your room and contact you.
• Stripe — payment processor for flights and shop purchases. Billing details are shared with Stripe to process payments securely.
• Printify — print-on-demand fulfilment partner for the shop. Your name, shipping address, and order details are shared to produce and deliver your merchandise.
• Resend — transactional email provider. Your email is shared to deliver booking confirmations, order updates, and account notifications.
• Google (NextAuth + OAuth) — when you sign in with Google, your email and profile information are received from Google to authenticate your account.
• Google Analytics 4 — aggregated, cross-domain usage analytics (only when you have given analytics consent via the cookie banner). Pseudonymous identifiers and IP truncated to country level.
• exchangerate-api — no personal data is sent. Used server-side to fetch currency-conversion rates.
• Travel Buddy API — your passport-issuing country (set in account preferences) is sent to look up visa requirements. No personal identifiers are shared.
• Chatwoot(self-hosted at chat.palapavibez.com) — live chat. When you open chat your name, email, and the page you’re on are shared so agents can help.
• BugSink (self-hosted at bugs.palapavibez.com) — error tracking. Technical error data may include IP address and browser info. Self-hosted on our own servers; not sent to third parties.
• Umami Analytics (self-hosted at analytics.palapavibez.com) — cookie-less site usage statistics. Does not set cookies, does not collect personal data, self-hosted on our own servers.
• Uptime Kuma (self-hosted at status.palapavibez.com) — uptime monitor. Only pings public endpoints; no customer data is shared.
• Cloudflare — DNS, WAF, edge routing. Sees standard request metadata (IP, user agent, requested URL). We do not deliberately share any customer-volunteered data with Cloudflare beyond what every HTTP request inherently contains.
• Legal obligations — we may disclose information if required by law or court order.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

4. Legal basis for processing (EU / UK)

If you are located in the European Union or United Kingdom, we process your personal data under the following legal bases (GDPR Art. 6):

• Contract performance — processing booking information, passenger details, and payment to fulfil your booking or shop order.
• Legitimate interests — fraud prevention, security monitoring, and platform improvement.
• Legal obligation — retaining financial records as required by applicable law.
• Consent — analytics cookies and marketing communications (where you have opted in). You may withdraw consent at any time.

5. How long we keep it

We minimise data retention. Each category of data has a specific lifetime — once that window passes, we delete or anonymise the data automatically through a scheduled retention job.

Delete your account yourself. Sign in and go to Account → Settings → Delete account. This calls our DELETE /api/user/delete-account endpoint, which removes your user record, sessions, saved passengers, and profile, and anonymises associated bookings (order numbers preserved for accounting; PII stripped). A confirmation email is sent and your session is revoked immediately.

If you can’t sign in or prefer email, contact [email protected] and we will process the request manually within 30 days.

6. Your rights

You have the following rights regarding your personal data:

• Access — obtain a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure(“right to be forgotten”) — request deletion of your data, subject to legal obligations.
• Restriction of processing — ask us to limit how we use your data in certain circumstances.
• Data portability — receive your data in a structured, machine-readable format.
• Object — object to processing based on legitimate interests or for direct marketing.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

Self-service paths:

• Access & portability (GDPR Art. 15 & 20): sign in and visit Account → Settings → Export my data to download a JSON file containing every record we hold about you — bookings, payments, profile, addresses, and password version (not the hash).
• Erasure (GDPR Art. 17): see Section 5 above.
• Rectification & preferences: update your name, email, phone, address, currency, and language under Account → Settings.

For all other requests (restriction, objection, withdrawal of consent) email [email protected]. We will respond within 30 days (one calendar month as required under GDPR).

EU/UK residents also have the right to lodge a complaint with your national data-protection authority. A list of EU DPAs is available at edpb.europa.eu. UK residents may contact the ICO.

7. California residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:

• Right to know — request disclosure of the categories and specific pieces of personal information we collect, use, and share.
• Right to delete — request deletion of personal information we have collected from you (subject to exceptions).
• Right to correct — request correction of inaccurate personal information.
• Right to opt-out of sale/sharing — we do not sell or share your personal information for cross-context behavioural advertising.
• Right to non-discrimination — we will not discriminate against you for exercising any CCPA right.

To submit a CCPA request, email [email protected]with the subject line “CCPA Request”. We will respond within 45 days.

8. Cookies

We use cookies and similar technologies to operate the website, remember your preferences, and analyse traffic. See our Cookie Policy for full details.

9. Security

We use multiple layers of security to protect your data:

• Encryption in transit. All connections are over HTTPS (TLS 1.2+).
• Encryption at rest. Sensitive personal data — passport numbers, date of birth, phone, passport expiry, nationality, shipping address, billing address, and hotel-guest contact info — is encrypted in our database using AES-256-GCM with a server-held key. The encryption key is stored separately from the database and protected by a 2-person recovery procedure.
• Password hashing. Passwords are hashed using bcrypt (rounds = 12). Raw passwords are never stored, logged, or transmitted in any reversible form.
• Session security. JWT-based sessions with a per-user revocation marker so password changes invalidate all active sessions immediately.
• Webhook verification. All inbound webhooks from Stripe, Duffel, Printify, and LiteAPI are cryptographically verified before any business logic runs.
• Rate limiting, fraud monitoring, and CSP on all sensitive endpoints.

No method of transmission or storage is 100% secure and we cannot guarantee absolute security. We notify supervisory authorities within 72 hours of becoming aware of a qualifying breach (see Section 10).

10. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33). If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (GDPR Art. 34).

11. Children’s privacy

The Service is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe we have collected data from a child, please contact us and we will delete it promptly.

12. International data transfers

Your data may be processed in countries outside your own. The processors we use are located in:

• Duffel — United Kingdom.
• LiteAPI — Hong Kong and the European Union.
• Stripe — United States and Ireland (depending on the Stripe entity responsible for your region).
• Printify — United States, with print partners in the US, EU, UK, and other regions depending on destination.
• Resend — United States.
• Google (OAuth, GA4) — United States.
• exchangerate-api, Travel Buddy — United States.
• Cloudflare — global edge with US headquarters.
• Our database, Umami, BugSink, Chatwoot, Uptime Kuma — self-hosted in the European Union (Germany).

Transfers are carried out using appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission where applicable, ensuring your data receives an equivalent level of protection wherever it is processed.

13. Changes

We may update this Privacy Policy. Material changes are tracked in the policy changelogand we will notify you by email or by displaying a notice on the website. The “Updated” date at the top reflects the most recent revision.

14. Contact

For privacy-related questions or requests: [email protected] or use our contact form.