PRIVACY STATEMENT FOR USERS

0. FREQUENTLY ASKED QUESTIONS

0.1 Why does Voya ask for my personal data

The reason we ask you for personal details is to offer you a smooth and seamless experience to (complete the) purchase, book(ing), order, use, facilitate and/or consume (consummation of) your travel product as offered by our travel partners (with which you wish to make a reservation, order or purchase).

Voya acts in this respect as data controller and is responsible for the personal data it collects. Voya will share the relevant personal information with the relevant travel provider with which you have made a reservation, purchase or order, which shall also act as (co-) data controller upon receipt of the relevant information. Voya and each travel provider shall each be solely responsible for the processing of personal data by itself or on its behalf in accordance with applicable data protection laws.

Furthermore, Voya may share certain personal information with its affiliated group companies (e.g. for customer service) and trusted subcontractors. Voya is responsible for these parties (which act as data processor subject to a data processor agreement with Voya).

0.2 What personal data do I need to provide to Voya

Voya collects and processes personal information that is legally required by travel providers or governmental authorities, based on local regulations. For this purpose, we may ask you to provide certain personal data, such as your full name, email address, telephone number, date and place of birth, gender, nationality, driver's license/passport/ID details (including your picture), credit card details, loyalty/membership program number and those of the people in your company and any (email/telephone) correspondence with Voya. Voya may also ask for certain sensitive data (e.g. health data) and additional information such as your travel-related preferences and restrictions, which can enhance your experience. You have full control over the information you choose (not) to share, but please note not all services may be available to you if we do not have the relevant information from you. 

0.3 What are my rights in respect of my personal data

You will have all rights granted by applicable law, such as the right to know what information we hold, the right to be forgotten, and the right to amend, correct, delete, or block your personal information. See Clause 7 for more information.

0.4 How does Voya protect my personal data

We have implemented a range of procedures and measures to prevent unauthorized access to, and the misuse of, your personal data that we process. See Clause 5 for more information.

0.5 How long will Voya hold on my personal data

We will collect and process your personal information in accordance with this privacy statement and retain your personal data for as long as necessary to manage our business relationship with you, provide our services to you, and comply with applicable laws, including those related to document retention. We will also retain some data to resolve disputes or claims with third parties and, if necessary, to conduct our business. See Clause 6 for more information.

1. INTRODUCTION AND SCOPE

1.1 About Voya

1.1.1 Voya AI, Inc (trading as 'Voya') is a company incorporated under the laws of Delaware and having its registered office at 433 Plaza Real, Suite 275, Boca Raton, Florida 33432, USA (hereafter 'we', 'us', 'our', or 'Voya').

1.1.2 We collect personal data via our platform (website/app) and service and act in that respect as data controller. 

1.1.3 The personal data that Voya collects in relation to its users depends on the context of the business relationship and their interaction with Voya, the choices the user makes, and the products, services and functions they use.

1.2 Privacy statement and acceptance

1.2.1 This privacy statement explains how Voya processes your personal data. "You", "your" or "User" means you, the user of our service as made available on our website/app (including any other natural person of whom the personal data is provided to Voya).

1.2.2 This privacy statement applies to every group company of Voya that is responsible for or involved in the processing of a User's personal data. Depending on the nature of the business relationship, various group companies of Voya may be responsible for the processing of that personal data.

1.2.3 To the extent permitted or required by law, by signing up for, registering (including uploading or otherwise enabling your personal data) and/or using our services, you hereby (i) accept, acknowledge (to have read and understood) and agree to this privacy statement, and (ii) give your explicit consent to Voya to collect, use, transfer, disclosure or process the personal data as from time to time provided or otherwise made available to us for purposes and to such recipients and locations as described in the privacy statement.

1.2.4 This privacy statement is governed by and construed in accordance with Delaware law. To the extent permitted by mandatory law, any dispute arising in connection with this Privacy Statement shall be submitted for arbitration in accordance with Clause 14.3 of our terms and conditions [link],  which is herby deemed to be incorporated by reference. 

1.2.5 This privacy statement forms and integral part of the terms and conditions and must be read in conjunction therewith.

2. DATA COLLECTION

2.1 Personal data that Voya collects

2.1.1 Personal data that you – as a User – (may) provide to us, such as:

Personal details

We collect relevant contact information from Users, such as first and last name, place/date of birth (if required), (email) addresses, (mobile) telephone numbers, credit card details (if required), ID/passport/driver's license details, loyalty number, preferences or special requests, etc.

Sensitive Data 

We may from time to time request you to provide certain Sensitive Data (e.g. personal data revealing health data (e.g. disability, medical/physical) limitations and illnesses). If certain sensitive data is requested on a voluntarily basis, there is no obligation to provide any requested Sensitive Data and any disclosure of such requested Sensitive Data is at your sole discretion and requires your explicit consent. However, certain Sensitive Data may be required by governmental rules and regulations. If you do not or cannot provide the requested or required Sensitive Data, you may not be able to (fully) use our services, or use and consummate the transaction, service or product for which you use our services (e.g. immigration, country entry, boarding, etc).

Financial data

We collect data necessary for payment and billing purposes (including your bank details, bank account number, credit/ debit card, and VAT number) and data otherwise required for invoice processing.

Travel history and transactional data

We collect information about transactions enabled by us to build a history of the traveller's trips. To enrich this data, we may ask the traveller to provide information about other trips they have taken and managed outside of our platform. This will enable the traveller to keep all of their travel information in one place and use it to improve their future travel experiences.

Profiling data

We may ask you to provide (on voluntarily basis) information in respect of any food allergies, favourite cuisines, general food preferences, contact details and identity documents, which information we may use for profiling purposes to help you make sure each traveler's experience is as personalized as possible.

Other data

When a User communicates with Voya, we collect and process information about this communication. During calls with our customer service (including when being in queue or on hold), live listening and calls can be recorded for quality control and training purposes. These recordings can also be used for claims handling and fraud detection.

Recordings are kept for a limited time before they are automatically deleted unless Voya has a legitimate interest in keeping the recording for longer. This only happens in exceptional cases, such as for fraud investigation, compliance, and legal purposes.

2.2 Information We Collect Automatically

2.2.1 Depending on the business relationship, Voya may also automatically collect information, some of which may be personal data. This data is collected when a User uses online services such as a registration form or a user account.

The data collected may include:

- Language settings

- IP address

- Place

- Device settings

- Device operating system

- Log information

- Time of use

- URL requested

- Status report

- User-agent (information about the browser version)

- Browsing history

- Browsing behaviour

- The type of data being viewed

2.3 Personal Information You Provide Us About Others or without our request

2.3.1 By sharing the personal data of other persons (such as family members or other people who travel in your company), you confirm that these persons have been informed about the use of their personal data by Voya in accordance with this privacy statement. You also confirm that you have obtained all necessary consents as required by applicable laws and regulations.

2.3.2 Unless explicitly requested by us, we discourage you from providing (sensitive) personal data at your own initiative. If you choose to disclose without our explicit request, we accept and assume through your self-disclosure your explicit and unconditional consent to process and use that information as described in, and subject to this Privacy Policy.

2.4 Other information we receive from other sources

Travel related information (itinerary)

If you (choose to) use our Service, you give consent to the collection and process of your travel related data (e.g. place and date of your reservation, purchase order, loyalty program or travel plans) from the relevant (travel) suppliers with which you may have made a reservation or purchase and which work with Voya in order for you to enjoy a seamless travel experience.

Data related to requests from law enforcement and tax authorities

Law enforcement or tax authorities may contact Voya with additional information about Users in the event that they are affected by an investigation.

Fraud detection & prevention, risk management & compliance

In certain cases, and as permitted by applicable law, Voya may need to collect data from third-party sources for fraud detection and prevention, risk management, and compliance purposes (e.g. sanction/PEP screening).

Financial payment data

We integrate with third-party payment service providers such as Adyen and Stripe, for example, to facilitate electronic payments between you, Voya and trip providers. These service providers share payment information so we can administer and handle your trip reservation.

2.5 Minors

2.5.1 Voya recognizes the importance of protecting the privacy of minors. If you are under the age of 16 (for some countries, higher age may apply), you may only use our services with the explicit consent of a parent or guardian and parental or guardian consent is verified prior to any processing of their data. Voya does not knowingly collect or process personal data from minors without such consent.

2.5.2 Parents or guardians may contact Voya at [email protected] to:

- Verify or withdraw consent provided for a minor.

- Request access to, adjustment of or deletion of the minor’s personal data.

2.5.3 We employ robust measures to ensure that the personal data of minors is processed with heightened security and limited retention periods. Data collected for minors is only used to facilitate their travel-related activities and will not be used for marketing, profiling, or any purpose not directly related to the requested service. We shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child. We may offer certain parental controls that allow you to manage your child’s interaction with specific features of the app.

2.6 Cross border transfers

2.6.1 As a U.S.-based company serving users worldwide, we may transfer your data to and from other countries. We ensure appropriate safeguards are in place, including standard contractual clauses when required by law.

3. PROCESSING PURPOSES AND SHARING

3.1 Purposes

3.1.1 Voya uses the previously described information about Users, some of which may be personal data, where relevant, for the following purposes:

A. Registration and administration

Voya uses account information, contact details, and financial information to manage and maintain the business relationship with the User and to render its service to you. This also applies to registration and verification purposes.

B. Render its service (including customer service)

Voya uses the information provided by Users, which may include personal data (including Sensitive Data), to support its services. For example, it can be used to process the relevant personal information of Users by sending it to the travel provider, guiding the users, automating certain tasks for them, and responding to requests, questions, or comments from Users or travel provider.

We only use and disclose Sensitive Data as necessary in connection with the performance of services and the provision of goods, compliance with federal, state, or local laws, and as otherwise permitted by applicable privacy and data security laws.

C. Other activities, including marketing and profiling

If a potential User has not yet completed the online registration, Voya may send a reminder to complete the registration process. We believe that this extra service is useful for our (future) Users because it allows them to complete the registration without having to re-enter all registration details.

Voya may invite Users to complete travel related reviews, ratings and scores and attend (online) events, seminars, webinars that may be relevant or interesting to them or where they can share travel experiences. We may also use personal data to provide and host online forums that allow Users to find answers to frequently asked questions about the range and use of Voya's products and services.

Marketing (e.g. newsletters): To the extent relevant to the business relationship, Voya uses personal data for communication, including providing information about its systems or product updates, sending Voya newsletters, and inviting Users to participate in references, promotions, or for other marketing communications. When we use personal information to send direct marketing messages electronically, we offer an opt-in option.

Profiling: Any profiling is for general purposes (e.g. personalize experience) and not used for automated decision making.

D. Communication with users

Voya has (access to) communication with you (telephone, chatbot, email, platform). We also use automated systems to review, scan and analyze communications for the following purposes:

- Safety

- Fraud prevention

- Compliance with legal and regulatory requirements

- Research nasty possible misconduct

- Product development and improvement

- Research

- Customer engagement (including providing information or offers to guests that we think may be of interest to them)

- Customer or technical support

Communications sent or received using Voya's means of communication are received and stored by Voya. We do not record all calls. If a call is recorded, each recording is kept for a limited time before being automatically deleted. This is the case unless we have determined that it is necessary to keep the recording for fraud investigation or legal purposes.

E. Analysis, improvement and research

Voya uses the information provided to us, which may include personal data, for analytical purposes. This is part of our commitment to improve Voya's products and services and to improve the user experience.

This data can also be used for testing purposes, troubleshooting and improving the functionality and quality of Voya's online services. We may also record some live sessions using tools such as Hotjar and invite users to participate in surveys and other market research from time to time.

Certain Users may be invited to join a user forum to communicate with Voya and/or to exchange experiences with other Users.

Please refer to the information Voya provides when you are invited to participate in a survey, market research or to join an online platform to understand how your personal data may be treated differently than described in this Privacy Statement.

Your personal data may be used by us to develop and enhance our machine learning models and artificial intelligence systems to improve our services. 

Some features of our Services use artificial intelligence to provide suggestions, recommendations or automated responses. We will always inform you when you are interacting with or receiving output generated by AI. You retain the right to request human review of significant decisions made using AI.

F. Security, fraud detection, and prevention

We process the information provided to us, which may include personal data, to investigate, prevent and detect fraud and other illegal acts. This may include personal data that a User has provided to Voya, for example for verification purposes as part of the registration process, personal data collected automatically, or personal data obtained from external sources (including from guests).

Voya may also use personal data to facilitate investigation and enforcement by competent authorities, if necessary. For these purposes, personal data may be shared with law enforcement authorities.

Voya may also use personal data for risk assessment and security purposes, including user authentication, and we use external service providers for third-party risk management. These providers help us assess the business risk profile of our Users. They may also provide us with due diligence reports from third parties, which, as permitted by applicable law, may contain potential information about criminal convictions and owner or User violations.

G. Legal, regulatory and compliance

In certain cases, Voya must use the information provided (which may include personal data) to handle and resolve legal disputes or for regulatory investigations, risk management, and compliance. We may also use it to enforce our agreement(s) with Users or to resolve any complaint or claim involving a User, and in accordance with internal rules and procedures.

In addition, we may need to share information about Users (including personal data) where required to do so by law or strictly necessary to respond to requests from competent authorities. This includes tax authorities, courts, other government and public authorities, or local municipalities. 

Finally, Voya may use personal data for anti-money laundering verification and KYC (know your client) related purposes and obligations (including sanction screening for 'politically exposed persons' (PEPs) and sanctioned individuals).

If we use automated means to process personal data that produces legal effects or significantly affects you or other natural persons, we will take appropriate measures to safeguard your or the other person's rights and freedoms. This includes the right to human intervention.

3.2 Legal grounds

3.2.1 First of all, Voya strongly believes that the User should be in control of its personal data. Therefore and save as set out otherwise below, Voya will at all times obtain your consent before processing personal data for any services you wish to use from Voya, including for marketing and profiling purposes or as otherwise required by law.

3.2.2 Purpose A and B: In addition to the consent, Voya assumes the legal basis that the processing of personal data for purposes A and B is also necessary for the execution of the agreement between the User and Voya. If the required information is not provided, Voya will not be able to work with a User and provide its service, nor will we be able to provide customer service.

3.2.3 Purposes C to G: Voya relies on its legitimate interest to provide its services to, or obtain services from Users, to prevent fraud and to improve its services. When we use personal data to serve the legitimate interest of Voya or a third party, we will always balance the rights and interests of the data subject and the protection of their information against the rights and interests of Voya and/or the third party.

3.2.4 Purpose F and G: Voya also relies, where applicable, on compliance with legal obligations (such as lawful law enforcement requests) or the protection of vital interests (e.g. airport security and border control). 

3.2.5 The collection and process of any Sensitive Data will be strictly under the condition of your prior explicit (active) consent (including at the time of requesting the consent, disclosure of the purpose and use). See paragraph 11 for more information.

3.2.6 Important notice: you can at all times withhold or withdraw your consent without detriment. If you wish to object to the processing as set out under C to G and cannot find a way to opt out directly (for example in your account settings), please contact Voya at [email protected].

3.2.7 Important notice: Insofar Voya will conduct decision-making based on profiling or solely automated decision-making (which produces legal effects or similarly significantly affects the data subject), it shall require the prior explicit consent from the User (including stipulate the purpose).

4. SHARE WITH OTHERS

4.1 Sharing with affiliated group companies

4.1.1 To support the use of Voya services, your information (which may include personal data) may be shared with or within Voya affiliates. This is done for the purposes described below, subject to any contractual terms.

The purposes for sharing data within the Voya group of companies are:

A. to offer, provide or make available services and products (including supplier management) and to provide support (such as completing reservation/booking, canceling, changing and/or managing, account management, and any customer service, billing, and collection);

B. to prevent, detect and investigate fraud and other illegal activities;

C. for analytical, quality, and product improvement purposes (including monitoring conversations by live listening or recording for quality and training purposes);

D. marketing activities (including news items) from which you can easily unsubscribe or unsubscribe) and to personalize online services (including personalized offers and promotions);

E. communication purposes (by email, telephone, or post) for the above purposes (including survey, market research, reviews, or ratings) or as necessary under our agreement with you;

F. legal purposes, including the handling of complaints, claims, legal claims, and for the detection of fraud (in which cases any telephone conversations may be recorded);

G. to ensure compliance with applicable laws or law enforcement.

With a view to purpose A, and insofar as applicable, Voya relies on the legal basis that the processing of personal data is necessary for the performance of the agreement with you for the purchase, booking, reservation, order, or use of the product or service as offered by the travel provider.

Voya further relies on its legitimate interest and that of its group companies to receive, process, and share personal data as described under B to G. This is to provide services to or obtain services from Users, including to improve the services and prevent fraud or other illegal acts. When personal data is used to serve the legitimate interest of Voya or a third party, Voya will always balance the rights and interests of the person concerned in protecting their personal data and the rights and interests of Voya or the third party.

For purpose G, Voya also relies on compliance with legal obligations where applicable (such as lawful law enforcement requests or enforcing its terms and conditions for use of the service).

Finally, where needed under applicable law, Voya will obtain your consent prior to processing your personal data, including for email marketing purposes or as otherwise required by law.

If you wish to object to the processing as set out under B to G, and cannot find a way to unsubscribe directly (for example in your account settings), please contact Voya at [email protected].

4.2 Sharing with third parties

4.2.1 We share Users' information (which may include personal data) with third parties, as permitted by law and as described below:

(a) Travel providers. We may transfer, disclose, share or otherwise enable your personal data with travel providers to allow them to offer, facilitate or provide their product or service to you. Depending on the product or service used, ordered or booked by you, the details we share can include your name, contact and payment details, ID/passport information, the names of the people accompanying you and any other information or preferences you specified when you book, order or use the relevant service or product of the relevant travel provider. The travel providers shall also act as (co-) data controller upon receipt of the relevant information. Voya and each travel provider shall each be solely responsible for the processing of personal data by itself or on its behalf in accordance with applicable data protection laws.

(b) Service providers (including suppliers, auxiliaries, and subcontractors). We share personal information with selected third-party service providers to provide our products and services, billing/collection, prevent and detect fraud, store data and otherwise support our business processes, or so that they can conduct business on our behalf.

(c) Payment providers and other financial institutions. In order to process payments between a User and Voya, relevant personal data may be shared with payment providers (e.g. Stripe, Inc) and other financial institutions.

(d) Screening of sanctions lists or risk management as required by applicable law.

(e) Forced disclosure. When required by law, strictly necessary for the performance of our services, in legal proceedings, or to protect our rights or the rights of users, we disclose personal data to law enforcement agencies, research organizations, users, or group companies.

As applicable and unless indicated otherwise, for purposes (a), (b) and (c) Voya relies on the legal basis that the processing of personal data is necessary for the performance of a contract, and for purposes (a) to (e), Voya relies on its legitimate interests to share, process, enable and receive personal data, and, where applicable, for (d) and (e) on compliance with legal obligations (such as lawful law enforcement requests).

Travel providers may further process your personal data outside our control. Travel providers may also ask for additional personal data, for instance to provide additional services, or to comply with local restrictions. If available, please read the privacy statement of the relevant travel provider to understand how they process your personal data.

4.3 Sharing and disclosure of aggregated data

4.3.1 We may share information with third parties in an aggregated form and/or another form in which the recipient cannot identify you, for example for industry analysis or demographic profiling.

5. SECURITY AND PROTECTION

5.1 You have access to your personal data via your Account.

5.2 We have procedures in place to prevent unauthorized access to and misuse of personal data. 

5.3 We use appropriate business systems and procedures to protect and secure information, including personal data. We also use security procedures and technical and physical restrictions to access and use the personal information on our servers. Only authorized personnel have access to personal data in the context of their work. 

5.4 We ensure that all third parties engaged to process personal data on our behalf are bound by industry-standard data processing agreements that incorporate customary data protection provisions.

5.5 We combine people, processes and technology to protect your personal data and respect your privacy and have taken the following measures and actions:

- maintain a comprehensive framework of security policies, procedures and protocols;

- keep staff alert to security risks through security training and awareness activities;

- use up-to-date security technologies such as encryption and data leakage prevention to help guard against unauthorised data disclosure or destruction;

- maintain inventories to provide oversight over processes, systems and data assets; 

- use multiple systems for fraud prevention/detection and continuous system monitoring including for security purposes;

- use identity and access management and other logical and physical access restrictions to control that only authorised personnel can access personal data

- maintain and test protocols to respond to reports about possible incidents and data breaches;

- verify and enhance our security systems, procedures and protocols on a recurring basis, and

- last but not least: retention practices to keep and, where possible under applicable law, dispose of personal data.

6. DATA RETENTION

6.1 We retain personal data for as long as it is deemed necessary to manage the business relationship with a User, to provide Voya services to a User, and to comply with applicable laws (including those relating to the retention of documents ), disputes, or claims with any parties, and if otherwise necessary to enable us to conduct our business.

6.2 Upon termination of the agreement with you, we will delete all your personal data in any event after 2 years after termination of the agreement (or for certain relevant personal information such longer period as required by law).

6.2 Any personal data we hold about you as a User is subject to this privacy statement and our internal retention guidelines. If you have any questions about the specific retention periods for the different types of personal data we process, please contact Voya at [email protected].

7. YOUR CHOICES AND RIGHTS

7.1 Depending on where you are located or the entity of Voya that processes your personal data, different rights may apply to the processing of that data, as set out in this privacy statement. As applicable:

-You can ask us for a copy of the personal data we hold about you,

-You can notify us of any changes to your personal information, or you can ask us to correct the personal information we hold about you,

-In certain situations, you can ask us to delete, block, amend, or restrict the personal information we hold about you, or you can object to certain ways in which we use your personal information,

-In certain situations, you can also ask us to send the personal data you provide to us to a third party.

7.2 Where we use your personal information based on your consent, you have the right to withdraw that consent at any time, subject to applicable law. Where we process your personal data on the basis of legitimate interest or public interest, you also have the right to object at any time, subject to applicable law.

7.3 Regardless of your location or the Voya entity you have a contract with, we rely on our Users to ensure that the personal information we hold is complete, accurate, and current. Always inform us in good time of any changes or inaccuracies in your personal data.

7.4 To protect your privacy and security, we will verify your identity before responding to such request, and your request will be answered within a reasonable timeframe. We may not be able to allow you to access certain personal data in some cases e.g. if your personal data is connected with personal data of other persons, or for legal reasons. In such cases, we will provide you with an explanation why you cannot obtain this information. We may also deny your request for deletion or rectification of your personal data if you have future/ongoing service with us or due to statutory provisions, especially those affecting our accounting processes, processing of claims, for fraud detection or prevention purposes, and mandatory data retention, which may prohibit deletion or anonymization. This includes retaining your personal data for a period of 120 days after your last checkout to handle any post-booking matters such as in the case of complaints or claims, for fraud prevention, trade sanction reasons, legal claims or requests.

7.5 How to exercise your rights: If you wish to object to the processing of your personal data, withhold your consent or otherwise wish to exercise your right and cannot find a way to opt out directly on our platform (for example in your account settings), please contact Voya at [email protected].

8. THIRD PARTIES WE USE

8.1 All third parties engaged by Onramper are contractually obligated to comply with applicable data protection laws (such as the GDPR) and are only permitted to process personal data for the specified purposes and under strict confidentiality obligations. A full list of subprocessors and their roles may be made available upon request.

8.2 We use the following third parties, which act as our data processor (unless indicated otherwise), subject to an appropriate data processing agreement.

- We use Google Analytics in respect of the Product Usage Data to analyse your usage of our Platform; this data might be stored on Google Analytics’ servers. Information gathered to use Google Analytics as described in this privacy policy, is stored by Google Analytics, which has earned the independent security standard ISO 27001 certification.

- Any information processed on, or through, Amazon Web Services are similarly secure by way of compliance with applicable industry-standard certifications and best practices. AWS has achieved numerous internationally-recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27701 for privacy.

- To enhance your experience with Onramper, we may utilise Hotjar to record user sessions. This tool helps us understand how users interact with Onramper, but will never record your personal data. Hotjar only tracks user’s navigation (e.g. where they click, scroll their mouse, or move in between pages) and protects user information by blurring images that are uploaded, and decoding text (e.g. numbers will appear as asterixis; ‘***’). All user session recordings are completely anonymous; IP/MAC addresses will not be shared.

- We integrate with third-party payment service providers such as Adyen and Stripe, for example, to facilitate electronic payments between you, Voya and trip providers. These service providers share payment information so we can administer and handle your trip reservation.

- Data is stored in secure databases managed by our trusted service providers, including Go Highlevel CRM.

- We use Go Highlevel for CRM and marketing services.

9. AI AND MACHINE LEARNING

9.1 Reason and purpose of AI and ML

9.1.1 We are always looking for opportunities to innovate and improve the customer experience by using new technologies such as artificial intelligence ("AI") systems. We currently use AI and machine learning ("ML") for the following purposes:

Improving our services 

We use AI to improve our services. This includes the identification of trends, monitoring the operations of the platform, troubleshooting our websites and apps as well as achieving performance and cost efficiencies. Personal data may be used to develop and train AI systems such as generative AI models which enable you to use natural language to ask questions about a trip or service and receive AI generated relevant responses or itinerary suggestions. AI systems will also be utilised to improve the effectiveness of the other purposes set out in this privacy notice.

AI Trip Planner and Interactive chats

We may use AI to develop and offer interactive chats and the Booking.com AI Trip Planner which allow you to ask questions about a trip or service and receive AI generated relevant responses or itinerary suggestions. The AI Trip Planner will use any personal data you share with it and your search and booking history on our platform to make tailored recommendations to you. We may use the above information to develop, train and fine-tune our AI systems.

Promotion of a safe and trustworthy service and prevention of fraud

Machine learning AI systems monitor our platforms for fraud attempts, complaints and possible traveller or trip provider misconduct at a much faster rate and with greater accuracy than could be achieved manually. The AI systems scan transactions and content on our platform for risk indicators. Transactions and content which are identified as indicative of higher fraud risk are flagged for human review.

Showing you the most relevant content

We use additional AI systems to improve the customer experience and personalization on our platform. This includes the use of AI to predict the optimal/most relevant category of products for you and bring the best options to your attention. This may include sending you details of a trip we think you would be interested in (where you have consented to this communication) and ranking search results to put the best matches to the top of your feed.

9.2 Legal basis

9.2.1 The legal basis of using AI/ML will usually follow the overall purpose of processing set out in Clause 3. Beyond the reasons set out in Clause 3 (including preventing and detecting fraud attempts), we may have a legitimate interest in developing AI systems to reduce our costs, improve the efficiency and quality of our processing and provide better products for our customers. We consider whether your rights and freedoms are not unduly infringed upon by the processing of your personal data and only proceed where this legitimate interest is not overridden by your rights.

9.2.2 Where required by mandatory law, we will seek your consent.

9.3 Data protection principles

9.3.1 We assess our AI systems against data protection principles, such as minimisation, accuracy, and purpose limitation. We take steps to prevent harm and biases from our use of AI. In some cases, we may complete decision-making without human review but only after we have assessed that the decision would not result in a significant effect on you.

9. COOKIES AND TRACKING TECHNOLOGY

9.1 We may from time to time use cookies or tracking pixels, including 

- Cookies for website functionality and analytics, and

- Pixels for advertising and performance measurement.

9.2 See our cookie policy for more information.

10. CONTACT US

10.1 If you have any questions, wishes, or comments about how we process your personal data, or if you would like to exercise any of the rights you have under this Privacy Statement, please contact us at [email protected]. You can also contact your local data protection authority.

10.2 We handle privacy-specific questions, requests, and concerns reported to us using internal policies and procedures based on applicable privacy laws, regulations and guidelines. We regularly review and improve this policy and procedures, also taking into account User feedback.

11. CHANGES TO THIS PRIVACY STATEMENT

This privacy statement may be amended or supplemented from time to time. If we intend to make material changes or changes that affect you, we will always contact you in advance. An example of this type of change would be if we started processing your personal data for purposes not described above. 

12. GLOSSARY: 

The attached glossary explains the important terms to help you better understand this document.

Version: 29 August 2025.

APPENDIX 1 – Glossary and definitions

Some useful terms and definitions:

"Algorithm" means a computational procedure or set of instructions and rules designed to perform a specific task, solve a particular problem, or produce a machine learning or AI model.

"Anonymization" means the process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual.

"Automated processing" means a processing operation that is performed without any human intervention.

"Caching" means the saving of local copies of downloaded content, reducing the need to repeatedly download content.

"Cookie" means a small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already.

"Data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"Data controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.  

"Data minimisation": The principle of “data minimisation” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is necessary to fulfil that purpose. 

"Data processor" means a natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller.

"Personal data" means any information that relates to an identified or identifiable living individual (e.g. name, address, email, etc). Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data (e.g. location data, IP data, ID number, etc). Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

"PEP" (politically exposed person) means any of the following persons: (i) head of state, head of government, minister, deputy minister or state secretary, (ii) member of Parliament or member of a similar legislative body, (iii) member of the board of a political party, (iv) member of a Supreme Court, Constitutional Court or other high-level court that gives rulings against which, except in exceptional circumstances, no appeal is possible, (v) member of a court of audit or a board of directors of a central bank, (vi) ambassador, agent or senior officer of the armed forces, (vii) member of the management, supervisory or administrative bodies of a state-owned company, (viii) director, deputy director, member of the board of directors or person holding an equivalent position at an international organization, or (ix) any of their family members (child, sibling or parent) or their spouse or partner.

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

"Travel provider" (or "travel partner, "supplier") means the provider of a travel (related) product or service (such as airline, car rental, accommodation provider, attraction, security/border controls and assistance (e.g. immigration, airport security, priority lane, travel assistance), travel agent, tour operator, corporate travel provider, etc).