Personal Data Collected and Reasons
Ecotravel maintains a database with the registration of its customers/visitors and this information is stored for 20 years, after the first contact. The data presented in this database are entirely the data provided by the customers themselves at the time of their booking or later requests for booking purposes and it is collected under the terms approved by the National Data Protection Commission by Ecotravel, the entity responsible for the file, with headquarters at Rua do Passeio Alegre, no. 20 - 4150-570, Porto, Portugal.
When the customer makes a reservation or a booking on this website, Ecotravel automatically registers certain personal data that the customer consented. The type of data saved will be information such as "name", "contact" and/or "email address". In some cases, we may need more sensitive personal data such as: "citizen's card number and/or passport number". All information about personal data requested serve exclusively to organize the requested tours or tourist services. All personal data provided will be treated as being of a "sensitive" nature and, therefore, deserve the utmost respect and care from Ecotravel.
Regarding to online bookings, the customer can make the payment by credit card VISA/Mastercard online. For this reason, the customer will be redirected to the Redunicre website, a partner and certified entity that processes payments, where you will be asked to enter your card details. Consequently, Redunicre and our bank are the only entities that process the data of the customer's card and guarantee the transmission of encrypted data. Ecotravel only receives the information with the result of the authorization and instructions to proceed with the order.
In no circumstances we can ask about philosophical or political beliefs, party or trade union affiliation, religious belief, private life and racial or ethnic origin, as well as data on the health or sexual life (including genetic data) of customers. When you are organizing the requested trip, the customer can provide us other important information, such as dietary requirements and food intolerances, medical conditions, disabilities or other special information similar to previous ones, in order to ensure that specific needs are met.
Thus, Ecotravel guarantees that it has implemented and will continue to develop the mandatory measures of technical and organizational nature to ensure the security of the data that is provided, in order to prevent its alteration, loss, unauthorized treatment and/or access, being aware of the sensitive nature of the data stored and the risks to which they are exposed.
If the customer wishes to exercise the rights of access, rectification, cancellation or opposition that the GDPR grants them, it can do it through the website or send an email to email@example.com.
Other Ways to Obtain Personal Data
Ecotravel also reserves the right to collect personal data in the following circumstances: if the user responds to a promotion through this website, if he completes a questionnaire, subscribes the newsletter or other Marketing material, reports a problem, among other situations similar to the previous ones. In this case, we may keep a record of your email address, with the option of “unsubscribe”. Or, alternatively, you can send us an email to firstname.lastname@example.org.
Personal data obtained by outsourced sources:
In addition to this data provided by the user/customer, we may receive information from other suppliers and certified partners, to whom we point the responsibility to ensure the full compliance with the privacy policies required by the GDPR.
- if you book one of our programs through a travel agent or third-party tour operator, certain personal data (as applicable to your booking) will be shared with Ecotravel in order to provide the services that the customer has requested (even if this commercial relationship doesn’t come to an end);
- if the customer provides us feedback through a social media channel or other feedback tool or software, the feedback (but not the personal data) will be processed by that company and shared with Ecotravel;
- if you contact Ecotravel at [+351] 226 191 090, our telephone management software partner keeps a record and shares the information exclusively with Ecotravel. The data collected are: "telephone/mobile number", "date" and "duration" of the call, "network information". If you contact us through any of the phones/mobile phones available in the company, your number may be associated with your booking/request (if there is no business relationship, the number will be forgotten);
- if you contact Ecotravel through the conversion window on the website (Zendesck Chat), this partner will retain the history of your conversations with Ecotravel through this software, the number of visits to the website, the page of the website where you are, your computer system, IP location and duration of your visit to the website. This guarantees to share solely with us the personal data of our users;
- we may also record your visits to this website, including (but not limited to) traffic data, location data, IP address, operating system, and browser type. These are statistical data about the actions and the navigation standards of our users and does not identify any individual.
Transfer of the Obtained Personal Data:
When a customer fills out a form on our website and/or ends the booking process with Ecotravel, some personal information provided will need to be transmitted, processed and stored by relevant third-parties, such as:
- travel partners such as airlines companies, airports, hotels, insurance companies and ground support agents, tour or fluvial operators, among other touristic services suppliers related to the request. Some of these third-parties may be located outside the European Economic Area, and these organizations may not be subject to the same level of control as the European GDPR;
- data and technology management partners that enable us to administer the services we provide (external CRM for organizing/monitoring leads and for improving the experience of customers; and Optitravel - billing tool agency management software);
- credit card or ATM payment facilitators, which help us to process customer payments and to assist us in detecting and preventing fraudulent payments or bookings (Redunicre, IfThenPay, EasyPay and Pagtur);
- email Marketing platforms, ensuring the encryption of our databases, which include subscriber "name" and "email address";
- government agencies or other authorities in Portugal (or in other countries) in order to ensure the safety of one's own and other passengers. At this point we include immigration, border control, security and anti-terrorism officials. Even if it is not mandatory to provide information to these authorities, we may exercise our right to assist them when we deem it appropriate.
Treatment and Storage of Personal Data
Some personal data obtained by registering on our website or given by customers who have established a business relationship with Ecotravel will need to be processed and stored in secure and certified systems, as a result of a combination of our own protected systems and supplier’s reliable systems.
The personal data that we store are treated with the legally required degree of protection to guarantee its security and prevent its alteration, loss, treatment or unauthorized access. For this purpose, we use backups in Google Drive and Network Attached Storage (NAS), a device that stores and shares data from multiple computers that can be accessed remotely.
The registrations on our website are also encrypted, following GDPR standards, in peripheral control technical infrastructures, namely by network firewalls, private circuits and VPNs that comply with security requirements. The computer servers are located in a Datacenter operator, which performs a digital information protection service of the hosted servers. The service includes backup of files, their conservation according to the defined policy and the restore at Ecotravel's request.
Ecotravel hereby commits itself to:
- safeguard the personal data provided to it by means of legally enforceable security measures of a technical and organizational nature that guarantee its security, thus avoiding its alteration, loss, treatment or unauthorized access, in accordance with the technology used at any given moment, the nature of the data and the possible risks to which they are exposed;
- use or apply the data obtained exclusively for the purposes duly authorized and for which the customer consented;
- ensure that data are handled only by workers whose intervention is necessary for allowing the service, and they are bound by the duty of secrecy and confidentiality. If the the information needs to be disclosed to third-parties, they are obliged to preserve the confidentiality.
Use of Personal Data in Marketing
If you do not make a booking or ask a request with Ecotravel, we will only send you information and offers by email if you subscribe our newsletter (double opt-in), to receive our information and/or promotions. In this way, only users who have expressly agreed to receive marketing material will be in these databases.
This personal data ("name" and "email address") is shared with a secure and certified external platform, from which we manage the database and send out Email Marketing. We will not share this data to third-parties with whom we do not have protocol, which do not guarantee us the security and encryption of the database and which are not Email Marketing and Marketing Automation companies. We imply to our partners the strict follow-up of the GDPR standards, the confidentiality of the stored data and it is clearly forbidden to divulge them.
If you choose not to receive more Marketing information, you can unsubscribe from the newsletter and, consequently, it will be automatically erased from our databases for Marketing purposes.
Retention of Personal Data
Rights of Individual Relative to Personal Data Provided:
Any user or customer that provided your personal data has several rights with respect to the information that you have granted, in accordance with the RGDP law, such as:
- right to access your personal information: at any time, you have the right to request access to your personal data maintained by Ecotravel, free of charge. We may require proof of identity and sufficient information about your interactions with us, in order to find your information. If someone makes the request on your behalf, that person will have to provide written and signed confirmation that you have been given authority. We reserve the right of not providing you with a copy, if it includes personal information of other people or if we have a legitimate reason to retain it;
- right to correct and update your personal information: the accuracy of your information is important to us. Thus, at any time, you may change your name or email address (or other relevant personal information) by sending us an email to email@example.com or by contacting us (+351 226 191 090);
- right to withdraw consent: at any time, the customer/user can revoke their consent and prohibit us from using hist data. If you wish to withdraw your consent to receive any direct marketing by which you have previously consented, you may remove your subscription by clicking the unsubscribe button on our newsletters. Alternatively, you can send us an email to firstname.lastname@example.org or get in touch with us. If you wish to withdraw your consent for the processing of any special category of special data, you must contact our team (email@example.com or +351 226 191 090). We advise that if you want that we stop processing this information during your booking or trip, this means that we may not be able to provide all or part of the services you requested. Consequently, if we have to cancel your reservation or other booking, you may have to pay the respective cancellation fee;
- right to delete your personal information or restrict its processing: you may request us to remove your personal information from our systems by email or in writing. Since we have no legitimate reason (legal and commercial basis) to continue processing or maintaining your personal information, we will make reasonable efforts to fulfill your request as quickly as possible. While we may not permanently remove your information as quick as you wish (for software delays or other similar issues), you may request to restrict the processing of your data. If the processing is restricted, we can only use your personal information if we have your prior consent or if we are legally authorized to do so. In order to simplify the removal of your personal data, we are developing a tool that allows the automatic removal of it;
- right to transfer your personal information to a structured data file: at any time, you can ask us to send your personal data directly to another service provider. And we will do so if this is technically possible for us. We reserve the right of not providing a copy of your personal information if it contains personal data of other people or if we have another licit reason to withhold such information;
Our Approach to Personal Data Security
While we do our best to protect your personal data, and always acting according with strict GDPR standards, the transmission of information over the Internet is not entirely secure. Therefore, we cannot totally guarantee the security of your data transmitted to our website. When we receive your information, we take all reasonable and legal steps to mantain your personal information protected and to try to prevent any unauthorized access, use or loss of your data, implementing appropriate security measures and limiting access, including internal access. All information that you provide is stored on our secure servers and any payment transaction will be encrypted using TLS technology. We do not store customer card data, and when we give a password (personal and non-transferable) to a customer to access a reserved area of our website, he must save it and he will be responsible for keeping this password confidential.
In addition, if we detect any breach or suspicion about violation of personal data, we will notify the competent authorities immediately, as required by law.
Links from Our Website to Other Websites
The cookies that we use do not extract information from the user's hard drive, do not steal personal information, or do not read cookie files created by suppliers/competitors.
These are cookies that are essential for the properly work of the website and allow customers to make a booking or to check the availability, permitting us to access the booking requests.
_ga, _gat, __utma, __utmb, __utmc, __utmz
Statistics Cookies: they mantain anonymous data about the use of our website, in order to analyze and improve the service provided.
_hjClosedSurveyInvites, _hjDonePolls, _hjMinimizedPolls, _hjDoneTestersWidgets, _hjMinimizedTestersWidgets, _hjIncludedInSample
Statistics Cookies: mantain details of visitor behavior patterns anonymously and randomly.
SID, LOGIN_INFO, PREF, SSID, HSID, VISITOR_INFO1_LIV
Cookies used by YouTube to store user preferences and some of them contain enough information to be followed.
Google Adwords and Remarketing by Google
Cookies used in online campaigns.
Conversation Cookies: Cookies to store "Zopim Live Chat" (Zendesk), used to provide a live service window on our websites. It requires the use of two types of cookies: identification of the device during the visits and to store user preferences.
Purpose of the Personal Data
Personal data is obtained for the following purposes:
- activity linked to a travel agency or tour operator;
- provide important information to suppliers chosen for the service requested by the customer;
- send SMS messages with intentions exclusively related to the booking and trip’s logistics;
- management, administration, extension and improvement of services in which the user decides to subscribe and register;
- study of users' use of the services;
- verification, update and development of statistical systems and analyzes;
- advertising, promotion and commercial prospecting activities if duly accepted by the user.
The user/customer of the website www.cruzeiros-douro.pt/en allows Ecotravel to treat the personal data. In addition, the user expressly agrees that personal data may be transferred to:
- national and international authorities responsible for tourism, terrorism or crimes against human rights for their own security purposes;
- any legal entity affiliated or owned by Ecotravel or the tourist companies that provide the contracted service, being obliged to use it only for a correct execution of each service requested by the customer;
- any third-party certified that complies with the GDPR standards, in order to guarantee the security of the personal data, the management and organization of the booking and customer process and platforms associated with Marketing activities.