First things first,
who are we?
Hello! We are Vacaciones eDreams S.L., known by you as this Platform’s branding name. When this
Privacy Notice mentions “we”, “us”, or “our”, it refers to Vacaciones eDreams, S.L. acting as
Our privacy promises:
- We value your privacy & data security
- We use data for your best travel experience with us
- You control your data
- Several Platforms, one Privacy Notice
Vacaciones eDreams, S.L. is a Spanish based company, with tax ID number ESB61965778. You can
contact us through our Privacy Form for any data protection matter.
Thank you for using our Platforms. Your trust is the most important value to us, that is
why in this Privacy Notice we are going to show you our responsibilities regarding the
privacy and security of your data. The only thing you have to do is read it, and if you have
any questions related to it, you can tell us about it in our Privacy Form.
After that, you’re all set to book your next
adventure through us.
We have prepared this definitions section that will help you better understand this Privacy
Automated Decisions: decision-based solely on automated processing,
including profiling, which produces legal effects concerning him or her or similarly
significantly affects him or her (as defined under Article 22.1 EU General Data Protection
Note: As you will find explained below, we don’t make Automated
Data Controller: anyone responsible for determining
the purposes and means of processing your data.
Note: We are the Data Controllers of
your data in the terms described in this Privacy Notice. If you choose to book a ticket
through our Platforms, we will be sending your data to another Data Controller – the carrier
or the provider of other services (e.g. booking partners or the global distribution
systems), who will again use your data for their own purposes and based on their own means,
as described in their own Privacy Notices (which is published on their website). You can see
below the overview of Data Controllers categories with whom we might share the data. In any
case, the disclosure of your data to any service provider will be done in accordance with
the applicable laws. Each Data Controller is responsible for your data and, in case of an
incident within its scope, must handle it and respond appropriately, as per the applicable
Data Processor: a third party that only helps to achieve the
purposes determined by the Data Controller.
Note: We as a Data Controller use many
third-party services to which we outsource some parts of our activities that we don’t do
ourselves for various reasons such as cost-efficiency. A Data Processor is only allowed to
process your data according to our documented instructions, and in compliance with the
applicable law, so we are still in charge of your data, and they will not be able to process
your data for any incompatible purpose.
Lawful Bases: Processing
of your data shall be lawful only if at least one of these bases applies (Article 6 GDPR).
Note: For the six lawful bases covered in the law, we will essentially rely on Consent,
Contract, Legal Obligation or Legitimate Interest. However, exceptionally, we might
rely on Vital Interest or Public Task. You can find more information below.
Personal Data (in this Privacy Notice also referred essentially as “your
data”): any information relating to a directly or indirectly identified or
identifiable to you, as a natural person.
Platforms: all the
services (websites, apps, call centre, etc.) that facilitate interactions between you and
Sensitive Personal Data: data related to racial origin,
ethnic group, religion, health, sexual orientation and biometric data constitute special
categories of data (as defined under Article 9 GDPR).
Note: As you will find explained
below, we shall not process Sensitive Personal Data normally.
Countries: countries in which the GDPR regime is not applicable. Currently, by
Third Countries, we mean all countries that lie outside of the European Economic Area (i.e.
outside the European Union, Iceland, Liechtenstein and Norway).
Who is the Data Protection Officer?
We have a common Data Protection Officer who watches over all processing carried out with respect
for your privacy and the applicable regulations at all times.
You can contact the Data Protection Officer’s team through our Privacy Form to exercise any data protection right, to solve all
the questions you may have regarding the processing of your data and/or for any data
protection issue you would like to discuss with us. Please, note that we may ask you to
verify your identity and request before taking further action on your request.
Why do we process your
The main purpose is to offer you travel related mediation services . This includes
During the purchase process, we ask you only for the data that we need to provide you with our
mediation services to contract travel products. The booking process can be done on any of our
This includes completing and managing your booking, sending you communications by email, call
or SMS in relation to your booking (e.g. confirmations, modifications and reminders),
allowing us to respond to your queries. Such communications could be managed by us or by our
We endeavour to show to you the most relevant travel data and help you
in a personalized manner with your booking and post-booking.
We might save your data for
future bookings to make it easier for you to finish a booking with us.
Please, bear in
mind that the identification data we use is going to be your email that you introduce in
your booking or account.
Lawful bases: #Contract #Your Consent #Legitimate Interest
You can create a user account on our
Platforms. We use your data to manage your account and with the objective to show you the most
relevant travel booking and post-booking experience, allowing you to do many useful things, as
covered in the General terms and conditions
We might save your data for future bookings to make it easier for you to finish a booking
with us, and recognize you when visiting our Platforms again, in order to improve your user
experience. We will safely store your data for payment purposes, for example, for the Opodo
Prime subscription fee.
Lawful bases: #Contract #Your Consent #Legitimate Interest
We may offer you other travel-related
services based on our role as a travel agent.
This Privacy Notice shall apply to such data processing based on other travel-related
services provided by us. During the contracting process, prior to or when filling in the
data, we will inform you if there is any specific information that you should know apart
from the one already covered in this Privacy Notice.
Lawful bases: #Contract #Your Consent #Legitimate Interest
Apart from the communications already
mentioned in the “Booking” subsection, we can get in touch with you by the different means
provided by you, and for the following purposes:
To respond to any query or request from you or any travel provider and handle it. We
endeavour to maintain our best levels of customer service and we are attentive to the
personal situation of each of our various customers in order to personalise our services.
To try to remember your search and contact you only once, in case you have not
finalized a booking online, as we believe that this additional service benefits you, by
allowing you to carry on with a booking without having to fill in your reservation details
To inform you how to contact us if you need assistance while you are away or
other data that we feel might be useful to you in your planning or getting the best of your
trip, or data of upcoming trips or a summary of previous bookings you made with us.
We may need to send you other administrative messages, which may include security alerts.
To invite you to provide a review of your experience or the travel provider, when
you use our services, or to take part in market research with us. Please, bear in mind that
this feedback may be available to other customers to help them make decisions about a
product or a service. In case you agree to take part in market research, we will explain the
data collected and how it would be further used.
Lawful bases:#Legitimate Interest #Your Consent
We use your data for marketing purposes.
To send you regular news of travel-related products and services. You can unsubscribe from
email marketing communications easily and at any moment, just by clicking on the unsubscribe
link included in each newsletter or other communication.
To administer any
promotional activity where you participate. When you book with us, you are subscribed to our
newsletters, unless you say otherwise before confirming your booking. Anyway, remember that
you will be able to unsubscribe at any moment in each commercial communication, by clicking
on the footer unsubscribe link.
We may show you customized offers on our Platforms
or third-party platforms (including social media sites) and the content of the site
displayed to you may be personalized. Such offers can be booked on our site, on co-branded
sites, or other third-party offers or products we think you might find interesting.
Call and chat recordings
Lawful bases: #Legitimate Interest #Your Consent
We may process calls and online communications
for quality control, analytics, staff training and legal dispute purposes when you contact our
Our staff may ask for authentications, ensuring that your reservation details are kept
Not all calls or chats are recorded and recordings are kept for a
limited amount of time and automatically deleted thereafter (unless we have a legitimate
interest to keep such recordings for a longer period, including fraud investigation and
Please, bear in mind that, when using a third party's feature, this
third party may act as an independent Data Controller or as a Data Processor as per its
corresponding Privacy Notice.
Improving our services or developing new services
Lawful basis: #Legitimate Interest
We use data for analytical
This is part of our drive to enhance the user experience, but can also be used for testing
purposes, troubleshooting and improving the functionality and quality of our online travel
services. The main goal here is to optimize our online Platforms to your needs, making our
site easier and more enjoyable to use. We strive to use pseudonymized or anonymized data for
these analytical purposes.
Promotion of a safe and trustworthy service
Lawful bases: #Legal Obligation #Legitimate Interest
In order to create a trustworthy
environment for you, your fellow travellers, our business partners and our travel providers, we
may use data for the detection and prevention of fraud and other illegal or unwanted activities,
as well as for security purposes (e.g. authentication of users and bookings). For such purposes,
we may have to stop or put on hold certain bookings.
Lawful bases: #Legal Obligation #Legitimate Interest
In certain cases, we may need to use your
data to handle and resolve legal disputes, for regulatory investigations and compliance, to
enforce our General terms and conditions or to comply with lawful requests from law enforcement.
Which lawful basis do we rely on?
The main Lawful Bases commonly used are #Your Consent
#Contract #Legal Obligation
- Your Consent: you gave consent for a specific use of
your data. We will always obtain Your Consent to collect and process your data
unless another Lawful Basis applies. We will provide you with transparent information at
the time that consent is obtained. This information will be provided in an accessible
form, written in clear language. If the data is not obtained directly from you, then
this information will be provided to you within a reasonable period after the data has
- Contract: you have a contract or pre-contract with us. As
an example, when booking an airline or hotel with us, we need relevant data to process
- Legal Obligation: we have a Legal Obligation.
Normally, accounting and tax regulations request to store necessary data for compliance
- Legitimate Interest: It’s in our legitimate interest, and
it is judged not to affect your rights and freedoms in a significant way.
Other lawful bases, only exceptionally used:
- Vital Interest: You or a third party have a vital
interest. We will not normally process data based on this legal basis, but if we do, we
will let you know.
- Public Task: We have a public task to perform. We will not
normally process data based on this legal basis, but if we do, we will let you know.
We don't make Automated Decisions
We don't make Automated Decisions based on profiles, beyond the legitimate interest of fraud
prevention and the customization of your user experience, marketing and advertising.
In any case, such an Automated Decision will not produce legal effects or similarly
significantly affect you.
In case we shall make any Automated Decision we will apply
all appropriate measures and inform you.
What types of data do we
There are different origins where the data mainly can come from Data you give to
us & Data we collect from you The following are categories of
data relating to a person (categories are not exclusive, data may transcend multiple categories):
Identification & Contact data
Data you give to us Data used to identify you as a natural person
and/or data we use to contact you.
For example, your name, surname, gender, nationality, billing address, date of birth, email
address and telephone number
Please, bear in mind that your email will be your
identity data. We will be able to link your data based on your email.
Account & Settings data
Data you give to us Data that you generate while using your account.
For example, email and password (we never store the passwords in a non-encrypted form), price
alerts, search history, specific settings, preferred choices and other details saved in your
account. This also applies if you have an eDreams Prime account.
Data you give to us Data that you give us to execute the payment.
Usually, this means the payment card details. For example, credit card number, cardholder
name and expiration date (we never store the credit card data in a non-encrypted form).
Travel related data
Data you give to us during the booking process, all that you choose in
the order form and what you later change or purchase as an addition to the original order.
For example, number and expiration date of the ID and/or Passport, contact data, travel
preferences, boarding passes or e-tickets.
Please, bear in mind that in the case you
provide data from travel companions, you should have previously obtained the consent of
other individuals before providing us with their data and travel preferences, as any access
to view or change their data will be available only through your account or email.
Data you give to us Data we collect from
you Data from all of the text and voice communications exchanged between you and us
in connection to your requests.
For example, customer support cases, metadata and notes generated by our systems and agents.
Browsing & Device data
Data we collect from you Data that we may automatically collect from
your device when you visit our Platforms.
For example, IP address, browser type, internet service providers, geographic location,
technical data about the device, pages accessed and links clicked, the time and duration of
request and visit, the method used to submit the request to the server.
note that we may associate this data with your account.
Some of this data may be
collected by using different types of Cookies or similar technologies. For more information,
please find our Cookies Notice.
Why don’t we process Sensitive Personal Data?
We strive to limit the circumstances in which we collect and process Sensitive Personal Data.
Please avoid providing us with Sensitive Personal Data unless it is strictly necessary and
One example for which we may collect and process such data would be if exceptional
circumstances arose, such as a health emergency, where we might offer you the possibility to
provide us with any relevant data in order to share it with the corresponding airline
booked, for example, so as to smooth the check-in process or due to mandatory reasons.
In any case, the corresponding appropriate security measures will be implemented to
protect your Sensitive Personal Data in line with this Privacy Notice.
Additionally, you may ask us to inform the airline, the hotel, etc. of a special service
(such as a menu or an adapted room) which does not in itself constitute Sensitive Personal
Data but which may imply or suggest data about your religion, health or other related data.
In any case, this information will not be mandatory to provide in any of our booking
funnels, so you are free to either provide it or not.
What happens with the data belonging to children?
Our services aren’t intended for minors, as described in our General
terms and conditions
Minors may only use the service with the involvement, and approval of a parent or legal
guardian. The limited cases where we might need to collect data would be as part of a
booking, the purchase of other travel-related services, or in other exceptional
circumstances (such as features addressed to families).
If we become aware that we
have processed the data of a child without the valid consent of a parent or guardian, we
will delete it.
Data we collect from third parties
We lawfully obtain data about you from business partners and other independent third-party
sources (e.g. contact data such as email, purchase or demographic data).
Who will be the
recipients of your data?
We might have to share your data with third parties which might normally act as Data controller or Data Processor depending on
their circumstances (i.e. on their purposes and type of data they process, their relationship with
them, you and us, their responsibilities under the law, etc.). We are selecting hereinbelow their
In order to provide you with our services, we need to share your data with third parties. We will
define and regulate the data transfer or processing contractually when required by law with the
appropriate security measures.
- Travel service provider you booked with Data
controller (e.g. airlines or carriers, hotels, car rental companies, travel
insurances, claims management service providers, travel business partners, etc.). In our
Platform there might be services fully or partially provided by our travel business
partners. Travel business partners’ Privacy Notices shall apply, and when so, you
will find a link to them in the booking funnel.
- Other travel service providers which are necessary or provide an added value
for the performance of our services Data controller Data Processor (e.g. the global distribution systems or
computerised reservation systems, booking and ticketing agents, tour operators, travel
meta searchers, etc.). They make it possible to offer you our services and help us in
making all endeavours to have the best alternatives at the best price.
- Customer services and support tools Data
Processor (e.g. customer communication tools, call centre agents, etc.). We
work with customer support providers and tools in order to respond to our requests and
manage the communications with you if needed.
- Payment and fraud services Data controller
(e.g. payment processors, banks, fraud prevention and chargeback management services,
etc.). When you pay in our Platform (as in any other) a set of long chains of technical
operations need to happen before the payment request is accepted by your bank and
notified to us. We use service providers to detect fraud risks.
- Information security services Data Processor.
We work with information security services to protect your data.
- IT infrastructure providers Data Processor
(e.g. hosting service providers). They help us provide you with an available and secure
- Software solutions and engineers Data
Processor. Software solutions and engineers help us work on a day to day
basis and to continue improving our services.
- Analytical service providers Data
ProcessorThey provide us with the necessary data to understand the use within
our Platform, see if there are any bugs or decide how we can improve our services.
- Customer Relationship Management and marketing solutions Data Processor Data Controller. They
allow us to manage customised commercial communications. Some of them also help us
display customised ads throughout the internet.
- Social platforms Data Controller. When login
with your social media, clicking on a social media “like” button integrated
into our Platforms by plugins, or using any social media services to interact with us,
your data can be shared between us and the social media providers (e.g. your user names,
email address, profile pictures, your contact, etc.).
- Finance, administrative and legal services and tools Data Processor Data Controller(e.g.
accounting systems, legal service providers, collection agencies, corporate insurances,
Our group companies
We share your data within our group companies for internal purposes relating to management
In particular, we centralize the processing of your data through the Spanish subsidiary
eDreams International Network, SLU, acting as a joint Data
controller and main establishment for data protection matters.
processing carried out within our group, is made under the same level of security
requirements and will be processed exclusively for the same purposes for which the data had
been collected, according to the applicable laws.
We might disclose your data to law enforcement insofar as it is required by law or is strictly
necessary for the prevention, detection or prosecution of criminal acts and fraud or if we are
otherwise legally obliged to do so, which will act as #Data Controllers.
We may need to further disclose your data to competent authorities to protect and defend our
rights or properties, or the rights and properties of third parties.
(transparently informed to you and with Your Consent to the disclosure, where applicable).
These recipients might be outside the EEA, implying international data transfers. For
more information on this, please check the next section.
How do we protect your
While no online service can guarantee absolute security, we design our systems and devices with
your security and privacy in mind. We work to implement appropriate technical and organisational
measures to ensure a level of security appropriate to the risk, including for example the
- We apply pseudonymisation and encryption of personal data, when appropriate. For
example, when handling payment data, we comply with the Payment Card Industry Data
Security Standards (PCI DSS) or when using our online Platforms your data is sent
through a secure connection using Hypertext Transfer Protocol Secure (HTTPS) that
encrypts your data through the Internet, avoiding anyone to steal your information in
- We work to provide confidentiality, integrity, availability and resilience of
processing systems and services. We have physical, electronic, and procedural security
measures in place regarding the collection, storage, and disclosure of your data. Our
security procedures mean that we may ask you to verify your identity before providing
you with confidential information, and our Platforms offer security features that
protect against unauthorized access and data loss.
- We make endeavours to be able to restore the availability and access to personal data in
a timely manner in the event of a physical or technical incident.
- We implement a process for regularly testing, assessing and evaluating the effectiveness
of technical and organisational measures for ensuring the security of the processing.
We will keep your data for as long as we deem it necessary to enable you to use our services, to
provide our services to you, to comply with the applicable laws, resolve disputes with any
parties and otherwise as necessary to allow us to conduct our business (including, to detect and
prevent fraud or other illegal activities). All your data we retain will be subject to this
Usually, we process your data for a maximum period of five years, since your last trip or any
further action related to it ended or since you performed your last action while logged in
with your account for the purposes described above.
Other specific terms might
apply, such as a maximum term of three years for accountability purposes regarding data
protection related interactions, or a maximum term of ten years for tax and accounting
If you provide us with your contact email address, but then you are unable
to finish your booking, we will keep your email address only temporarily and, in any case,
for a maximum period of seven days to help you with the booking if you are still
For the purpose of customized offers, you will periodically get email
offers from us, and in every email, there will be a clear and easy way to unsubscribe and
therefore object to this type of processing. We will keep and use your data for this purpose
until you unsubscribe.
Regarding Cookie duration please check our Cookie
International data transfers
Our servers are located within the European Union. However, to facilitate our global operations
(i.e. by means of service providers) the transmission of your data to the recipients described
above may include transfers of your data to third countries whose data protection laws might not
be as comprehensive as those of the countries within the European Union.
to recipients in countries, we rely on the decision of the adequate level of protection, on
appropriate safeguards, or on the exception of (pre)contract necessity or any other which might
apply from time to time.
Any service provider (such as the airline) acting as Data Controller will process your data
in accordance with its own Privacy Notice and will be fully responsible for processing your
The disclosure of your data will be done, when applicable, in accordance with
the applicable laws and that appropriate safeguards (in particular, the standard contractual
clauses issued by the European Commission) are in place to ensure an adequate level of
protection of the privacy and fundamental rights of individuals.
What further efforts can you easily do to protect your data?
We make serious efforts to care for and protect your data when you share it with us. Below you
can find some recommendations on how to keep your data safe on your side.
Do not share your Booking ID
When you make a booking you will be
furnished with a Booking ID. This reference will be included in your booking confirmation
Please, always keep your Booking ID confidential. If you share it with third
persons, they might access your data. If you travel with others and you do not want them to
have access to your booking data it might be advisable that you carry out your booking
separately. For example, we recommend you not to share this data or any other relating to
your trip in social media.
Do not share your account data with anyone and
use a unique and strong password
To make sure that access to your
account on our Platforms is safe please do not share your log-in data with anyone.
When you finish using our Platforms, please make sure to log out of your session if someone
else might access your device. Avoid connecting using your account from non trusted devices
or networks like the ones in hotels, libraries or cyber coffees. If you do, please do not
forget to log out once finished.
It is important that you protect yourself against
unauthorized third-party access to your password and to your devices. We recommend that you
use a unique strong password for your account that you do not use for other online accounts
and you should renew it every reasonable period of time, such as once a year. Malicious
actors may try to connect to your account using stolen credentials from other (non related
to us) services.
Of course, apply the same approach for your email account, by
using unique strong credentials (as is our secure touchpoint to send you “reset link
Be cautious and protect yourself from internet fraud
Please, always double check the sender of
the emails and the links or documents attached to them. If you don’t trust or have
doubts, do not open the attachments nor click on the links.
There is a broadly
spread type of internet fraud practice known as “Phishing” aimed to illegally
obtain your data by deception or by installing malware on your device and stealing your
“Phishing” are unsolicited emails that lead you to
insert or confirm your passwords or bank details in a false or cloned website. Also, they
try to make you download documents with malware, or install malicious software in your
computer that will be used to steal your information, like your credentials.
fraudsters pretend to be somebody of your trust, a bargain, somebody that needs urgent
action from you, etc.
Be aware that we will not contact you or request for data or
any actions from you through Whatsapp. If someone is contacting you through Whatsapp or a
similar communication system, saying that is us, don't rely on it, block it, and consider
reporting it to the police.
Use only original software
You may want to download our applications from alternative markets. Applications
on those markets are not uploaded by us, so they may contain malware used to steal your
Please use only the oficial applications from Google Play or Apple App
How can you control
We want you to be in control of how your data is used by us. You can do it in different ways:
Managing your account data
You may access and update some of your data through your account settings or Customer Services.
Exercising your data protection rights
Rectify your data
You have the right to ask us to correct inaccurate or incomplete data about you (and which
you cannot update yourself with your account settings or through our Customer Services).
Access or port your data
You may request information relating to your data and copies of such data.
also be entitled to request copies of the data that you have provided to us in a structured,
commonly used, and machine-readable format where technically feasible.
Erasure or block your data
You may request to have your data deleted. We may not be able to erase it due to the fact
that the data processing may be necessary for the performance of the contract between you
and us, for our legitimate business interests (i.e. fraud prevention, security-enhancing),
to comply with our Legal Obligations (i.e. legal reporting, auditing obligations). In
any case, we will immediately erase it when we can do so. Because we protect our services
from accidental or malicious loss and destruction, residual copies of your data may not be
removed from our backup systems for a limited period of time (within a week).
Object or limit the use of your data
You may require us not to process your data for certain specific purposes (including
profiling) where such processing is based on legitimate interest, such as, for direct
marketing. If you object to such processing, we will no longer process your data for these
purposes unless we can demonstrate compelling legitimate grounds for such processing or such
processing is required for the exercise or defence of legal claims.
Withdrawing Your Consent
If we are processing your data based on Your Consent you may withdraw Your Consent
at any time, specifying which consent you are withdrawing. Please note that the withdrawal
of Your Consent does not affect the lawfulness of any processing activities based on
such consent before its withdrawal.
Exercise your rights through our Privacy Form.
You can also contact the Spanish Data Protection
Authority or any other applicable supervisory authority.
Depending on your local applicable regulations applying, we are providing additional information.
Please review if applicable.
Our UK Representative is Opodo Limited with tax ID number 766445988. Contact us through our Privacy Form, to exercise a specific right or for other data protection
comments or suggestions.
Depending on which state you reside in, different laws might apply (such as California or
Contact us through our Privacy Form (see the previous section), to exercise a specific right
or for other data protection comments or suggestions.
We allow third parties to collect
your data through our Platforms and share it with third parties for the business purposes
described in this Privacy Notice (including without limitation advertising and marketing on our
Platforms and elsewhere based on users’ online activities over time and across our Platforms,
services, and devices). Remember that you can block certain Cookies, for these purposes, as
described in our Cookies Notice.
Updates and previous
We might amend this Privacy Notice from time to time to make sure it’s up-to-date. Do not hesitate to
visit this page regularly and you will know exactly where you stand. We will note the date that
revisions were last made to this Privacy Notice at the bottom of this page, and any revisions will
take effect upon posting.
Last Updated: December 2021
2019 - November 2021