Privacy Policy

1.1 Introduction

EXC Tours ("We," "Us," "Our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, store, and protect the personal data of users ("You," "User") of our website https://exc.tours/ (the "Website") and the services offered through it, in compliance with applicable data protection laws, primarily the UAE Federal Decree Law No. 45 of 2021 Regarding the Protection of Personal Data ("PDPL").

This policy applies to personal data collected when you browse our Website, make inquiries, book tours or services, or otherwise interact with us online.

1.2 Data Controller Information

The entity responsible for the processing of your personal data (the Data Controller) under the PDPL is:

For any privacy-related questions, concerns, or requests to exercise your data protection rights, please contact us at:

Email: [Insert Dedicated Privacy Email Address, e.g., [email protected]]

Phone: [Insert Contact Phone Number, optional]

Address:

Data Protection Officer (DPO):

[Option 1: If DPO is appointed] We have appointed a Data Protection Officer (DPO) who can be contacted at [Insert DPO Contact Details].

[Option 2: If DPO is not mandatory/appointed yet] While not currently mandated for our scale of operations under PDPL 14, we take data protection seriously. For inquiries, please use the contact details above. [Consider appointing one proactively as operations grow or if processing sensitive data like dietary needs, which could imply health/religion 2, becomes regular, aligning with best practices 17].

1.3 Personal Data We Collect

We collect personal data that you provide directly to us, data collected automatically when you use our Website, and data obtained from third parties like our payment processor. The types of personal data we collect include:

  • Information You Provide:
      • Contact Information: Full Name (First Name, Surname), Email Address, Phone Number.
      • Demographic Information: Country of Residence.
      • Booking Information: Details of the tours or services you book, dates, number of participants, and any specific requests or preferences you provide (e.g., dietary requirements 2, special assistance needs). Note: Certain requests like dietary needs might inadvertently reveal sensitive personal data (e.g., related to health or religion).16 We process such data only as necessary for the booking and with appropriate care, relying on your explicit provision of this information as consent where required.
      • Communication Data: Records of your correspondence with us (e.g., emails, chat logs).
  • Information Collected Automatically:
      • Usage Data: Information about how you interact with our Website, such as pages visited, time spent on pages, links clicked, and referring website addresses.
      • Device and Connection Information: IP address, browser type and version, operating system, device type, unique device identifiers.18 This data is often collected via cookies and similar technologies (see our Cookie Notice for details).
  • Information from Third Parties:
      • Payment Information: When you make a payment, our payment processor, Stripe, collects payment details such as credit/debit card numbers, expiry dates, CVC codes, and billing addresses. EXC Tours does not store your full payment card number but receives transaction confirmation and limited details (e.g., card type, last four digits) from Stripe.7
      • Verification Information: If identity verification is required for certain services, Stripe or another third-party provider might collect identification documents or biometric data directly from you.7

It is crucial to list all data points accurately. The definition of Personal Data under PDPL is broad 19, and transparency about all collection, including via tools like Stripe, is essential.17

1.4 How We Use Your Personal Data (Purposes of Processing)

We process your personal data only for specific, explicit, and legitimate purposes, including:

  • Providing Services: To process and manage your tour bookings, reservations, and payments; to fulfill our contractual obligations to you.
  • Communication: To send booking confirmations, updates, reminders, invoices, and respond to your inquiries and requests for customer support.
  • Payment Processing: To facilitate secure payment processing through our third-party provider, Stripe.7
  • Website Operation and Improvement: To operate, maintain, and improve the functionality and performance of our Website; to analyze usage patterns and trends to enhance user experience.18
  • Personalization: To personalize your experience on the Website (e.g., remembering preferences), subject to your consent where required (e.g., via functionality cookies).
  • Security and Fraud Prevention: To protect the security of our Website and systems; to detect and prevent fraud, unauthorized access, and other illegal activities.7
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests within the UAE.10
  • Marketing Communications: To send you newsletters, promotional offers, and information about our services or special deals, only where you have given your explicit prior consent (opt-in) to receive such communications.21 You can withdraw your consent at any time.

1.5 Legal Basis for Processing (UAE PDPL & GDPR Considerations)

We rely on the following legal bases under the UAE PDPL 17 to process your personal data:

  • Consent: Where required by law, such as for sending direct marketing communications 22 or processing certain types of sensitive personal data (if applicable), or for using non-essential cookies. You have the right to withdraw your consent at any time.
  • Performance of a Contract: Processing necessary to enter into or fulfill the booking contract with you, including processing your booking details, communicating confirmations, and facilitating payment.17
  • Compliance with Legal Obligations: Processing necessary to comply with our legal and regulatory obligations under UAE law (e.g., financial record-keeping, responding to legal requests).
  • Protection of Public Interest / Judicial Procedures: In specific circumstances where processing is necessary to protect public interest or related to legal claims or judicial/security procedures.19

It is important to note that unlike the EU's GDPR, the UAE PDPL does not explicitly list "legitimate interests" as a primary independent legal basis for processing personal data.20 Therefore, our processing activities are primarily justified under Consent, Contractual Necessity, or Legal Obligation as defined by PDPL. If we process data of individuals in the EU, we also ensure compliance with applicable GDPR bases.

1.6 Data Sharing and Disclosure

We do not sell your personal data. We may share your personal data with the following categories of third parties only when necessary for the purposes outlined above:

  • Tour Suppliers and Operators: We share necessary booking information (e.g., name, contact details, booking specifics, special requests) with the third-party hotels, transport providers, activity operators, and guides who will deliver the services you have booked.
  • Payment Processors: We share transaction information with Stripe, Inc. to process your payments securely and prevent fraud. Stripe may also collect and use your data for its own purposes as outlined in their Privacy Policy.5 Users should be aware that Stripe acts both as a processor for EXC Tours and as a controller for certain activities like fraud detection and its Link service 7, as required by their terms.5
  • Technology Service Providers: We use third-party companies for services such as website hosting, data storage, email delivery, customer support tools, and website analytics (e.g., Google Analytics). These providers process data on our behalf and under our instructions.18
  • Legal and Regulatory Authorities: We may disclose your personal data if required by law, court order, or other legal process in the UAE, or if necessary to protect our rights, property, or safety, or the rights, property, or safety of others.20
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction, subject to confidentiality agreements and compliance with applicable law.

We ensure that third parties receiving personal data provide adequate levels of protection and use the data only for the specified purposes.

1.7 Data Security

We implement appropriate technical and organizational security measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • Secure Socket Layer (SSL)/Transport Layer Security (TLS) encryption for data transmitted over the internet.18
  • Access controls to limit access to personal data to authorized personnel on a need-to-know basis.
  • Regular security assessments and updates.
  • Secure storage environments.
  • Measures like pseudonymization where appropriate.17

Payment information is handled securely by Stripe, which complies with Payment Card Industry Data Security Standards (PCI-DSS).23 While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure.

1.8 Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including providing you with Services, resolving disputes, enforcing our agreements, and complying with our legal, accounting, or reporting obligations.16

Booking information may be retained for a period necessary to comply with financial regulations and limitation periods for legal claims in the UAE. Data collected solely based on consent (e.g., for marketing) will be retained until you withdraw your consent. Anonymized data may be kept for longer periods for statistical purposes.

1.9 Data Subject Rights (under UAE PDPL)

Under the UAE PDPL, you have several rights regarding your personal data. Subject to certain conditions and exceptions provided by law, you have the right to:

| Right | Description | How to Exercise |
| --- | --- | --- |
| Access | Obtain confirmation if your data is processed, access your data, and receive information about the processing.19 | Contact us using the details in Section 2.2. |
| Rectification | Request correction of inaccurate or incomplete personal data.19 | Contact us using the details in Section 2.2. |
| Erasure | Request deletion of your personal data under certain circumstances (e.g., data no longer needed, consent withdrawn, unlawful processing).19 | Contact us using the details in Section 2.2. |
| Restriction | Request limitation of processing under specific conditions (e.g., accuracy contested, processing unlawful).19 | Contact us using the details in Section 2.2. |
| Objection | Object to processing based on certain grounds, particularly for direct marketing or statistical surveys (unless for public interest).19 | Contact us using the details in Section 2.2. |
| Data Portability | Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller (where applicable).19 | Contact us using the details in Section 2.2. |
| Withdraw Consent | Withdraw your previously given consent at any time (withdrawal does not affect prior lawful processing).19 | Follow unsubscribe links or contact us. |
| Automated Decisions | Object to decisions based solely on automated processing (including profiling) that produce legal or significant effects on you.19 | Contact us using the details in Section 2.2. |

To exercise any of these rights, please contact us using the details provided in Section 2.2. We will respond to your request in accordance with the PDPL requirements and timeframes. We may need to verify your identity before processing your request. You also have the right to lodge a complaint with the UAE Data Office if you believe your rights have been violated.14

This clear presentation of rights fulfills transparency obligations under PDPL 16 and empowers users.

1.10 Cross-Border Data Transfers

Your personal data may be transferred to, stored, and processed in countries outside the United Arab Emirates, where our Suppliers, service providers (like Stripe), or servers may be located.15 Data protection laws in these countries may differ from those in the UAE.

We will only transfer your personal data outside the UAE in compliance with the PDPL.19 This means transfers will occur only if:

  • The recipient country has been deemed by the UAE authorities to provide an adequate level of data protection.
  • Appropriate safeguards are in place, such as standard contractual clauses approved by the UAE Data Office or binding corporate rules (where applicable). Stripe, for example, utilizes Standard Contractual Clauses (SCCs) for transfers.5
  • Your explicit consent is obtained for the transfer, after being informed of the potential risks (where other safeguards are not feasible and the transfer doesn't contradict public interest).19
  • The transfer is necessary for specific reasons outlined in the PDPL, such as performance of a contract in your interest, legal claims, or protection of public interest.19

We take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which it is processed. Complying with these PDPL-specific transfer rules is mandatory when using international providers like Stripe or overseas tour operators.19

1.11 Cookies and Tracking Technologies

Our Website uses cookies and similar technologies to enhance user experience, analyze site performance, and support certain functionalities. For detailed information about the cookies we use, their purposes, and how you can manage your preferences, please see our Cookie Notice [Link to Cookie Notice page].18

1.12 Children's Privacy

Our Website and Services are not directed towards individuals under the age of 18 (or the relevant age of majority). We do not knowingly collect personal data from children without verifiable parental consent. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information. The PDPL does not specify a clear age threshold for parental consent, unlike GDPR 20, but we adopt a precautionary approach.

1.13 Data Breach Notification

In the unfortunate event of a personal data breach that is likely to prejudice the privacy, confidentiality, and security of your data, we will notify the UAE Data Office and affected individuals as required by and in accordance with the PDPL and its Executive Regulations.14

1.14 Updates to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post any changes on this page and update the "Effective Date" at the top. We encourage you to review this Policy periodically. For significant changes, we may provide more prominent notice (e.g., a notification on the Website).

1.15 Contact Us

If you have any questions, comments, or concerns about this Privacy Policy or our data handling practices, or if you wish to exercise your data protection rights, please contact us at: