Vacaciones eDreams S.L. is a Spanish-based company, with tax ID number ESPB61965778. You can contact us through our Privacy Form for any data protection matter.

We commit to processing your data in accordance with the applicable data protection laws, including the observation of the data processing principles (such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability), and to only processing your data for the purposes explained to you in this Privacy Notice or as informed in the corresponding data collection process, in line with the lawful bases as explained below (in section 2.10).

Automated Decisions: decision-based solely on automated processing, including profiling, which produces legal effects concerning the individual or similarly significantly affects them (as defined under Article 22.1 EU General Data Protection Regulation - GDPR).
Note: As you will find explained below (in section 2), we don’t make Automated Decisions

Data Controller: anyone responsible for determining the purposes and means of processing your data.
Note: We are the Data Controllers of your data in the terms described in this Privacy Notice. If you choose to book a trip through our Platforms, we will be sending your data to other Data Controllers – the carrier or the provider of other services (e.g. booking partners or the global distribution systems), who will again use your data for their own purposes and based on their own means, as described in their own Privacy Notices (which is published on their websites). You can see below the overview of Data Controllers categories with whom we might share the data. In any case, the disclosure of your data to any service provider will be done in accordance with the applicable laws. Each Data Controller is responsible for your data and, in case of an incident within its scope, must handle it and respond appropriately, as per the applicable law.

Data Processor: a third party that only helps to achieve the purposes determined by the Data Controller.
Note: We as a Data Controller use many third-party services to which we outsource some parts of our activities that we don’t do ourselves for various reasons such as cost-efficiency. A Data Processor is only allowed to process your data according to our documented instructions, and in compliance with the applicable law, so we are still in charge of your data, and they will not be able to process your data for any incompatible purpose.

Data Rights: everyone has the right to the protection of their personal data . When we use the term “Data Rights”, we refer in short to the applicable data protection rights.
Note: Data protection regulations allow you to exercise your rights to be informed, access, rectification, erasure, restrict processing, object, to withdraw your consent, data portability and rights related to automated decision making and profiling, when applicable.

Lawful Bases: processing of your data shall be lawful only if at least one of these bases applies (Article 6 GDPR).
Note: For the six lawful bases covered in the law, we will essentially rely on Consent, Contract, Legal Obligation or Legitimate Interest. However, exceptionally, we might rely on Vital Interests or Public Tasks. You can find more information below (in section 2).

Personal Data (in this Privacy Notice also referred to essentially as “your data”): any information relating to a directly or indirectly identified or identifiable to you, as a natural person.

Platforms: all the services (websites, apps, call centre, etc.) that facilitate interactions between you and us.

Sensitive Personal Data: data related to racial origin, ethnic group, religion, health, sexual orientation and biometric data constitute special categories of data (as defined under Article 9 GDPR).
Note: As you will find explained below (in section 3.7), we don’t need to process Sensitive Personal Data normally.

Third Countries: countries in which the GDPR regime is not applicable. Currently, by Third Countries, we mean all countries that lie outside of the European Economic Area (i.e. outside the European Union, Iceland, Liechtenstein and Norway).

This includes completing and managing your booking, assessing ancillary products, sending you contractual-based communications by email, call or SMS in relation to your booking (e.g. confirmations, modifications and reminders), and responding to your queries. Such communications could be managed by us or by our travel partners. In this sense, we endeavour to show to you the most relevant travel data and help you in a personalised manner with your booking and post-booking. These processing activities are necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.

We might save your data for future bookings to make it easier for you to finish a booking with us. This processing is necessary for legitimate interest purposes, namely, we have a commercial interest to facilitate further booking reservations. However, please note that your payment data will only be saved for future bookings if you have a Prime subscription, since it will be necessary for the performance of the contract to which you are a party, otherwise you will have to provide us with your consent for the use of payment data for future bookings. Remember that a Prime subscription requires to have at least one valid credit card assigned to it in order to manage the subscription payment. In case you want to stop paying for it, you will have to cancel your Prime subscription in your account or through our Customer Service, in accordance with the Prime terms and conditions.

We may as well ask you when needed for your consent in order to retrieve the booking information that you have already provided so you don’t have to enter your data again in the same booking process.

We also may use your geolocation to provide a better search experience for you, in order to pre-populate the "origin" field of the search form. This processing of personal data is only possible if you consent to it.

Please, bear in mind that the identification data we use internally is the email that you introduce in your booking or account. If you believe that we are processing a wrong email address, please contact our Customer Service team as soon as possible.

These processing activities related to the user account are necessary for the performance of a contract to which you are a party.

Likewise, we might save your data for future bookings to make it easier for you to finish a booking with us, and recognise you when visiting our Platforms again, in order to improve your user experience. This processing is necessary for legitimate interest purposes, namely, we have a commercial interest to facilitate further booking reservations. Bear in mind that if you object to being recognised when visiting our Platforms, this might limit the appearance of specific offers or advantages that would have been targeted to you in case you wouldn’t have objected to this processing.

Additionally, we remind you that in case you have a Prime account, we will safely store your payment data amongst the payment methods of your Prime accountThis processing activity is necessary for the performance of a contract to which you are a party.

This Privacy Notice shall apply to such data processing based on other travel-related services provided by us. This processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.

We may request your authorisation to process your personal data for certain purposes related to our travel-related services, such as contacting you through specific instant messaging platforms different from those stated in the “Booking” subsection (e.g. Whatsapp, Telegram, etc.), or in order to send information previously requested by travel services providers. For those cases, we will process your personal data once you provide us with your consent.

To contact you whenever a travel service provider is not going to be able to provide you with the service (e.g. due to bankruptcy, insolvency, or equivalent) and it might affect your booking. This processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.

To respond to any query or request from you or any travel service provider and to handle it by any of our contact channels (e.g. email, phone, social media, chatbot, etc.). We endeavour to maintain our best levels of customer service and we are attentive to the personal situation of each of our various customers in order to personalise our services. If the processing is related to the services provided, the processing is necessary for the performance of a contract to which you are a party.

To try to remember your search and contact you immediately after, in case you have not finalised a booking online, as we believe that this additional service benefits you, by allowing you to carry on with a booking without having to fill in your reservation details again. This processing is necessary for legitimate interest purposes, since we have a commercial interest in facilitating further booking reservations.

To inform you how to contact us if you need assistance while you are away or other data that we feel might be useful to you in your planning or getting the best of your trip, or data of upcoming trips or a summary of previous bookings you made with us. This processing is necessary for legitimate interest purposes, since we have a commercial interest to facilitate further booking reservations.

We may need to send you other administrative messages, which may include security alerts. This processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.

To invite you to participate in a market research, or to ask you to provide a review of your experience with us and with the travel service provider. Please, bear in mind that those feedbacks may be available to other customers to help them make decisions about a product or a service. In case you agree to take part in market research, we will explain the data collected and how it would be further used. For those cases in which you take part in a market research survey with us, we will process your personal data once you provide us with your consent. However, if we ask you for a review of your experience with us or the travel service provider, the processing of your personal data will be necessary for legitimate interest purposes, since we have an interest in knowing your customer satisfaction degree and quality perception regarding the services that you have received.

Otherwise, most of the time we will use your identification and contact data pseudonymised (e.g. hashing your data) for this purpose, and we will rely on our legitimate interests as long as you are our customer to show you our travel-related products and services to those already hired by you. This will only be done if you have an account with the corresponding digital company that provides online advertising services, and they have the possibility to match your details in a secure way based on their terms and conditions applying to your account with them.

Not all calls or chats are recorded. However, when you contact Customer Service, due to contractual and legal purposes, we must record them, albeit they are kept for a limited amount of time and automatically deleted thereafter (unless we have a legitimate interest to keep such recordings for a longer period, including fraud investigation and legal purposes). These processing activities are necessary for the performance of a contract to which you are a party.

With regard to those calls and online communications recorded for quality purposes, those processing activities are necessary for preserving our legitimate interest in improving the quality of our services.

We remind you that our staff may as well ask for authentication questions, ensuring that your reservation details are kept confidential.

In certain jurisdictions, we need to request your consent in order to record the call (e.g. when the call is being made from Germany).

This is part of our drive to enhance the user experience. By user experience, we concretely mean:

• testing and troubleshooting purposes, and
• improving the functionality and quality of our online travel services.

The processing of your personal data will be necessary for legitimate interest purposes, since, we have an interest in improving the network and information security, and since we have an interest in improving the quality of our services, respectively.

Finally, we will also elaborate anonymised statistics regarding the overall conversion rate of the website. This processing is necessary for legitimate interests purposes, since we have a commercial interest to assess the percentage of users that have become customers.

One example of this is our five-attempt password policy (if you incorrectly enter your password more than five times, we will block your account, requiring you to change your password).

Another example is our preventive stolen-credential control on the internet (if we might have any hint that your credentials could have been compromised, we may also block your account and ask you to reactivate it with a new password).

With these examples, among other actions, we protect your data and reduce fraud risk. As some of these security measures are compulsory by law and international standards, the corresponding personal data processing is necessary for compliance with a legal obligation to which we are subject. In other cases, we have deployed security measures that require the processing of personal data for legitimate interest purposes, since we have an interest in preventing fraud.

This processing is necessary for legitimate interest purposes, since we have an interest in preventing fraud and defending our rights and interests.

• Your Consent: you gave consent for a specific use of your data. We will always obtain your consent to collect and process your data unless another Lawful Basis applies. We will provide you with transparent information at the time that consent is obtained. This information will be provided in an accessible form, written in clear language. If the data is not obtained directly from you, then this information will be provided to you within a reasonable period after the data has been obtained.
• Contract: you have a contract or pre-contract with us. As an example, when booking an airline or hotel with us, or when accepting our General terms and conditions or any other of our terms (e.g. Prime terms and conditions), we need relevant data to process your reservation or handling your account respectively.
• Legal Obligation: we have a legal obligation. Normally, accounting and tax regulations requires the storage of necessary data for compliance purposes.
• Legitimate Interest: it’s in our legitimate interest, and it is judged not to affect your rights and freedoms in a significant way.

Other lawful bases, only exceptionally used:

• Vital Interest: You or a third party have a vital interest. We will not normally process data based on this legal basis, but if we do, we will let you know.
• Public Task: We have a public task to perform. We will not normally process data based on this legal basis, but if we do, we will let you know.

As mentioned before, such an Automated Decision will not produce legal effects or similarly significantly affect you. In case we shall make any Automated Decision we will apply all appropriate measures and inform you.

For example, your name, surname, gender, nationality, billing address, date of birth, email address and telephone number

Please, bear in mind that your email will be your identity data. We will be able to link your data based on your email.

For instance, email and password (we never store the passwords in a non-encrypted form), price alerts, search history, specific settings, preferred choices and other details saved in your account. This also applies if you have an eDreams Prime account.

Usually, this means the payment card details. For example, credit card number, cardholder name and expiration date (we never store the credit card data in a non-encrypted form).

For example, the number and expiration date of the ID and/or Passport, contact data, travel preferences, boarding passes or e-tickets.

Please, bear in mind that in the case you provide data from travel companions, you should have previously obtained the consent of other individuals before providing us with their data and travel preferences, as any access to view or change their data will be available only through your account or email.

Such as customer support cases, metadata and notes generated by our systems and agents.

For example, IP address, browser type, internet service providers, geographic location, technical data about the device, pages accessed and links clicked, the time and duration of request and visit, and the method used to submit the request to the server.

Please note that we may associate this data with your account.

Some of this data may be collected by using different types of Cookies or similar technologies. For more information, please find our Cookies Notice.

One example for which we may collect and process such data would be if exceptional circumstances arose, such as a health emergency, where we might offer you the possibility to provide us with any relevant data in order to share it with the corresponding airline booked, for example, so as to smooth the check-in process or due to mandatory reasons.

In any case, the corresponding appropriate security measures will be implemented to protect your Sensitive Personal Data in line with this Privacy Notice.

Additionally, you may ask us to inform the airline, the hotel, etc. of a special service (such as a menu or an adapted room) which might constitute Sensitive Personal Data because they may imply or suggest data about your religion, health or other related data. In any case, this information will not be mandatory to provide in any of our booking funnels, so you are free to either provide it or not

The limited cases where we might need to collect minors’ data would be as a booking passenger.

If we become aware that we have processed the data of a child without the valid consent of a parent or guardian, we will delete it.

• Travel service provider you booked with Data controller (e.g. airlines or carriers, hotels, car rental companies, touristic services providers, etc.). In our Platform, there might be services fully or partially provided by our travel business partners. Travel business partners’ terms & conditions and privacy notices shall apply, and when so, you will find a link to them in the booking funnel.
• Other travel service providers which are necessary or provide an added value for the performance of our services Data controller Data Processor (e.g. travel insurances, global distribution systems or computerised reservation systems, booking and ticketing agents, tour operators, travel meta searchers, travel and check-in service providers, calendar solutions,, claims management service providers, etc.). They make it possible to offer you our services and help us in making all endeavours to have the best alternatives at the best price. When we share your data with other Data Controllers in this way, you'll get an opportunity to review their privacy policy and terms and conditions first, so you can understand how that service provider will use your data.
• Customer services and support tools Data Processor (e.g. customer communication tools, call centre agents, etc.). We work with customer support providers and tools in order to respond to your requests and manage communications with you if needed.
• Payment and fraud services Data controller(e.g. payment processors, banks, fraud prevention and chargeback management services, etc.). When you pay on our Platform (as in any other) a set of long chains of technical operations need to happen before the payment request is accepted by your bank and notified to us. We also use service providers to detect fraud risks.
• Information security services Data Processor. We work with information security services to protect your data.
• IT infrastructure providers Data Processor (e.g. hosting service providers). They help us provide you with an available and secure Platform.
• Software solutions and engineers Data Processor. Software solutions and engineers help us work on a day-to-day basis and to continue improving our services.
• Analytical service providers Data ProcessorThey provide us with the necessary data to understand the use within our Platform, see if there are any bugs or decide how we can improve our services.
• Customer Relationship Management and marketing solutions Data Processor Data Controller. They allow us to manage customised commercial communications. Some of them also help us display customised ads throughout the internet. Other purposes are enabling interest-based content or targeted advertising throughout your online experience (e.g. web, email, connected devices, in-app, etc).
• Social platforms Data Controller. When login with your social media, clicking on a social media “like” button integrated into our Platforms by plugins, or using any social media services to interact with us, your data can be shared between us and the social media providers (e.g. your user names, email address, profile pictures, your contact, etc.).
• Finance, administrative and legal services and tools Data Processor Data Controller (e.g. accounting systems, legal service providers, collection agencies, corporate insurances, etc.).

In particular, we centralise the processing of your data through the Spanish subsidiary eDreams International Network, SLU, acting as a Data Controller for internal administrative purposes. Likewise, we share your data as customers with other companies from our group, in order to manage the services provided by us as Data Controller, and for accountability purposes as a group of undertakings, including financial, fiscal and legal duties. Those companies that are included in our group of companies are detailed in our General terms and conditions Our group of undertakings has a common group privacy policy applying to all of them to ensure that any data processing carried out within our group, is made under the same level of security requirements and will be processed exclusively for the same purposes for which the data had been collected, according to the applicable laws.

We may need to further disclose your data to competent authorities to protect and defend our rights or properties, or the rights and properties of third parties. We are also required by law to share your information with administrative bodies when we are providing you our Online Travel Agency’s services under certain circumstances.

These recipients might be outside the European Economic Area (EEA), implying international data transfers. For more information on this, please see below (section 5.3).

Some examples of security measures we implement are as follows:

• We apply pseudonymisation and encryption of personal data, when appropriate. For example, when handling payment data, we comply with the Payment Card Industry Data Security Standards (PCI DSS) or when using our online Platforms your data is sent through a secure connection using Hypertext Transfer Protocol Secure (HTTPS) that encrypts your data through the Internet, avoiding anyone to steal your information in transit.
• We work to provide confidentiality, integrity, availability and resilience of processing systems and services. We have physical, electronic, and procedural security measures in place regarding the collection, storage, and disclosure of your data. Our security procedures mean that we may ask you to verify your identity before providing you with confidential information, and our Platforms offer security features that protect against unauthorised access and data loss.
• We make endeavours to be able to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
• We implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

Usually, we process your data for a maximum period of five years, since your last trip or any further action related to it ended or since you performed your last action related to your account for the purposes described above. With regard to unfinished bookings, we might store the information for a year for security and fraud prevention, unless we need to store it for longer periods to fulfil our legal obligations.

Other specific terms might apply, such as a maximum term of three years for accountability purposes regarding data protection-related interactions, or a maximum term of ten years for tax and accounting purposes.

If you provide us with your contact email address, but then you are unable to finish your booking, we will keep your email address only temporarily and, in any case, for a maximum period of seven days to help you with the booking if you are still interested.

For the purpose of customised offers, you will periodically get email offers from us, and in every email, there will be a clear and easy way to unsubscribe and therefore object to this type of processing. We will keep and use your data for this purpose until you unsubscribe or after two years since the last interaction with us (e.g. performing a search, performing a booking, or updating your Prime membership).

For those processing activities based on your consent, we will store your personal data for as long as such processing activities are necessary for the purpose for which they were collected, unless you withdraw your consent or request their deletion prior to that date and there is no legal or judicial mandate to keep the personal data.

Regarding Cookies duration please check our Cookie Notice.

Any service provider (such as the airlines) acting as Data Controller will process your data in accordance with their own privacy notice and will be fully responsible for processing your data.The disclosure of your data will be done, when applicable, in accordance with the applicable laws and appropriate safeguards (in particular, the standard contractual clauses issued by the European Commission) are in place to ensure an adequate level of protection of the privacy and fundamental rights of individuals.

The international transfer of data onto the Computer Reservation System, aggregators and Global Distribution Systems that are not located in the European Union, as well as its use by international airlines, hotels, train companies, or car rentals, for the purpose of providing the appropriate service provided by us, is a transfer necessary for the performance of the contract between you and us in accordance with the corresponding derogation of the applicable data protection regulations.

Do not share your Booking ID

When you make a booking you will be assigned with a Booking ID. This reference will be included in your booking confirmation email.

Please, always keep your Booking ID confidential. If you share it with third persons, they might access your data. If you travel with others and you do not want them to have access to your booking data it might be advisable that you carry out your booking separately. For example, we recommend you not to share this data or any other relating to your trip on social media.

Do not share your account data with anyone and use a unique and strong passwordTo make sure that access to your account on our Platforms is safe please do not share your log-in data with anyone.

When you finish using our Platforms, please make sure to log out of your session if someone else might access your device. Avoid connecting using your account from non-trusted devices or networks like the ones in hotels, libraries or cyber coffees. If you do, please do not forget to log out once finished.

It is important that you protect yourself against unauthorised third-party access to your password and to your devices. We recommend that you use a unique strong password for your account that you do not use for other online accounts and you should renew it every reasonable period of time, such as once a year. Malicious actors may try to connect to your account using stolen credentials from other (non-related to us) services.

Of course, apply the same approach for your email account, by using unique strong credentials (as is our secure touchpoint to send you “reset link passwords”).

Be cautious and protect yourself from internet fraud and “Phishing”

Please, always double-check the sender of the emails and the links or documents attached to them. If you don’t trust or have doubts, do not open the attachments or click on the links.

There is a broadly spread type of internet fraud practice known as “Phishing” aimed to illegally obtain your data by deception or by installing malware on your device and stealing your saved credentials.

“Phishing” is unsolicited emails that lead you to insert or confirm your passwords or bank details on a false or cloned website. Also, they try to make you download documents with malware, or install malicious software on your computer that will be used to steal your information, like your credentials.

These fraudsters pretend to be somebody of your trust, a bargain, somebody that needs urgent action from you, etc.If you have doubts regarding any communication that you might have received by someone saying that is us, please, contact us through our chat in our Help Center.

Use only original software

You may want to download our applications from alternative markets. Applications on those markets are not uploaded by us, so they may contain malware used to steal your credentials.

Please use only the oficial applications from Google Play or Apple App Store.

You have the right to ask us to correct inaccurate or incomplete data about you (and which you cannot update yourself with your account settings or through our Customer Service).

You may request information relating to your data and copies of such data.

You may also be entitled to request copies of the data that you have provided to us in a structured, commonly used, and machine-readable format where technically feasible.

You may request to have your data deleted. In some cases, we may not be able to erase it due to the fact that the data processing may be necessary for the performance of the contract between you and us, for our legitimate business interests (i.e. fraud prevention, security-enhancing), or to comply with our legal obligations (i.e. legal reporting, auditing obligations). In any case, we will immediately erase them when we can do so. Because we protect our services from accidental or malicious loss and destruction, residual copies of your data may not be removed from our backup systems for a limited period of time (within a week).

You may require us not to process your data for certain specific purposes (including profiling) where such processing is based on legitimate interest, such as for direct marketing. If you object to such processing, we will no longer process your data for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the exercise or defence of legal claims. You can object at any time to the following processing activities of your personal data described in section 3:

• Storing your data for future bookings to make it easier for you to finish a booking with us.
• Elaborating anonymised statistics regarding the overall conversion rate of the website.
• Storing your search and contact in case you have not finalised a booking online.
• Recognising you when visiting our Platforms again.
• Informing you how to contact us if you need assistance while you are away, or other data that we feel might be useful to you in your planning.
• Asking you for a review of your experience with us or the travel provider.
• Sending you regular news of travel-related products and services (we remind you that you can also unsubscribe at any moment in each commercial communication, by clicking on the footer’s unsubscription link).
• Showing you customised categorised offers on our Platforms, or in third-party platforms
• Using call or chat recordings for quality purposes and training.
• Improving our services or developing new services.

Exceptionally, this right is not susceptible to be satisfied for the purpose of promotion of a safe and trustworthy service, since we rely on a compelling legitimate interest of protecting from any potential fraud or attack against the provision of our services.

If we are processing your data based on your consent you may withdraw your consent at any time, specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal. You can withdraw at any time your consent to the following processing activities of your personal data described in section 3:

• Saving your payment data for future bookings in those cases in which you are not a Prime member.
• Retrieving the booking information that you have already provided so you don’t have to enter your data again in the same booking process.
• Using your geolocation to pre-populate the "origin" field of the search form.
• Sending you discount codes, deal alerts and a birthday surprise with eDreams newsletter.
• For certain purposes related to our travel-related services, such as contacting you through specific instant messaging platforms, or in order to send information previously requested by travel services providers.
• When you take part in a market research survey with us.