Privacy Policy
Effective date: 23 October 2025
This Privacy Policy explains how Tisreotour (“Tisreotour,” “we,” “us”) collects, uses, shares, and safeguards personal data when you use our website, newsletters, and related services (the “Services”). It complements our Terms of Use and is designed to meet key global standards, including the EU/UK GDPR, California CCPA/CPRA, and India’s DPDP Act (2023) as implemented and updated over time. We also describe regional rights and how to exercise them.
1) Who we are & how to contact us
- Controller: tisreotour.com
- Privacy contact: contact@tisreotour.com
2) What we collect (by category)
We only collect the minimum data needed for each purpose.
A. Identification & contact
Name, email, country, preferred language; if you create an account or subscribe.
B. Device & usage
IP address (truncated or full, depending on security need), user agent, referrer/UTM, timestamps, pages viewed, clicks, scroll depth, and approximate location derived from IP. We do not collect precise GPS unless you explicitly allow it in your browser.
C. Content you provide
Comments, reviews, photos, itinerary notes, messages to us (including support and legal notices), and survey responses.
D. Commercial & partner interactions
Outbound clicks on affiliate links, booking/referral IDs, and whether a purchase occurred (we never see your full card number—payment and bookings occur with third parties on their terms).
E. Communications
Email open/interaction data for deliverability and basic analytics (open/failed/bounce).
F. Sensitive data
We do not seek to collect sensitive data (e.g., health, religion). If you voluntarily share it in UGC, we treat it with heightened care and may remove it if unnecessary to your request.
Children
Our Services are not directed to children under 13, and we do not knowingly collect their data. If you believe a child under 13 has provided personal data, contact us and we’ll delete it without delay. (See COPPA references.)
3) Why we collect it (purpose) + our legal bases (GDPR)
| Purpose | Examples | Legal basis (EU/UK) |
| --- | --- | --- |
| Provide the Services | Load pages, render images, remember preferences | Legitimate interests (run our site); Contract (if you register) |
| Security & fraud prevention | Detect bots/abuse, prevent scraping, rate-limit | Legitimate interests; Legal obligation where applicable |
| Analytics & performance | Understand traffic, fix UX issues, count reads | Consent where ePrivacy requires it; Legitimate interests for strictly aggregated, cookieless metrics |
| Editorial & community features | Comments/UGC, saved trips | Contract; Legitimate interests |
| Newsletters & marketing | Send the newsletter you requested | Consent (opt-in); you can unsubscribe at any time |
| Affiliate & ads measurement | Attribute referrals, cap frequency | Consent for cross-context advertising where required; Legitimate interests for basic attribution logs |
| Legal & compliance | Respond to lawful requests, enforce Terms | Legal obligation; Legitimate interests |
We rely on GDPR legal bases as defined in Regulation (EU) 2016/679.
4) Cookies & similar tech (your choices)
We use a consent banner in the EU/EEA/UK (and where required elsewhere). Categories:
- Strictly necessary (always on): session management, load balancing, consent log.
- Analytics (opt-in where required): page views, engagement, referrers.
- Advertising/affiliate (opt-in where required): frequency capping, measurement, and anonymous attribution; cross-context behavioral ads only with valid consent/opt-out options.
Under the EU ePrivacy rules, storing/reading non-essential cookies (and similar tech such as local storage/fingerprinting) generally requires prior consent.
Global Privacy Control (GPC) & opt-out preference signals (California): If your browser sends a recognized opt-out signal (e.g., GPC), we treat it as a valid request to opt out of “sale”/“sharing” for cross-context behavioral advertising. You can still use our on-site controls.
5) Do we “sell” or “share” personal information?
- We do not sell personal information for money.
- We may “share” data for cross-context behavioral advertising as defined by California law only if you consent (where required) and subject to your right to opt-out at any time (including via GPC). See Your Rights below.
6) Where data comes from
- Directly from you (forms, comments, emails).
- Automatically from your device/browser (see 2B).
- From partners (affiliate networks provide aggregate conversion signals tied to a click ID, not full payment details).
7) How we share data (processors & disclosures)
We use vetted service providers under written contracts (data processing addenda) for: hosting/CDN, security, analytics, email delivery, content moderation/anti-spam, and affiliate measurement. They must follow our instructions, keep data confidential, and implement appropriate security. We also disclose data if required by law or to protect rights, users, or the public.
8) International transfers
If we transfer EU/UK personal data outside the EEA/UK, we use approved safeguards:
- EU/UK Standard Contractual Clauses or UK IDTA/Addendum; and
- Where a U.S. recipient maintains a current EU-U.S. Data Privacy Framework (and UK/Swiss extensions) certification, we may rely on that adequacy decision. The European Commission adopted the DPF adequacy decision on 10 July 2023, and in September 2025 the EU General Court upheld it against a legal challenge (case T-553/23), providing added certainty for transatlantic transfers.
9) Retention (how long we keep data)
We keep data only as long as necessary for the stated purposes or as required by law:
- Web server logs: up to 90 days (security/abuse), then aggregated.
- Analytics events: 13 months (trend analysis), then aggregated/anonymized.
- Newsletter list: until you unsubscribe or your email bounces; suppression list retained to honor opt-outs.
- UGC/comments: retained while published; we can delete/anonymize on request where feasible.
- Legal/compliance records: as required by applicable limitation periods.
10) Security
We use industry-standard safeguards: TLS in transit; encryption at rest for key stores; least-privilege access; audit logging; periodic vulnerability scanning; and supplier reviews. No method is 100% secure; we will notify authorities and affected users of breaches when required by law.
11) Your privacy rights (region-specific)
- EU/EEA & UK (GDPR/UK GDPR): access, rectification, erasure, restriction, portability, and objection; right to withdraw consent; and the right to lodge a complaint with your supervisory authority.
- California (CCPA/CPRA): right to know, delete, correct, opt-out of sale/sharing, limit the use of sensitive personal information, and non-discrimination. We honor opt-out preference signals (e.g., GPC).
- India (DPDP Act, 2023): rights to access, correction, erasure, grievance redressal, and consent withdrawal via a consent manager (once notified). As of the date above, the DPDP Act is in force, and the Draft DPDP Rules 2025 were published for consultation; final rules/notifications continue to roll out—our practices will align as they take effect.
How to exercise your rights: email contact@tisreotour.com with your request and region. We will verify your identity, respond within applicable timelines, and maintain a record of requests as required by law.
12) Advertising, affiliates & measurement (precision)
- Affiliates: When you click an affiliate link, the partner may place a limited-life identifier (e.g., click ID) to attribute a booking or purchase. We don’t see your full payment details.
- Ads/cross-context advertising: If we deploy such ads, we request consent where required and provide opt-out controls (including GPC). If you opt out, we will still show contextual ads (no tracking).
- Email marketing: Only if you opt in; every email includes an unsubscribe link.
- No profiling with significant effects: We don’t make decisions that produce legal or similarly significant effects using solely automated processing.
13) User-generated content (UGC)
If you submit comments, stories, or photos, they may display publicly with your chosen handle. Do not post personal data you wouldn’t want public. We moderate per our Terms and applicable law (e.g., content rules under the EU DSA are separate from this Privacy Policy).
14) Third-party links
Our site links to external sites (e.g., booking tools, tourism boards). Their privacy policies apply. Review them before providing data.
15) Regional disclosures & mechanisms
- EU/UK cookies: Prior consent for non-essential cookies/trackers; easy withdrawal in the banner/settings.
- California: “Do Not Sell or Share” link where applicable; we honor GPC/opt-out signals.
- Cross-border transfers: SCCs/IDTA; DPF where partners are certified and appropriate.
- Children’s data (US): We don’t knowingly collect from children under 13 and comply with COPPA.
16) Data subject request workflow (how we handle your request)
- Verify identity: email verification link or minimal additional info.
- Scope: confirm which right you’re invoking and the data systems involved.
- Respond within: EU/UK — 1 month (extendable), California — 45 days (extendable), India — per DPDP Rules once notified.
- Fulfill: provide data, correct, delete, or explain denial grounds with appeal instructions.
- Record: maintain a log of requests (minimal data) to meet audit/tracking duties.
17) Your controls
- Cookie & tracking settings
- Opt-out of sale/sharing (California)
- Global Privacy Control: honored automatically when detected.
- Email preferences: unsubscribe in any message.
- UGC deletion: request removal at contact@tisreotour.com.
18) Data storage locations
We host in the US and may use geographically distributed CDNs. Transfers follow the Section 8 safeguards.
19) Changes to this Policy
We’ll post updates here and, if changes are material, provide reasonable notice (e.g., banner/email). The “Effective date” shows the latest version.
20) How to complain
- EU/EEA: Contact your local data protection authority (DPA).
- UK: Information Commissioner’s Office (ICO).
- California: California Privacy Protection Agency (CPPA) or Attorney General.
- India: Once DPDP Rules finalize, you may approach the Data Protection Board of India or other designated bodies as applicable.
Key legal references (informational)
- GDPR (EU/UK): core legal bases and data subject rights. Source: EUR-Lex.
- EU ePrivacy (cookies/trackers) & guidance: consent for non-essential storage/access. Source: EUR-Lex.
- California CPRA/CCPA: final regulations (opt-out preference signals/GPC) and CA AG guidance. Source: California Privacy Protection Agency.
- EU-U.S. DPF: adequacy decision; 2025 General Court ruling upholding it. Source: European Commission.
- India DPDP Act & Draft Rules 2025: MeitY draft and reporting on status/notification timelines. Source: MeitY.