ccpa-privacy-policy

Privacy Notice for Personal Data used for Interest-Based Advertising and Third-Party Marketing

Last update: 6th of July, 2020

We have updated our privacy policy by adopting this notice to make sure that you are aware how your personal data is processed for advertising and marketing purposes and you know what rights you have with regard to your personal data used in this context. This notice supplements our privacy policy available at breathintravel.com. This notice applies to your personal data collected through the website available at breathintravel.com and the related services (collectively, the “Website”).

Our compliance with applicable laws

We process your personal data for digital marketing and advertising purposes in compliance with the current applicable data protection and e-privacy laws. For example, if you are based in the State of California (US), we will comply with the California Consumer Privacy Act (CCPA); if you are a resident of the EU, we will comply with our obligations set out in the EU General Data Protection Regulation (GDPR).

Interest-based advertising

You may be served targeted interest-based advertisements on this Website and other websites on the Internet by the advertising networks we cooperate with. Such advertisements are generated on the basis of your use of this Website, other websites on the Internet, and the data generated by cookies installed in your browser. You can control how such advertisements are shown to you or opt-out from targeted advertising by consulting the section “Consent and opting-out from advertising and third-party marketing and sale of personal data” below.

Selling your personal data

We do not directly sell your personal data to third parties. However, some of your personal data, including online identifiers (e.g., cookie-generated data and IP addresses) may be used for advertising, marketing, and monetisation purposes (e.g., programmatic advertising, retargeting, third-party marketing, profiling, or cross-device tracking). To make sure that you have full transparency and control over your personal data, we provide you with a possibility to manage your personal data used for such purposes as described in this notice below.

From what sources do we obtain personal data?

We obtain your personal data from the following categories of sources:

Directly from you. For example, if you submit certain personal data directly to us when registering on the Website, completing the necessary forms, concluding a contract with us, or contacting us.
Directly or indirectly through your activity on our Website. When you visit our Website, we automatically collect technical information about your use of the Website.
From third parties. We may receive information about your from third parties to whom you have previously provided your personal data.

Types and purposes of personal data

We regularly collect information that may be associated with you, as a natural person, or your device. We use your personal data only for specified and legitimate purposes that are listed below. In short, we will use personal data collected for advertising and marketing purposes only to provide you with the requested services, create and manage our marketing campaigns, and conduct research about our business activities. Please note that the term “personal data” does not include de-identified information about you (i.e., data that does not allow us to identify you, as a natural person, or your device in any manner). When you visit the Website, we collect certain technical information about your use of the Website and your online identifiers provided by your devices, applications, tools, and protocol. Such information may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create your profile and identify you.

Online identifiers. The online identifiers collected by us include the following personal and non-personal data:

your IP address, cookie-generated data (for more information on our use of cookies, please refer to our cookie policy available at https://breathintravel.com/privacy-policy/), ID of your device, your browser type, your operating system, activity logs, browsing history, search history, interest-related data, interactions with other websites, and other online behaviour data. We use your online identifiers for analytics, marketing, and advertising purposes, namely, to:

Analyse what kind of users access and use the Website;
Examine the relevance, popularity, and engagement rate of our content;
Investigate and help prevent technical errors, bugs, security issues and abuse;
Develop and provide additional features and services;
Personalise the Website for your specific needs;
Market you our products and services;
Show you advertisement that you may be interested in.
The lawful basis on which we rely when processing such personal data are ‘pursuing our legitimate business interests’ (i.e., to ensure security and analyse and promote our business) and ‘your consent’.

Unique identifiers. When you submit your personal data to us through the Website or by communicating with us directly, it contains your unique identifiers, such as: your name, email address, phone number. If you choose to login to the Website by using your social media account, your social media provider may share with us certain information about you as it is permitted by the settings of your social media account (e.g., your full name, email address, birth date, image, and list of your contacts). We use your unique identifiers to:

Provide you with the requested services;
Perform our contractual obligations;
Enable you to use the Website;
Reply to your enquiries;
Comply with our legal obligations; and
Conduct research about our business activities.
The lawful bases on which we rely when processing such personal data are ‘performing a contract with you’ and ‘pursuing our legitimate business interests’ (i.e., to administer, analyse and promote our business).

Geo-location data. If the functionality of the Website permits it, we may collect the physical location of your device, if it is necessary for providing our location-based services or for other legitimate purposes that you will be informed about in advance. Please note that such data will be collected only if you provide us with your prior consent. We do not collect your precise geo-location data without your prior consent or if you disable such a functionality of the Website.

Sensitive data. When you use the Website, we do not collect special categories of personal data (“sensitive data”) from you, such as your health information, opinion about your religious and political beliefs, racial origins, membership of a professional or trade association, or information about your sexual orientation, unless you decide to provide such sensitive data to us, at your own sole discretion. Please note that the provision of sensitive data is optional and you may choose what sensitive data you would like to share. Your sensitive data will be kept in strict confidentiality. The legal basis on which we rely when processing sensitive data (if any) is ‘your consent’.

Children. The Website should not be accessed and used by children under the age of 16. Therefore, we do not knowingly collect personal data from persons under 16.

Aggregated and de-identified data. If we combine your non-personal data with your personal data and such a combination allows us to identify you, we will handle such aggregated data as personal data. If, for security purposes, we remove any identifiable elements from your personal and it becomes impossible to associate such data with an identified or identifiable natural person, the de-identified data will not be considered personal data and we may use it for any business purpose.

Repurposing your personal data. We will not collect additional personal data or use your personal data for purposes that are materially different, unrelated, or incompatible with the initial purposes of your personal data specified in this notice. If we would like to repurpose your personal data (i.e., to use it for purposes that are different than the purposes for which such personal data was initially collected), we will notify you in advance and, if necessary seek your consent for the new purposes.

Failure to provide personal data. If you decide to refrain from submitting your personal data when requested, we may not be able to perform the requested operation and you may not be able to use the full functionality of the Website, receive our services, or get our response.

Storage period

Your personal data will be stored in our databases only as long as such personal data is necessary for its primary purpose. As soon as the data is no more necessary, you request us to delete your personal data, or you opt-out from our advertising and marketing campaigns and there is no other legal basis for storing your personal data (e.g., our legal obligations), we will delete your personal data from our systems in a secure manner. We will also put reasonable efforts to ensure that any third parties that received your personal data from us also delete it from their systems. Your non-personal data may be retained by us for as long as necessary for its purposes.

Disclosure of personal data to third parties

In certain instances described in this section, we disclose your personal data to third parties, if it is necessary for marketing and advertising purposes. For example, the disclosure may be necessary for

Enabling our third-party service providers to provide services on our behalf;

Complying with our contractual obligations;
Providing you with the requested information and services;
Pursuing our legitimate business interests (to administer, analyse, and promote our business);
Sending you relevant notifications;
Complying with our legal obligations;
Creating and implementing our marketing campaigns; and
Enforcing our legal rights.

If you provide your prior consent to a specific disclosure, we may disclose your personal data to other third parties that you will be informed about before consenting.

Safeguards that we use when disclosing your personal data to third parties. To make sure that the personal data that we disclose to third parties is safe and secure, we make sure that the recipient third party guarantees an adequate level of protection for your personal data (e.g., the recipient is a Privacy-Shield certified entity, has information security certificates, and adheres to the current data protection laws) or we conclude a data processing agreement with it that ensures such protection.

List of third parties that may have access to your personal data. The third parties that may have access to your personal data used for marketing and advertising purposes include the entities listed at https://iabeurope.eu/vendor-list-tcf-v2-0/ .

Your Rights and Choices

List of your rights. You have the right to control your personal data used for marketing and advertising purposes. If your personal data is not necessary for any other lawful purpose, you can ask us to:

Get a copy of the categories of personal data that we store;
Get a list of purposes for which your personal data is processed;
Rectify inaccurate personal data;
Move your personal data to another processor;
Delete your personal data from our systems;
Object and restrict processing of your personal data;
Withdraw your consent, if you have provided one;
Opt-out from marketing and advertising;
Get information about the sale of your personal data (if any) and opt-out from it; and
Process your complaint regarding your personal data.
Consent and opting-out from advertising and third-party marketing and sale of personal data. Depending on the country where you reside, advertisements are served and third-party marketing activities are conducted on an opt-in or opt-out basis. For example:

If you are based in the EU, your cookie-related data will be collected only if you provide us with your opt-in consent through the cookie consent banner available on our Website. If you do not provide your consent for marketing, statistics, and other non-essential cookies, we will serve you essential (i.e., strictly necessary technical) cookies only.

If you are a consumer based in the State of California (US), you personal data will be collected and used for marketing purposes until you opt-out. It means that, if you wish to opt-out from the collection and use of your personal data for advertising and marketing purposes and/or sale of your personal data to third parties, you have to use any of the available CCPA opt-out tools. The description of such tools for websites and applications and further instructions can be consulted at https://www.privacyrights.info. You can request us to stop selling your personal data (only if we do so) by clicking on the “Do Not Sell My Personal Data” link that will be made available on the Website. The link will direct you to the webpage that will allow you to submit your request. We will follow the “Do-not-sell” and “Do-not-track” signals from your browser plug-in, privacy setting, or any other mechanism enabled by you.
Despite your location, you can consult the universal guides powered by the Digital Advertising Alliance available at https://youradchoices.com and Network Advertising Initiative (NAI) available at https://www.networkadvertising.org. They provide you with more information and instructions on how to manage your personal data used for interest-based marketing and advertising purposes.

Exercising your rights. If you would like to exercise any of your rights listed above, please contact us by email at [email protected] and explain in detail your request. When sending your request, please make sure to provide sufficient information that allows us to reasonably verify you and properly understand, evaluate, and respond to your request. To make sure that your request is legitimate, we reserve the right to ask you more information for verification purposes. You will receive our response by email (unless requested otherwise by you) within a reasonable timeframe but no later than 30 calendar days (if more time is reasonably necessary, we will inform you). If your right(s) cannot be exercised, we will inform you about the reasons of our denial. Your requests can be submitted free-of-charge 2 times per calendar year. If your requests are excessive, repetitive, or manifestly unfounded, we will provide you with a cost estimate before completing your request.

Exemptions. You may not be able to exercise your rights listed above, especially the deletion of your personal data, if your personal data is necessary for any legitimate purpose, such as if we need it to:

Perform our contractual obligations (e.g., complete a transaction ordered by you);
Ensure security and safety of our business and the Website, including detecting security incidents and protecting it against malicious activities;
Repair errors to the Website;
Enforce our legal rights;
Comply with our legal obligations;
Support our internal operations; and
For any other purposes permitted by the applicable law.
Please note that we regularly audit our systems and delete personal data that is not relevant for its purpose. Thus, you may not be able to exercise your rights if your personal data has been previously deleted from our systems.

Launching a complaint with a supervisory authority. If you decide to launch a complaint about the way your personal data is processed by us, please contact us first and express your concerns – we will investigate your complaint as soon as possible. If you are not satisfied with the outcome of your complaint, you have the right to lodge a complaint with your data protection authority.

Making requests on your behalf (authorised agents). The request to exercise your rights can be submitted to us by you personally or by a person legally authorised to act on your behalf (e.g., an individual registered with the California Secretary of State). You may also make a request on behalf of your minor child.

Non-discrimination. If you decide to exercise any of your rights listed in this section, we will not discriminate against you. It means that we will not (i) deny any goods and services, (ii) charge you different prices, (iii) deny any discounts or benefits, (iv) impose penalties, or (v) provide you with a lower quality goods and services.

Security measures

In order to keep your personal data safe and secure, we implement organisational and technical information security measures. They allow us to protect your personal data from loss, misuse, falsification, unauthorised access, and disclosure. We use secured networks, strong passwords, encryption, firewalls, limited access to your personal data by our staff, and anonymisation of personal data. In case a serious breach occurs, we will take reasonable measures to mitigate the breach, as required by the applicable law. Our liability for any security breach will be limited to the highest extent permitted by the applicable law.

Contact information

You can contact us if you have any questions about our privacy and security practices or if you would like to exercise your rights by using the following contact details:

Email: [email protected]