Privacy Policy
Last updated July 2026
This policy explains what personal data ZaraTrip collects, why, and your rights over it. We aim to collect the minimum needed to book and service your travel.
Data we collect
- Account: email, name, password (stored only as a secure hash).
- Passenger details needed for a booking: names, date of birth, contact details, and travel document details where the airline requires them.
- Booking and payment records (we never store full card numbers or CVV).
- Technical data: IP address, device/browser info, used for security and fraud checks.
How we use it
To create and service your bookings, process payments and refunds, provide customer support, prevent fraud, comply with legal obligations, and — only with your consent — send marketing.
Sharing
We share the data necessary to fulfil your booking with the relevant airlines and with our aggregation and payment partner, Duffel, who acts as a data processor under a data-processing agreement. We do not sell your personal data.
Card data
Card details are captured directly by our PCI-DSS-compliant payment partner’s components and never touch our servers (SAQ-A posture).
Your rights
Where the GDPR applies, you have rights to access, correct, delete, restrict, or port your data, and to withdraw consent. We honour right-to-erasure requests by anonymising bookings while retaining the minimal financial records the law requires. Email privacy@zaratrip.com.
Retention & security
We keep personal data only as long as needed for the purposes above or as required by law. Data is encrypted in transit (TLS) and at rest, with document details held under column-level encryption.
This is a starter template — have it reviewed by a qualified privacy/GDPR advisor before public launch.