ZaraTrip
← Home

Privacy Policy

Last updated July 2026

This policy explains what personal data ZaraTrip collects, why, and your rights over it. We aim to collect the minimum needed to book and service your travel.

Data we collect

  • Account: email, name, password (stored only as a secure hash).
  • Passenger details needed for a booking: names, date of birth, contact details, and travel document details where the airline requires them.
  • Booking and payment records (we never store full card numbers or CVV).
  • Technical data: IP address, device/browser info, used for security and fraud checks.

How we use it

To create and service your bookings, process payments and refunds, provide customer support, prevent fraud, comply with legal obligations, and — only with your consent — send marketing.

Sharing

We share the data necessary to fulfil your booking with the relevant airlines and with our aggregation and payment partner, Duffel, who acts as a data processor under a data-processing agreement. We do not sell your personal data.

Card data

Card details are captured directly by our PCI-DSS-compliant payment partner’s components and never touch our servers (SAQ-A posture).

Your rights

Where the GDPR applies, you have rights to access, correct, delete, restrict, or port your data, and to withdraw consent. We honour right-to-erasure requests by anonymising bookings while retaining the minimal financial records the law requires. Email privacy@zaratrip.com.

Retention & security

We keep personal data only as long as needed for the purposes above or as required by law. Data is encrypted in transit (TLS) and at rest, with document details held under column-level encryption.

This is a starter template — have it reviewed by a qualified privacy/GDPR advisor before public launch.