Privacy Policy
What personal data we collect, why, how long we keep it, and how you can see, correct, or delete it. Plain English first; the legal-specific sections follow.
What this privacy policy says in plain English
- ✓We collect: name, email, phone (optional), trip preferences. Payment data goes straight to VTCPay/bank — we don't store card numbers.
- ✓We use it: to send your quote, deliver your trip, and reply to your post-trip survey.
- ✓We keep it: 36 months from quote (no booking) · 7 years from trip end (booking, for tax/insurance audit).
- ✓We don't sell your data. Ever.
- ✓Your rights (GDPR + VN PDPL): access · correction · deletion · export · object · withdraw consent. Email privacy@asiatravellinksdmc.com.
1.Who's the data controller
Asia Travel Links DMC (registered office [REGISTERED_ADDRESS], tax code [TAX_CODE]). Our Data Protection Officer is the ATL DMC Privacy Team, reachable at dpo@asiatravellinksdmc.com.
2.What data we collect
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Contact | Name, email, phone, preferred messaging app | You · forms | Quote reply · trip logistics |
| Trip preferences | Dates, party, budget, interests, dietary, accessibility | You · forms | Build itinerary |
| Travel documents | Passport, visa details (visa/hotel pre-registration) | You · secure upload | Visa · hotel |
| Trip behavioural | Hotels stayed, activities done | Our trip records | Follow-up trips |
| Reviews & photos | Post-trip review text, photos | You · voluntarily | /testimonials |
| Site analytics | Pages, scroll, clicks (anonymised IP) | Cookies | Improve usability |
| Payment | Card / bank details | You → VTCPay / bank · never to us | Transaction ID only |
3.Legal basis (GDPR Art 6)
- Quote requests — (Art 6(1)(b)) necessary to take pre-contract steps
- Trip delivery — (Art 6(1)(b)) contract performance
- Marketing emails after trip — (Art 6(1)(a)) explicit opt-in
- Site analytics — (Art 6(1)(f)) legitimate interest, anonymised
- Tax & legal retention — (Art 6(1)(c)) legal obligation
4.VN PDPL 2023 basis
For Vietnamese-resident data subjects, processing is grounded in: explicit consent (Art 9), contract performance (Art 11), legal obligation (Art 11), and legitimate interest (Art 11). See Data Protection Notice for the full VN-specific section.
5.How long we keep it
| Data | Retention | Why |
|---|---|---|
| Quote (no booking) | 36 months from last contact | Repeat customer service |
| Booking + trip data | 7 years from trip end | Vietnamese tax + insurance audit |
| Payment records (transaction ID) | 7 years | Vietnamese tax |
| Site analytics | 14 months aggregated · 60 days raw | Google Analytics default |
| Newsletter list | Until you unsubscribe | Marketing consent |
| Job applications (not hired) | 6 months | Reconsideration window |
| Reviews & photos (you share) | Permanent unless you delete | Permanent display |
6.Who we share data with
- Hotel partners — name, dates, dietary, accessibility
- Tour guides — name, party, dietary, special interests
- VTCPay / bank — payment transaction (transaction ID only on our side)
- Visa authorities — passport if you use our visa service
- Insurance broker — name + trip cost
- Google Analytics 4 — anonymised IP + events
- Meta WhatsApp Cloud API — phone IF you opt in
- Cloudflare — IP + request metadata for DDoS protection
- InMotion / Cloudflare R2 — encrypted-at-rest storage
We do NOT share with: data brokers, AdTech, OTAs, lead aggregators.
7.International transfers
Some processors (Google, Meta, Cloudflare) are in the US — we rely on EU Standard Contractual Clauses (SCCs) for GDPR Art 46 transfer adequacy. For VN PDPL Art 35 cross-border transfers, ATL is registered with the Ministry of Public Security s data protection registry under registration [MPS_REG_NUMBER].
8.Your rights
Under GDPR (EU residents) and VN PDPL (VN residents), you can:
- Access — request a copy of all data we hold
- Rectify — correct inaccurate data
- Erase — delete your data (subject to tax retention exception)
- Restrict — pause specific processing
- Object — to legitimate-interest processing
- Port — machine-readable format
- Withdraw consent — one click for any consent-based processing
- Not be subject to automated decision-making — we don t profile
To exercise: privacy@asiatravellinksdmc.com (reply within 7 days, fulfil within 30).
9.Right to complain
EU residents may complain to your national supervisory authority. VN residents may complain to the Ministry of Public Security. We d rather you talk to us first: dpo@asiatravellinksdmc.com.
10.Cookies
See separate Cookie Policy for the full cookie inventory, retention, and how to disable.
11.Children
This site is not designed for children under 16. We do not knowingly collect data from minors. If you discover that a child has provided data, email privacy@asiatravellinksdmc.com and we will delete it.
12.Security
We encrypt data in transit (TLS 1.3) and at rest (AES-256). Access to PII is restricted to ATL staff who need it (trip coordinators, accounting). All staff sign a confidentiality NDA. We log access and review quarterly. In the event of a data breach affecting your personal data, we will notify you within 72 hours per GDPR Art 33 + VN PDPL Decree 13 Art 23.
13.Changes to this policy
Material changes notified by email (if we have your address) + a 30-day banner on the homepage. Cosmetic edits (typo, link update) shown only in the "Last updated" date.
Questions about this policy?
Privacy queries get a 7-day reply guarantee. For complex GDPR/PDPL data-subject-access requests, expect 30 days fulfilment with progress updates along the way.