Privacy Policy

Our Privacy Policy

At ATV Rainbow Mountain we value privacy and protect your personal data. Below are the key aspects:

1. Data Collection

At ATV Rainbow Mountain, we collect personal information with transparency and strict adherence to the principle of necessity, which means we only request data that is truly essential and directly related to providing quality tourism services. The personal information we collect includes basic identification data such as your full name, valid email address for communications and booking confirmations, telephone number for coordination and contact in case of emergencies, and optionally, location information that helps us personalize recommendations and optimize logistics for your tours. This collection occurs through various channels: online booking forms on our website, direct telephone communications with our customer service team, email exchanges, interactions at our physical offices, and survey responses that help us understand your preferences and expectations. Additionally, in compliance with best digital practices, we implement anonymized analytics systems that collect aggregate non-identifying data about website usage, navigation patterns, pages visited, session duration, traffic sources, and general user behavior. This anonymous information, which cannot be associated with any specific individual, is invaluable for identifying areas for improvement in site usability, detecting technical issues, optimizing interface design, and developing new functionalities that respond to our users' real needs. We guarantee that any personal data collection is preceded by clear, accessible information about the purpose of collection, the legal basis that supports it, the retention period, and your rights as data subject, always ensuring your informed consent before processing your personal information.

2. Use of Information

The personal information we collect is processed for specific, legitimate, and clearly defined purposes that have been previously communicated to you and for which we have obtained your explicit consent. The primary purposes include: comprehensive management of your reservations, which encompasses creating and confirming bookings, assigning tour dates and times, coordinating with local service providers such as guides, drivers, and lodging establishments, and maintaining updated records of your travel preferences; sending booking confirmations, payment receipts, detailed itineraries, and pre-trip reminders that ensure you have all necessary information at the right time; personalized customer service that allows us to recognize you in future interactions, remember your preferences regarding language, dietary restrictions, accessibility needs, and prior experiences to continually improve the service we provide; development of promotional offers, exclusive discounts, and special packages that align with your demonstrated interests and previous travel patterns, always respecting your preferences regarding commercial communications; analysis of aggregate and anonymized data to identify trends, popular destinations, peak seasons, customer satisfaction, and areas requiring improvement; compliance with legal and fiscal obligations including accounting records, tax reporting, and regulatory documentation required by Peruvian and international tourism authorities; and prevention, detection, and investigation of fraudulent activities, suspicious transactions, or behaviors that may threaten the security of our systems or other users. All use of your personal information strictly adheres to the purposes for which it was originally collected, and we will never use your data for purposes incompatible with the originals without first obtaining your new explicit and informed consent.

3. Security and Protection

The security and protection of your personal data is an absolute priority at ATV Rainbow Mountain, which is why we have implemented a comprehensive, multi-layered security architecture that combines technological measures, rigorous organizational procedures, and continuous personnel training. From a technical perspective, we employ robust data encryption both in transit (using TLS version 1.2 or higher for all communications between your browser and our servers) and at rest (encrypting databases and storage systems that contain sensitive personal information); firewalls configured with strict rules that filter incoming and outgoing traffic, blocking unauthorized access attempts; intrusion detection and prevention systems (IDS/IPS) that continuously monitor our network for suspicious or anomalous patterns indicative of cyberattacks; secure automated backup systems that regularly replicate critical data to geographically separated locations, enabling rapid recovery in case of disasters or incidents; and strong authentication controls including complex passwords, multi-factor authentication for administrative access, and session management with automatic timeout.
From an organizational standpoint, we apply the principle of least privilege, ensuring that only personnel with legitimate operational necessity can access personal data, and only to the extent strictly required for their functions; comprehensive confidentiality agreements signed by all employees, contractors, and service providers with access to personal information; security awareness training programs for all personnel addressing topics such as phishing identification, social engineering, secure password management, and incident reporting; documented security policies and procedures regularly reviewed and updated to reflect emerging threats and technological evolution; and periodic security audits conducted by both internal teams and independent external specialists who evaluate the effectiveness of our controls and recommend improvements.

4. Consent and User Rights

At ATV Rainbow Mountain, we recognize and actively respect your fundamental rights as a personal data subject, ensuring you have meaningful, practical, and exercisable control over your information at all times. Your right of access allows you to request and receive complete, clear, and understandable information about what personal data we hold about you, how we obtained it, for what purposes we process it, with whom we share it, how long we will retain it, and what security measures we apply to protect it. The right of rectification empowers you to request immediate correction of any inaccurate, incomplete, misleading, or outdated data appearing in our records, ensuring that the information we maintain accurately reflects your current situation. The right to deletion (also known as the "right to be forgotten") allows you to request erasure of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw the consent on which processing is based, when you object to processing and there are no overriding legitimate grounds, or when processing is unlawful. The right of opposition allows you to refuse certain data processing, especially for direct marketing purposes, without needing to provide justification. The right to restriction of processing enables you to request suspension of processing operations under certain circumstances, such as while we verify the accuracy of contested data or evaluate whether there are legitimate grounds that override your objection. Your consent for data processing must always be freely given, specific, informed, and unambiguous, obtained through a clear affirmative action that indicates your express and conscious agreement with the processing of your personal data for specified purposes.
Furthermore, you have the unconditional right to withdraw any consent previously granted at any time, although such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal. To exercise any of these rights, we provide multiple accessible channels: dedicated web forms, specific privacy email address, toll-free telephone lines, and written communications to our registered offices, guaranteeing response within legally established timeframes (typically 10 to 20 business days) with complete, reasoned, and understandable explanations.

5. Information Sharing

At ATV Rainbow Mountain we maintain a strict confidentiality policy and do not share, sell, rent, or disclose your personal data to third parties without your express and informed consent. The only exceptions to this rule occur in specific and justified circumstances: when legally required by competent authorities through court order or duly substantiated official request; when strictly necessary to complete transactions and services you have requested, such as sharing booking information with transportation providers, hotels, or local tour guides participating in delivery of the contracted service; or when we must collaborate with payment processors to execute financial transactions securely. In all these cases, we require our providers and collaborators to sign confidentiality and data processing agreements that guarantee the same level of protection we apply, clearly establishing permitted purposes for information use, required security measures, and prohibitions on secondary use or unauthorized disclosure of your personal data.

6. Use of Cookies

Our website employs cookies and similar tracking technologies for various legitimate purposes that benefit your browsing experience. Cookies are small text files stored on your device that allow us to recognize you on subsequent visits, remember your language preferences, display settings, shopping cart items, and other customized options that enhance your site experience. We use analytical cookies that help us understand how visitors interact with our website, which pages they visit most frequently, how long they remain in each section, which links they use, and where they encounter navigation difficulties. This aggregated and anonymized information allows us to identify areas for improvement, optimize site performance, correct usability errors, and develop new functionalities that respond to our users' real needs. We also employ marketing cookies that, with your consent, enable us to show you relevant advertising based on your interests and browsing behavior. You can manage your cookie preferences at any time through your browser settings or through our cookie management panel available on the site.

7. International Data Transfer

In the context of our international tourism operations, it may be necessary to transfer your personal data to other countries where our service providers or business partners operate, or where we maintain technological infrastructure. We are aware that different jurisdictions have different levels of personal data protection, which is why we apply strict protocols and robust safeguards to all international transfers of information. This includes verification that recipient countries have data protection legislation considered adequate, implementation of standard contractual clauses approved by data protection authorities, adoption of appropriate technical and organizational measures that guarantee a level of security equivalent to what we provide locally, and rigorous compliance with international regulations such as the European GDPR and U.S. privacy regulations. We conduct continuous assessments of the risks associated with each transfer and maintain detailed records of all international data transfers to ensure traceability and regulatory compliance at all times.

8. Data Retention

We apply the principle of data minimization in retention, which means we retain your information only for the period strictly necessary to fulfill the specific purposes for which it was collected. Retention periods are determined considering multiple factors: the nature of the tourism service provided, the need to maintain historical transaction records to ensure service traceability, our legal and fiscal obligations that may require retention of certain information for specific periods established by law (such as payment receipts, invoices, and accounting records), the existence of pending disputes or claims that may require evidence preservation, and the operational relevance of information for improving our services. Once the applicable retention period has elapsed and all legal obligations have been fulfilled, we proceed with secure deletion or irreversible anonymization of your personal data, using methods that guarantee the impossibility of recovery or reconstitution of deleted information. We maintain documented retention policies that specify applicable periods for each data category and secure deletion procedures.

9. Transparency and Updates

Our commitment to transparency involves keeping you informed about any changes or modifications we make to this privacy policy. When we make substantial updates that significantly affect how we process your personal data, modify processing purposes, change the recipients of information, or alter your rights, we will proactively notify you through various channels: we will send direct communications to your registered email address, publish prominent notices on our website, and, in cases of major changes, we may request your renewed consent to continue processing your data under the new conditions. Each updated version of the policy will clearly display the date of last modification, and we will maintain a historical archive of previous versions available for your consultation. This transparent communication practice ensures you are always aware of how we handle your personal information and can make informed decisions about the continuity of our business relationship.

10. Contact for Inquiries

We understand that questions, inquiries, or concerns may arise related to our privacy policy, processing of your personal data, or exercise of your rights as data subject. To address all these needs, we have established multiple direct and accessible communication channels. Our specialized privacy and data protection support team is available and trained to provide you with professional assistance, answer your questions with clarity and precision, guide you through procedures for exercising your rights, and resolve any situation or incident related to handling of your personal information. You can contact us via our official email address dedicated exclusively to privacy matters, through specific contact forms available on our website, or through direct telephone lines we make available during extended business hours. We commit to responding to all inquiries within a reasonable maximum timeframe, providing understandable explanations and effective solutions to your requirements, always with the professionalism and confidentiality your information deserves.

11. Regulatory Compliance

ATV Rainbow Mountain operates under a comprehensive regulatory compliance framework that spans multiple jurisdictions. We strictly adhere to Law No. 29733 - Personal Data Protection Law of Peru and its regulations, which establishes guiding principles for lawful processing of personal information in Peruvian territory. Additionally, we implement measures to comply with international standards such as the General Data Protection Regulation (GDPR) of the European Union, considering we receive European visitors; and various U.S. regulations including the California Consumer Privacy Act (CCPA) to protect the rights of California residents. This multi-jurisdictional approach ensures we apply global best practices in data protection regardless of our clients' geographic origin. We maintain continuous updates to our procedures to adapt to legislative changes, conduct periodic compliance assessments, and actively collaborate with data protection authorities when required. All our personnel receive regular training on applicable privacy regulations, ensuring safe, responsible, and legally compliant practices at all times.

12. Incident Notification

Although we implement all reasonable and technologically advanced security measures to protect your data, we recognize that no system is completely infallible and there is a possibility that security incidents may occur. In the event of any security violation, data breach, unauthorized access, loss, alteration, or improper disclosure of personal information we handle, we immediately activate our security incident response protocol. This protocol includes: immediate assessment of the incident's scope and severity, rapid containment to prevent further data exposure, forensic investigation to determine causes and responsibilities, implementation of corrective measures to address identified vulnerabilities, and detailed documentation of the entire process. In accordance with applicable legal obligations, we will notify data protection authorities without undue delay when the incident presents risks to the rights and freedoms of affected persons. Likewise, we will directly communicate with affected data subjects when the incident is likely to generate a high risk to their rights, providing clear information about the nature of the incident, categories of compromised data, measures adopted, and recommendations to mitigate potential adverse impacts.

13. Information Retention

The retention of your personal data is governed by clearly defined criteria that balance business operational needs with respect for your privacy and applicable legal requirements. We establish differentiated retention periods according to data category and nature: booking and transaction information is retained for the time required by fiscal and accounting regulations (typically between 5 and 10 years depending on jurisdiction); marketing communications data is maintained while your consent to receive them remains active; basic contact information is retained while an active or potential business relationship exists; and website access and activity logs are retained for shorter periods oriented primarily toward security and service improvement. Personal data of minors receives special treatment with more restrictive retention periods. Once established retention periods have elapsed and all legal obligations are satisfied, we systematically proceed with permanent deletion through secure erasure of digital media, physical destruction of documents, or, where applicable, irreversible anonymization that makes re-identification of the data subject impossible.

14. Access and Rectification

We guarantee your fundamental right to know what personal information we maintain about you and to keep it accurate and up-to-date. The right of access allows you to request and obtain a complete copy of all your personal data we process, including details about collection sources, processing purposes, recipients or categories of recipients with whom we share information, anticipated retention periods, and existence of automated decisions if any. This access is facilitated through simple, well-documented, and completely free procedures, available both through our website and through direct communication with our privacy team. The right of rectification empowers you to request immediate correction of any inaccurate, incomplete, misleading, or outdated data appearing in our records. We process these rectification requests diligently, updating information across all our systems and, where appropriate, notifying corrections made to third parties with whom we have previously shared incorrect data, thus ensuring propagation of accurate information throughout the entire processing chain.

15. Protection of Minors' Data

We recognize that minors deserve special and enhanced protection regarding processing of their personal data. Our tourism services are designed primarily for adults, but we understand that families with minors book our tours. When we process information of persons under 18 years old (or the age of majority that corresponds according to applicable jurisdiction), we implement additional safeguards including: mandatory obtaining of verifiable consent from parents or legal guardians before collecting or processing any minor's data; strict limitations on information categories we collect, restricting ourselves to what is strictly necessary for providing the tourism service; prohibition of using minors' data for profiling, direct marketing, or automated decisions; implementation of especially robust technical and organizational measures to protect this sensitive information; specific training for our personnel on minor data protection; and simplified procedures for parents or guardians to exercise the minor's rights, including access, rectification, and deletion of information. We maintain separate and specially protected records for minor data.

16. ARCO Rights

ARCO rights (Access, Rectification, Cancellation, and Opposition) constitute fundamental pillars of your control over your personal data, and at ATV Rainbow Mountain we actively facilitate their exercise through clear, accessible procedures without unnecessary bureaucratic obstacles. The right of Access allows you to know what data of yours we possess, how we use it, and with whom we share it; the right of Rectification empowers you to correct inaccurate or incomplete information; the right of Cancellation (or deletion) allows you to request erasure of your data when they are no longer necessary for the purposes that motivated their collection, when you withdraw your consent, when you object to processing and there are no legitimate grounds that justify it, or when processing is unlawful; and the right of Opposition authorizes you to express your refusal to processing of your data for specific purposes, particularly for direct marketing. To exercise any of these rights, you can contact us through specifically enabled channels: ARCO request web form, dedicated email, or postal communication addressed to our offices. We process these requests free of charge and without unjustified delays, responding within legally established timeframes (typically 10 to 20 business days depending on complexity), and providing reasoned and understandable responses.

17. Right to Portability

The right to data portability is a modern expression of the control you exercise over your personal information in the digital age. This right empowers you to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as CSV, JSON, or XML files), and to transmit that data to another data controller without hindrance from us. This right applies specifically to data you directly provided to us on the basis of your consent or the performance of a contract, and which is processed by automated means. Portability lets you change service providers without losing control of your historical information, thus promoting a healthier competitive environment. When you request portability of your data, we will provide the information in a technically accessible format within a reasonable timeframe. Where technically feasible, and if you request it, we can transmit your data directly to the new controller you designate. This transfer is carried out under strict security measures, identity verification, and authorization confirmation, ensuring your data reaches only the legitimate recipient you have designated.

18. Security according to Peruvian Standards

Our operations in Peruvian territory are strictly governed by Law No. 29733 - Personal Data Protection Law and its Regulations approved by Supreme Decree No. 003-2013-JUS, which establish the legal framework for lawful, proportional, and transparent processing of personal data in Peru. We rigorously comply with the guiding principles established in this legislation and its Regulations: legality (we process data only with a valid legal basis), consent (we obtain informed authorization from the data subject), purpose (we use data only for determined and legitimate purposes), proportionality (we collect only necessary data), quality (we maintain accurate and updated data), security (we implement appropriate technical and organizational measures), resource provision (we facilitate protection mechanisms), adequate protection level (we guarantee protection in international transfers), confidentiality (we protect professional secrecy), and retention (we delete data when no longer necessary). We have registered our personal data banks with the National Authority for Personal Data Protection, designated an internal privacy officer, implemented documented processing policies, and established written agreements with all our data processors. We maintain open channels with the data protection authority for consultations, notifications, and collaboration in investigations when required.

19. Security according to US Standards

Considering that a significant portion of our clients come from the United States, we have adapted our data protection standards to comply with the complex matrix of applicable U.S. regulations at the federal and state levels. At the federal level, we apply the provisions of the Federal Trade Commission Act (FTC Act) that prohibit unfair or deceptive business practices in the handling of consumer information. Regarding state regulations, we implement the most stringent provisions of laws such as the California Consumer Privacy Act (CCPA), as amended and expanded by the California Privacy Rights Act (CPRA), which grant California residents specific rights including knowing what data is collected, accessing copies of their data, requesting deletion, opting out of the sale or sharing of their personal information for certain purposes, and not being discriminated against for exercising their rights. We also consider the requirements of the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and other emerging state privacy laws. For U.S. clients, we provide specific privacy notices, clear opt-out mechanisms, "Do Not Sell My Personal Information" links, and simplified processes for exercising privacy rights. We maintain detailed records of the data categories collected, their sources, usage purposes, and the third parties with whom we share information, as required by these regulations.

20. Consent Revocation Procedures

Your consent for personal data processing is always revocable, and we have designed clear, accessible procedures without obstacles to facilitate the exercise of this fundamental right. Consent revocation can be exercised at any time and requires no justification, although it is important to understand that such revocation will not affect the lawfulness of processing we carried out previously on the basis of the consent you granted. To revoke your consent, you can use the multiple channels we have specifically enabled: direct "unsubscribe" links included in each marketing email we send you; user preference panels accessible from your account on our website; specific web forms for consent revocation; direct communication with our privacy team via email or telephone; or written notification addressed to our offices. Once we receive your revocation request, we process the change promptly (in most cases within 24 to 48 hours), updating all our systems to reflect your new preference, ceasing the data processing that depended on the revoked consent, and confirming in writing that your request has been handled. Please note that revoking consent for certain processing activities may limit or prevent our ability to provide you with services that depend on the processing of that data.

21. External Links Policy

Our website may contain links, hyperlinks, or references to third-party websites, including social networks, associated blogs, complementary booking platforms, tourism service providers, business partners, government authorities, and other external resources we consider relevant or useful for our users. It is essential to understand that we exercise no control over content, privacy practices, cookie policies, or security measures implemented by these third-party sites, and therefore cannot assume responsibility for how such sites collect, use, share, or protect your personal information. Each website has its own privacy policies and terms of use that govern your interaction with them. We strongly recommend that, before providing any personal information to a third-party site, you carefully review its privacy policy, terms and conditions, and security practices. Inclusion of a link on our site does not imply endorsement, warranty, or representation about reliability, accuracy, or suitability of said external site. We conduct periodic reviews of external links we publish, removing those that have become inactive, problematic, or present evident risks to users, but we cannot guarantee permanent compliance of all linked sites with adequate privacy and security standards.

22. Periodic Policy Review

The personal data protection landscape is dynamic and constantly evolving, with new regulations emerging, technologies developing, security risks changing, and best practices being continuously refined. Recognizing this changing reality, we commit to periodically reviewing, evaluating, and updating our privacy policy to ensure it remains aligned with current legal regulations, reflects international best practices in data protection, incorporates technological advances in security measures, and effectively responds to the reasonable privacy expectations of our users. These review processes include internal compliance audits, privacy impact assessments, analysis of security incidents reported in the tourism industry, consultations with legal experts specialized in data protection, and consideration of feedback received from our clients and data protection authorities. Updates may result from legislative changes, modifications in our services or business models, implementation of new data processing technologies, identification of new privacy risks, or simply from our continuous pursuit of improvement. We maintain a versioned record of all policy iterations, available for historical consultation, allowing users to trace the evolution of our privacy commitments over time.

23. Data Minimization Statement

The principle of data minimization constitutes a central axis of our privacy protection philosophy and guides all our personal information collection and processing activities. This fundamental principle establishes that we only collect, process, and retain personal information that is strictly necessary, adequate, and relevant to fulfill the specific and legitimate purposes we have previously communicated. We systematically avoid collection of excessive, redundant, unnecessary, or irrelevant data that does not add real value to the service we provide you or that exceeds originally established purposes. Before incorporating any new data field in our forms or systems, we conduct rigorous assessments to determine its real necessity, considering whether less invasive alternatives exist to achieve the same objectives, and documenting justification for its collection. This "minimal collection" approach not only better protects your privacy by limiting personal information exposure, but also reduces our own security risks by decreasing the volume of sensitive data we must protect, simplifies compliance with data protection obligations, and facilitates exercise of your rights by maintaining more manageable and auditable information repositories. We periodically review data we maintain to identify and eliminate information that has ceased to be necessary for our legitimate purposes.

24. Privacy Impact Assessment

Privacy Impact Assessments (PIAs) constitute systematic and structured tools we employ proactively to identify, analyze, evaluate, and mitigate potential risks to privacy and personal data protection before implementing new projects, technological systems, business processes, or data processing that may present significant risks to individuals' rights and freedoms. These assessments are mandatory when we contemplate processing special categories of sensitive data, conducting automated user profiling, implementing surveillance or tracking technologies, transferring large volumes of personal data, combining or correlating datasets from multiple sources, or adopting emerging technologies whose privacy implications are not fully understood. The assessment process includes: detailed description of proposed data processing; identification and consultation with relevant stakeholders including potentially affected users; analysis of processing necessity and proportionality; systematic identification of privacy risks (unauthorized access, misuse, inadvertent disclosure, discrimination, etc.); assessment of likelihood and impact of each risk; proposal of technical and organizational measures to mitigate identified risks; and complete documentation of conclusions and decisions. PIAs are reviewed and approved by our privacy team before proceeding with implementations, and in high-risk cases, may require prior consultation with the data protection authority.

25

Data Incident Management

We have developed and implemented a comprehensive data security incident management program that establishes clearly defined operational protocols, specific roles and responsibilities, and escalated response procedures to detect, contain, investigate, remediate, and report any security event that could compromise the confidentiality, integrity, or availability of personal data in our custody. This program includes continuous monitoring of our systems through intrusion detection tools, security log analysis, and automatic alerts for anomalous behaviors. When an incident is detected or we are notified of one, we immediately activate our response team, which executes a structured process: initial containment to prevent damage propagation; preservation of digital evidence for forensic analysis; preliminary assessment of scope and severity; internal notification to senior management; detailed forensic investigation to determine root cause, attack vectors, compromised data, and affected systems; implementation of technical remediations to close exploited vulnerabilities; service and data recovery from backups when necessary; and exhaustive incident documentation. We rigorously comply with legal notification obligations to data protection authorities (typically within 72 hours of becoming aware of the incident) and communication to affected data subjects when the incident presents risks to their rights. We conduct post-incident analysis to extract lessons learned and continuously improve our defenses.

26

Compliance Audits

Independent and systematic verification of our compliance with data protection regulations, internal policies, industry best practices, and commitments made to our clients is conducted through a structured audit program that combines periodic internal reviews with external assessments conducted by independent specialized auditors. Internal audits are executed with regular frequency (typically quarterly or semi-annually) by designated personnel from our compliance department who have no direct operational responsibilities over the audited processes, thus ensuring independence and objectivity. These internal reviews examine aspects such as: accuracy and completeness of our processing activity records; effectiveness of implemented technical and organizational controls; compliance with data retention and deletion policies; adequacy of security measures; timely response to data subject rights requests; validity of obtained consents; and conformity of agreements with data processors. Additionally, we contract independent external audits executed by firms specialized in data protection and cybersecurity, which provide objective assessments, identify compliance gaps not detected internally, offer recommendations based on market best practices, and issue certifications or conformity reports. Audit findings are reported to senior management, formally documented, incorporated into corrective action plans with defined responsible parties and deadlines, and followed until complete resolution. This continuous audit process ensures transparency, accountability, and constant improvement in our data protection practices.

27

Continuous Improvement Implementation

We adopt a philosophy of continuous improvement in all aspects related to personal data protection and user privacy, recognizing that security and privacy are not static states achieved once and left unchanged, but dynamic processes requiring constant adaptation, proactive evolution, and permanent refinement in the face of emerging threats, changing technologies, and growing user expectations. This commitment to continuous improvement materializes through multiple initiatives: periodic reviews of our policies, procedures, and technical controls to identify strengthening opportunities; active monitoring of industry trends, new security threats, discovered vulnerabilities, and emerging attack techniques; participation in professional privacy and security communities to exchange knowledge and best practices; sustained investment in training and professional development of our personnel on data protection topics; regular technological updating of our security systems, encryption tools, backup solutions, and data management platforms; incorporation of feedback received from our users, audits, data protection authorities, and security incidents; and implementation of "privacy by design" principles in all our new projects. We maintain a documented privacy improvement roadmap, with clear objectives, defined success metrics, allocated resources, and implementation timelines, ensuring continuous improvement is not just an abstract concept but a tangible and measurable practice.

28

Secure Data Transfer

Any transfer or transmission of personal data, whether within our own systems, to external service providers, between different countries, or in response to legitimate authority requests, is executed through secure channels and under strict protocols designed to safeguard information confidentiality, integrity, and availability in transit. We employ robust and updated encryption technologies, including transport layer security protocols (TLS/SSL) version 1.2 or higher for web communications, end-to-end encryption for sensitive data transmissions, virtual private networks (VPN) for remote connections of our personnel, and secure file transfer protocols (SFTP, FTPS) for bulk data exchanges. Before any significant transfer, we conduct risk assessments to determine data sensitivity, identify potential threats during transmission, and select transfer methods appropriate to risk level. We implement multi-factor authentication to verify data recipient identity, role-based access controls to limit who can initiate transfers, detailed logging of all data transfers to maintain traceability and facilitate audits, and integrity verification processes through checksums or cryptographic hashes that guarantee data was not altered during transmission. For physical transfers of storage media, we employ full disk encryption, documented chains of custody, secure and traceable courier services, and secure erasure procedures for temporary devices once transfer is completed.

29

Authentication Mechanisms

Access control to sensitive personal data constitutes a critical first line of defense against unauthorized access, and therefore we have implemented robust, multi-level authentication mechanisms based on recognized security standards that ensure only properly authorized users can access personal information in our custody. These mechanisms include: multi-factor authentication (MFA) that combines something the user knows (password), something the user possesses (security token, verification code sent to mobile), and potentially something the user is (biometrics) for users with access to critical systems; robust password policies that require minimum length, complexity (uppercase, lowercase, numbers, special characters), prohibition of common or previously compromised passwords, and periodic rotation; centralized identity management (IAM) that maintains unique user records, facilitates agile access provisioning and deprovisioning, and enables privilege audits; role-based access control (RBAC) that assigns permissions according to specific job functions following the principle of least privilege (users receive only the access strictly necessary to perform their responsibilities); sessions with automatic timeout after periods of inactivity; complete logging of all successful and failed authentication attempts to detect suspicious patterns; automatic account lockout after multiple failed access attempts; and secure credential recovery processes that verify identity through multiple channels before restoring access. Our personnel with access to personal data receive specific training on credential protection.

30

Specific Consent for Commercial Use

We clearly distinguish between personal data processing strictly necessary for providing the tourism services you contract (such as reservation management, logistical coordination, billing) and use of your data for additional commercial or advertising purposes such as direct marketing, profiling for advertising segmentation, purchase behavior analysis, or sharing with business partners for joint promotions. For these commercial use purposes, we request additional, specific, informed, and unambiguous consent that is separate from the consent for the basic processing necessary for the service. This commercial consent is obtained through active opt-in mechanisms (checkboxes that must be explicitly checked, never pre-checked), with clear and accessible explanations about: what type of commercial communications you will receive, with what approximate frequency, what data categories will be used to personalize messages, what business partners might participate in communications, and how you can withdraw your consent at any time. We strictly respect your decision if you choose not to provide this commercial consent, guaranteeing that such refusal will not negatively affect your ability to contract and receive our tourism services under the same conditions as other clients. We implement clear segmentation in our systems to distinguish users who have consented to receive commercial communications from those who have not, ensuring only the former receive such communications. We facilitate multiple simple mechanisms to withdraw commercial consent, including "unsubscribe" links in each advertising email, preference panels in your user account, and direct response to any communication requesting exclusion. Commercial consent withdrawal is processed immediately and we confirm its effectiveness.