Privacy Policy — Website
Date: May 12, 2026 | Version: 1.0
We use the term “pseudonymized” when data is no longer directly attributable to you, but could still be linked back to you through additional information (such as a hashed identifier or a cookie ID). We only use the term “anonymous” when re-identification is technically irreversible. Under the GDPR, pseudonymized data remains personal data, while truly anonymous data falls outside the GDPR.
1. Scope of This Policy
This Policy covers the Cabana Trips Website only. If you use our iOS App, a separate Privacy Policy applies that you can read inside the App. Where the Website refers you to an external service or affiliate partner, that partner's own privacy policy applies as soon as you leave our Website.
2. Data We Process on Our Servers
To provide the Website, we process the following categories of personal data on our servers within the EU. Per category we list the data, the purpose, the legal basis, and the retention period.
Account & Vacation Data
If you create an account on the Website, we process your email address, a hashed password, your account preferences, and the trip data you create or save (such as itineraries, destinations, dates, and bookings). This data is stored on our servers within the EU.
Legal basis: Article 6(1)(b) GDPR — necessary for the performance of our agreement with you (providing your account and Website functionality).
Retention: For as long as your account is active. After account deletion (which you can request at any time via the Website or via info@cabanatrips.com), your data is deleted within 30 days, except for transaction metadata that we are legally required to keep (see Hotel Booking below).
AI Travel Assistant
When you use the AI travel assistant, your travel preferences (such as destination, dates, and number of travelers) are sent pseudonymously to generate personalized travel suggestions. No names, email addresses, or account identifiers are attached to these conversations. Chat sessions are stored temporarily and encrypted on our servers.
Legal basis: Article 6(1)(a) GDPR — your consent (you actively start an AI conversation). You can withdraw consent at any time by closing or deleting the session.
Retention: By default, chat sessions automatically expire and are deleted after 1 hour of inactivity. If you opt in to saving your session, it is retained for up to 90 days and then automatically deleted.
Analytics
We collect pseudonymized usage statistics (such as pages viewed, approximate region derived from IP, browser type, and session duration) to understand how the Website is used and how to improve it. IP addresses are truncated/hashed before storage.
Legal basis: Depends on the analytics setup you accept. If we use “privacy-friendly” analytics that meet the Dutch Data Protection Authority's exception criteria, we rely on Article 6(1)(f) GDPR — legitimate interest, no cookie consent required. For any analytics that does not meet those criteria, we rely on Article 6(1)(a) GDPR — your consent given through the cookie banner.
Retention: 24 months, after which records are deleted or further aggregated to a fully anonymous level.
Feedback & Support
When you voluntarily submit feedback or a support request via the Website, we collect your name, email address, and message so we can assist you.
Legal basis: Article 6(1)(b) GDPR (handling a support request you initiated) and Article 6(1)(f) GDPR (our legitimate interest in improving the Website based on user feedback).
Retention: 36 months after the last contact, unless an active case requires longer retention (for example a complaint, dispute, or legal claim).
Web Push Notifications
If you grant the Website permission to send web push notifications, a pseudonymous push subscription identifier is stored to deliver trip reminders and flight alerts.
Legal basis: Article 6(1)(a) GDPR — your consent (your browser asks for explicit notification permission).
Retention: For as long as notifications remain enabled. The subscription is deleted when you revoke permission in your browser or after 12 months of inactivity.
Flight Alerts
When you enable flight tracking, your flight number, departure date, and route are sent to our servers for real-time status updates. This data is linked only to your pseudonymous push or account identifier.
Legal basis: Article 6(1)(a) GDPR — your consent (you actively enable tracking for a specific flight).
Retention: Until the scheduled flight date plus 30 days, then automatically deleted.
Hotel Booking
When you book a hotel through the Website, your guest details (name, contact data, stay dates) and payment information pass through our server and are forwarded securely to our hotel affiliate partner to complete the reservation. We do not store your credit card details on our systems.
Legal basis: Article 6(1)(b) GDPR — necessary for the performance of the booking contract you enter into.
Retention: Transaction metadata (booking ID, dates) is retained for 7 years to comply with Dutch fiscal record-keeping obligations (art. 52 AWR). Guest details on our servers are deleted once the booking is confirmed; the affiliate partner retains the booking under their own privacy policy.
Server Logs & Security
Our web server automatically records limited technical data such as truncated IP address, user-agent string, requested URL, and timestamp. We use these logs to operate the Website, detect abuse, and investigate security incidents.
Legal basis: Article 6(1)(f) GDPR — our legitimate interest in the security and reliability of the Website.
Retention: 14 days for general logs; up to 12 months for logs flagged in a security investigation.
3. Cookies & Similar Technologies
The Website uses cookies and similar technologies (such as local storage and pixels). Under the ePrivacy Directive (Dutch Telecommunications Act, art. 11.7a) we ask your consent for any cookie that is not strictly necessary. The first time you visit the Website you see a cookie banner that lets you accept, reject, or customize categories. You can change your choices at any time via the “Cookie settings” link in the footer.
Strictly necessary cookies
Required for core functionality (e.g. login session, security tokens, language preference, cookie-consent record). These are always active because the Website cannot function without them.
Legal basis: Article 6(1)(f) GDPR + ePrivacy exemption — no consent required.
Preference cookies
Remember your settings, such as preferred currency or display options, so the Website behaves the way you expect on a return visit.
Legal basis: Article 6(1)(a) GDPR — consent via the cookie banner.
Statistics (analytics) cookies
Pseudonymized analytics to measure pageviews, traffic sources, and aggregate usage. We do not use these for personal profiling or cross-site tracking.
Legal basis: Article 6(1)(a) GDPR — consent via the cookie banner, unless we operate a privacy-friendly analytics setup that meets the Dutch Data Protection Authority's exception criteria, in which case we rely on Article 6(1)(f) GDPR — legitimate interest.
Marketing cookies
Used by our advertising network partner and our affiliate partners to measure ad performance and to attribute referrals (e.g. recording that you arrived at a partner's website via Cabana Trips). These cookies may be placed by third parties; we do not control what they collect on their own sites.
Legal basis: Article 6(1)(a) GDPR — consent via the cookie banner. You can refuse marketing cookies without losing access to the Website.
Managing your choices
You can withdraw or change your cookie consent at any time via “Cookie settings” in the footer. You can also block or delete cookies through your browser settings; note that this may affect the functionality of the Website.
4. Advertising
On the free version of the Website we may display non-personalized advertisements served by our advertising network partner. Premium subscribers do not see advertisements. Where personalized advertising would require it, we only place advertising cookies after explicit consent via the cookie banner (see Section 3 “Marketing cookies”).
Legal basis: Article 6(1)(f) GDPR for non-personalized advertising (legitimate interest in funding the free Website); Article 6(1)(a) GDPR for any personalized advertising (your consent).
5. Partners & Third-Party Services
We help you find travel services through partners for hotels, flights, tours, activities, eSIMs, camping, car rental, transfers, and audio tours. When you click through to a partner, you leave our Website and that partner's privacy policy applies.
Data Processing Agreements: All external parties that process personal data on our behalf (for example our AI provider, flight data provider, hotel affiliate partner, advertising network partner, analytics partner, web push delivery infrastructure, and cloud/hosting provider) are bound by Data Processing Agreements (DPAs) under Article 28 GDPR. These agreements contractually require those parties to apply appropriate technical and organizational security measures, restrict use of the data to our documented instructions, and assist us in fulfilling data-subject rights.
6. External Data & AI Disclaimer
To enhance your travel experience, the Website integrates data from external services for maps, weather, flight information, restaurants, and AI-powered suggestions. We are not the source of this data.
7. Data Protection Impact Assessment (DPIA)
For processing activities that may pose a higher privacy risk — specifically AI-driven travel suggestions and automated recommendations — we have carried out a Data Protection Impact Assessment in accordance with Article 35 GDPR. The DPIA identifies the risks, the mitigation measures (such as pseudonymization, short retention periods, opt-in consent, and contractual safeguards with our AI provider), and the residual risk after mitigation. A summary of the DPIA is available on request via info@cabanatrips.com.
8. International Data Transfers
Our servers are located within the EU. Certain features (such as AI processing and advertising) may involve data processing outside the EU. In such cases, transfers take place only under Article 44–49 GDPR safeguards, namely: (a) adequacy decisions of the European Commission, (b) Standard Contractual Clauses (SCCs) approved by the European Commission with supplementary measures where required, or (c) certification under the EU-US Data Privacy Framework. You can request an overview of the transfer mechanisms applied to your data via info@cabanatrips.com.
9. Browser Permissions
The Website may ask your browser for the following permissions, each only when needed and each based on Article 6(1)(a) GDPR (your consent, granted through the browser prompt):
- Location (Geolocation API): To show nearby activities and restaurants. Location data is processed in your browser and is not stored persistently or sent to our servers, unless you save a result to your account.
- Notifications (Web Push): For trip reminders and flight alerts. See Section 2 “Web Push Notifications” for retention details.
- Camera / Microphone: If you use scan or voice features, your browser will ask permission. Audio and image data is processed in your browser; only the result (e.g. extracted text) is sent to our servers when you confirm.
You can revoke any of these permissions at any time via your browser's settings (typically under “Site settings” or “Permissions”).
10. Your Rights
Under the GDPR (Articles 15–22) you have the following rights:
- Access (Art. 15) — view your data and request a copy
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — have your data deleted, including deletion of your account via the Website
- Portability (Art. 20) — export your trip data in a machine-readable format
- Object (Art. 21) — object to processing based on legitimate interest
- Restriction (Art. 18) — restrict processing in certain circumstances
- Withdraw consent (Art. 7(3)) — change your cookie choices in “Cookie settings”, or revoke browser permissions via your browser
To exercise any of these rights, contact us at info@cabanatrips.com. We respond within one month of receipt of a verifiable request (extendable by a further two months for complex requests, in line with Article 12(3) GDPR). We may need to verify your identity before we can comply.
You can manage and delete your account directly via the Website's account settings.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or the supervisory authority of your country of residence.
11. Children's Privacy
The Cabana Trips Website is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact info@cabanatrips.com and we will delete the data without delay.
12. Changes
We may update this Privacy Policy from time to time. The latest version is always available on the Website with the date of last update. For material changes that affect the lawfulness of processing (for example a change of legal basis or a new category of data), we will notify you on the Website before the change takes effect and, where required, ask for renewed consent.
13. Contact
Questions about this Privacy Policy or your rights? Contact us:
Cabana Trips
Haarlem, The Netherlands
info@cabanatrips.com
Supervisory authority: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
© 2026 Cabana Trips. All rights reserved.