Privacy Policy & GDPR

Introduction

ITINERARIUM TRAVEL SRL respects the privacy rights of its clients and is committed to protecting personal data in accordance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and applicable Romanian legislation.

This Privacy Policy describes how we collect, use, store and protect your personal information.

Data Controller

The controller of personal data is ITINERARIUM TRAVEL SRL, VAT: RO35435458, Registration No: J12/181/2016, Romania.

What Data We Collect

We collect and process the following categories of personal data:

  • Identification data: name, surname, personal ID (when necessary)
  • Contact data: email address, phone number, postal address
  • Travel information: preferences, desired destinations, budget
  • Payment data: information necessary for payment processing
  • Technical data: IP address, browser type, cookies (with your consent)

Purpose of Data Processing

We process your personal data for the following purposes:

  • Execution of the tourism services contract
  • Communication with you and provision of requested information
  • Payment processing and invoice issuance
  • Improvement of our services
  • Direct marketing (only with your explicit consent)
  • Fulfillment of legal obligations (accounting, tax reporting)

Legal Basis for Processing

We process your data based on the following legal grounds:

  • Performance of the contract concluded with you
  • Your consent (for marketing and cookies)
  • Legal obligations (accounting, tax legislation)
  • Legitimate interest of the operator (service improvement)

Data Sharing

Your data may be shared with:

We never sell or rent your personal data to third parties for marketing purposes.

  • Tourism service providers (hotels, airlines, tour operators)
  • Payment processors and banking institutions
  • Public authorities (when required by law)
  • IT and hosting service providers

Storage Period

We keep your personal data only for the period necessary to fulfill the purposes for which it was collected:

After these periods expire, data is securely deleted or anonymized.

  • Contractual data: 5 years from contract completion (according to tax legislation)
  • Marketing data: until consent withdrawal
  • Technical data (cookies): according to Cookie Policy

Your Rights

In accordance with GDPR, you have the following rights:

  • Right of access - to obtain confirmation that we process your data
  • Right to rectification - to correct inaccurate data
  • Right to erasure ('right to be forgotten')
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing (especially for marketing)
  • Right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP)

Data Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, destruction or modification.

Access to personal data is restricted only to employees and partners who need this information to perform their duties.

Data Protection Contact

For any questions regarding the processing of your personal data or to exercise your rights, please contact us through the Contact page or directly at the dedicated data protection email address.

Last updated: November 2025