Privacy Policy

This Privacy Policy describes how personal data of users who use the Ceibo Travel platform (hereinafter, the "Platform") is collected, used, and protected.

We are committed to protecting users’ privacy and processing their personal data in accordance with the highest international data protection standards, applying principles of lawfulness, transparency, data minimization, confidentiality, and security.

For the purposes of this Privacy Policy, the following terms shall have the meanings assigned below:

• ●Personal Data: any information that identifies or may identify a natural person, directly or indirectly.
• ●Sensitive Personal Data: information revealing aspects related to health, including data related to vaccines and their validity periods.
• ●Processing: any operation or set of operations performed on personal data, such as collection, storage, use, modification, consultation, erasure, or destruction.
• ●User: any person who accesses or uses the Platform.
• ●Controller: the natural or legal person who determines the purposes and means of the processing of personal data.
• ●Technology Provider: a third party that provides infrastructure, storage, authentication, or support services necessary for the operation of the Platform.

Through the Platform, and depending on the User’s use, we may collect the following personal data:

• ●Identification data: first and last name.
• ●Contact data: email address.
• ●Travel and documentation data: nationality, passport issuing country, and passport expiration date.
• ●Travel-related health data: information on required vaccines and expiration dates.

Providing certain data is optional. The User may use certain Platform functionalities without creating an Account or without uploading sensitive data. However, some specific features may require the creation of an Account and the provision of additional information in order to function properly.

The User declares that the data provided is truthful, current, and relates to their own person.

We use the User’s personal data for the following purposes:

• ●To create, manage, and maintain the User’s Account.
• ●To provide personalized information regarding visa requirements, documentation, and entry conditions for different countries.
• ●To store and manage travel, passport, and vaccination information uploaded by the User.
• ●To send reminders related to passport, visa, and vaccine expiration dates.
• ●To display the User’s progress within the Platform’s functionalities.
• ●To respond to inquiries and provide support.
• ●To improve the operation, security, and overall user experience of the Platform.
• ●To detect, prevent, and address misuse, unauthorized access, or security incidents.

Personal data is not used for purposes other than those described herein.

Personal data is processed only when there is a valid legal basis and in accordance with internationally recognized principles, including:

• ●Transparency and fairness in processing.
• ●Purpose limitation.
• ●Data minimization.
• ●Accuracy and data updating.
• ●Security and confidentiality.

The legal bases enabling processing include, among others:

• ●The User’s free, informed, and explicit consent.
• ●The necessity to provide the service requested by the User.
• ●The protection of the Platform’s operation and security.

The User may withdraw consent at any time, without retroactive effect.

Information related to vaccines and their expiration dates constitutes sensitive personal data, as it is related to the User’s health.

Such data will be processed under enhanced protection criteria and only under the following conditions:

• ●It will be used exclusively to inform about applicable health requirements for travel and to send related reminders.
• ●Processing is based on the User’s explicit consent, granted by voluntarily uploading such information.
• ●It will not be used for advertising, commercial purposes, or profiling.
• ●It will not be shared with third parties, except for technology providers essential to the operation of the Platform and subject to strict confidentiality and security obligations.

The User may delete this information at any time.

Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected or until the User requests its deletion.

The Controller may retain minimal information where reasonably necessary to address claims, comply with applicable obligations, or protect rights.

The Controller adopts reasonable technical and organizational measures proportionate to the risk to protect personal data, including:

• ●Encryption of data in transit.
• ●Restricted and controlled access.
• ●Use of secure technological infrastructure provided by specialized third parties.
• ●Periodic security controls and reviews.

Notwithstanding the above, the User acknowledges that no system is completely infallible.

Personal Data will not be sold or commercialized.

It may be processed by technology providers that provide infrastructure or support services, acting under the Controller’s instructions and subject to contractual confidentiality and security obligations.

In the event of international data transfers, the Controller will adopt reasonable contractual and organizational measures to ensure an adequate level of protection.

The User may exercise the following rights with respect to their personal data, as recognized by international data protection standards:

• ●Access their personal data.
• ●Request rectification of inaccurate or incomplete data.
• ●Request deletion of their data.
• ●Withdraw consent at any time.
• ●Request restriction of or object to processing.
• ●Request data portability, where technically feasible.

Requests may be submitted by writing to privacy@ceibo.me and will be addressed within a reasonable timeframe.

The Platform may use technical and functional cookies strictly necessary for its proper operation and to improve the user experience.

The Platform is not intended for persons under 18 years of age. Personal data of minors is not intentionally collected. If such a situation is detected, the data will be deleted immediately.

The Controller may amend this Privacy Policy at any time. Updated versions will be published on the Platform and will enter into force upon publication.

This Policy establishes general principles for the protection of personal data applicable on a global level. Specific legal provisions of certain jurisdictions may, where applicable, be developed through supplementary annexes or addenda.