Privacy Policy
Version 1.2 — Last updated: 09.05.2026
1. Who is the data controller
The data controller is AVANGARDE TOURISM S.R.L., operator of the Avangarde Tourism brand, with registered office at Bd. Dacia nr. 43, Bucharest, Romania, Tax ID 51421373, Trade Register no. J2025016843005.
Data protection contact: avangardetourism@gmail.com.
General contact: avangardetourism@gmail.com, phone +40 739 340 724.
2. Purpose of this policy
This Policy explains how we collect, use, store, and protect the personal data of users, tourists, persons included in bookings, collaborators, providers, and persons who interact with the platform.
3. Data we may process
We may process the following categories of data, depending on how you interact with the platform:
- Identity data: name, date of birth, nationality, sex, travel document data.
- Contact data: email, phone, address.
- Account data: user ID, encrypted password, preferences, authentication history.
- Booking data: destination, period, number of persons, preferences, requested services, accommodation, transport, insurance.
- Payment data: payment status, amount, payment method, transaction identifiers. We do not store full card data — payment is processed by an external processor (Stripe).
- Technical data: IP, browser, operating system, device, logs, cookies and similar identifiers.
- Communications: messages, requests, complaints, feedback, correspondence.
- Data about other persons included in the booking, provided by the person making the booking.
- Special data, only where necessary and provided voluntarily: allergies, medical restrictions, disabilities, special assistance, or other health information.
4. Purposes and legal bases
| Purpose | Indicative legal basis |
|---|---|
| Account creation and management | Contract performance / pre-contractual measures |
| Preparing personalised offers | Pre-contractual measures at the user's request |
| Processing bookings and delivering tourist services | Contract performance |
| Payments, invoicing, and accounting | Legal obligation / contract performance |
| Transmitting data to providers | Contract performance / legitimate interest / legal obligation |
| Assistance, complaints, and refunds | Contract performance / legal obligation / legitimate interest |
| Direct marketing | Consent or legitimate interest, within legal limits |
| Analytics/marketing cookies | Consent, where required |
| Security, fraud prevention, and audit | Legitimate interest / legal obligation |
| Special data for medical or assistance requirements | Explicit consent or another basis permitted by law |
5. Data about other persons
If you provide data about other persons included in a booking, you confirm that you have the right to provide that data and that you have informed them about this Policy. For minors, data must be provided by a parent, guardian, or legal representative.
6. Special data and medical requirements
We process special data only where necessary for organising the trip or where the user provides it voluntarily and gives explicit consent (for example for food allergies, reduced mobility assistance, medical requirements, or other special needs). This data is accessible only to the persons and providers who need it to deliver the services. Details: Special Data Information & Consent.
7. Who we may share data with
We may share personal data with:
- Hotels, accommodation providers, carriers, guides, partner agencies, insurers, local organisers, and other providers involved.
- Payment processors, banks, and anti-fraud services (Stripe).
- IT, hosting, CRM, email, communication, analytics, and support providers.
- Independent collaborators and authorised agents, only to the extent necessary for their role.
- Legal, tax, accounting, and audit advisers.
- Public authorities, courts, or competent institutions, where legally required.
We do not sell your personal data to third parties. All third-party processors are bound by GDPR-compliant data processing agreements. Details: DPA & Confidentiality Annex.
8. Collaborators and data access
Independent collaborators, internal agents, and providers are given access only to the data necessary for their role. They must comply with confidentiality obligations, processing instructions, and security rules. Access may be monitored and revoked.
9. Transfers outside the European Economic Area
Some tourist services may involve transmitting data to providers outside the European Economic Area (for example hotels, local operators, or carriers in the chosen destination). In such cases, the transfer may be necessary for the performance of the travel contract or may be carried out on the basis of appropriate safeguards, as applicable.
10. Retention period
| Data category | Indicative period |
|---|---|
| Account data | For the duration of the account and thereafter as necessary to defend rights |
| Booking data | For the duration of the contract and thereafter in accordance with applicable legal and fiscal deadlines |
| Financial/accounting data | In accordance with applicable legal obligations (10 years, Romanian fiscal legislation) |
| Complaints and correspondence | For the duration of resolution and thereafter as necessary for evidence and defence of rights |
| Marketing data | Until consent is withdrawn or objection is raised |
| Special data | Only as long as necessary for the stated purpose, with subsequent deletion or restriction |
| Technical logs | A limited period, determined based on security and operational needs |
11. Rights of the data subject
Under GDPR, you have the following rights:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure: request deletion of your data where there is no compelling reason for its continued processing.
- Right to restriction of processing: request that we restrict processing in certain circumstances.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: withdraw consent at any time where processing is based on consent.
To exercise your rights, contact us at avangardetourism@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at www.dataprotection.ro.
Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal, nor does it affect processing based on other legal grounds.
12. Data security
We implement appropriate technical and organisational measures to protect your personal data: access control, authentication, TLS encryption for transmissions, bcrypt hashing for passwords, logs, backups, access limitation, internal policies, training of authorised personnel, and incident procedures. Access to personal data is restricted exclusively to authorised personnel.
13. Automated decisions and profiling
We do not make automated decisions with significant legal effect on users. We may use preferences and usage data to personalise offers or communications, only within the conditions permitted by law.
14. Cookies
We use essential cookies for the platform's operation, session authentication, and security. With your consent, we may also use preference, analytics, and marketing cookies. Full details, including the list of cookies and consent options: Cookie Policy.
15. Updates
We may update this Policy. The applicable version will be published on the platform with its effective date. We will notify you of significant changes by email or through a visible notice on the platform.
16. Contact
For questions, concerns, or to exercise your rights:
AVANGARDE TOURISM S.R.L. — Data Protection
Bd. Maraști 59, Bucharest, Romania
Email: avangardetourism@gmail.com
Phone: +40 739 340 724
Related GDPR documents:
