Close map

Privacy Policy

Last modified: May 25, 2018

We have recently updated our Privacy Policy to comply with the new requirements set out by the EU General Data Protection Regulation and to make it easier to read. The updated Privacy Policy will automatically come into effect for all existing users on May 25, 2018. Your continued use of our site from that day on will be subject to our new Privacy Policy.


Welcome to our Privacy Policy!

We have created this document to describe how we collect information from our users and what we do with their personal data, and also to tell you our contact details.

Who are we? What do we do?

Elvoline is an online service provider allowing you to book hotel rooms and other services all over the world.

Elvoline (from now on the website) is an online hotel reservation platform operated by Elvoline S.à r.l. Grand Duchy of Luxembourg that uses the latest technology to connect users with a global network of hotel providers.

This network enables Elvoline to provide its customers with a wide range of opportunities to book hotel rooms of the affiliated hotel providers worldwide.

The purpose of the Privacy Policy is to ensure the compliance of Elvoline’s data processing activities with the provisions of the (EU) 2016/679 regulation of the European Parliament and the of Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; the General Data Protection Regulation (GDPR).

Also this policy aims to provide adequate information to the customers of Elvoline on the data management processes i.e. the methods to collect, use, disclose and otherwise process personally identifiable information ("personal data") about individuals visiting the website (hereinafter the "visitors") and those using the services of Elvoline (hereinafter the "customers").

On occasion, Elvoline revises this Privacy Policy to reflect changes in the law, its personal data collection and use practices, the features of the website, or advances in technology. The effective date noted at the beginning of the Privacy Policy indicates the time of the last modification.

The Data Controller

Who decides "How" and "Why" is your personal data is processed?

How to contact us?

The company in the position of making decisions regarding processing the personal data of visitors and customers, the "Data Controller", is the owner and operator of Elvoline:

Elvoline S.à r.l.
44, Avenue John F. Kennedy, L-1855
Luxembourg City, Grand Duchy of Luxembourg
Registered Company Number: B186165

Legal representative:

Mr. David Süte, Chief Executive Officer via

If you have any question or comments regarding this Privacy Policy, or in general, about our privacy practices contact us via or via mail to the address indicated above.

Elvoline is proud to inform every visitor and customer that a dedicated colleague is in charge of ensuring privacy rights and GDPR compliant privacy practises.

The Data Protection Officer can directly be reached out via email at

The information Elvoline collects from visitors and customers

What personal data do we process?

We collect, use, share, transfer, and store different types of your personal data as a result of your visit to and/or purchases on our site.

We collect information from you (your name, preferred contact details, the names of people travelling with you and your payment information) to reserve hotel rooms for you on your behalf. Also, we use cookies to provide you with a better experience and to collect traffic information on our website for analysis. We are eager to minimise the use of your personal data and to keep it safe.

What we don’t do: we don’t transfer the data we collect from visitors, and we only transfer the necessary information about our customers to execute your booking order reliably and securely.

Elvoline collects personal data from the visitors of the website and from their customers that Elvoline stores in their browser using cookies (for broader information, please read the Cookie Policy).

During room booking, customers provide their personal data by filling in forms of profile information, booking information and billing information. Once the customer makes a reservation, the information is transferred to the concerned hotel provider, the selected hotel, the contracted customer support and the anti-fraud service provider in order to fulfil the resulting contractual obligations.

Furthermore, registered members may complete the address book on their profile page with their billing information. The personal data of the registered members is stored for future use with the customers' consent in accordance with Article 6(1)(a) of GDPR. Elvoline stores this information for 2 years after the last activity of the member as the inactive accounts are deleted 2 years after the last sign-in of the account holder.

The personal data Elvoline collects from the customers making reservations include the IP address, name, nationality, address, phone number, credit card number and e-mail address.

Elvoline also collects referenced personal information that Elvoline can link to the customers' personal data. These are your log-in name and password, your search preferences related to specific searches and information Elvoline cannot avoid receiving such as the telemetry information that your browser sends to us including the IP address that you use at the time.

Elvoline collects information about you in server logs: IP address, type and language of your browser, your time zone and the referral site from where you are arriving at the website (in case there’s any).

Elvoline also collects personal data that customers decide to share with the Customer Support. This information can be a further personal e-mail, the services associated with your stay, your comments or opinions about a hotel and your conversations with the Support representative.

Elvoline does not collect sensitive personal information from their customers such as their ethnicity.

The storage of the information

Where do we store your data?

We store your data in our data centre with encrypted cloud backup.

All data collected by Elvoline are processed and stored on its servers located in Bettembourg, Luxembourg. Elvoline keeps its backups in Amazon Web Services.

Elvoline stores personal data in its recognisable form for the shortest necessary amount of time to achieve its business purposes and to comply with its legal obligations. Elvoline is dedicated to minimalise the usage of personal data in the spirit of GDPR.

Security Measures

Is your data safe?

Yes, we have put in place procedures to prevent unauthorised access to, and the misuse of your personal data.

To prevent unauthorised access, Elvoline maintains strict technical and organisational procedures (both physical and logical) to protect personal data against accidental or unlawful destruction, accidental loss, alteration or unauthorised disclosure or access. Elvoline uses Transport Layer Security Technology to protect credit card transactions by encrypting credit card information during transit.

In-house data processing

How do we use your data?

We process your personal data internally to open and maintain member accounts, to manage the stored data and to improve the site as well as to send marketing emails to those who subscribe to our newsletter.

First and foremost, Elvoline uses the personal data that their customers provide to create and maintain member accounts.

In addition, the accounts are also a way to exercise control over personal data by managing the profile information. You are in control of what you use to complete your profile and can choose the information you wish to share with us.

In order to improve the user experience, Elvoline uses personal information for analytical and statistical purposes.

To better understand what the customer needs, Elvoline compiles the collected information to detect general trends regarding the users. This also helps to generate statistical reports.

Elvoline uses the registration e-mail addresses to send communications to customers relating to their accounts and to inform customers about changes in the terms of use of Elvoline.

Elvoline sends private e-mails with offers and promotion with marketing and advertising purposes to customers who signed up for the newsletter.

Elvoline release managers cannot avoid processing personal data during database maintenance or the deployment of new releases.

Data Transfer to Third Parties

With whom we share your data? Why?

To make sure our service is working well in every way, we use the help of professionals in their respected fields. Therefore, we transfer some of your data to them. Our partners are obliged to process your data in strict compliance with the laws and regulations in force.

Since we offer rooms worldwide, we may need to transfer your information outside the European Union.

In accordance with Article 6(1)(f) of the GDPR, Elvoline may transfer its customers’ personal data to third parties which are employed to perform services on Elvoline’s behalf.

These parties include web hosting services, hotel providers, hotels, customer support and services to handle payment transactions.

Cloud backup – to ensure the business continuity of Elvoline and to meet the requirements of geolocation security, Elvoline keeps its backups using Amazon Web Services ("AWS") services provided by Amazon Web Services Inc. Elvoline transfers these backups to AWS under the obligation of confidentiality and non-accessibility and that these backups are never stored or transferred outside of the European Economic Area ("EEA") .

Payment providers – When a charge-back is requested from a customer regarding his/her reservation Elvoline has to share certain information with the payment service provider and the relevant financial institution to handle the charge-back claims. This can also include among others the copy of the reservation confirmation or the IP address used to make the reservation. Furthermore, information can be shared with relevant financial institutions if Elvoline considers it strictly necessary for fraud detection and prevention purposes.

Customer support – Moreover, Elvoline also shares personal data with their customer support to provide customer service to the travellers. Elvoline also shares personal data with their Risk Management Team to ensure the security of financial transaction in accordance with Article 6(1)(b) of GDPR.

Customer service – Elvoline’s international customer support is provided from Budapest operated by Docler SSC. Ltd. Sharing the booking details of the customers with the customer support team allows Elvoline to respond to customers’ requests whenever it is needed.

Anti-Fraud Analytics – To prevent fraud and other illegal or unwanted activities, Elvoline applies anti-fraud services carried out by Docler Holding S.à r.l. which incorporates automated fraud detection analysis. Elvoline might retain some of your personal information as necessary for our legitimate business interests, such as fraud detection and prevention and enhancing safety. For example, if we close or suspend your account for fraud or illegal activities, we may retain certain information about you to prevent you from opening a new account in the future. Such information shall also be kept available in case of ongoing judicial proceedings/and or investigations.

All such third parties will be under an obligation to maintain the security and confidentiality of your personal data and to process the personal data in accordance with GDPR regulations.

Hotel providers and hotels – As Elvoline's offers hotel rooms worldwide, it has partnered with Hotel Providers to provide a comprehensive set of hotel choices to its customers. These Hotel Providers themselves have a contractual relationship with the hotels in the countries of their interest.In the course of the operation and exploitation of the site and the provision of the services, your personal information may be transferred outside of the European Economic Area ("EEA") to our affiliated companies or to third parties data processors located in word wide for the purposes specified in this Privacy Policy. In order to perform the desired travel agent function, Elvoline shares the customer's personal data with third parties to perform service contracts in accordance with Article 6(1)(b) of GDPR.

Elvoline sends the 'guest details' (name and the country that issued the passport) provided by the customer to the hotel provider, which in turn forwards that information to the hotel to book the room. When a Hotel Provider resides outside the European Union, the reservation data is transferred out of the European Union even if the hotel itself is located within the European Union and vice versa. If Elvoline transfer your personal data outside of the EEA, we endeavor to ensure that your rights and freedoms in respect of the processing of your personal data are adequately and appropriately protected. For this purpose, we utilize the Standard Contractual Clauses approved by the European Commission that you can find here. However, you must pay special attention when the chosen hotel is outside of the EEA hence, a portion of your personal data required to book your reservation in the hotel of your choice. Whenever you visit a country where your rights and freedoms are not fully respected, there is a risk that your personal data is treated the same way. Elvoline provides the hotel with your personal data to the same extent as you should do when you would check-in to your room in person at the same hotel.

Obligatory Data Transfer

In some cases, Elvoline has to use the customer's personal data to resolve legal issues, e.g. regulatory audits and compliance, police investigations or to enforce the terms of use of the Elvoline reservation service could be expected. If a party of an above described legal procedure is located outside of the European Union, the personal data will be transferred to a third country.

Exercising Data Subject Rights

What are your data privacy rights?

You have the right to control the personal data we keep about you. You may request information about the personal data we store about you. You may rectify erogenous personal data. You may request the deletion of your personal data or its transfer to a third a party. You may also protest against the way we process your data. To exercise these rights, contact us by filling in the form below or by e-mail.

Elvoline does its best to explain what your rights are and how you can exercise them. If, despite of our below explanations, you are still unsure about the actions you can take or the conditions of exercise of your rights, do not worry, our Support Team will provide you with all the assistance you need when exercising your rights.

You may also contact us, at any time, before exercising any of your rights, and we will reply to your request as quickly as possible. Please note that we created a specific interface called “Privacy Rights” in your account settings in order for you to be able to easily exercise certain of your rights.

Our Support Team will provide you with information on actions taken within one month of the day of receipt of your request. Only in exceptional circumstances, when we face complex or a high number of requests, we may extend this period of response up to 60 days.

Please note that rights may be exercised free of charge. However, unfounded or excessive requests, in particular because of their repetitive character, will lead to the payment of a fee.

Data access and data portability

You have the right to access the personal information that we hold about you by requesting a copy of your personal data free of charge through the “Data Download” section in your account settings.

Upon verification of your identity, your request will be sent to our Support Team. If we consider that your request is manifestly unfounded or excessive (for example, because you requested a copy of your data numerous times in a short period of time), we may refuse to act or charge a reasonable fee taking into account the administrative costs for providing you the information.

In certain cases, you may also be entitled to request copies of personal information that you have provided to us in a structured, commonly used, and machine-readable format and/or request us to transmit this information to another service provider (where technically feasible). For this purpose, you can send an email to

Rectification of inaccurate or incomplete data

The registered customers can update their profile anytime including the personal data they provided. Also, you have the right to request that we correct any inaccuracies in your personal data, that you cannot edit yourself. For this purpose, you can send an email to

Data retention and erasure

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our legal obligations. If you no longer want us to use your information, you can request that we erase your personal information and close your account. In such case, please select “Forget my Data” in the “Privacy Rights” section of your account settings.

Your request will be sent to our Support Team who will contact you to learn more about your request. However, if you face any difficulties, please contact us at any time.

Please note that if you request the erasure of your personal information:

  • We might retain some of your personal information as necessary for our legitimate business interests, such as fraud detection and prevention and enhancing safety. For example, if we close or suspend your account for fraud or illegal activities, we may retain certain information about you to prevent you from opening a new account in the future. Such information shall also be kept available in case of ongoing judicial proceedings/and or investigations.
  • We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, we may keep some of your information for tax, legal reporting and auditing obligations. Please note that according to Luxembourg legislation financial related information shall be kept for a period of ten years.
  • Some copies of your information (e.g., log records) may remain in our database, but are disassociated from personal identifiers.
  • In order to protect our site and your personal information from accidental or malicious loss and destruction, we have backup systems. Residual copies of your personal information may not be removed from our backup systems for a limited period of time.

Right to object

  • Applicable law may entitle you to require us not to process your personal information for certain specific purposes where such processing is based on legitimate interest. If you object to such processing we will stop processing your personal data for these purposes.

In specific situations, we may have to refuse the execution of your request. This would be the case where we have legitimate grounds to continue such processing or if we have to establish, exercise or defend legal claims.

Please keep in mind that objecting to the use of your data might disable the use of your account.

  • Please note that you may, at any time, ask us to stop sending you marketing emails by opting-out in your account settings.

Right to restriction of processing

You have the right to request that we hold your personal data in “limbo”, while other challenges are resolved.

Basically, you can ask us to put on hold the use of your data in 4 cases:

  • If you contest the fact that the personal data we hold about you is accurate: in this case, the processing operations in relation to this data will be put on hold for the period during which this is verified.
  • You have objected to a processing activity based on legitimate interest(s): in this case, you can require the processing operation to be put on hold while we verify the grounds for processing.
  • You consider that the processing is unlawful but you object to erasure and request restriction, instead.
  • We have no further need for the data but you require it to establish, exercise, or defend legal claims.

Despite your request, we may still continue the processing of your personal data if we have to establish, exercise, or defend our legal claims. We will notify you before lifting a restriction.

Right to lodge a complaint with a supervisory authority

If you consider that our processing of your personal data infringes the GDPR or any other applicable national laws, you have the right to lodge a complaint with a supervisory authority, (in particular in the Member State where you live, place of work or of an alleged infringement of the GDPR). As the operator of Elvoline is incorporated in the Grand-Duchy of Luxembourg, data subjects may lodge their complaint with the National Commission for Data Protection of the Grand-Duchy of Luxembourg (Commission nationale pour la protection des données, CNPD for short) by completing the CNPD’s online form ( or contacting them via post (1, avenue du Rock ‘n’ Roll, L-4361 Esch-sur-Alzette, Luxembourg) or by phone (+352 26 10 60 – 1)


We may occasionally amend this Privacy Policy to reflect changes to our services and the way we handle your personal information or changes in the applicable laws.

If we make changes we consider important, we will let you know by placing a notice on the relevant site and/or contact you using other methods such as email.

To the extent permitted by applicable law, such changes will be applicable from the time they are published on our site, unless we specify a date of entry into force. Your continued use of our site from that day on will be subject to the new Privacy Policy.

A special note about children

People under the age of 16 are not eligible to use any services on our site.

As Elvoline is a service designed to be used by adults, Elvoline does processes personal data of children under 16 even with the consent and approval of their parents or legal guardians. Instead of the personal data of children we use "Child A", "Child B" and so on whenever it is required to book hotel rooms.