Last modified: May 25, 2018
We have created this document to describe how we collect information from our users and what we do with their personal data, and also to tell you our contact details.
Who are we? What do we do?
Elvoline is an online service provider allowing you to book hotel rooms and other services all over the world.
Elvoline (from now on the website) is an online hotel reservation platform operated by Elvoline S.à r.l. Grand Duchy of Luxembourg that uses the latest technology to connect users with a global network of hotel providers.
This network enables Elvoline to provide its customers with a wide range of opportunities to book hotel rooms of the affiliated hotel providers worldwide.
Also this policy aims to provide adequate information to the customers of Elvoline on the data management processes i.e. the methods to collect, use, disclose and otherwise process personally identifiable information ("personal data") about individuals visiting the website (hereinafter the "visitors") and those using the services of Elvoline (hereinafter the "customers").
Who decides "How" and "Why" is your personal data is processed?
How to contact us?
The company in the position of making decisions regarding processing the personal data of visitors and customers, the "Data Controller", is the owner and operator of Elvoline:
Elvoline S.à r.l.
44, Avenue John F. Kennedy, L-1855
Luxembourg City, Grand Duchy of Luxembourg
Registered Company Number: B186165
Mr. David Süte, Chief Executive Officer via email@example.com
Elvoline is proud to inform every visitor and customer that a dedicated colleague is in charge of ensuring privacy rights and GDPR compliant privacy practises.
The Data Protection Officer can directly be reached out via email at firstname.lastname@example.org
What personal data do we process?
We collect, use, share, transfer, and store different types of your personal data as a result of your visit to and/or purchases on our site.
What we don’t do: we don’t transfer the data we collect from visitors, and we only transfer the necessary information about our customers to execute your booking order reliably and securely.
During room booking, customers provide their personal data by filling in forms of profile information, booking information and billing information. Once the customer makes a reservation, the information is transferred to the concerned hotel provider, the selected hotel, the contracted customer support and the anti-fraud service provider in order to fulfil the resulting contractual obligations.
Furthermore, registered members may complete the address book on their profile page with their billing information. The personal data of the registered members is stored for future use with the customers' consent in accordance with Article 6(1)(a) of GDPR. Elvoline stores this information for 2 years after the last activity of the member as the inactive accounts are deleted 2 years after the last sign-in of the account holder.
The personal data Elvoline collects from the customers making reservations include the IP address, name, nationality, address, phone number, credit card number and e-mail address.
Elvoline also collects referenced personal information that Elvoline can link to the customers' personal data. These are your log-in name and password, your search preferences related to specific searches and information Elvoline cannot avoid receiving such as the telemetry information that your browser sends to us including the IP address that you use at the time.
Elvoline collects information about you in server logs: IP address, type and language of your browser, your time zone and the referral site from where you are arriving at the website (in case there’s any).
Elvoline also collects personal data that customers decide to share with the Customer Support. This information can be a further personal e-mail, the services associated with your stay, your comments or opinions about a hotel and your conversations with the Support representative.
Elvoline does not collect sensitive personal information from their customers such as their ethnicity.
Where do we store your data?
We store your data in our data centre with encrypted cloud backup.
All data collected by Elvoline are processed and stored on its servers located in Bettembourg, Luxembourg. Elvoline keeps its backups in Amazon Web Services.
Elvoline stores personal data in its recognisable form for the shortest necessary amount of time to achieve its business purposes and to comply with its legal obligations. Elvoline is dedicated to minimalise the usage of personal data in the spirit of GDPR.
Is your data safe?
Yes, we have put in place procedures to prevent unauthorised access to, and the misuse of your personal data.
To prevent unauthorised access, Elvoline maintains strict technical and organisational procedures (both physical and logical) to protect personal data against accidental or unlawful destruction, accidental loss, alteration or unauthorised disclosure or access. Elvoline uses Transport Layer Security Technology to protect credit card transactions by encrypting credit card information during transit.
How do we use your data?
We process your personal data internally to open and maintain member accounts, to manage the stored data and to improve the site as well as to send marketing emails to those who subscribe to our newsletter.
First and foremost, Elvoline uses the personal data that their customers provide to create and maintain member accounts.
In addition, the accounts are also a way to exercise control over personal data by managing the profile information. You are in control of what you use to complete your profile and can choose the information you wish to share with us.
In order to improve the user experience, Elvoline uses personal information for analytical and statistical purposes.
To better understand what the customer needs, Elvoline compiles the collected information to detect general trends regarding the users. This also helps to generate statistical reports.
Elvoline sends private e-mails with offers and promotion with marketing and advertising purposes to customers who signed up for the newsletter.
Elvoline release managers cannot avoid processing personal data during database maintenance or the deployment of new releases.
With whom we share your data? Why?
To make sure our service is working well in every way, we use the help of professionals in their respected fields. Therefore, we transfer some of your data to them. Our partners are obliged to process your data in strict compliance with the laws and regulations in force.
Since we offer rooms worldwide, we may need to transfer your information outside the European Union.
In accordance with Article 6(1)(f) of the GDPR, Elvoline may transfer its customers’ personal data to third parties which are employed to perform services on Elvoline’s behalf.
These parties include web hosting services, hotel providers, hotels, customer support and services to handle payment transactions.
Cloud backup – to ensure the business continuity of Elvoline and to meet the requirements of geolocation security, Elvoline keeps its backups using Amazon Web Services ("AWS") services provided by Amazon Web Services Inc. Elvoline transfers these backups to AWS under the obligation of confidentiality and non-accessibility and that these backups are never stored or transferred outside of the European Economic Area ("EEA") .
Payment providers – When a charge-back is requested from a customer regarding his/her reservation Elvoline has to share certain information with the payment service provider and the relevant financial institution to handle the charge-back claims. This can also include among others the copy of the reservation confirmation or the IP address used to make the reservation. Furthermore, information can be shared with relevant financial institutions if Elvoline considers it strictly necessary for fraud detection and prevention purposes.
Customer support – Moreover, Elvoline also shares personal data with their customer support to provide customer service to the travellers. Elvoline also shares personal data with their Risk Management Team to ensure the security of financial transaction in accordance with Article 6(1)(b) of GDPR.
Customer service – Elvoline’s international customer support is provided from Budapest operated by Docler SSC. Ltd. Sharing the booking details of the customers with the customer support team allows Elvoline to respond to customers’ requests whenever it is needed.
Anti-Fraud Analytics – To prevent fraud and other illegal or unwanted activities, Elvoline applies anti-fraud services carried out by Docler Holding S.à r.l. which incorporates automated fraud detection analysis. Elvoline might retain some of your personal information as necessary for our legitimate business interests, such as fraud detection and prevention and enhancing safety. For example, if we close or suspend your account for fraud or illegal activities, we may retain certain information about you to prevent you from opening a new account in the future. Such information shall also be kept available in case of ongoing judicial proceedings/and or investigations.
All such third parties will be under an obligation to maintain the security and confidentiality of your personal data and to process the personal data in accordance with GDPR regulations.
Elvoline sends the 'guest details' (name and the country that issued the passport) provided by the customer to the hotel provider, which in turn forwards that information to the hotel to book the room. When a Hotel Provider resides outside the European Union, the reservation data is transferred out of the European Union even if the hotel itself is located within the European Union and vice versa. If Elvoline transfer your personal data outside of the EEA, we endeavor to ensure that your rights and freedoms in respect of the processing of your personal data are adequately and appropriately protected. For this purpose, we utilize the Standard Contractual Clauses approved by the European Commission that you can find here. However, you must pay special attention when the chosen hotel is outside of the EEA hence, a portion of your personal data required to book your reservation in the hotel of your choice. Whenever you visit a country where your rights and freedoms are not fully respected, there is a risk that your personal data is treated the same way. Elvoline provides the hotel with your personal data to the same extent as you should do when you would check-in to your room in person at the same hotel.
What are your data privacy rights?
You have the right to control the personal data we keep about you. You may request information about the personal data we store about you. You may rectify erogenous personal data. You may request the deletion of your personal data or its transfer to a third a party. You may also protest against the way we process your data. To exercise these rights, contact us by filling in the form below or by e-mail.
Elvoline does its best to explain what your rights are and how you can exercise them. If, despite of our below explanations, you are still unsure about the actions you can take or the conditions of exercise of your rights, do not worry, our Support Team will provide you with all the assistance you need when exercising your rights.
You may also contact us, at any time, before exercising any of your rights, and we will reply to your request as quickly as possible. Please note that we created a specific interface called “Privacy Rights” in your account settings in order for you to be able to easily exercise certain of your rights.
Our Support Team will provide you with information on actions taken within one month of the day of receipt of your request. Only in exceptional circumstances, when we face complex or a high number of requests, we may extend this period of response up to 60 days.
Please note that rights may be exercised free of charge. However, unfounded or excessive requests, in particular because of their repetitive character, will lead to the payment of a fee.
You have the right to access the personal information that we hold about you by requesting a copy of your personal data free of charge through the “Data Download” section in your account settings.
Upon verification of your identity, your request will be sent to our Support Team. If we consider that your request is manifestly unfounded or excessive (for example, because you requested a copy of your data numerous times in a short period of time), we may refuse to act or charge a reasonable fee taking into account the administrative costs for providing you the information.
In certain cases, you may also be entitled to request copies of personal information that you have provided to us in a structured, commonly used, and machine-readable format and/or request us to transmit this information to another service provider (where technically feasible). For this purpose, you can send an email to email@example.com
The registered customers can update their profile anytime including the personal data they provided. Also, you have the right to request that we correct any inaccuracies in your personal data, that you cannot edit yourself. For this purpose, you can send an email to firstname.lastname@example.org
We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our legal obligations. If you no longer want us to use your information, you can request that we erase your personal information and close your account. In such case, please select “Forget my Data” in the “Privacy Rights” section of your account settings.
Your request will be sent to our Support Team who will contact you to learn more about your request. However, if you face any difficulties, please contact us at any time.
Please note that if you request the erasure of your personal information:
In specific situations, we may have to refuse the execution of your request. This would be the case where we have legitimate grounds to continue such processing or if we have to establish, exercise or defend legal claims.
Please keep in mind that objecting to the use of your data might disable the use of your account.
You have the right to request that we hold your personal data in “limbo”, while other challenges are resolved.
Basically, you can ask us to put on hold the use of your data in 4 cases:
Despite your request, we may still continue the processing of your personal data if we have to establish, exercise, or defend our legal claims. We will notify you before lifting a restriction.
If you consider that our processing of your personal data infringes the GDPR or any other applicable national laws, you have the right to lodge a complaint with a supervisory authority, (in particular in the Member State where you live, place of work or of an alleged infringement of the GDPR). As the operator of Elvoline is incorporated in the Grand-Duchy of Luxembourg, data subjects may lodge their complaint with the National Commission for Data Protection of the Grand-Duchy of Luxembourg (Commission nationale pour la protection des données, CNPD for short) by completing the CNPD’s online form (https://cnpd.public.lu/en/droits/faire-valoir/formulaire-plainte.html) or contacting them via post (1, avenue du Rock ‘n’ Roll, L-4361 Esch-sur-Alzette, Luxembourg) or by phone (+352 26 10 60 – 1)
If we make changes we consider important, we will let you know by placing a notice on the relevant site and/or contact you using other methods such as email.
People under the age of 16 are not eligible to use any services on our site.
As Elvoline is a service designed to be used by adults, Elvoline does processes personal data of children under 16 even with the consent and approval of their parents or legal guardians. Instead of the personal data of children we use "Child A", "Child B" and so on whenever it is required to book hotel rooms.