Privacy Policy

Kala Travel Agency Inc.

Data Handling Protocols & Guidelines

1. Purpose

These protocols outline how Kala Travel Agency Inc. (“Kala Travel Agency”) collects, stores, processes, shares, and protects customer data—including personal information such as phone numbers—shared via our website, booking platforms (e.g., GetYourGuide), email, phone, or in person.

Our goal is to maintain privacy, comply with relevant laws, and ensure customer trust.

2. Scope

These guidelines apply to:

  • All employees, contractors, and representatives of Kala Travel Agency

  • All systems used to store or process customer information

  • All customer data obtained through:

    • Kala Travel Agency website

    • GetYourGuide

    • Email, SMS, phone calls, WhatsApp

    • Social media inquiries

    • In-person bookings

    • Partner booking systems

3. Categories of Data We Collect

Customer data may include:

3.1 Personal Identification

  • Full name

  • Phone number

  • Email address

  • Billing address

  • Government ID (when required for travel reservations)

3.2 Travel Information

  • Trip preferences

  • Booking history

  • Destination details

  • Payment confirmations

3.3 Technical & Website Data

  • IP addresses

  • Cookies and usage analytics

  • Device and browser information

4. Data Collection Protocols

4.1 Consent & Transparency

  • Customers must be informed when their data is being collected.

  • Consent must be obtained for marketing communications.

  • Website privacy notices must clearly explain data practices.

4.2 Data Minimization

Only collect data strictly necessary for:

  • Booking travel

  • Customer support

  • Legal compliance

5. Data Storage & Security Guidelines

5.1 Secure Storage

  • Customer data must be stored only in approved, encrypted systems (e.g., protected CRM).

  • Personal identifiers (phone numbers, emails) must not be stored on unencrypted personal devices.

5.2 Access Control

  • Access to customer data is limited to employees who require it to perform their job duties.

  • Access logs should be maintained where possible.

5.3 Password Practices

  • Strong, unique passwords must be used for all systems containing customer data.

  • Multi-factor authentication (MFA) must be enabled where available.

5.4 Physical Security

  • Printed documents containing customer information must be kept in locked storage.

  • Physical documents must be shredded when no longer required.

6. Data Handling & Usage Guidelines

6.1 Internal Use Only

Employees may use customer data solely for:

  • Booking travel services

  • Customer support

  • Communicating travel updates

  • Fraud prevention

  • Legal requirements

6.2 Prohibited Uses

Employees must never:

  • Share customer data externally without authorization

  • Store customer data in personal email accounts, personal cloud storage, or unsecured applications

  • Use customer phone numbers for personal contact

  • Discuss customer information in public or unsecured locations

6.3 Data Accuracy

  • Customer information may only be updated with customer authorization.

  • All data corrections must be properly documented.

7. Sharing Data With Third Parties

7.1 Authorized Vendors

Customer data may be shared with third parties only when:

  • It is essential to complete the customer’s travel booking (e.g., airlines, hotels, GetYourGuide)

  • The third party meets privacy and security standards comparable to Kala Travel Agency

  • A data processing agreement or equivalent legal arrangement is in place

7.2 GetYourGuide-Specific Requirements

When handling customer data via GetYourGuide:

  • Use only the platform’s secure messaging and dashboard tools.

  • Do not export customer data outside the platform unless required for booking purposes.

  • Follow GetYourGuide’s privacy and communication guidelines.

  • Customer contact information may only be used for:

    • Booking confirmation

    • Service updates

    • Responding to customer inquiries

Marketing communication requires explicit customer consent.

8. Website Data Protocols

8.1 Secure Website Practices

  • All website pages must use SSL/HTTPS.

  • Forms collecting personal data must be encrypted.

  • Only approved plugins and analytics tools may be used.

8.2 Cookies & Tracking

  • A cookie banner must clearly explain data usage.

  • Customers must be allowed to opt out of non-essential tracking.

9. Data Retention & Deletion

9.1 Retention Periods

  • Booking records: 7 years (legal and tax compliance)

  • Marketing data: retained until the customer opts out

  • Customer support communications: 2 years

9.2 Secure Disposal

  • Digital data must be permanently deleted from systems no longer in use.

  • Physical records must be securely shredded.

9.3 Customer Requests

Customers may request:

  • A copy of their personal data

  • Correction of inaccurate information

  • Data deletion, where legally permitted

All requests must be completed within 30 days.

10. Data Breach Response Protocol

10.1 Immediate Actions

If a data breach is suspected:

  1. Notify management and the Data Protection Officer immediately.

  2. Secure and isolate affected systems.

  3. Document all relevant details.

10.2 Notification Requirements

  • Customers must be notified if their personal information is compromised.

  • Regulatory authorities must be notified when legally required.

11. Employee Training & Compliance

  • All employees must complete annual privacy and data security training.

  • Employees must sign a confidentiality agreement.

  • Policy violations may result in disciplinary action or termination.

12. Policy Review

This policy must be reviewed annually or whenever changes occur to:

  • Data protection laws

  • Company systems

  • Business operations