Privacy Notice

 

Hello! We are Liligo Metasearch Technologies S.A.S., known by you as this Platform’s branding name. When this Privacy Notice mentions “we”, “us”, or “our”, it refers to Liligo Metasearch Technologies S.A.S. acting as Data Controller.

Our privacy promises

  • We value your privacy & data security
  • We use data for your best travel experience with us
  • You control your data
  • Several Platforms, one Privacy Notice

Thank you for using our Platforms. Your trust is our most important value; that is why, in this Privacy Notice, we are going to show you our responsibilities regarding the privacy and the security of your data. The only thing you have to do is read it, and if you have any questions related to it, you can tell us about it here.

After that, you’re all set to find your next adventure with us!

1. First things first, who are we?

Whenever this Privacy Notice mentions “we”, “us”, or “our”, it refers to Liligo Metasearch Technologies S.A.S. acting as Data Controller. 

Liligo Metasearch Technologies is a French-based company, with tax ID number FR91483314134.

We commit to processing your data in accordance with the applicable data protection laws, including the observation of the data processing principles (such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability), and to only processing your data for the purposes explained to you in this Privacy Notice or as informed in the corresponding data collection process, in line with the lawful bases as explained below.

Who is the Data Protection Officer?

We have a Data Protection Officer who watches over all processing carried out with respect for your privacy and the applicable regulations at all times.

You can contact the Data Protection Officer’s team here: [email protected].

Definitions for a better understanding of this Privacy Notice

For a better understanding of this Privacy Notice we have prepared a definitions section that includes the following concepts: Automated Decisions, Data Controller, Data Processor, Data Rights, Lawful Bases, Personal Data, Platforms, Sensitive Personal Data and Third Countries.

Detailed information:

  • Automated Decisions: a decision based solely on automated processing, including profiling, which produces legal effects concerning the individual or similarly significantly affects them (as defined under Article 22.1 EU General Data Protection Regulation - GDPR).

Note: As you will find explained below, we don’t make Automated Decisions.

  • Data Controller: anyone responsible for determining the purposes and means of processing your data.

Note: We are the Data Controllers of your data in the terms described in this Privacy Notice. If you choose to book a trip through our Platforms, we will be sending your data to other Data Controllers – the carrier or the provider of other services (e.g. airlines, hotels, etc.), who will again use your data for their own purposes and based on their own means, as described in their own Privacy Notices (which are published on their websites). You can see below the overview of Data Controllers categories with whom we might share the data. In any case, the disclosure of your data to any service provider will be done in accordance with the applicable laws. Each Data Controller is responsible for your data and, in case of an incident within its scope, must handle it and respond appropriately, as per the applicable law.

  • Data Processor: a third party that only helps to achieve the purposes determined by the Data Controller. 

Note: We as a Data Controller use many third-party services to which we outsource some parts of our activities that we don’t do ourselves for various reasons such as cost-efficiency. A Data Processor is only allowed to process your data according to our documented instructions, and in compliance with the applicable law, so we are still in charge of your data, and they will not be able to process your data for any incompatible purpose. 

  • Data Rights: everyone has the right to the protection of their personal data. When we use the term “Data Rights”, we refer in short to the applicable data protection rights. 

Note: Data protection regulations allow you to exercise your rights to be informed, access, rectification, erasure, restrict processing, object, to withdraw your consent, data portability and rights related to automated decision making and profiling, when applicable.

  • Lawful Bases: processing of your data shall be lawful only if at least one of these bases applies (Article 6 GDPR).

Note: For the six lawful bases covered in the law, we will essentially rely on Consent, Contract, Legal Obligation or Legitimate Interest. However, exceptionally, we might rely on Vital Interests or Public Tasks. You can find more information below. 

  • Personal Data (in this Privacy Notice also referred to essentially as “your data”): any information relating to you as a directly or indirectly identified or identifiable natural person.
  • Platforms: all the services (websites, apps, call centre, etc.) that facilitate interactions between you and us.
  • Sensitive Personal Data: data related to racial origin, ethnic group, religion, health, sexual orientation and biometric data constitute special categories of data (as defined under Article 9 GDPR).

Note: As you will find explained below, we don’t need to process Sensitive Personal Data.

  • Third Countries: countries in which the GDPR regime is not applicable. Currently, by Third Countries, we mean all countries that lie outside of the European Economic Area (i.e. outside the European Union, Iceland, Liechtenstein and Norway).

2. Why do we process your data and which lawful basis do we rely on?

The main purpose is to offer you travel-search and comparison services in accordance with our General Terms and Conditions. This includes the specific purposes covered in this section. 

Also, in this section, we inform you of the legal basis on which we process data for individual purposes. Depending on the legal basis for our processing of your data, you may have particular data rights alongside the rest of the data rights. For example, in individual cases, you have the right to object to the processing of your data.

Detailed information:

  • Travel search and comparison services

Lawful bases: #Contract

We need to process your data in order to provide you with our travel search and comparison services, described in the General Terms and Conditions, that can be summarised as a search and comparison service for travel products or services available on the travel market and proposed by third companies on the basis of the search criteria provided by you (or just simply mentioned as “our Services”).

We endeavour to show you the most relevant travel data in a personalised manner, so that when you visit our Platforms you do not miss the offers and information relevant to you.

These processing activities are necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract.

Please, bear in mind that the identification data we use is going to be your cookie ID.

  • Communications

Lawful bases: #Contract #Your Consent #Legitimate Interest

We can get in touch with you by the different means provided by you, for the following purposes:

  • To send to your email the price alert that you asked for in our Platforms or regular offers and news of our Services. We will process your personal data once you provide us with your consent. You can withdraw your consent / unsubscribe from email marketing communications easily and at any moment, just by clicking on the unsubscribe link included in each newsletter or other communication.
  • To administer any promotional activity where you participate. We will process your personal data once you provide us with your consent. You can withdraw your consent / unsubscribe from email marketing communications easily and at any moment, just by clicking on the unsubscribe link included in each newsletter or other communication.
  • We may show you customised offers in the content displayed to you on our Platforms when you access them, or in third-party platforms (including social media sites). Such offers can be booked on our site and can consist of other third-party offers or products we think you might find interesting, always related to the services we are providing you with. When using cookies for this purpose, we will rely on your consent (for more information, check out our Cookies Notice). Otherwise, most of the time we will use your identification and contact data pseudonymised (e.g. hashing your data) for this purpose, and we will rely on our legitimate interests as long as you are our customer to show you our travel-related products and services to those already hired by you. This will only be done if you have an account with the corresponding digital company that provides online advertising services, and they have the possibility to match your details in a secure way based on their terms and conditions applying to your account with them. If you prefer seeing generic non-customised offers, rather than what is considered to be more relevant for you, you can reject advertising Cookies anytime as described in our Cookies Notice.
  • To respond to any query or request from you or any travel service provider and to handle it by any of our contact channels (e.g. email, phone, social media, chatbot, etc.). We endeavour to maintain our best levels of customer service and we are attentive to the personal situation of each of our various customers in order to personalise our services. If the processing is related to the services provided, the processing is necessary for the performance of a contract to which you are a party.
  • To invite you to participate in market research, or to ask you to provide a review of your experience with us and with the travel service provider. Please bear in mind that this feedback may be available to other customers to help them make decisions about a product or a service. In case you agree to take part in market research, we will explain the data collected and how it would be further used. For those cases in which you take part in a market research survey with us, we will process your personal data once you provide us with your consent. However, if we ask you for a review of your experience with us or the travel service provider, the processing of your personal data will be necessary for legitimate interest purposes, since we have an interest in knowing your customer satisfaction degree and quality perception regarding the services that you have received.
  • Improving our Services or developing new services

Lawful basis: #Legitimate Interest

We use data for analytical purposes. The main goal here is to optimise our online Platforms to your needs, making our site easier and more enjoyable to use. We strive to use pseudonymised or anonymised data for these analytical purposes.

This is part of our drive to enhance the user experience. By user experience, we concretely mean:

  • testing and troubleshooting purposes, and
  • improving the functionality and quality of our online travel services.

The processing of your personal data will be necessary for legitimate interest purposes, since we have an interest in improving the network and information security, and since we have an interest in improving the quality of our services, respectively.

Finally, we will also elaborate anonymised statistics regarding the overall conversion rate of the website. This processing is necessary for legitimate interests purposes, since we have a commercial interest to assess the percentage of users that have become customers.

  • Promotion of a safe and trustworthy service

Lawful bases: #Legal Obligation #Legitimate Interest

In order to create a trustworthy environment for you, your fellow travellers, our business partners, and our travel providers, we may use data for the detection and prevention of fraud and other illegal or unwanted activities, as well as for security purposes (e.g. authentication of users and bookings).

One example of this is our preventive stolen-credential control on the internet (if we have any hint that your credentials could have been compromised, we may also block your account and ask you to reactivate it with a new password).

With this purpose, we protect your data and reduce fraud risk. As some of these security measures are compulsory by law and international standards, the corresponding personal data processing is necessary for compliance with a legal obligation to which we are subject. In other cases, we have deployed security measures that require the processing of personal data for legitimate interest purposes, since we have an interest in preventing fraud.

  • Legal purposes

Lawful bases: #Legal Obligation #Legitimate Interest

We redirect any claim directly to the Service providers.

In certain cases, we may need to use your data to handle and resolve legal disputes, for regulatory investigations and compliance, to enforce our General Terms and Conditions or to comply with lawful requests from law enforcement. This processing is necessary for legitimate interest purposes, since we have an interest in preventing fraud and defending our rights and interests.

  • Types of Lawful Bases

The main Lawful Bases commonly used are #Your Consent, #Contract, #Legal Obligation and #Legitimate Interest.

Detailed information:

  • #Your Consent: you gave consent for a specific use of your data. We will always obtain your consent to collect and process your data unless another Lawful Basis applies. We will provide you with transparent information at the time that consent is obtained. This information will be provided in an accessible form, written in clear language. If the data is not obtained directly from you, then this information will be provided to you within a reasonable period after the data has been obtained.
  • #Contract: you have a contract or pre-contract with us. As an example, when booking an airline or hotel with us, or when accepting our General Terms and Conditions or any other of our terms, we need relevant data to process your reservation or handle your account respectively.
  • #Legal Obligation: we have a legal obligation. Normally, accounting and tax regulations require the storage of necessary data for compliance purposes.
  • #Legitimate Interest: it’s in our legitimate interest, and it is judged not to affect your rights and freedoms in a significant way.

Other lawful bases, only exceptionally used:

  • Vital Interest: You or a third party have a vital interest. We will not normally process data based on this legal basis, but if we do, we will let you know.
  • Public Task: We have a public task to perform. We will not normally process data based on this legal basis, but if we do, we will let you know.

We don't make Automated Decisions 

We don't make any decisions based solely on automated processing, beyond the legitimate interest of fraud prevention and the customisation of your user experience, marketing and advertising, which will not produce legal effects or similarly significantly affect you.

Detailed information:

As mentioned before, such an Automated Decision will not produce legal effects or similarly significantly affect you. In case we shall make any Automated Decision we will apply all appropriate measures and inform you.

3. What types of data do we process?

The data can come from different sources: much of the data we process is provided by you when you use our services or contact us, for example when you register and provide your name, email address or address (#Data you give to us). We also receive the technical device and access data which is automatically collected when you interact with our services. This may be, for example, information on which device you are using (#Data we collect from you). The following are categories of data that can be related to you (categories are not exclusive, data may transcend multiple categories).

Detailed information:

  • Communications data #Data you give to us

Data from all of the communications exchanged between you and us in connection to your requests. We use your email address as your identity data; your data will be linked based on your Cookie ID. For example, customer support cases, metadata and notes generated by our systems and agents, if any.

  • Browsing & Travel search data #Data you give to us

Data that you provide to us during the searching process. This data may be automatically collected from your device when you visit our Platforms. For example, IP address, browser type, origin, destination, dates, and other travel characteristics, internet service providers, geographic location, technical data about the device, pages accessed and links clicked, the time and duration of request and visit, the method used to submit the request to the server.

As most of this data may be collected by using different types of Cookies or similar technologies, check our Cookies Notice.

Why don’t we process Sensitive Personal Data?

We don’t process Sensitive Personal Data because we don’t need it to provide you with our Services and we are committed to applying the principle of data minimisation. We don’t ask you for this data in our Platforms. Please avoid providing us with Sensitive Personal Data in any open communication with us, if any.

What happens with the data belonging to children?

Our Services aren’t intended for minors, as mentioned in our General Terms and Conditions.

If we become aware that we have processed the data of a child without the valid consent of a parent or guardian, we will delete it.

Data we collect from third parties

We lawfully obtain data about you from business partners and other independent third-party sources (e.g. browsing or device data, contact data such as email, purchase or demographic data).

4. Who will be the recipients of your data?

We might have to share your data with third parties which might normally act as #Data Controller or #Data Processor depending on their circumstances (i.e. on their purposes and type of data they process, their relationship with them, you and us, their responsibilities under the law, etc.). We list their main categories below.

Detailed information:

Service providers 

In order to provide you with our services, we need to share your data with third parties. We will define and regulate the data transfer or processing contractually when required by law with the appropriate security measures.

  • Travel service provider you booked with #Data Controller (e.g. online travel agencies, airlines or carriers, hotels, car rental companies, etc.). In our Platform there might be services fully or partially provided by our travel business partners. Travel business partners’ terms shall apply, and when so, you will find a link to them in the corresponding page.
  • Information security services #Data Processor. We work with information security services to protect your data.
  • IT infrastructure providers #Data Processor (e.g. hosting service providers). They help us provide you with an available and secure Platform.
  • Software solutions and engineers #Data Processor. Software solutions and engineers help us work on a day to day basis and to continue improving our services.
  • Analytical service providers #Data Processor. They provide us with the necessary data to understand the use within our Platform, see if there are any bugs or decide how we can improve our services.
  • Customer Relationship Management and marketing solutions #Data Processor #Data Controller. They allow us to manage customised commercial communications. Some of them also help us display customised ads throughout the internet.
  • Social platforms #Data Controller. When logging in with your social media, clicking on a social media “like” button integrated into our Platforms by plugins, or using any social media services to interact with us, your data can be shared between us and the social media providers (e.g. your user names, email address, profile pictures, your contact, etc.).
  • Finance, administrative and legal services and tools #Data Processor #Data Controller (e.g. accounting systems, legal service providers, collection agencies, corporate insurances, etc.).

Our group companies 

We share your data within our group companies for internal purposes relating to management centralisation, and to comply with other provisions of the applicable law.

Our group of undertakings has a common Privacy Policy applying to all of them to ensure that any data processing carried out within our group, is made under the same level of security requirements and will be processed exclusively for the same purposes for which the data had been collected, according to the applicable laws.

Competent authorities

We might disclose your data to law enforcement insofar as it is required by law or is strictly necessary for the prevention, detection or prosecution of criminal acts and fraud or if we are otherwise legally obliged to do so, which will act as #Data Controllers. We may need to further disclose your data to competent authorities to protect and defend our rights or properties, or the rights and properties of third parties.

Others (transparently informed to you and with your consent to the disclosure, where applicable)

These recipients might be outside the European Economic Area (EEA), implying international data transfers. For more information on this, please check the next section. 

5. How do we protect your data?

Security measures 

While no online service can guarantee absolute security, we design our systems and devices with your security and privacy in mind. We work to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Some examples of security measures we implement are as follows:

  • We apply pseudonymisation and encryption of personal data, when appropriate. For example, when handling payment data, we comply with the Payment Card Industry Data Security Standards (PCI DSS), and when you use our online Platforms your data is sent through a secure connection using Hypertext Transfer Protocol Secure (HTTPS) that encrypts your data over the Internet, preventing anyone from stealing your information in transit.
  • We work to provide confidentiality, integrity, availability and resilience of processing systems and services. We have physical, electronic, and procedural security measures in place regarding the collection, storage, and disclosure of your data. Our security procedures mean that we may ask you to verify your identity before providing you with confidential information, and our Platforms offer security features that protect against unauthorised access and data loss.
  • We make endeavours to be able to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • We implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Retention procedures

We will keep your data for as long as we deem it necessary to enable you to use our Services, to provide our Services to you, to comply with the applicable laws, resolve disputes with any parties and otherwise as necessary to allow us to conduct our business (including, to detect and prevent any illegal activities). All your data we retain will be subject to this Privacy Notice.

Detailed information:

Usually, we process your data for a maximum period of five years, since your last trip or any further action related to it ended or since you performed your last action while logged in with your account for the purposes described above. 

Other specific terms might apply, such as a maximum term of three years for accountability purposes regarding data protection related interactions, or a maximum term of ten years for tax and accounting purposes.

If you provide us with your contact email address, but then you are unable to finish your booking, we will keep your email address only temporarily and, in any case, for a maximum period of seven days to help you with the booking if you are still interested.

For the purpose of customized offers, you will periodically get email offers from us, and in every email, there will be a clear and easy way to unsubscribe and therefore object to this type of processing. We will keep and use your data for this purpose until you unsubscribe.

For those processing activities based on your consent, we will store your personal data for as long as such processing activities are necessary for the purpose for which they were collected, unless you withdraw your consent or request their deletion prior to that date and there is no legal or judicial mandate to keep the personal data.

Regarding Cookie duration, please check our Cookie Notice.

International data transfers

Our servers are located within the European Union. However, to facilitate our global operations (e.g. by means of service providers) the transmission of your data to the recipients described above may include transfers of your data to third countries whose data protection laws might not be as comprehensive as those of the countries within the European Union.

For transfers to recipients in third countries, we rely on the decision of the adequate level of protection, on appropriate safeguards, or on the exception of (pre)contract necessity or any other which might apply from time to time.

Any service provider acting as Data Controller will process your data in accordance with its own Privacy Notice and will be fully responsible for processing your data.

The disclosure of your data will be done, when applicable, in accordance with the applicable laws and appropriate safeguards (in particular, the standard contractual clauses issued by the European Commission) are in place to ensure an adequate level of protection of the privacy and fundamental rights of individuals.

The international transfer of data to international airlines, hotels, train companies, or car rentals, for the purpose of providing the appropriate service provided by us, is a transfer necessary for the performance of the contract between you and us in accordance with the corresponding derogation of the applicable data protection regulations.

6. How can you control the data you have given to us?

We want you to be in control of how your data is used by us. 

We are committed to ensuring fair and transparent processing. That is why it is important to us that persons concerned can exercise the following rights where the respective legal requirements are satisfied:

  • Rectify your data: You have the right to ask us to correct inaccurate or incomplete data about you.
  • Access or port your data: You may request information relating to your data and copies of such data. You may also be entitled to request copies of the data that you have provided to us in a structured, commonly used, and machine-readable format where technically feasible.
  • Erasure or block your data: You may request to have your data deleted. In some cases, we may not be able to erase it due to the fact that the data processing may be necessary for the performance of the contract between you and us, for our legitimate business interests (i.e. fraud prevention, security-enhancing), or to comply with our legal obligations (i.e. legal reporting, auditing obligations). In any case, we will immediately erase them when we can do so. Because we protect our services from accidental or malicious loss and destruction, residual copies of your data may not be removed from our backup systems for a limited period of time (within a week).
  • Object or limit the use of your data: You may require us not to process your data for certain specific purposes (including profiling) where such processing is based on legitimate interest. If you object to such processing, we will no longer process your data for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the exercise or defence of legal claims. You can object at any time to the following processing activities of your personal data:
    • Elaborating anonymised statistics regarding the overall conversion rate of the website.
    • Asking you for a review of your experience with us or the travel provider.
    • Showing you customised categorised offers on our Platforms, or in third-party platforms.
    • Improving our services or developing new services.

Exceptionally, this right cannot be satisfied for the purpose of promotion of a safe and trustworthy service, since we rely on a compelling legitimate interest of protecting from any potential fraud or attack against the provision of our services.

  • Withdrawing your consent: If we are processing your data based on your consent you may withdraw your consent at any time, specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal. You can withdraw at any time your consent to the following processing activities of your personal data:
    • Sending to your email the price alert that you asked for in our Platforms or regular offers and news of our Services.
    • Administering any promotional activity where you participate.
    • When you take part in a market research survey with us.

When you use our Platforms we collect and process cookies. The ones that are not strictly necessary for the performance of our services require your consent, and those cookies can be easily rejected as explained in our Cookies Notice.

If you want to exercise any of your data protection rights described above, you can do it here: [email protected].

You can also contact the French Data Protection Authority or any other applicable supervisory authority.

7. Regional-specific provisions

Depending on the local regulations that apply to you, we provide additional information. Please review it if applicable.

  • United Kingdom

Our UK Representative is Opodo Limited with tax ID number 766445988. 

Contact us here, to exercise a specific right or for other data protection comments or suggestions.

  • United States

Depending on which state you reside in, different laws might apply (such as California, Colorado, Connecticut, Virginia, and Utah). More specifically, if you are from California, the California Consumer Privacy Act (“CCPA”) would be applicable, and you would have the following rights in relation to the personal data that we hold about you: right to know (i.e. to request information about how we process your data), right to request deletion of certain personal data that we process about you, and the right to opt-out of sale of your personal data to third parties. Contact us through [email protected], to exercise a specific right or for other data protection comments or suggestions.

We allow third parties to collect your data through our Platforms, and share it for the purposes described in this Privacy Notice (including without limitation for customised advertising and marketing on our Platforms and elsewhere based on users’ online activities over time and across our Platforms, services, and devices). Remember that you can block non-strictly necessary Cookies (including ads and analytics cookies), as described in our Cookies Notice.

8. Updates and previous versions

We might amend this Privacy Notice from time to time to make sure it’s up-to-date. Do not hesitate to visit this page regularly and you will know exactly where you stand. We will note the date that revisions were last made to this Privacy Notice at the bottom of this page, and any revisions will take effect upon posting.

Last Updated: July 2023