Privacy Policy and Data Protection
Last updated: September 2, 2025
TL;DR
- We only ask for what's necessary to recommend experiences and manage reservations.
- Payments are processed with CardNet; we do not store card numbers.
- Conversational channel via WhatsApp (through Twilio).
- You can exercise access, rectification, portability and deletion by writing to privacy@exploraquisqueya.com.
- We apply TLS 1.3 encryption in transit and AES-256 at rest, RBAC and MFA.
1) Who we are
Data Controller: Explora Quisqueya ("Explora", "we").
Privacy/DPO Contact: privacy@exploraquisqueya.com
Address: Santo Domingo, Dominican Republic.
This Policy applies to the use of our conversational services through WhatsApp, our administrative panel and our website exploraquisqueya.com (collectively, the "Services").
2) Key definitions
- Personal data: information that identifies or can identify a person (e.g., name, phone, email).
- Data Processor: third party that processes data on our behalf (e.g., Twilio, hosting provider).
- Provider/Agency: tourism third party that offers experiences; receives data only when you request a reservation.
- Legal basis: foundation for processing data (consent, contract execution, legitimate interest, legal obligation).
3) What data we collect
3.1 Data you provide us
- Identifiers: name, WhatsApp number, email, language.
- Travel preferences and messages you send through chat.
- If you are a provider/agency: business name, experience descriptions, prices, photos, location and contact data.
- Billing data necessary to issue receipts.
- Claims, feedback or support requests.
3.2 Payment data
- Payments are processed through CardNet (PCI DSS compliance).
- We do not store complete card numbers or CVV in our systems.
3.3 Technical and usage data
- Device/browser information, interaction logs, performance, usage metrics of the site and assistant.
- Cookies and similar technologies (see Section 10).
3.4 Sensitive data
We do not request sensitive data. If the user voluntarily shares them in the chat, they will be processed only to attend to their request and we recommend not providing them.
4) What we use the data for (purposes) and legal basis
| Purpose | Examples | Legal basis |
|---|---|---|
| Operate the assistant and recommend experiences | Understand preferences; respond on WhatsApp | Contract execution / Legitimate interest |
| Manage reservations and support | Confirmations, changes, support | Contract execution |
| Process payments | Charges through CardNet | Contract execution / Legal obligation |
| Operational communications | Confirmations, reminders, notifications | Contract execution |
| Analytics and improvement | Usage metrics, performance, fraud | Legitimate interest |
| Legal compliance | Authority requirements, anti-fraud | Legal obligation |
| Optional marketing | News; you can unsubscribe | Consent |
We do not make automated decisions with legal effects on the user. We do apply personalization for recommendation relevance.
5) Who we share data with
We share data only when necessary:
- Twilio (WhatsApp): conversational channel.
- Hosting/infrastructure provider: secure platform operation.
- CardNet: payment processing (without exposing PAN to Explora).
- Agencies/guides: strictly necessary data when you request a reservation.
- Authorities: when required by law or to protect rights.
All providers act as processors under contract and adequate security measures. Agencies generally act as independent controllers for their own obligations (e.g., local billing).
6) International transfers
We may process data outside your country (including EU and US). When applicable, we use safeguards such as Standard Contractual Clauses (SCCs) and risk assessments, in addition to technical (encryption) and organizational controls.
7) Retention
We retain data only as long as necessary to fulfill the purposes and legal requirements. After the deadlines, they are deleted or anonymized.
| Category | Standard term |
|---|---|
| Chat and preferences | 24 months from last interaction or earlier if you request it |
| Account/provider data | While the account exists + 12 months |
| Reservation records | 5 years (accounting/local requirements may vary) |
| Payment records (no PAN) | According to applicable financial regulations (typically 5–10 years) |
| Technical logs | 12 months (security and audit) |
8) Security
- TLS 1.3 encryption in transit and AES-256 at rest.
- RBAC (role-based access control) and MFA for privileged access.
- Short-duration JWT, key and session rotation.
- Event monitoring and logging, encrypted backups, hardening and patches.
- Environment segregation and principle of least privilege.
Although we apply robust measures, no system is 100% infallible. If you suspect an incident, write to us immediately.
9) Your rights
You have the right to:
- Access your data.
- Rectification of inaccurate data.
- Deletion (right to be forgotten).
- Portability in structured format.
- Opposition or limitation of processing in certain cases.
- Withdraw consent when the basis is consent.
How to exercise them: write to privacy@exploraquisqueya.com indicating your request and the associated email/number. We may require identity verification. We respond within a maximum of 1 month (extendable in complex cases).
Complaints: you can also contact the data protection authority of your country (if you are in the EU, your local authority; in the United Kingdom, the ICO; in the Dominican Republic, the competent authority according to Law 172-13).
10) Cookies and similar technologies
We use cookies on the site to:
- Maintain session, remember preferences and improve performance.
- Usage analytics (product-focused; without intrusive profiling).
You can manage or block cookies from your browser. Disabling them may limit functions. If we implement third-party cookies for advertising purposes, we will indicate it in the corresponding banner/preference center.
11) Minors
The Services are not directed to minors under 18 years old. If a minor provided us data without authorization, request its deletion at privacy@exploraquisqueya.com.
12) Contact
Explora Quisqueya
Santo Domingo, Dominican Republic
Email: privacy@exploraquisqueya.com
13) Changes to this Policy
We may update this Policy to reflect regulatory or product changes. We will publish the current version with the update date and, if the change is substantial, we will notify you through a reasonable channel before it comes into effect.