Privacy Policy
This Privacy Policy explains how Tenerife World Tickets (operator of tenerifeworldtickets.org, hereinafter the Controller) collects, uses, stores and otherwise processes the personal data of visitors and customers of tenerifeworldtickets.org in compliance with Regulation (EU) 2016/679 (GDPR) and Directive 2002/58/EC as amended (the ePrivacy Directive). Reading this notice in full takes about 6 minutes — please do.
1. Identity and contact details of the Controller
1.1. The data Controller is Tenerife World Tickets (the company operating tenerifeworldtickets.org).
1.2. The Controller can be contacted by post at the registered office stated in the Legal Notice or by e-mail at support@tenerifeworldtickets.org.
1.3. Privacy-specific requests (subject access, erasure, rectification, portability, objection, restriction) should be sent to support@tenerifeworldtickets.org with the subject line "GDPR request" and a copy of an ID document for identity verification (we redact the ID within 30 days after the request is closed).
2. Categories of data we process
2.1. Identification & contact data: first name, last name, e-mail address, mobile phone number, postal address (where required for the receipt) of the lead guest and (where applicable) of additional guests listed on the booking.
2.2. Payment data: name on card, billing address, masked PAN (last 4 digits), card brand, expiry month/year, country of issue, transaction reference, 3-D Secure response. The full PAN, CVV/CVC and the magnetic-stripe data are processed exclusively by our PCI-DSS Level 1 Payment Service Provider and are never stored on the Controller's servers.
2.3. Booking data: Park, date of visit, number of adults / children / infants, options selected, Service Fee applied, total price, currency, Order ID.
2.4. Technical data: IP address, user-agent string, screen resolution, browser language, time-zone, referring URL, click-stream within tenerifeworldtickets.org during the session.
2.5. Communication data: support tickets, e-mail correspondence, recordings of phone calls (where the call is announced as recorded; recordings retained 90 days).
2.6. We do not intentionally process special categories of personal data (Article 9 GDPR) such as health, religion, ethnic origin, biometric data, or political opinions. Customers should not include such data in free-text fields.
3. Purposes of processing and legal basis
| Purpose | Categories of data | Legal basis (Art. 6 GDPR) | Retention |
|---|---|---|---|
| Conclusion and performance of the contract: issuing the Ticket, payment processing, delivery of the e-Ticket by e-mail, customer support during the journey | 2.1, 2.2, 2.3, 2.4 | (b) Performance of a contract | Until the Order is fully completed + legal retention (see §6) |
| Compliance with bookkeeping, fiscal and anti-money-laundering obligations: issuance of VAT-compliant invoices, registration of transactions, audit trails | 2.1, 2.2, 2.3 | (c) Compliance with a legal obligation (Council Directive 2006/112/EC; AMLD5) | 10 years from the issuance of the invoice |
| Fraud prevention & security: detection of stolen-card patterns, brute-force login attempts, suspicious bot activity | 2.1, 2.2, 2.4 | (f) Legitimate interest of the Controller in protecting the Service and its customers | 13 months |
| Customer support: replying to enquiries via e-mail, chat or phone | 2.1, 2.5 | (b) Performance of a contract / (f) Legitimate interest where pre-contractual | 3 years from last contact |
| Service analytics: understanding how visitors use tenerifeworldtickets.org so we can improve usability, fix bugs and tune marketing creative | 2.4 (anonymised, aggregated) | (a) Consent (collected via the cookie banner) | 26 months |
| Marketing communications about similar tickets & offers | 2.1 | (a) Consent for prospects, (f) Legitimate interest with opt-out for existing customers | Until withdrawal of consent / opt-out |
4. Recipients of personal data
4.1. Internal: employees and contractors of the Controller bound by written confidentiality obligations and processing data on a strict need-to-know basis.
4.2. External processors acting on the Controller's instructions under a data-processing agreement compliant with Art. 28 GDPR:
- Payment Service Provider — PCI-DSS Level 1, EU/EEA hosting, processing for transaction authorisation and chargeback handling;
- E-mail-delivery provider (transactional confirmations) — EU/EEA hosting;
- Cloud-hosting provider — EU/EEA data-centres, ISO 27001 / SOC 2 certified;
- Error-monitoring tool — anonymised stack-traces only, EU/EEA hosting;
- Analytics provider (Microsoft Clarity) — anonymised IP, opt-in via cookie banner.
4.3. Public authorities in the event of a binding legal request (court order, tax-authority audit, anti-fraud investigation). We require the request to be in writing, served through proper diplomatic / judicial channels, and we challenge requests that appear to exceed the scope authorised by law.
4.4. We do not sell, rent or otherwise commercially trade personal data to third parties.
5. International transfers of personal data
5.1. The default position is that personal data are processed within the European Economic Area (EEA).
5.2. Where a transfer outside the EEA is unavoidable (for example, a customer-support tool operating from the United Kingdom or a backup region in Switzerland), the transfer is protected by one of the safeguards listed in Chapter V GDPR: an adequacy decision of the European Commission, the Standard Contractual Clauses (SCCs) of 4 June 2021, or the EU-US Data Privacy Framework where the recipient is certified.
5.3. A list of current sub-processors and the corresponding transfer mechanism is available on request at support@tenerifeworldtickets.org.
6. Retention periods
6.1. Bookkeeping & fiscal data: 10 years from the year of the invoice (EU Member-State VAT and corporate-tax retention rule).
6.2. Customer-support correspondence: 3 years from last contact.
6.3. Fraud-prevention logs: 13 months from collection.
6.4. Anonymised analytics: 26 months.
6.5. Marketing-list e-mail: until the customer withdraws consent or opts out.
6.6. After expiry of the applicable period, data are deleted from active systems and removed from backups within the next backup-rotation cycle (≤90 days).
7. Rights of the data subject
The Customer has the following rights under Articles 15-22 GDPR:
- Right of access (Art. 15) — to obtain confirmation that personal data are processed and to receive a copy.
- Right to rectification (Art. 16) — to have inaccurate data corrected without undue delay.
- Right to erasure (Art. 17) — "right to be forgotten", subject to the legal retention obligations described in §6.
- Right to restriction (Art. 18) — to require the Controller to suspend processing in certain circumstances.
- Right to data portability (Art. 20) — to receive the personal data in a structured, commonly used, machine-readable format (CSV / JSON).
- Right to object (Art. 21) — to legitimate-interest-based processing, including direct marketing (the latter is unconditional).
- Rights related to automated decision-making (Art. 22) — we do not take decisions about Customers based solely on automated processing (including profiling) that produce legal effects.
Requests are answered within 30 calendar days (extendable by another 60 days for complex requests, with prior notice).
8. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, the Customer has the right to lodge a complaint with the supervisory authority of the EU Member State of the Customer's habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR). A directory of EU supervisory authorities is published by the European Data Protection Board at edpb.europa.eu.
9. Cookies and similar technologies
Cookies are governed by a separate Cookie Policy, which forms part of this Privacy Policy.
10. Security measures
10.1. We implement the technical and organisational measures listed in Article 32 GDPR, including: TLS 1.2+ on all customer-facing channels, encryption at rest of databases, role-based access control with multi-factor authentication, segregation of duties, change-management procedures, application firewalling, periodic penetration testing, and continuous logging.
10.2. In the event of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons, we notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and, where the risk is high, communicate the breach to affected data subjects without undue delay (Art. 34 GDPR).
11. Children
11.1. The Service is intended for adults. Tickets for minors are purchased by their legal guardian. We do not knowingly collect personal data of children under 16 directly from the child.
12. Modifications of this Privacy Policy
12.1. We may update this Privacy Policy from time to time. The "Last updated" date below indicates the date of the most recent revision. Material changes are notified by e-mail to active customers where their address is on file.
13. Glossary
Personal data — any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
Processing — any operation performed on personal data, automated or not (Art. 4(2)).
Controller — the entity determining the purposes and means of the processing (Art. 4(7)).
Processor — a third party processing data on behalf of, and under the instructions of, the Controller (Art. 4(8)).