Privacy Policy

Maduro Travel & Leisure Ltd.
Version 1.0
Effective Date: 11/11/2025 

POLICY SUMMARY
This Privacy Policy explains how Maduro Travel & Leisure Ltd. collects, uses, and protects your personal data in accordance with Curaçao law (LBP) and international standards (including GDPR, C108+). Key points: we only collect data necessary for our services, you have rights to access, correct, or delete your data, we protect your information with strong security measures, and you can contact us at [email protected] with any questions or to exercise your rights. Full details are provided below.

  1. INTRODUCTION

Maduro Travel & Leisure Ltd. (“the Company”) is committed to protecting the privacy and confidentiality of personal data entrusted to us by our customers, employees, partners, and other stakeholders. The Company recognizes its responsibility to process personal data in accordance with the Landsverordening Bescherming Persoonsgegevens (LBP), the prevailing privacy law in Curaçao. 

Furthermore, the Company aligns its practices with international standards and the General Data Protection Regulation (GDPR).

This policy sets out the principles, responsibilities, and practices that govern how the Company collects, processes, retains, shares, and secures personal data. 

  1. PURPOSE AND SCOPE

This policy aims to safeguard the rights and freedoms of individuals whose personal data is processed by the Company, ensure compliance with Curaçao law and recognized international privacy standards, and provide clarity and transparency to customers, employees, and business partners regarding how their data is used. 

This policy applies to all employees, contractors, and third parties acting on behalf of the Company. It covers all personal data processed in the context of the Company’s operations, including customer relationship management, service delivery, marketing, HR and employment activities, and outsourcing arrangements. 

 

  1. LEGAL BASIS FOR PROCESSING

The Company will only process personal data when a valid legal basis exists. These include performance of a contract (e.g., providing services, fulfilling orders, managing customer accounts), compliance with a legal obligation (e.g., tax reporting, employment law requirements, regulatory obligations), legitimate interests of the Company (e.g., fraud prevention, network and information security, business continuity) balanced against the rights of individuals, and consent where explicitly required, such as for marketing communications or processing of sensitive data. 

  1. DATA PRIVACY PRINCIPLES

The Company adheres to the following principles in all its data processing activities: 


Lawfulness, Fairness, and Transparency. Data is processed in a lawful and transparent manner, and individuals are informed about the purposes of processing. 


Purpose Limitation. Data is collected only for specified, legitimate purposes and not further processed in a manner incompatible with those purposes.


Data Minimization. Only data necessary for the intended purpose is collected and processed. 


Accuracy. Reasonable steps are taken to ensure data is accurate and kept up to date. 


Storage Limitation. Data is retained no longer than necessary to fulfill its purposes or as required by law. 


Integrity and Confidentiality. Data is processed securely, using appropriate technical and organizational measures to prevent unauthorized access, loss, or damage. 


Accountability. The Company is responsible for, and able to demonstrate, compliance with this policy and applicable laws. 

 

  1. ROLES AND RESPONSIBILITIES

Management and Board of Directors hold ultimate accountability for ensuring the Company’s compliance with data privacy requirements.
Employees must handle personal data responsibly and follow training and procedures established by the Company.
Third Parties and Vendors are required to comply with contractual obligations that include data protection requirements and are subject to oversight and audits. 

  1. CATEGORIES OF DATA PROCESSED

The Company processes different categories of personal data, including customer and client data (contact information, service preferences, transaction history, correspondence, billing information), employee data (HR records, payroll, benefits, performance evaluations, compliance-related data), and third-party data (vendor contact details, contractual information, business partner data).
Sensitive personal data, such as data relating to racial or ethnic origin, political opinions, health, biometric identifiers, or criminal records, will only be processed under strict legal conditions, with explicit consent where required, and with enhanced safeguards.
Travel-specific data: passport and ID details, visa information, travel itineraries, flight and accommodation bookings, dietary requirements and special needs, frequent flyer and loyalty program numbers, travel insurance details, emergency contact information, payment card details for bookings, and travel companion information.

The Company processes certain sensitive data necessary for travel arrangements, including health information for travel insurance and medical assistance, dietary restrictions for religious or health reasons, accessibility requirements for disabilities, passport and visa details for booking international travel, and emergency contact details for traveler safety.
This data is processed only with explicit consent or where necessary to fulfill our contractual obligations to arrange travel services. Enhanced security measures apply to passport scans and payment information, which are encrypted and retained only as long as legally required. 

  1. CHILDREN’S PRIVACY

The Company does not knowingly collect or process personal data from children under the age of 18 without verifiable parental or guardian consent, except where permitted by law. If we become aware that we have inadvertently collected data from a child without appropriate consent, we will take steps to delete such information promptly.  

  1. DATA SUBJECT RIGHTS

Individuals have the following rights regarding their personal data: the right to access and obtain a copy of the data held; the right to rectification of inaccurate or incomplete data; the right to erasure when data is no longer legally required; the right to restriction of processing in certain cases; the right to object to processing based on legitimate interest or for direct marketing purposes; the right to portability to receive data in a machine-readable format where applicable; the right to withdraw consent previously given at any time; and the right to lodge complaints with the supervisory authority in Curaçao. 

Requests will be handled within one month of receipt, subject to verification of identity and applicable legal exemptions. Complex requests may require up to three months, and the requestor will be informed of any extension. 

To exercise these rights, individuals may submit a request via mail, or send a written request to the Company’s registered address. 

  1. AUTOMATED DECISION-MAKING AND PROFILING

Maduro Travel does not carry out automated decision-making or profiling.

  1. DATA TRANSFERS

Personal data may be transferred outside Curaçao in limited circumstances, for example, to cloud service providers, IT support vendors, payment processors, or group entities. The Company ensures that such transfers are protected by appropriate safeguards, such as standard contractual clauses approved under GDPR, adequacy decisions recognizing the recipient jurisdiction’s data protection framework, technical measures such as encryption and pseudonymization, or explicit consent from the data subject where other safeguards are not available. 

Preference will be given to service providers located in jurisdictions recognized as offering adequate protection under GDPR standards. 

  1. SECURITY OF PROCESSING

The Company maintains a comprehensive information security framework. 

  1. DATA BREACH MANAGEMENT

All employees are required to immediately report suspected data breaches to their supervisor. The response process includes immediate containment and mitigation of the breach, investigation to determine the scope, cause, and impact of the breach, risk assessment of potential impacts on affected individuals, notification to the local privacy regulator within 72 hours where the breach may result in risks to individuals’ rights and freedoms, notification to affected individuals without undue delay when the breach poses high risks to their rights and freedoms, documentation of all incidents in a breach register including facts, effects, and remedial actions taken, and implementation of measures to prevent recurrence. 

  1. RETENTION AND DISPOSAL

Personal data is retained only as long as necessary to fulfill its processing purpose or as required by law. General retention periods include customer and client data for the duration of the business relationship plus 10 years for legal, tax, and warranty purposes; marketing data until consent is withdrawn or 2 years of inactivity, whichever comes first; employee records in accordance with labor law requirements; financial and accounting records for 10 years in accordance with tax law; and video surveillance footage for 30 to 90 days unless required for investigation or legal proceedings. 

Specific retention schedules are maintained by department and reviewed annually. At the end of the retention period, personal data will be securely disposed of through methods such as secure data wiping, shredding of physical documents, or cryptographic erasure. 

Travel booking records and passenger manifests: 3 years after trip completion for liability and customer service purposes; passport and visa copies: deleted within 90 days after travel completion unless required for ongoing disputes or legal obligations; payment card information: not stored after transaction completion, except tokenized references for future bookings with explicit consent. 

  1. MARKETING AND COMMUNICATIONS

The Company processes personal data for marketing purposes only when the individual has provided explicit consent (opt-in) or when the Company has a legitimate interest and the individual has been given clear opt-out options. 

  1. COOKIES AND ONLINE TRACKING

If the Company operates a website or digital platforms, cookie and tracking technologies are used only in accordance with applicable law. The Company provides clear information about the types of cookies used (essential, functional, analytical, marketing), the purpose of each cookie category, third parties that may receive data through cookies, and how users can manage or reject cookies. 

Specific cookies used include those from Google Analytics for website analytics, payment gateway providers for secure transactions, and booking platform partners for real-time availability searches.  

Consent is obtained for non-essential cookies before they are placed on users’ devices. Users can withdraw consent or adjust cookie preferences at any time through the cookie management tool on the Company’s website. 

  1. THIRD-PARTY PROCESSING AND VENDORS

When the Company engages third parties to process personal data on its behalf (data processors), it ensures a written contract is in place specifying data protection obligations, processors are selected based on their ability to implement appropriate security measures, processors only process data according to documented instructions from the Company, regular audits or assessments are conducted to verify compliance, and sub-processors are only engaged with prior authorization. 

The Company shares personal data with travel service providers necessarily involved in fulfilling bookings, including airlines, hotels, tour operators, car rental companies, cruise lines, travel insurance providers, and payment processors. These parties act as independent data controllers for their own purposes and have their own privacy policies. The Company also shares data with government authorities when required for visa applications, border control, or regulatory compliance. Where possible, we minimize data shared to only what is necessary for each specific service. 

  1. TRAVEL-SPECIFIC DISCLOSURES

International Data Transfers: Travel bookings inherently require transferring your data internationally to airlines, hotels, and service providers in your destination countries. These transfers are necessary to fulfill your travel arrangements and may involve countries without adequate data protection laws. By booking travel services, you acknowledge and consent to these necessary international transfers. 

Government Requirements: We may be legally required to share passenger data with immigration authorities, customs agencies, and security organizations in accordance with laws such as Advance Passenger Information (API) and Passenger Name Record (PNR) requirements. This includes sharing data with authorities in countries you travel to or transit through. 

Emergency Situations: In medical emergencies or safety situations during travel, we may disclose relevant personal data to emergency services, medical providers, or authorities to protect your vital interests or those of other travelers. 

Travel Companions: When booking group travel, you may provide personal data of travel companions. You are responsible for ensuring you have authority to share their information and that they are aware of this privacy policy. 

  1. TRAINING AND AWARENESS

The Company provides mandatory data privacy training for all employees upon onboarding and annually thereafter. Training covers key provisions of this policy and applicable laws, data subject rights and how to handle requests, security best practices and incident reporting, and specific requirements for roles with access to sensitive data. 

Awareness campaigns and updates are communicated periodically to reinforce secure data handling practices and inform staff of policy changes. 

  1. MONITORING, AUDIT, AND CONTINUOUS IMPROVEMENT

Compliance with this policy is monitored through internal audits conducted at least annually, external assessments or certifications as appropriate, and monitoring of data subject requests, complaints, and incidents. 

Audit findings and improvement recommendations are reported to management and tracked until resolution. The Company is committed to continuous improvement of its privacy practices. 

  1. PRIVACY BY DESIGN AND BY DEFAULT

The Company integrates data protection into all new projects, systems, and processes from the outset (Privacy by Design). This includes conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities, implementing technical and organizational measures that ensure data minimization, configuring systems to use the most privacy-friendly settings by default (Privacy by Default), and regularly reviewing and updating privacy measures as technology and risks evolve. 

A DPIA is mandatory when processing is likely to result in high risk to individuals’ rights and freedoms, including large-scale processing of sensitive data, systematic monitoring of public areas, automated decision-making with legal effects, or use of new technologies. The DPIA process includes describing the processing operations and purposes, assessing necessity and proportionality, identifying and evaluating risks to individuals, and determining measures to mitigate those risks. 

  1. GOVERNANCE AND REVIEW

This policy is reviewed at least once annually and approved by management. Updates may be made earlier in response to changes in applicable laws or regulations, supervisory guidance or enforcement actions, changes in business operations or technology, or incidents or audit findings that indicate policy improvements are needed. 

Policy changes will be communicated to all employees and published on the Company’s website if applicable. 

 

  1. CONTACT

If you have questions about this Cookie Policy or your privacy rights:
Email: [email protected]
Company: Maduro Travel & Leisure Ltd.
Location: Curaçao