Privacy Policy

 

Who are we?

Hello! We are Liligo Metasearch Technologies S.A.S., known by you as Liligo. 
Here's a summary of how we protect your data and respect your privacy.

Our privacy promises

  • We value your privacy & data security
  • We use data for your best travel experience with us
  • You control your data
  • Several Platforms, one Privacy Notice

Why do we use your data (purposes)?

  • Travel search and comparison services
  • Communications
  • Improving our services or developing new services
  • Promotion of a safe and trustworthy service
  • Legal purposes

We don't make Automated Decisions.

What types of data do we process?

You give us: email - Communications data, if any
We collect: cookie - Browsing & Travel search data 

Who will be the recipients of your data?

  • Service providers
  • Our group companies
  • Competent authorities

Know your rights

  • Manage or rectify your data
  • Access or port your data
  • Erase or block your data
  • Object or limit the use of your data
  • Withdraw your consent

Information on Cookies

We use Cookies that are necessary to run and improve our Platforms, and other important ones that you can control. More info here.

For more information related to privacy and security of your data, see the details below. 

Thank you for using our Platforms. Your trust is our most important value, which is why this Privacy Notice sets out our responsibilities regarding the privacy and security of your data. The only thing you have to do is read it, and if you have any questions related to it, you can tell us about it here.

After that, you’re all set to find your next adventure with us!

1. First things first, who are we?

Whenever this Privacy Notice mentions “we”, “us”, or “our”, it refers to Liligo Metasearch Technologies S.A.S. acting as Data Controller. 

Liligo Metasearch Technologies is a French-based company, with tax ID number FR91483314134.

Definitions for a better understanding of this Privacy Notice

  • Automated Decisions: a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (as defined under Article 22.1 of the EU General Data Protection Regulation; GDPR).

Note: As you will find explained below, we don’t make Automated Decisions.

  • Data Controller: anyone responsible for determining the purposes and means of processing your data.
  • Data Processor: a third party that only helps to achieve the purposes determined by the Data Controller. 

Note: We as a Data Controller use many third-party services to which we outsource some parts of our activities that we don’t do ourselves for various reasons such as cost-efficiency. A Data Processor is only allowed to process your data according to our documented instructions, and in compliance with the applicable law, so we are still in charge of your data, and they will not be able to process your data for any incompatible purpose. 

  • Lawful Bases: Processing of your data shall be lawful only if at least one of these bases applies (Article 6 GDPR).

Note: For the six lawful bases covered in the law, we will essentially rely on Consent, Contract, Legal Obligation or Legitimate Interest. However, exceptionally, we might rely on Vital Interest or Public Task. 

  • Personal Data (in this Privacy Notice also referred to essentially as “your data”): any information relating to you, as a directly or indirectly identified or identifiable natural person.
  • Platforms: all the services that facilitate interactions between you and us (such as websites, apps, etc.).
  • Sensitive Personal Data: data related to racial origin, ethnic group, religion, health, sexual orientation and biometric data constitute special categories of data (as defined under Article 9 GDPR).

Note: As you will find explained below, we shall not process Sensitive Personal Data.

Who is the Data Protection Officer?

We have a common Data Protection Officer who watches over all processing carried out with respect for your privacy and the applicable regulations at all times.

You can contact the Data Protection Officer’s team here.

Third Countries: countries in which the GDPR regime is not applicable. Currently, by Third Countries, we mean all countries that lie outside of the European Economic Area (i.e. outside the European Union, Iceland, Liechtenstein and Norway).

2. Why do we process your data and which lawful basis do we rely on?

Travel search and comparison services

We need to process your data in order to provide you with our travel search and comparison services, described in Section 2 of the Terms and Conditions, which can be summarised as a search and comparison service for travel products or services available on the travel market and offered by third-party companies, based on the search criteria you provide (referred to simply as “our Services”).

We endeavour to show to you the most relevant travel data in a personalized manner, so that when you visit our Platforms you do not miss the offers and information relevant to you.

Please, bear in mind that the identification data we use is going to be your cookie ID.

Lawful bases: #Contract

Communications

We can get in touch with you by the different means provided by you, and for the following purposes:

  • To send to your email the price alert that you asked for in our Platforms or regular offers and news of our Services. You can unsubscribe from email marketing communications easily and at any moment, just by clicking on the unsubscribe link included in each newsletter or other communication.
  • To administer any promotional activity where you participate.
  • We may show you customized offers on our Platforms or third-party platforms (including social media sites) and the content of the site displayed to you may be personalized. Such offers can be booked on our Platforms, on co-branded sites, or other third-party offers or products we think you might find interesting, based on Cookies. If you prefer seeing generic non-customised offers, rather than what is considered to be more relevant for you, you can reject advertising cookies anytime as described in our Cookies Notice.
  • To respond to any query or request from you and handle it. We endeavour to maintain our best levels of customer service and we are attentive to the personal situation of each of our various customers in order to personalise our Services.
  • To invite you to provide a review of your experience when you use our Services, or to take part in market research with us. Please, bear in mind that this feedback may be available to other customers to help them make decisions about a product or a service. In case you agree to take part in market research, we will explain the data collected and how it would be further used.

Lawful bases: #Contract #Your Consent #Legitimate Interest

Improving our Services or developing new services

We also use data for analytical purposes. This is part of our drive to enhance the user experience, but can also be used for testing purposes, troubleshooting and improving the functionality and quality of our Services. The main goal here is to optimize our Platforms to your needs, making them easier and more enjoyable to use. We strive to use pseudonymized or anonymized data for these analytical purposes.

Lawful basis: #Legitimate Interest

Promotion of a safe and trustworthy service

In order to create a trustworthy environment for you, your fellow travelers, our business partners and our travel providers, we may use data for the detection and prevention of illegal or unwanted activities, as well as for security purposes in our Platforms.

One example of this is ***

Lawful bases: #Legal Obligation #Legitimate Interest

Legal purposes

We redirect any claim directly to the Service providers. 

Exceptionally, we may need to use your data for regulatory investigations and compliance, to enforce our General terms and conditions or to comply with lawful requests from law enforcement or other legal obligations.

Lawful bases: #Legal Obligation #Legitimate Interest

Types of Lawful Bases

Main lawful bases commonly used:

#Your Consent: you gave consent for a specific use of your data. We will always obtain your consent to collect and process your data unless another Lawful Basis applies. We will provide you with transparent information at the time that consent is obtained. This information will be provided in an accessible form, written in clear language. If the data is not obtained directly from you, then this information will be provided to you within a reasonable period after the data has been obtained.

#Contract: you have a contract or pre-contract with us. As an example, when booking an airline or hotel with us, we need relevant data to process your reservation.

#Legal Obligation: we have a legal obligation. Normally, accounting and tax regulations require us to store the necessary data for compliance purposes.

#Legitimate Interest: It’s in our legitimate interest, and it is judged not to affect your rights and freedoms in a significant way. 

Other lawful bases, only exceptionally used:

  • Vital Interest: You or a third party have a vital interest. We will not normally process data based on this legal basis, but if we do, we will let you know.
  • Public Task: We have a public task to perform. We will not normally process data based on this legal basis, but if we do, we will let you know.

We don't make Automated Decisions 

We don't make Automated Decisions based on profiles, beyond the legitimate interest of fraud prevention and the customization of your user experience, marketing and advertising. In any case, such an Automated Decision will not produce legal effects or similarly significantly affect you.

In case we shall make any Automated Decision we will apply all appropriate measures and inform you. 

3. What types of data do we process?

There are different origins where the data mainly can come from: #Data you give to us & #Data we collect from you. The following are categories of data that can be related to you (categories are not exclusive, data may transcend multiple categories):

  • Communications data #Data you give to us

Data from all of the communications exchanged between you and us in connection to your requests. We use your email address as your identity data; your data will be linked based on your email. For example, customer support cases, metadata and notes generated by our systems and agents, if any.

  • Browsing & Travel search data #Data you give to us

Data that you provide to us during the searching process. This data may be automatically collected from your device when you visit our Platforms. For example, IP address, browser type, origin, destination, dates, and other travel characteristics, internet service providers, geographic location, technical data about the device, pages accessed and links clicked, the time and duration of request and visit, the method used to submit the request to the server.

As most of this data may be collected by using different types of Cookies or similar technologies, check our Cookies Notice.

Why don’t we process Sensitive Personal Data?

We don’t process Sensitive Personal Data because we don’t need it to provide you with our Services and we are committed to applying the principle of data minimisation. We don’t ask you for this data in our Platforms. Please avoid providing us with Sensitive Personal Data in any open communication with us, if any.

What happens with the data belonging to children?

Our Services aren’t intended for minors, as mentioned in our General terms and conditions.

If we become aware that we have processed the data of a child without the valid consent of a parent or guardian, we will delete it.

Data we collect from third parties

We lawfully obtain data about you from business partners and other independent third-party sources (e.g. browsing or device data, contact data such as email, purchase or demographic data).

4. Who will be the recipients of your data?

We might have to share your data with third parties which might normally act as #Data Controller or #Data Processor depending on their circumstances (i.e. on their purposes and type of data they process, their relationship with them, you and us, their responsibilities under the law, etc.). Their main categories are listed below.

Service providers 

In order to provide you with our services, we need to share your data with third parties. We will define and regulate the data transfer or processing contractually when required by law with the appropriate security measures.

  • Travel service provider you booked with #Data Controller (e.g. online travel agencies, airlines or carriers, hotels, car rental companies, etc.). In our Platform there might be services fully or partially provided by our travel business partners. Travel business partners’ terms shall apply, and when so, you will find a link to them in the corresponding page.
  • Information security services #Data Processor. We work with information security services to protect your data.
  • IT infrastructure providers #Data Processor (e.g. hosting service providers). They help us provide you with an available and secure Platform.
  • Software solutions and engineers #Data Processor. Software solutions and engineers help us work on a day to day basis and to continue improving our services.
  • Analytical service providers #Data Processor. They provide us with the necessary data to understand the use within our Platform, see if there are any bugs or decide how we can improve our services.
  • Customer Relationship Management and marketing solutions #Data Processor #Data Controller. They allow us to manage customised commercial communications. Some of them also help us display customised ads throughout the internet.
  • Social platforms #Data Controller. When logging in with your social media, clicking on a social media “like” button integrated into our Platforms by plugins, or using any social media services to interact with us, your data can be shared between us and the social media providers (e.g. your user names, email address, profile pictures, your contact, etc.).
  • Finance, administrative and legal services and tools #Data Processor #Data Controller (e.g. accounting systems, legal service providers, collection agencies, corporate insurances, etc.).

Our group companies 

We might share your data within our group companies who will be obliged to use your data solely for the purpose for which they were collected, and comply with other provisions of the applicable law. 

Our group of undertakings has a common Privacy Policy applying to all of them to ensure that any data processing carried out within our group is made under the same level of security requirements and will be processed exclusively for the same purposes for which the data had been collected, according to the applicable laws.

Competent authorities

We might disclose your data to law enforcement authorities, which will act as #Data Controllers, insofar as it is required by law or is strictly necessary for the prevention, detection or prosecution of criminal acts and fraud, or if we are otherwise legally obliged to do so. We may need to further disclose your data to competent authorities to protect and defend our rights or properties, or the rights and properties of third parties.

Others

(transparently informed to you and with your consent to the disclosure, where applicable)

These recipients might be outside the European Economic Area (EEA), implying international data transfers. For more information on this, please check the next section. 

5. How do we protect your data?

Security measures 

While no online service can guarantee absolute security, we design our systems and devices with security and privacy in mind. We work to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including for example the following:

  • We apply pseudonymisation and encryption of your data, when appropriate. For example, when using our online Platforms your data is sent through a secure connection using Hypertext Transfer Protocol Secure (HTTPS), which encrypts your data as it travels over the Internet, preventing anyone from stealing your information in transit.
  • We work to provide confidentiality, integrity, availability and resilience of processing systems and Services. We have physical, electronic, and procedural security measures in place regarding the collection, storage, and disclosure of your data. Our security procedures mean that we may ask you to verify your identity before providing you with confidential information, and our Platforms offer security features that protect against unauthorized access and data loss.
  • We make endeavours to be able to restore the availability and access to your data in a timely manner in the event of a physical or technical incident.
  • We implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Retention procedures

We will keep your data for as long as we deem it necessary to enable you to use our Services, to provide our Services to you, to comply with the applicable laws, resolve disputes with any parties and otherwise as necessary to allow us to conduct our business (including, to detect and prevent any illegal activities). All your data we retain will be subject to this Privacy Notice. If you have any questions about a specific retention period for certain types of your data we process about you, see below.

Usually, we process your data for a maximum period of five years, since your last trip or any further action related to it ended or since you performed your last action while logged in with your account for the purposes described above. 

Other specific terms might apply, such as a maximum term of three years for accountability purposes regarding data protection related interactions, or a maximum term of ten years for tax and accounting purposes.

If you provide us with your contact email address, but then you are unable to finish your booking, we will keep your email address only temporarily and, in any case, for a maximum period of seven days to help you with the booking if you are still interested.

For the purpose of customized offers, you will periodically get email offers from us, and in every email, there will be a clear and easy way to unsubscribe and therefore object to this type of processing. We will keep and use your data for this purpose until you unsubscribe.

Regarding Cookie duration, please check our Cookie Notice.

International data transfers

Our servers are located within the European Union. However, to facilitate our global operations (i.e. by means of service providers) the transmission of your data to the recipients described above may include transfers of your data to third countries whose data protection laws might not be as comprehensive as those of the countries within the European Union.

For transfers to recipients in such countries, we rely on the decision of the adequate level of protection, on appropriate safeguards, or on the exception of (pre)contract necessity or any other which might apply from time to time.

Any service provider (such as an online travel agency or an airline) acting as Data Controller will process your data in accordance with its own Privacy Notice and will be fully responsible for processing your data.

The disclosure of your data will be done, when applicable, in accordance with the applicable laws and with appropriate safeguards (in particular, the standard contractual clauses issued by the European Commission) in place to ensure an adequate level of protection of the privacy and fundamental rights of individuals.

6. How can you control your data you have given to us?

We want you to be in control of how your data is used by us. 

Taking into account that we process very limited personal data, we make it very easy for you to exercise your rights:

  • When you use our Platforms we collect and process cookies. The ones that are not strictly necessary for the performance of our services can be easily rejected as explained in our Cookies Notice.
  • When you share with us your email for commercial communications, you can erase it by just clicking on the unsubscribe button of any of our communications. 

Unless you have sent us exceptionally and voluntarily more of your data through other means, we don’t have any other data from you. If so, and you want to exercise your data protection rights (right to access, rectification, erasure, object or limit, or withdraw your consent), you can do it here.

You can also contact the French Data Protection Authority or any other applicable supervisory authority.

7. Regional-specific provisions

Depending on the local regulations that apply to you, we provide additional information. Please review it if applicable.

  • United Kingdom

Our UK Representative is Opodo Limited with tax ID number 766445988. 

Contact us here, to exercise a specific right or for other data protection comments or suggestions.

  • United States

Depending on which state you reside in, different laws might apply (such as California or Virginia). 

Contact us here to exercise a specific right or for other data protection comments or suggestions.

We allow third parties to collect your data through our Platforms and share it with third parties for the business purposes described in this Privacy Notice (including without limitation advertising and marketing on our Platforms and elsewhere based on users’ online activities over time and across our Platforms, Services, and devices). Remember that you can block Cookies for these purposes, through the Consent Management Platform (CMP) as described in our Cookies Notice.

8. Updates and previous versions

We might amend this Privacy Notice from time to time to make sure it’s up-to-date. Do not hesitate to visit this page regularly and you will know exactly where you stand. We will note the date that revisions were last made to this Privacy Notice at the bottom of this page, and any revisions will take effect upon posting.

Last Updated: October 11th 2021