Privacy Policy
Last updated: 10 June 2026 | Effective date: 10 June 2026
1. Who we are
KaabaTrip Limited (“we”, “us”, “our”) is a UK-based travel comparison platform registered in England and Wales. Our registered office is:
KaabaTrip LimitedSlough, Berkshire
United Kingdom
Email: privacy@kaabatrip.com
For data protection purposes, KaabaTrip Limited is the data controller of your personal information. Our Data Protection Officer can be reached at dpo@kaabatrip.com.
2. What data we collect
- Account data: name, email address, password hash, user role (customer, operator, or admin).
- Quote request data: travel preferences (destination, dates, hotel star rating, room occupancy, budget range, inclusions), departure city, and any notes you provide.
- Booking intent data: reference codes, selected offer/package, payment evidence metadata, and communication notes.
- Operator data: company name, registration number, ATOL/ABTA numbers, contact details, office address, service regions, and bank account details (for verified operators only).
- Complaint data: complaint descriptions, category, severity, and operator/admin responses.
- Technical data: IP address, browser type, device information, and cookies (see our Terms & Conditions for cookie details).
3. Legal basis for processing
We process your personal data under the following lawful bases under UK GDPR:
- Contract: account registration, quote requests, booking intents, and payment evidence handling.
- Legal obligation: complaint handling, audit logs, and financial record-keeping (7 years).
- Legitimate interests: operator verification for consumer safety, fraud prevention, and platform security.
- Consent: marketing communications and analytics cookies. You can withdraw consent at any time by emailing privacy@kaabatrip.com.
4. How we use your data
- To provide and maintain the KaabaTrip comparison platform.
- To match your quote requests with verified travel operators.
- To facilitate booking intents between you and your chosen operator.
- To process complaints and disputes in accordance with UK consumer law.
- To send you service-related communications (booking updates, security alerts).
- To send marketing communications only if you have given explicit consent during sign-up or via your account settings.
- To comply with legal and regulatory obligations.
5. Data sharing
We do not sell your personal data. We share data only with:
- Travel operators: when you submit a quote request or booking intent, the relevant operator receives your contact details and travel preferences.
- Service providers: Supabase (cloud database, London region), hosting providers, and email delivery services—all under GDPR-compliant data processing agreements.
- Regulators: where required by law (e.g., ICO, CAA, ABTA, Trading Standards).
6. International transfers
Your data is stored in the United Kingdom (eu-west-2, London) via Supabase. We do not transfer personal data outside the UK or European Economic Area for core business operations. If we ever need to transfer data internationally, we will ensure adequate safeguards are in place (e.g., UK International Data Transfer Agreement or EU Standard Contractual Clauses).
7. Data retention
| Data type | Retention period |
|---|---|
| User account (active) | Indefinite (until you delete your account) |
| User account (deleted) | 90 days grace, then hard-delete |
| Booking intent + evidence | 90 days (auto-purged unless dispute flagged) |
| Audit log entries | 7 years (legal/financial requirement) |
| Complaint records | 7 years (consumer protection requirement) |
| Marketing consent records | Indefinite (proof of consent required) |
8. Your rights
Under UK GDPR, you have the following rights:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your personal data (“right to be forgotten”).
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests or direct marketing.
- Restriction: Request limited processing in certain circumstances.
To exercise any of these rights, email us at privacy@kaabatrip.com. We will respond within one month.
9. Cookies and tracking
We use essential cookies for authentication and security, and optional analytics cookies to improve our service. You can manage your cookie preferences at any time via the cookie banner or by contacting us. See our Terms & Conditions for the full cookie table.
10. Security
We implement appropriate technical and organisational measures to protect your data, including TLS 1.3 encryption in transit, AES-256 encryption at rest, role-based access control (RBAC), Row Level Security (RLS) on our database, and regular security audits.
11. Children's privacy
Our platform is not intended for children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on our platform. The Last updated date at the top of this page indicates when this policy was last revised.
13. Contact us
If you have any questions about this Privacy Policy or our data practices, please contact us:
KaabaTrip LimitedSlough, Berkshire
United Kingdom
Email: privacy@kaabatrip.com
This Privacy Policy is governed by the laws of England and Wales and complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.