Welcome to www.istedafah.com! In the below Privacy Policy, we inform you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as "data") in the context of the provision of our website.
We attach great importance to the security of your data and compliance with applicable data protection regulations. The collection, processing and use of personal data is subject to the provisions of Oman's Personal Data Protection Law (PDPL) and the General Data Protection Regulation (GDPR).
Data Controller
The person responsible within the meaning of the PDPL and GDPR is: Istedafah Businesses.
Salalah, Oman
E-Mail: info@istedafah.com
Data Protection Officer
In accordance with Article 19 of the PDPL, we are required to have a Data Protection Officer (DPO). Our DPO is Istedafah Businesses and can be contacted at info@istedafah.com
Accuracy
It is important that the data we hold about you is accurate and current, therefore please keep us informed of any changes to your personal data.
What are the categories of data subjects?
Customers, interested parties, visitors, and users of the website, business partners. In the following, we refer to the data subjects collectively as "users".
What are the purposes for processing?
What are the relevant legal bases for processing your data?
The following informs you about the legal basis of us processing your data and unless the legal basis is not specifically mentioned, the following applies:
Data Protection Principles
All personal data must be:
What are your rights?
You have a number of rights; these rights are standardized in the PDPL and GDPR and include:
The above rights may be limited in some circumstances, for example, if fulfilling your request would reveal Personal Data about another person, if you ask us to delete information which we are required to have by law, or if we have compelling legitimate interests to keep it.
We will let you know if that is the case and will then only use your information for these purposes. You may also be unable to continue using our services if you want us to stop processing your Personal Data.
Please contact us at any time with questions and suggestions regarding data protection and to enforce your rights as a data subject.
Types of data processed
Categories of data subjects
Visitors and users of the website, as well as guests and hosts (collectively as "users").
How we use information
The main reason we use your information is to provide and improve our services. We also use your information to protect you and to provide you with advertisements that may be of interest to you.
Security measures
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, input, disclosure, ensuring availability and segregation of the data. We also have procedures in place to ensure the exercise of data subjects' rights, deletion of data and response to data compromise.
We would like to point out that data transmission on the Internet (e.g., when communicating by e-mail) can have security gaps. Complete protection of data against access by third parties is not possible.
Cooperation with processors, joint controllers and third parties
If, in the course of our processing, we disclose data to other persons and companies (order processors, jointly responsible persons or third parties), transfer it to them or otherwise grant them access to the data, this will only be done on the basis of legal permission (e.g. if a transfer of the data to third parties, such as to payment service providers, is necessary for the performance of the contract), users have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
If we disclose or transfer data to other companies in our group of companies or otherwise grant them access, this is done in particular for administrative purposes as a legitimate interest and, in addition, on a basis that complies with the legal requirements.
Transfers to third countries
If we process data in a third country (outside Oman) or do so in the context of using third-party services or disclosing or transferring data to other persons or companies, this will only be done if it is done to fulfill our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we will only process or allow data to be processed in a third country if the legal requirements are met. This means, for example, that the processing is carried out on the basis of special guarantees, such as the officially recognised determination of a level of data protection or compliance with officially recognised special contractual obligations.
Deletion of data
The data processed by us will be deleted or restricted in its processing in accordance with the legal requirements. Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations.
If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I.e., the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.
Data processing in relation to our services
Commercial and business services
We process data of our contractual partners, e.g., customers and guests and hosts in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractual), e.g., to answer enquiries.
We process this data to fulfill our contractual obligations, to secure our rights and for the purposes of the administrative tasks associated with this information as well as for business organization.
We only disclose the data of the contractual partners to third parties within the scope of the applicable law to the extent that this is necessary for the aforementioned purposes or for the fulfillment of legal obligations or with the consent of the contractual partners (e.g., to auxiliary services as well as subcontractors, banks, tax and legal advisers, payment service providers or tax authorities).
Unless otherwise specified the purposes of processing are Contractual performance and service, contact requests and communication, office and organizational procedures, administration, and response to requests, visit action evaluation, interest-based and behavioral marketing. And, the Legal bases are Contractual performance and pre-contractual inquiries, Legal obligation, and our Legitimate interests.
Technical services
We process the data of our customers and Customers in order to enable them to select, purchase or commission the selected services. The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for the provision of services and billing as well as contact information.
Unless otherwise specified the purposes of processing are Contractual performance and service, contact requests and communication, office and organizational procedures, administration, and response to requests, visit action evaluation, interest-based and behavioral marketing. And, the Legal bases are contractual performance and pre-contractual inquiries, Legal obligation, and our Legitimate interests.
Administration, financial accounting, office organization, contact management
We process data in the context of administrative tasks as well as organization of our operations, financial accounting and compliance with legal obligations, such as archiving. In this regard, we process the same data that we process in the course of providing our contractual services. The purpose and our interest in the processing lies in the administration, financial accounting, office organization, archiving of data, i.e., tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the data mentioned in these processing activities.
In this context, we disclose or transfer data to consultants, such as legal advisors or auditors, as well as other fee offices and payment service providers.
Furthermore, based on our business interests, we store information on suppliers, and other business partners, e.g., for the purpose of contacting them at a later date. This data, most of which is company-related, is generally stored permanently.
Data transfer to payment service providers
In order to fulfill the contract, we pass on your data to the company commissioned with the payment, insofar as this is necessary for the payment of our services. Depending on which payment method you select, we pass on the payment data collected for this purpose to the credit institution commissioned with the payment and, if applicable, to payment service providers commissioned by us or to the selected payment service provider. In some cases, the selected payment service providers also collect this data themselves. In this case, the privacy policy of the respective payment service provider applies. The legal basis for the data processing is contract.
The data processed by the payment services include the payment data mentioned above. The information is necessary to carry out the transactions. However, the customer data entered is only processed by the payment service providers and stored by them. Furthermore, we cannot exclude that data of the payment service provider is transmitted to credit agencies. In this regard, we refer to the terms and conditions and privacy policies of the respective payment service providers.
Data processing for the purpose of fraud prevention and optimization of our payment processes
Where applicable, we provide our service providers with further data, which they use together with the data necessary for the processing of the payment as our processors for the purpose of fraud prevention and optimization of our payment processes (e.g., invoicing, processing of contested payments, accounting support). This serves to protect our legitimate interests in our protection against fraud or in efficient payment management, which outweigh our interests in the context of a balancing of interests.
Legal defense and enforcement of our rights
The legal basis for the processing of your personal data in the context of legal defense and enforcement of our rights is our legitimate interest. The purpose of processing your personal data in the context of legal defense and enforcement of our rights is the defense against unjustified claims and the legal enforcement and assertion of claims and rights.
Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. The processing of your personal data in the context of legal defense and enforcement is mandatory for legal defense and enforcement of our rights. Consequently, there is no possibility for you to object.
Use of customer data for direct marketing purposes
If you have provided us with your e-mail address when using our Services, we reserve the right to regularly send you e-mail offers for similar services. We do not need to obtain your separate consent for this. In this respect, the data processing is carried out solely on the basis of our legitimate interest in personalized direct advertising. If you have initially objected to the use of your e-mail address for this purpose, we will not send you any e-mails.
You are entitled to object to the use of your e-mail address for the aforementioned advertising purpose at any time with effect for the future by notifying the responsible person named at the beginning. After receipt of your objection, the use of your e-mail address for advertising purposes will cease immediately. If you wish to object to the data analysis for statistical evaluation purposes, you must unsubscribe from the marketing.
Data processing in relation to our website
Log files
In principle, it is possible to use the Booking Travel website without providing personal data. When a page of our website is accessed and each time a file is retrieved, access data about this process is stored in a log file. The corresponding log file contains: Your IP address, the page from which the file was requested, the name of the file, the date and time of the request, the amount of data transferred, the access status (file transferred, file not found, etc.), a description of the type of operating system and web browser used. The stored data does not allow any conclusions to be drawn about your identity and is evaluated exclusively for statistical purposes.
The collection and processing of this data is carried out in order to enable the use of the website at all, on the basis of our legitimate interest, whereby our legitimate interest is the provision of our website. Incidentally, we store this aforementioned data, including the IP addresses, only in anonymized form and use it only in this anonymized form to analyze the use of the offer and the further development and optimization of our website in your interest. Our legitimate interest is the ongoing improvement of our website in order to provide you with the greatest possible user comfort.
Hosting
To provide our website, we use the services of AWS who process the below-mentioned data and all data to be processed in connection with the operation of our website on our behalf. The legal basis for the data processing is our legitimate interest in providing our website.
Contacting Us
If you contact us and send us general enquiries the contact details you provide, will be stored, and used by us to fulfill the purpose associated with the transmission, e.g., to process your enquiry or in the event of follow-up questions.
The basis for this storage and use of your personal data is your consent which you give us by sending the contact form. Insofar as you provide us with your personal data for the purpose of responding to your questions, the entry of personal data is required as without this information, we cannot process your request.
You have the right to revoke your consent to the data processing described above at any time with effect for the future. In this case, we will no longer process your data. Your personal data will be deleted even without your revocation in any case if we have processed your request or if the storage is inadmissible for other legal reasons.
Cookies
During the use of our website, so-called "cookies", small text files, are stored on your computer. Such cookies register information about your computer's navigation on our website (pages selected, day, time and duration of use, etc.). For further information on cookies in general, please visit www.allaboutcookies.org and for further details on the cookies we use, please refer to our Cookie Policy.
Creating an account
Personal data will continue to be collected and processed if you provide it to us for the performance of a contract or when opening an account. Which data is collected can be seen from the respective input forms. Deletion of your account is possible at any time and can be done by sending a message to us. We store and use the data provided by you for the purpose of processing the contract. After complete processing of the contract or deletion of your customer account, your data will be blocked with regard to tax and commercial law retention periods and deleted after expiry of these periods, unless you have expressly consented to a further use of your data or a legally permitted further use of data has been reserved on our part.
Profile
As a registered user (Guest and Host), you have the opportunity to create a user profile with just a few clicks and details. If you make use of the option, the relevant profile data you provide will be transferred to your profile. Of course, you can change the information at any time via the settings in your profile. When creating a profile, you can submit personal data such as your profile picture, property information, photos and images etc. Content and data are publicly viewable. You have choices about the information on your profile. You don’t have to provide additional information on your profile; however, profile information helps you to get more from our Services. It’s your choice whether to include sensitive information on your profile and to make that sensitive information public. Please do not post or add personal data to your profile that you would not want to be available. The legal basis for the processing of your personal data is the establishment and implementation of the user contract for the use of the service. We store the data until you delete your user account. Insofar as legal retention periods are to be observed, storage also takes place beyond the time of deletion of a user account.
Contacting others
Of course, we also process your chats and communications with other users as well as the content you publish, as necessary for the operation of the services. In addition to the information, you may provide us directly, we receive information about you from others. Members may provide information about you as they use our services, for instance as they interact with you or if they submit a report involving you.
We also share some members’ information with service providers and partners who assist us in operating the services. You share information with other members when you voluntarily disclose information on the service (including your profile). Please be careful with your information and make sure that the content you share is stuff that you’re comfortable being visible. If you choose to limit the audience for all or part of your profile or for certain content or information about you, then it will be visible according to your settings.
Processing of data for payments
If you make a booking, it will be processed via the payment service provider PayPal and payment will solely be processed through the relevant payment systems. The legal basis for the provision of a payment system is the establishment and implementation of the user contract for the use of the service. Please note we do not directly store payment data. Any data or fees collected by PayPal payment processor is not the responsibility of Istedafah.
Miscellaneous and Closing
Children Data
Our website is not intended for children, and we do not knowingly collect data relating to children. If you become aware that your Child has provided us with Personal Data, without parental consent, please contact us, and we take the necessary steps to remove that information from our server.
External Links
Our website contains links to the websites of other providers. We hereby point out that we have no influence on the content of the linked websites and the compliance with data protection regulations by their providers.
Changes and updates to the privacy policy
We kindly ask you to regularly inform yourself about the content of our Privacy Policy. We will amend the privacy policy as soon as changes to the data processing activities we carry out make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g., consent) or other individual notification.
Concerns and Contact
If you have any concerns about a possible compromise of your privacy or misuse of your personal data on our part, or any other questions or comments, you can contact us.
Exercising your rights
If you would like to exercise any of our rights as set out above in the” What are your rights?” section above or have a complaint, please contact our DPO. Any such request will be responded to within one month and we might require proof of identity to verify and process your request.