Privacy Policy

This Privacy Policy was last updated on Sunday, 18 June 2023

 

Welcome to www.istedafah.com! In the below Privacy Policy, we inform you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as "data") in the context of the provision of our website.

We attach great importance to the security of your data and compliance with applicable data protection regulations. The collection, processing and use of personal data is subject to the provisions of Oman's Personal Data Protection Law (PDPL) and the General Data Protection Regulation (GDPR).

 

Data Controller

The person responsible within the meaning of the PDPL and GDPR is: Istedafah Businesses.

Salalah, Oman

E-Mail: info@istedafah.com

 

Data Protection Officer

In accordance with Article 19 of the PDPL, we are required to have a Data Protection Officer (DPO). Our DPO is Istedafah Businesses and can be contacted at info@istedafah.com.

 

Accuracy

It is important that the data we hold about you is accurate and current, therefore please keep us informed of any changes to your personal data.

 

What are the categories of data subjects?

Customers, interested parties, visitors and users of the website, and business partners. In the following, we refer to the data subjects collectively as "users".

 

What are the purposes for processing?

  • Provision of the website, its contents, and functions.
  • Provision of contractual services, service, and customer care.
  • Answering contact enquiries and communication with users.
  • Marketing, advertising, and market research.
  • Security measures.

 

What are the relevant legal bases for processing your data?

The following informs you about the legal bases on which we process your data. Where a legal basis is not specifically mentioned, the following applies:

 

  • Consent – This is where we have asked you to provide explicit permission to process your data for a particular purpose.
  • Contract – This is where we process your information to fulfill a contractual arrangement we have made with you.
  • Answering your business enquiries – This is where we process your information to reply to your messages, e-mails, posts, calls, etc.
  • Legitimate Interests – This is where we rely on our interests as a reason for processing; generally, this is to provide you with the best products and service in the most secure and appropriate way. Of course, before relying on any of those legitimate interests, we balance them against your interests and make sure they are compelling enough and will not cause any unwarranted harm.
  • Legal Obligation – This is where we have a statutory or other legal obligation to process the information, such as for the investigation of crime.

 

Data Protection Principles

All personal data must be:

 

  • processed lawfully, fairly and in a transparent manner in relation to the data subject;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes subject to appropriate safeguards, and provided that there is no risk of breaching the privacy of the data subject.
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

 

What are your rights?

You have a number of rights; these rights are standardized in the PDPL and GDPR and include:

 

  • the right to information,
  • the right to rectification,
  • the right to erasure,
  • the right to restriction of data processing,
  • the right to data portability,
  • the right to object to data processing,
  • the right to revoke any consent you have given, and
  • the right to lodge a complaint with the competent supervisory authority.

 

The above rights may be limited in some circumstances, for example, if fulfilling your request would reveal Personal Data about another person, if you ask us to delete information which we are required to have by law, or if we have compelling legitimate interests to keep it.

 

We will let you know if that is the case and will then only use your information for these purposes. You may also be unable to continue using our services if you want us to stop processing your Personal Data.

 

Please contact us at any time with questions and suggestions regarding data protection and to enforce your rights as a data subject.

 

Types of data processed

  • Inventory data (e.g., personal master data, names or addresses).
  • Verification Data (e.g., proof of identity, proof of address).
  • Contact data (e.g., e-mail, telephone numbers).
  • Content data (e.g., text input, property data, photographs, videos).
  • Usage data (e.g., web sites visited, interest in content, access times).
  • Payment Data (e.g., when you pay for our services).
  • Meta/communication data (e.g., device information, IP addresses).

 

Categories of data subjects

Visitors and users of the website, as well as guests and hosts (collectively as "users").

How we use information

The main reason we use your information is to provide and improve our services. We also use your information to protect you and to provide you with advertisements that may be of interest to you.

 

  • to provide our services to you;
  • to provide you with customer support and respond to your inquiries;
  • to complete your transactions;
  • to communicate with you about our services;
  • to improve our services and develop new services;
  • to develop new features and services;
  • to prevent, detect and respond to fraud or other illegal or unauthorized activities;
  • to address ongoing or perceived misconduct;
  • to perform data analysis to better understand these activities and develop countermeasures;
  • to retain data related to fraudulent activity to prevent recurrence;
  • to ensure compliance with laws;
  • to comply with legal requirements;
  • to assist law enforcement; and
  • to enforce or exercise our rights.

 

Security measures

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

 

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, input, disclosure, ensuring availability and segregation of the data. We also have procedures in place to ensure the exercise of data subjects' rights, deletion of data and response to data compromise.

 

We would like to point out that data transmission on the Internet (e.g., when communicating by e-mail) can have security gaps. Complete protection of data against access by third parties is not possible.

 

Cooperation with processors, joint controllers and third parties

If, in the course of our processing, we disclose data to other persons and companies (order processors, jointly responsible persons or third parties), transfer it to them or otherwise grant them access to the data, this will only be done on the basis of legal permission (e.g., if a transfer of the data to third parties, such as to payment service providers, is necessary for the performance of the contract), if users have consented, if a legal obligation provides for this, or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.).

 

If we disclose or transfer data to other companies in our group of companies or otherwise grant them access, this is done in particular for administrative purposes as a legitimate interest and, in addition, on a basis that complies with the legal requirements.

 

Transfers to third countries

If we process data in a third country (outside Oman) or do so in the context of using third-party services or disclosing or transferring data to other persons or companies, this will only be done if it is done to fulfill our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we will only process or allow data to be processed in a third country if the legal requirements are met. This means, for example, that the processing is carried out on the basis of special guarantees, such as the officially recognised determination of a level of data protection or compliance with officially recognised special contractual obligations.

 

Deletion of data

The data processed by us will be deleted or restricted in its processing in accordance with the legal requirements. Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations.

 

If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted, i.e., the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.

 

Data processing in relation to our services

Commercial and business services

We process data of our contractual partners, e.g., customers and guests and hosts in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractual), e.g., to answer enquiries.

 

We process this data to fulfill our contractual obligations, to secure our rights and for the purposes of the administrative tasks associated with this information as well as for business organization.

 

We only disclose the data of the contractual partners to third parties within the scope of the applicable law to the extent that this is necessary for the aforementioned purposes or for the fulfillment of legal obligations or with the consent of the contractual partners (e.g., to auxiliary services as well as subcontractors, banks, tax and legal advisers, payment service providers or tax authorities).

 

Unless otherwise specified, the purposes of processing are contractual performance and service, contact requests and communication, office and organizational procedures, administration, and response to requests, visit action evaluation, interest-based and behavioral marketing. The legal bases are contractual performance and pre-contractual inquiries, legal obligation, and our legitimate interests.

 

Technical services

We process the data of our customers in order to enable them to select, purchase or commission the selected services. The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information required for the provision of services and billing as well as contact information.

 

Unless otherwise specified, the purposes of processing are contractual performance and service, contact requests and communication, office and organizational procedures, administration, and response to requests, visit action evaluation, interest-based and behavioral marketing. The legal bases are contractual performance and pre-contractual inquiries, legal obligation, and our legitimate interests.

 

Administration, financial accounting, office organization, contact management

We process data in the context of administrative tasks as well as organization of our operations, financial accounting and compliance with legal obligations, such as archiving. In this regard, we process the same data that we process in the course of providing our contractual services. The purpose and our interest in the processing lies in the administration, financial accounting, office organization, archiving of data, i.e., tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the data mentioned in these processing activities.

 

In this context, we disclose or transfer data to consultants, such as legal advisors or auditors, as well as other fee offices and payment service providers.

 

Furthermore, based on our business interests, we store information on suppliers, and other business partners, e.g., for the purpose of contacting them at a later date. This data, most of which is company-related, is generally stored permanently.

 

Data transfer to payment service providers

In order to fulfill the contract, we pass on your data to the company commissioned with the payment, insofar as this is necessary for the payment of our services. Depending on which payment method you select, we pass on the payment data collected for this purpose to the credit institution commissioned with the payment and, if applicable, to payment service providers commissioned by us or to the selected payment service provider. In some cases, the selected payment service providers also collect this data themselves. In this case, the privacy policy of the respective payment service provider applies. The legal basis for the data processing is contract.

 

The data processed by the payment services include the payment data mentioned above. The information is necessary to carry out the transactions. However, the customer data entered is only processed by the payment service providers and stored by them. Furthermore, we cannot exclude that data of the payment service provider is transmitted to credit agencies. In this regard, we refer to the terms and conditions and privacy policies of the respective payment service providers.

 

Data processing for the purpose of fraud prevention and optimization of our payment processes

Where applicable, we provide our service providers with further data, which they use together with the data necessary for the processing of the payment as our processors for the purpose of fraud prevention and optimization of our payment processes (e.g., invoicing, processing of contested payments, accounting support). This serves to protect our legitimate interests in our protection against fraud or in efficient payment management, which outweigh our interests in the context of a balancing of interests.

 

Legal defense and enforcement of our rights

The legal basis for the processing of your personal data in the context of legal defense and enforcement of our rights is our legitimate interest. The purpose of processing your personal data in the context of legal defense and enforcement of our rights is the defense against unjustified claims and the legal enforcement and assertion of claims and rights.

 

Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. The processing of your personal data in the context of legal defense and enforcement is mandatory for legal defense and enforcement of our rights. Consequently, there is no possibility for you to object.

 

Use of customer data for direct marketing purposes

If you have provided us with your e-mail address when using our Services, we reserve the right to regularly send you e-mail offers for similar services. We do not need to obtain your separate consent for this. In this respect, the data processing is carried out solely on the basis of our legitimate interest in personalized direct advertising. If you have initially objected to the use of your e-mail address for this purpose, we will not send you any e-mails.

 

You are entitled to object to the use of your e-mail address for the aforementioned advertising purpose at any time with effect for the future by notifying the responsible person named at the beginning. After receipt of your objection, the use of your e-mail address for advertising purposes will cease immediately. If you wish to object to the data analysis for statistical evaluation purposes, you must unsubscribe from the marketing.

 

Data processing in relation to our website

Log files

In principle, it is possible to use the Booking Travel website without providing personal data. When a page of our website is accessed and each time a file is retrieved, access data about this process is stored in a log file. The corresponding log file contains: Your IP address, the page from which the file was requested, the name of the file, the date and time of the request, the amount of data transferred, the access status (file transferred, file not found, etc.), a description of the type of operating system and web browser used. The stored data does not allow any conclusions to be drawn about your identity and is evaluated exclusively for statistical purposes.

 

The collection and processing of this data is carried out in order to enable the use of the website at all, on the basis of our legitimate interest, whereby our legitimate interest is the provision of our website. Incidentally, we store this aforementioned data, including the IP addresses, only in anonymized form and use it only in this anonymized form to analyze the use of the offer and the further development and optimization of our website in your interest. Our legitimate interest is the ongoing improvement of our website in order to provide you with the greatest possible user comfort.

 

Hosting

To provide our website, we use the services of AWS, which processes the below-mentioned data and all data to be processed in connection with the operation of our website on our behalf. The legal basis for the data processing is our legitimate interest in providing our website.

 

Contacting Us

If you contact us and send us general enquiries, the contact details you provide will be stored and used by us to fulfill the purpose associated with the transmission, e.g., to process your enquiry or in the event of follow-up questions.

 

The basis for this storage and use of your personal data is your consent which you give us by sending the contact form. Insofar as you provide us with your personal data for the purpose of responding to your questions, the entry of personal data is required as without this information, we cannot process your request.

 

You have the right to revoke your consent to the data processing described above at any time with effect for the future. In this case, we will no longer process your data. Your personal data will be deleted even without your revocation in any case if we have processed your request or if the storage is inadmissible for other legal reasons.

 

Cookies

During the use of our website, so-called "cookies", small text files, are stored on your computer. Such cookies register information about your computer's navigation on our website (pages selected, day, time and duration of use, etc.). For further information on cookies in general, please visit www.allaboutcookies.org and for further details on the cookies we use, please refer to our Cookie Policy.

 

Creating an account

Personal data will continue to be collected and processed if you provide it to us for the performance of a contract or when opening an account. Which data is collected can be seen from the respective input forms. Deletion of your account is possible at any time and can be done by sending a message to us. We store and use the data provided by you for the purpose of processing the contract. After complete processing of the contract or deletion of your customer account, your data will be blocked with regard to tax and commercial law retention periods and deleted after expiry of these periods, unless you have expressly consented to a further use of your data or a legally permitted further use of data has been reserved on our part.

 

Profile

As a registered user (Guest and Host), you have the opportunity to create a user profile with just a few clicks and details. If you make use of the option, the relevant profile data you provide will be transferred to your profile. Of course, you can change the information at any time via the settings in your profile. When creating a profile, you can submit personal data such as your profile picture, property information, photos and images etc. Content and data are publicly viewable. You have choices about the information on your profile. You don’t have to provide additional information on your profile; however, profile information helps you to get more from our Services. It’s your choice whether to include sensitive information on your profile and to make that sensitive information public. Please do not post or add personal data to your profile that you would not want to be available. The legal basis for the processing of your personal data is the establishment and implementation of the user contract for the use of the service. We store the data until you delete your user account. Insofar as legal retention periods are to be observed, storage also takes place beyond the time of deletion of a user account.

 

Contacting others

Of course, we also process your chats and communications with other users as well as the content you publish, as necessary for the operation of the services. In addition to the information you may provide us directly, we receive information about you from others. Members may provide information about you as they use our services, for instance as they interact with you or if they submit a report involving you.

 

We also share some members’ information with service providers and partners who assist us in operating the services. You share information with other members when you voluntarily disclose information on the service (including your profile). Please be careful with your information and make sure that the content you share is stuff that you’re comfortable being visible. If you choose to limit the audience for all or part of your profile or for certain content or information about you, then it will be visible according to your settings.

 

Processing of data for payments

If you make a booking, it will be processed via the payment service provider PayPal and payment will solely be processed through the relevant payment systems. The legal basis for the provision of a payment system is the establishment and implementation of the user contract for the use of the service. Please note we do not directly store payment data. Any data or fees collected by the PayPal payment processor are not the responsibility of Istedafah.

 

 

Miscellaneous and Closing

Children Data

Our website is not intended for children, and we do not knowingly collect data relating to children. If you become aware that your child has provided us with Personal Data without parental consent, please contact us, and we will take the necessary steps to remove that information from our server.

 

External Links

Our website contains links to the websites of other providers. We hereby point out that we have no influence on the content of the linked websites and the compliance with data protection regulations by their providers.

 

Changes and updates to the privacy policy

We kindly ask you to regularly inform yourself about the content of our Privacy Policy. We will amend the privacy policy as soon as changes to the data processing activities we carry out make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g., consent) or other individual notification.

 

Concerns and Contact

If you have any concerns about a possible compromise of your privacy or misuse of your personal data on our part, or any other questions or comments, you can contact us.

 

Exercising your rights

If you would like to exercise any of your rights as set out in the "What are your rights?" section above or have a complaint, please contact our DPO. Any such request will be responded to within one month and we might require proof of identity to verify and process your request.