Privacy Policy
AlbaCulture Tour Operator
Licensed Cultural Tours in Albania
Last Updated: January 2025
1. Introduction
Welcome to AlbaCulture (“we,” “us,” “our,” or “AlbaCulture”). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website https://albaculture.com, use our services, or communicate with us.
This Privacy Policy applies to all information collected through our website, email, phone communications, WhatsApp, and any related services, sales, marketing, or events (collectively, “Services”).
Please read this Privacy Policy carefully. By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our Services.
Company Information
AlbaCulture Tour Operator
Licensed Tour Operator in Albania
Email: info@albaculture.com
Telephone: +355 69 692 2676 (WhatsApp preferred)
Website: www.albaculture.com
2. Information We Collect
We collect personal information that you voluntarily provide to us when you express an interest in obtaining information about us or our products and Services, when you participate in activities on the Website, or otherwise when you contact us.
2.1 Personal Information You Provide to Us
The personal information we collect depends on the context of your interactions with us and the choices you make. The personal information we may collect includes:
Contact Information:
- First name and last name
- Email address
- Phone number (including WhatsApp contact)
- Mailing address, city, state/province, postal/ZIP code, country
Booking and Travel Information:
- Passport information (number, issue date, expiration date, nationality)
- Date of birth
- Emergency contact details
- Travel companion information (names and relationships)
- Travel dates and preferences
- Accommodation preferences
Health and Dietary Information:
- Medical conditions relevant to tour participation
- Mobility limitations or accessibility requirements
- Dietary restrictions and allergies
- Medication requirements (where relevant to tour safety)
Payment Information:
- Bank transfer details and payment receipts
- Billing address
- Transaction records
Communication Information:
- Information contained in or relating to any communication you send to us (email content, inquiry forms, chat messages)
- Records of correspondence and conversations with our staff
Social Media Information:
- If you interact with us through social media platforms, we may receive information from those platforms, including your profile information and any content you share with us
Other Information:
- Tour reviews and feedback
- Marketing preferences
- Special requests or requirements
- Photographs or videos (if you participate in tours and consent to promotional use)
2.2 Information Automatically Collected
When you visit our Website, we may automatically collect certain information about your device and browsing actions, including:
Technical Information:
- IP address
- Browser type and version
- Operating system
- Device type (desktop, mobile, tablet)
- Time zone setting and location
- Browser plug-in types and versions
Usage Information:
- Pages you visit on our Website
- Time and date of your visit
- Time spent on pages
- Links you click
- Page response times and download errors
- Referring/exit pages and URLs
Tracking Technologies: We use cookies and similar tracking technologies to collect and track information and to improve and analyze our Services. You can control cookies through your browser settings.
2.3 Information from Third Parties
We may receive information about you from:
Service Providers:
- Hotel partners (booking confirmations, special requests)
- Transportation providers
- Restaurant and activity partners
- Payment processors
Public Sources:
- Travel review websites (if you post reviews about our services)
- Social media platforms (if you tag or mention us)
3. How We Use Your Information
We use personal information collected via our Services for a variety of business purposes described below. We process your personal information for these purposes with your consent and/or in compliance with our legal obligations.
3.1 Legitimate Business Purposes
To Provide and Manage Our Services:
- Process and manage your tour bookings and reservations
- Coordinate accommodation, transportation, guides, and activities
- Provide customer support and respond to inquiries
- Communicate with you about your booking (confirmations, changes, reminders)
- Arrange special requirements (dietary needs, accessibility accommodations)
- Provide emergency assistance during tours
To Process Payments:
- Facilitate payment transactions and issue invoices
- Maintain payment records for accounting and tax purposes
- Detect and prevent fraud
To Comply with Legal Obligations:
- Report tourism statistics to Albanian authorities as required by Law No. 93/2015 “On Tourism”
- Maintain records for tax compliance (7-year retention required by Albanian law)
- Respond to legal requests and prevent illegal activities
- Comply with Albanian data protection and tourism regulations
To Communicate with You:
- Send booking confirmations and updates
- Respond to your inquiries and requests
- Send you important notices about changes to our Terms and Conditions or Privacy Policy
- Provide tour-related information and documentation
- Send pre-departure information and travel tips
To Improve Our Services:
- Analyze Website usage and tour feedback to improve our offerings
- Conduct research and development
- Test new features and services
- Troubleshoot technical issues
For Marketing and Promotional Purposes (with your consent):
- Send you newsletters, promotional materials, and special offers about our tours
- Share information about new tour packages and Albanian travel experiences
- Display targeted advertising (if you have consented)
You can opt out of marketing communications at any time by clicking the “unsubscribe” link in our emails or contacting us directly.
To Protect Our Business:
- Monitor and analyze usage and trends
- Prevent fraudulent transactions and protect against criminal activity
- Enforce our Terms and Conditions
- Protect our legal rights and interests
3.2 With Your Consent
We may use your information for other purposes with your explicit consent, such as:
- Using photographs or videos featuring you for promotional purposes
- Sending you marketing communications
- Sharing your information with specific third parties you have authorized
You may withdraw your consent at any time by contacting us.
4. How We Share Your Information
We may share your personal information in the following situations:
4.1 Service Providers and Business Partners
We share your information with third-party service providers who perform services on our behalf or help us provide our tours:
Tourism Service Partners:
- Hotels and accommodation providers (name, contact details, special requests, dietary requirements)
- Transportation companies and drivers (name, contact details, pickup locations)
- Licensed tour guides (name, contact details, relevant health/mobility information)
- Restaurants and catering services (name, dietary restrictions)
- Museums, archaeological sites, and attraction partners (group information)
- Travel insurance providers (if arranged through us)
Business Service Providers:
- Payment processors and banking institutions (payment and billing information)
- IT service providers and website hosting (technical information)
- Email and communication service providers
- Analytics and advertising providers (anonymized or aggregated data)
- Legal and accounting professionals (as necessary for compliance)
All service providers are contractually required to protect your information and use it only for the purposes we specify.
4.2 Legal and Regulatory Authorities
We may disclose your information to government authorities, regulators, or law enforcement when:
- Required by Albanian law or legal process
- Necessary to respond to legal claims or proceedings
- Required for tourism reporting to the Albanian Ministry of Tourism and Environment
- Necessary to comply with tax and financial regulations
- Required to protect public safety or prevent crime
- Necessary to enforce our Terms and Conditions or protect our rights
4.3 Business Transfers
If AlbaCulture is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
4.4 With Your Consent
We may share your information with third parties when you have given us specific consent to do so, such as:
- Sharing tour reviews you provide with us on our website or social media
- Using photographs or videos featuring you in promotional materials
- Providing references or recommendations at your request
4.5 Aggregated or Anonymized Data
We may share aggregated or anonymized information that cannot identify you personally with:
- Tourism industry partners for research and analysis
- Marketing agencies for industry reports
- Public authorities for statistical purposes
5. Tracking Technologies and Cookies
5.1 What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They help websites recognize your device and remember information about your visit.
5.2 How We Use Cookies
We use cookies and similar tracking technologies for the following purposes:
Essential Cookies (Required):
- Enable core website functionality
- Remember your language preferences
- Maintain security and prevent fraud
- Ensure website stability
Analytics Cookies:
- Understand how visitors use our Website
- Track Website performance and identify technical issues
- Analyze user behavior to improve our Services
- Generate statistical reports about Website usage
We use Google Analytics to collect and analyze Website usage data. Google Analytics uses cookies to track your interactions with our Website. The information generated (including your IP address) is transmitted to and stored by Google on servers worldwide. Google uses this information to evaluate your use of our Website, compile reports on Website activity, and provide other services related to Website activity and internet usage.
Learn more about Google Analytics:
Functionality Cookies:
- Remember your preferences and settings
- Pre-fill contact forms with your information
- Provide enhanced features and personalization
Marketing and Advertising Cookies (Optional):
- Deliver relevant advertisements based on your interests
- Measure advertising campaign effectiveness
- Limit the number of times you see an advertisement
- Track whether you clicked on our advertisements
5.3 Cookie Duration
- Session Cookies: Temporary cookies deleted when you close your browser
- Persistent Cookies: Remain on your device for a set period or until you delete them
5.4 Managing Cookies
Browser Settings: You can control and manage cookies through your browser settings. Most browsers allow you to:
- View and delete cookies
- Block cookies from specific websites
- Block all third-party cookies
- Delete all cookies when you close your browser
- Enable “do not track” settings
Note: Disabling certain cookies may affect Website functionality and prevent you from using some features.
Browser-Specific Instructions:
Opt-Out Tools:
- Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout
5.5 Do Not Track Signals
Some browsers have “Do Not Track” (DNT) features. Currently, there is no industry standard for responding to DNT signals. We do not currently respond to DNT browser signals.
6. International Data Transfers
AlbaCulture is based in Albania. If you access our Services from outside Albania, your information may be transferred to, stored, and processed in Albania.
Data Protection Standards: Albania has adopted data protection legislation aligned with European standards. However, Albanian data protection laws may differ from laws in your country.
Transfers to Third Countries: Some of our service providers (such as Google Analytics, email service providers, or website hosting) may be located in countries outside Albania and the European Economic Area (EEA), including the United States.
When we transfer your personal information to third countries, we implement appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission
- Ensuring service providers maintain adequate data protection standards
- Relying on adequacy decisions where applicable
By using our Services, you acknowledge and consent to the transfer of your information to Albania and other countries where our service providers operate.
7. Data Security
7.1 Security Measures
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
Technical Security:
- Secure Sockets Layer (SSL) encryption for data transmission
- Secure servers and databases with access controls
- Regular security updates and patches
- Firewalls and intrusion detection systems
- Encrypted backups of critical data
Organizational Security:
- Restricted access to personal information (only authorized personnel)
- Confidentiality agreements with employees and contractors
- Regular security training for staff
- Security audits and risk assessments
- Incident response procedures
Physical Security:
- Secure office premises with access controls
- Secure storage of physical documents containing personal information
- Secure disposal procedures for sensitive documents
7.2 Payment Security
We do not store complete credit card information. Payment processing is handled through secure bank transfers. You are responsible for maintaining the security of your bank account information and ensuring secure transmission of payment details.
7.3 Limitations
No System Is Completely Secure: While we implement reasonable security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.
Your Responsibility: You are responsible for:
- Maintaining the confidentiality of your account information
- Using secure internet connections when transmitting sensitive information
- Not sharing personal information unnecessarily
- Reporting any suspected security breaches to us immediately
Third-Party Security: We are not responsible for the security practices of third-party websites you may access through links on our Website. Review their privacy policies before providing information.
8. Data Retention
8.1 Retention Periods
We retain your personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy and to comply with legal obligations.
Active Booking Data:
- During the booking process and tour duration
- Plus 12 months after tour completion for customer support and feedback purposes
Financial and Tax Records:
- 7 years after transaction date (required by Albanian tax law)
- Includes invoices, payment records, and booking documentation
Marketing Communications:
- Until you unsubscribe or request deletion
- Minimum retention for suppression lists to ensure you don’t receive unwanted communications
Legal and Dispute Records:
- Duration of legal proceedings or disputes
- Plus applicable statute of limitations period (typically 1 year for tourism claims under Albanian law)
Website Analytics Data:
- Typically 26 months for Google Analytics (automatically deleted by Google)
- Aggregated data may be retained indefinitely as it cannot identify you
8.2 Deletion After Retention Period
After the retention period expires, we securely delete or anonymize your personal information using:
- Secure deletion software for electronic data
- Physical destruction (shredding) for paper documents
- Anonymization techniques that make re-identification impossible
8.3 Exceptions
We may retain certain information beyond standard retention periods when:
- Required by law or regulatory authorities
- Necessary for ongoing legal proceedings
- You have specifically requested continued retention
- Necessary to establish, exercise, or defend legal claims
9. Your Data Protection Rights (GDPR)
If you are a resident of the European Economic Area (EEA) or the United Kingdom, you have specific data protection rights under the General Data Protection Regulation (GDPR) and UK GDPR.
9.1 Right to Access
You have the right to request access to the personal information we hold about you. You can request:
- Confirmation of whether we process your personal information
- A copy of your personal information
- Information about how we use and share your information
How to Exercise: Contact us at info@albaculture.com with “Data Access Request” in the subject line.
Response Time: We will respond within 30 days of receiving your request.
Fee: The first copy is free. Additional copies may incur a reasonable administrative fee.
9.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal information.
How to Exercise: Contact us at info@albaculture.com with “Data Correction Request” and specify the information requiring correction.
Response Time: We will correct inaccurate information within 30 days.
9.3 Right to Erasure (“Right to Be Forgotten”)
You have the right to request deletion of your personal information in certain circumstances:
- The information is no longer necessary for the purposes it was collected
- You withdraw consent (where processing was based on consent)
- You object to processing and there are no overriding legitimate grounds
- The information was unlawfully processed
- Erasure is required to comply with legal obligations
Limitations: We may refuse erasure if we need to retain information to:
- Comply with legal obligations (e.g., 7-year tax retention requirement)
- Establish, exercise, or defend legal claims
- Fulfill a contract with you
How to Exercise: Contact us at info@albaculture.com with “Deletion Request.”
9.4 Right to Restriction of Processing
You have the right to request that we limit how we use your personal information in certain circumstances:
- You contest the accuracy of the information (restriction during verification)
- Processing is unlawful but you don’t want deletion
- We no longer need the data but you need it for legal claims
- You have objected to processing (restriction pending verification)
How to Exercise: Contact us at info@albaculture.com with “Restriction Request.”
9.5 Right to Data Portability
You have the right to receive your personal information in a structured, commonly used, machine-readable format and transmit it to another controller when:
- Processing is based on consent or contract
- Processing is carried out by automated means
How to Exercise: Contact us at info@albaculture.com with “Data Portability Request.”
Format: We will provide data in CSV or PDF format unless you specify another format.
9.6 Right to Object
You have the right to object to processing of your personal information when:
- Processing is based on legitimate interests
- Processing is for direct marketing purposes
Direct Marketing: You can opt out of marketing communications at any time by:
- Clicking “unsubscribe” in marketing emails
- Contacting us at info@albaculture.com
- Calling us at +355 69 692 2676
Other Processing: You may object to other processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
9.7 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
How to Exercise: Contact us at info@albaculture.com or use opt-out mechanisms provided in communications.
9.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority if you believe we have violated your data protection rights.
Albanian Authority: Commissioner for the Right to Information and Personal Data Protection
Address: Blvd. “Zhan D’Ark”, No. 3, Tirana, Albania
Website: www.idp.al
Email: info@idp.al
EU Citizens: You may also lodge a complaint with the supervisory authority in your country of residence.
9.9 Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or significantly affects you.
9.10 Exercising Your Rights
How to Submit Requests:
- Email: info@albaculture.com (preferred method)
- Phone: +355 69 692 2676
- Post: AlbaCulture Tour Operator, [complete address]
Verification: We may request additional information to verify your identity before processing your request to prevent unauthorized access to your information.
Response Time: We will respond to requests within 30 days. If we need more time (maximum 60 days total), we will notify you of the extension and reasons.
Fees: Requests are generally free. We may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.
Refusal: If we refuse your request, we will explain the reasons and inform you of your right to lodge a complaint with a supervisory authority.
10. Marketing Communications
10.1 Types of Marketing Communications
With your consent, we may send you:
- Email newsletters about Albanian travel and culture
- Promotional offers and special tour discounts
- Information about new tour packages and destinations
- Seasonal travel tips and destination guides
- Invitations to events or webinars
10.2 How We Obtain Consent
We obtain consent for marketing communications when you:
- Check the opt-in box on our contact form
- Subscribe to our newsletter
- Request information about our tours (implied interest)
- Attend our events and provide contact information
10.3 Opt-Out Mechanisms
You can opt out of marketing communications at any time by:
Email Unsubscribe:
- Click the “unsubscribe” link at the bottom of any marketing email
- Your preferences will be updated immediately
Contact Us Directly:
- Email: info@albaculture.com with “Unsubscribe” in the subject line
- Phone: +355 69 692 2676
- Specify which communications you want to stop
Update Preferences:
- Contact us to update your communication preferences without completely unsubscribing
10.4 Effect of Opt-Out
What Stops:
- Promotional emails and newsletters
- Marketing offers and advertisements
- Non-essential travel tips and information
What Continues:
- Transactional emails about your bookings (confirmations, updates, invoices)
- Important service announcements
- Responses to your inquiries
- Legal notifications
10.5 Processing Time
Opt-out requests are processed within 5 business days. You may receive communications already in progress during this period.
11. Third-Party Websites and Services
11.1 Links to Other Websites
Our Website may contain links to third-party websites, including:
- Hotel and accommodation websites
- Airline booking platforms
- Albanian tourism information sites
- Social media platforms
- Payment processors
- Travel review sites
We Are Not Responsible: These third-party websites have their own privacy policies. We do not control and are not responsible for the privacy practices or content of third-party websites. We encourage you to review their privacy policies before providing any information.
11.2 Social Media Features
Our Website may include social media features such as:
- Facebook, Instagram, Twitter, LinkedIn sharing buttons
- “Like” or “Follow” buttons
- Embedded social media feeds
These features may collect your IP address, pages visited, and may set cookies. Social media features are hosted by third parties or directly on our Website. Your interactions with these features are governed by the privacy policies of the companies providing them.
11.3 Third-Party Service Providers
We use third-party service providers that may collect information about you:
Google Analytics:
- Collects Website usage data
- Privacy policy: https://policies.google.com/privacy
- Opt-out: https://tools.google.com/dlpage/gaoptout
Email Service Providers:
- Process and deliver our email communications
- Subject to their privacy policies and data processing agreements
Payment Processors:
- Process bank transfers and payment transactions
- Subject to banking privacy and security regulations
11.4 Your Responsibility
You are responsible for:
- Reviewing third-party privacy policies
- Understanding how third parties use your information
- Managing privacy settings on third-party platforms
- Making informed decisions about sharing information
12. Children’s Privacy
12.1 Age Restrictions
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 13 years of age without verifiable parental consent.
12.2 Minors Traveling with Adults
When minors (under 18) participate in our tours:
- They must be accompanied by a parent or legal guardian
- The parent/guardian must provide consent for the minor’s participation
- The parent/guardian accepts our Terms and Conditions on the minor’s behalf
- We collect only information necessary for tour participation and safety
Information Collected About Minors:
- Name and age
- Passport information (for border crossings and accommodation)
- Emergency contact information
- Relevant health or dietary information (for safety)
- Parent/guardian contact details
12.3 Parental Rights
Parents and guardians have the right to:
- Review personal information we hold about their children
- Request correction or deletion of information
- Refuse further collection or use of their child’s information
Exercise Rights: Contact info@albaculture.com with “Minor’s Privacy Request” in the subject line.
12.4 If We Discover We Have Collected Children’s Data
If we learn we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information as quickly as possible. If you believe we have collected information from a child under 13, please contact us immediately at info@albaculture.com.
12.5 COPPA Compliance
While we are based in Albania, we respect the U.S. Children’s Online Privacy Protection Act (COPPA) and do not knowingly collect information from children under 13 without parental consent.
13. California Privacy Rights
13.1 California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
13.2 Information We Collect
In the past 12 months, we have collected the following categories of personal information from California residents:
- Identifiers: Name, email address, phone number, postal address, IP address
- Personal information under Cal. Civ. Code § 1798.80: Name, address, telephone number, passport information, payment information
- Protected classifications: Age, date of birth, nationality
- Commercial information: Booking history, payment records, tour preferences
- Internet activity: Website browsing history, search history, interaction with our Website
- Geolocation data: IP address-based location
- Sensory information: Photographs or videos (with consent)
- Professional information: If provided in communications
- Inferences: Preferences and characteristics derived from your activity
13.3 How We Use Personal Information
We use personal information for the business and commercial purposes described in Section 3 of this Privacy Policy, including:
- Providing and managing tour services
- Processing payments
- Marketing and advertising (with consent)
- Analyzing and improving our services
- Complying with legal obligations
13.4 Sharing Personal Information
We share personal information with the categories of third parties described in Section 4 of this Privacy Policy, including service providers, business partners, and legal authorities.
Sale of Personal Information: We do NOT sell personal information to third parties for monetary consideration.
Sharing for Cross-Context Behavioral Advertising: We may share personal information with advertising partners for targeted advertising purposes. This may constitute “sharing” under CPRA.
13.5 Your California Privacy Rights
Right to Know: You have the right to request that we disclose:
- Categories of personal information collected
- Sources of personal information
- Business or commercial purpose for collecting information
- Categories of third parties with whom we share information
- Specific pieces of personal information we have collected about you
Right to Delete: You have the right to request deletion of personal information we collected from you, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: You have the right to opt out of the “sale” or “sharing” of your personal information.
Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those specified in CPRA regulations.
Right to Non-Discrimination: We will not discriminate against you for exercising your CPRA rights, including by:
- Denying goods or services
- Charging different prices or rates
- Providing different quality of services
- Suggesting you will receive different prices or quality of services
13.6 Exercising Your Rights
How to Submit Requests:
- Email: info@albaculture.com with “California Privacy Request” in the subject line
- Phone: +355 69 692 2676
- Website: Visit https://albaculture.com/contact
Verification: We will verify your identity before processing requests to protect your personal information.
Authorized Agents: You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization.
Response Time: We will respond within 45 days of receiving your request. If we need more time (up to 90 days total), we will notify you.
13.7 California “Shine the Light” Law
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
13.8 Do Not Sell or Share My Personal Information
While we do not sell personal information for monetary consideration, you can opt out of sharing for targeted advertising purposes by:
- Emailing info@albaculture.com with “Do Not Share My Information”
- Contacting us at +355 69 692 2676
14. Contact Us
14.1 Privacy Questions and Concerns
If you have questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact us:
Email: info@albaculture.com (Preferred method)
Subject Line: “Privacy Inquiry” or “Privacy Complaint”
Telephone: +355 69 692 2676 (WhatsApp preferred)
Website Contact Form: https://albaculture.com/contact
Postal Mail: AlbaCulture Tour Operator
[Complete Postal Address]
Albania
14.2 Business Hours
Monday – Friday: 9:00 AM – 6:00 PM (Albanian time – CET/CEST)
Saturday: 9:00 AM – 1:00 PM
Sunday: Closed (emergency contact available for active tour participants)
14.3 Response Time
We aim to respond to privacy inquiries within:
- Email/Website: 2 business days for acknowledgment; 10 business days for substantive response
- Phone: Immediate response during business hours
- Data subject requests: 30 days as required by GDPR
14.4 Complaints
If you believe we have violated your privacy rights or you are unsatisfied with our response to your privacy concerns:
Albanian Authority: Commissioner for the Right to Information and Personal Data Protection
Blvd. “Zhan D’Ark”, No. 3
Tirana, Albania
Website: www.idp.al
Email: info@idp.al
EU Residents: You may lodge a complaint with the supervisory authority in your country of residence.
California Residents: You may contact the California Attorney General’s Office.
15. Changes to This Privacy Policy
15.1 Updates and Modifications
We may update this Privacy Policy from time to time to reflect:
- Changes in our privacy practices
- Changes in applicable laws and regulations
- New features or services we offer
- Feedback from users and regulators
- Technological developments
- Changes in our business operations
15.2 Notice of Changes
Material Changes: If we make material changes that significantly affect your privacy rights, we will:
- Update the “Last Updated” date at the top of this Privacy Policy
- Notify you by email (if we have your email address)
- Display a prominent notice on our Website
- Provide at least 30 days’ notice before changes take effect
Minor Changes: For non-material changes (clarifications, formatting, minor updates), we will:
- Update the “Last Updated” date
- Post the revised Privacy Policy on our Website
15.3 Your Continued Use
Your continued use of our Services after the effective date of Privacy Policy changes constitutes your acceptance of the revised Privacy Policy.
If you do not agree to the updated Privacy Policy:
- Stop using our Services
- Contact us to delete your account and personal information (subject to legal retention requirements)
15.4 Version History
We maintain previous versions of this Privacy Policy for reference. You may request previous versions by contacting info@albaculture.com.
16. Legal Basis for Processing (GDPR)
Under GDPR, we must have a legal basis for processing your personal information. We rely on the following legal bases:
16.1 Contract Performance
Processing is necessary to perform our contract with you or take steps before entering a contract:
- Processing booking requests and confirmations
- Coordinating tour services (accommodation, transportation, guides)
- Managing payments and issuing invoices
- Providing customer support
- Fulfilling our obligations under our Terms and Conditions
16.2 Legal Obligations
Processing is necessary to comply with legal obligations:
- Tourism reporting to Albanian authorities (Law No. 93/2015 “On Tourism”)
- Tax and accounting record-keeping (7-year retention requirement)
- Responding to legal requests and court orders
- Preventing fraud and illegal activities
- Complying with data protection regulations
16.3 Legitimate Interests
Processing is necessary for our legitimate interests or those of a third party (provided your rights do not override these interests):
- Improving and developing our Services
- Analyzing Website usage and tour feedback
- Preventing fraud and ensuring security
- Managing business operations efficiently
- Marketing our services to existing customers
- Protecting our legal rights and property
- Enhancing customer experience
We balance our legitimate interests against your privacy rights before processing personal information on this basis.
16.4 Consent
Processing is based on your explicit consent:
- Marketing communications and newsletters
- Using photographs or videos for promotional purposes
- Optional cookies and tracking technologies
- Sharing information with specific third parties beyond service provision
You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
16.5 Vital Interests
Processing is necessary to protect vital interests (yours or another person’s):
- Medical emergencies during tours
- Emergency assistance and safety situations
- Contacting emergency contacts in urgent situations
17. Specific Data Processing Activities
17.1 Email Communications
What We Collect: Email address, name, content of your messages, email metadata (timestamps, IP addresses)
How We Use It:
- Respond to inquiries and booking requests
- Send booking confirmations and tour information
- Provide customer support
- Send marketing communications (with consent)
Legal Basis: Contract performance, consent (for marketing), legitimate interests
Retention: Active bookings plus 12 months; marketing lists until unsubscribe
17.2 Website Analytics
What We Collect: IP address, pages visited, time on site, browser information, device type, referring websites
How We Use It:
- Understand how visitors use our Website
- Improve Website functionality and user experience
- Identify technical issues
- Generate statistical reports
Tools Used: Google Analytics
Legal Basis: Legitimate interests (with cookie consent where required)
Retention: Up to 26 months (Google Analytics default)
Opt-Out: Use the Google Analytics opt-out browser add-on
17.3 Payment Processing
What We Collect: Bank transfer details, payment receipts, billing address, transaction records
How We Use It:
- Process tour payments
- Issue invoices and receipts
- Maintain financial records for accounting
- Comply with tax regulations
- Detect and prevent fraud
Legal Basis: Contract performance, legal obligations
Retention: 7 years (Albanian tax law requirement)
Security: Bank-level security for transaction processing
17.4 Tour Participation Data
What We Collect: Health information, dietary restrictions, mobility limitations, emergency contacts, special requirements
How We Use It:
- Ensure your safety and wellbeing during tours
- Accommodate special needs
- Provide appropriate meals and services
- Respond to emergencies
Legal Basis: Contract performance, vital interests, consent
Retention: Duration of tour plus 12 months
Sensitivity: This is sensitive data; we implement additional security measures
17.5 Photography and Video
What We Collect: Photographs and videos featuring tour participants
How We Use It:
- Promotional materials (website, social media, brochures)
- Marketing campaigns
- Documenting tour experiences
Legal Basis: Explicit consent
Retention: Until consent is withdrawn or indefinitely for published materials
Your Rights: You may opt out or request removal at any time
17.6 Customer Reviews and Feedback
What We Collect: Your name, review content, ratings, comments
How We Use It:
- Display on our Website and social media
- Improve our services
- Respond to feedback
- Share with potential customers
Legal Basis: Consent (by submitting review), legitimate interests
Retention: Indefinitely unless you request removal
Your Rights: You may request modification or removal of your review
18. Data Protection Officer
18.1 DPO Contact Information
For data protection inquiries, you may contact our data protection contact:
Email: info@albaculture.com
Subject Line: “Data Protection Officer” or “DPO”
Note: As a small-to-medium enterprise, we are not required to appoint a formal Data Protection Officer under GDPR Article 37. However, our management team is responsible for data protection compliance and will address your privacy concerns.
18.2 When to Contact Our DPO Contact
Contact our data protection contact for:
- Questions about how we process your personal information
- Exercising your data protection rights (access, deletion, rectification, etc.)
- Concerns about data security
- Complaints about privacy practices
- Information about data breaches
- Questions about international data transfers
19. Data Breach Notification
19.1 Our Commitment
We take data security seriously and have implemented measures to prevent data breaches. However, no system is completely secure.
19.2 What We Will Do
If a data breach occurs that is likely to result in a risk to your rights and freedoms, we will:
Notify Authorities:
- Report to the Albanian Commissioner for the Right to Information and Personal Data Protection within 72 hours of becoming aware of the breach
Notify You:
- If the breach is likely to result in a high risk to your rights, we will notify you without undue delay
- Notification will include:
  - Nature of the breach
  - Likely consequences
  - Measures we have taken or propose to take
  - Contact information for further inquiries
Take Action:
- Investigate the breach
- Contain and mitigate the breach
- Implement additional security measures
- Document the breach and our response
19.3 What You Should Do
If you suspect a data breach or unauthorized access to your information:
- Contact us immediately at info@albaculture.com
- Change any passwords if applicable
- Monitor your accounts for suspicious activity
- Report any fraudulent activity to appropriate authorities
20. Special Categories of Personal Data
20.1 Definition
Special categories of personal data (sensitive data) include information about:
- Health and medical conditions
- Dietary restrictions related to religion or philosophy
- Racial or ethnic origin (if disclosed)
- Religious or philosophical beliefs (if relevant to tour requirements)
20.2 When We Collect Sensitive Data
We collect sensitive data only when necessary for:
- Ensuring your safety during tours (health conditions, mobility limitations)
- Accommodating dietary restrictions (religious, health-related, or ethical reasons)
- Providing appropriate services and support
- Responding to emergencies
20.3 Legal Basis for Processing Sensitive Data
We process sensitive data based on:
- Explicit consent: You provide explicit consent when disclosing health or dietary information
- Vital interests: Necessary to protect your life or physical well-being in emergencies
- Substantial public interest: Ensuring equal access to services
20.4 Extra Protection
We implement additional security measures for sensitive data:
- Strict access controls (only authorized personnel)
- Enhanced encryption
- Separate storage systems
- Regular security audits
- Staff training on handling sensitive information
20.5 Your Rights
You have enhanced rights regarding sensitive data:
- You may withdraw consent at any time
- We will only use sensitive data for specified purposes
- We will not share sensitive data unnecessarily
- You may request deletion (subject to legal requirements)
21. Automated Processing and Profiling
21.1 No Automated Decision-Making
We do NOT use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
21.2 Limited Automated Processing
We use limited automated processing for:
- Email filtering and spam detection
- Website analytics (aggregated data only)
- Fraud detection algorithms (alerts reviewed by humans)
All significant decisions about your booking, services, or customer support are made by humans.
21.3 Your Rights
Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing. Since we do not engage in such practices, this right is automatically respected.
22. International Data Transfer Safeguards
22.1 Standard Contractual Clauses
When transferring personal data to countries outside the EEA that do not provide adequate protection, we use Standard Contractual Clauses (SCCs) approved by the European Commission.
22.2 Service Provider Agreements
We require all service providers processing personal data on our behalf to:
- Implement appropriate technical and organizational security measures
- Process data only according to our instructions
- Notify us of any data breaches
- Assist with data subject rights requests
- Delete or return data when services end
22.3 Transfer Impact Assessments
We conduct Transfer Impact Assessments to ensure that data transferred to third countries receives adequate protection, considering:
- Laws and practices in the destination country
- Additional security measures implemented
- Risks to data subjects’ rights
23. Transparency and Accountability
23.1 Records of Processing Activities
We maintain records of our data processing activities as required by GDPR Article 30, including:
- Purposes of processing
- Categories of data subjects and personal data
- Recipients of personal data
- International transfers
- Retention periods
- Security measures
23.2 Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that pose high risks to your rights and freedoms.
23.3 Privacy by Design and Default
We implement privacy by design and default principles:
- Minimizing data collection
- Implementing security measures from the outset
- Providing privacy-friendly default settings
- Ensuring data protection throughout the data lifecycle
23.4 Staff Training
We provide regular data protection training to our staff to ensure:
- Understanding of privacy principles
- Compliance with data protection laws
- Proper handling of personal information
- Recognition of data breaches and security incidents
24. Your Choices and Controls
24.1 Summary of Your Rights
You have the following rights regarding your personal information:
✓ Access – Request copies of your personal information
✓ Rectification – Request correction of inaccurate information
✓ Erasure – Request deletion of your information
✓ Restriction – Request limited processing of your information
✓ Portability – Receive your information in machine-readable format
✓ Object – Object to certain processing activities
✓ Withdraw Consent – Withdraw consent for consent-based processing
✓ Opt-Out – Opt out of marketing communications
✓ Complain – Lodge a complaint with supervisory authorities
24.2 How to Exercise Your Rights
Primary Contact Method:
Email: info@albaculture.com
Alternative Methods:
- Phone: +355 69 692 2676
- Website: https://albaculture.com/contact
- Post: AlbaCulture Tour Operator, [Address], Albania
What to Include in Your Request:
- Full name
- Email address associated with your booking
- Booking reference number (if applicable)
- Specific right you wish to exercise
- Any relevant details or context
24.3 Verification Process
To protect your privacy, we will verify your identity before processing requests. We may ask for:
- Additional identifying information
- Proof of identity (passport copy, ID card)
- Confirmation of email address or phone number
24.4 Response Time and Fees
Response Time: 30 days (may extend to 60 days for complex requests)
Fees: Generally free (reasonable fee for excessive or repetitive requests)
Updates: We will keep you informed if we need more time or information
25. Glossary of Terms
Personal Information/Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Controller: The entity that determines the purposes and means of processing personal data (AlbaCulture).
Processor: An entity that processes personal data on behalf of the controller (our service providers).
Data Subject: An individual whose personal data is processed (you).
Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing.
Legitimate Interests: Processing necessary for legitimate business interests, balanced against individual rights.
GDPR: General Data Protection Regulation (EU) 2016/679.
CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act.
Cookies: Small text files stored on your device when visiting websites.
Third Party: An entity other than you and AlbaCulture.
Anonymization: Processing that makes personal data unable to identify an individual.
Pseudonymization: Processing that makes personal data unable to identify an individual without additional information.
26. Effective Date and Acceptance
Effective Date: This Privacy Policy is effective as of the “Last Updated” date stated at the top of this document (January 2025).
Acceptance: By using our Services after the effective date, you acknowledge that you have read, understood, and agree to this Privacy Policy.
Binding Agreement: This Privacy Policy forms part of our agreement with you, along with our Terms and Conditions.
Questions or Concerns: If you do not understand or agree with this Privacy Policy, please contact us before using our Services.
27. Additional Resources
27.1 Related Documents
- Terms and Conditions: https://albaculture.com/terms-and-conditions
- Cookie Policy: https://albaculture.com/cookie-policy (if separate)
- Booking Confirmation: Provided upon confirmed booking
27.2 External Resources
Data Protection Authorities:
- Albanian Commissioner: www.idp.al
- European Data Protection Board: https://edpb.europa.eu
- Your Country’s Supervisory Authority: https://edpb.europa.eu/about-edpb/board/members_en
Privacy Tools:
- Google Analytics Opt-Out: https://tools.google.com/dlpage/gaoptout
- Browser Cookie Settings: Refer to your browser’s help documentation
Legal Framework:
- GDPR Full Text: https://gdpr-info.eu
- Albanian Data Protection Law: www.idp.al
- CCPA/CPRA Information: https://oag.ca.gov/privacy/ccpa
Thank you for trusting AlbaCulture with your personal information.
We are committed to protecting your privacy and providing transparent information about our data practices. If you have any questions, concerns, or feedback about this Privacy Policy, please don’t hesitate to contact us.
AlbaCulture Tour Operator
Authentic Albanian Cultural Experiences
📧 Email: info@albaculture.com
📞 Phone: +355 69 692 2676 (WhatsApp)
🌐 Website: www.albaculture.com
END OF PRIVACY POLICY
This Privacy Policy was last updated in January 2025 and is subject to Albanian law and international data protection regulations including GDPR, CCPA, and CPRA.