Privacy Policy

We collect the following categories of data, depending on how you use the Services:

• Identity & contact data: name, phone, email, country of residence, preferred language, passport/ID details if you provide them for bookings.
• Concierge request data: your itinerary, booking details (flights, ferries, taxis, villas, restaurants, spa/wellness), preferences (e.g., dietary), special requests, notes you ask us to pass to providers.
• Payment & billing data: transaction amounts, currency, partial card/payment identifiers from our payment processor(s); billing address where required.
• Communications & support: messages, call logs/notes, feedback, and customer support interactions (including WhatsApp/Telegram if you contact us there).
• Technical data: device, browser, OS, IP address, general location, app version, log data, and cookie identifiers.
• Marketing & analytics: your consents/preferences, email opens/clicks (if you opt into marketing).
• Sensitive data (only if you choose to share): health-related information (e.g., allergies), religion/culture-related preferences (e.g., dietary rules). We process these only with your explicit consent and solely to fulfill your request.

• Directly from you (forms, chat, email, phone, messaging apps, in-app).
• From your authorized representative (e.g., family member who contacts us on your behalf).
• From third-party providers to complete bookings (e.g., accommodation, transport, restaurants) and payment processors.
• From cookies, SDKs, analytics tools.

• Provide & operate the Services (process your requests, make bookings, liaise with providers): Contract Art. 6(1)(b).
• Payments, invoicing & fraud prevention: Contract and Legitimate Interests Art. 6(1)(b), 6(1)(f).
• Account & customer support: Contract.
• Communications about your orders/requests: Contract.
• Marketing (news, offers): Consent Art. 6(1)(a) (you may withdraw at any time).
• Analytics & improvements: Legitimate Interests Art. 6(1)(f).
• Compliance with laws (e.g., tax, accounting): Legal Obligation Art. 6(1)(c).
• Vital interests (rare emergencies you notify us about): Art. 6(1)(d).

Special categories of data (e.g., health/dietary) are processed only with your explicit consent (GDPR Art. 9(2)(a)) to fulfill your request and are not used for any other purpose.

We share data strictly as needed with:

• Concierge partners & suppliers: hotels/villas, drivers, ferry/tour operators, spas, restaurants, event organizers.
• Payment processors & banks: to collect payments, process refunds, prevent fraud.
• Operational vendors: cloud hosting, CRM/support platforms, analytics, messaging providers.
• Professional advisors & authorities: where required by law or to protect our rights.

We never sell your personal data.

Your data may be transferred from the EEA to Thailand and other countries. Where required, we use Standard Contractual Clauses (SCCs) and appropriate supplementary measures. When processing data of Thai residents, we comply with the PDPA and may rely on PDPA transfer mechanisms. Details are available upon request.

We retain data only as long as necessary:

• Booking and support records: duration of the relationship + up to 3 years for claims.
• Billing/tax records: as required by law (e.g., up to 6 years in Poland).
• Marketing data: until you withdraw consent or after inactivity per our retention rules.

We then delete or irreversibly anonymize data.

We apply administrative, technical, and physical safeguards appropriate to the risks (access controls, encryption in transit, restricted staff access, vendor due diligence). No method is 100% secure, but we work to protect your data.

Under GDPR (and where applicable, PDPA), you can access, rectify, erase, or restrict processing of your data, object to certain processing, and port your data. Where processing is based on consent, you may withdraw it at any time (this doesn't affect prior lawful processing). You also have the right to lodge a complaint with your local supervisory authority or with the President of the Personal Data Protection Office (UODO) in Poland.

To exercise rights, contact us at privacy@vayana.app. We may need to verify your identity.

Our Services are not directed to children under the age of 16 (or lower age of digital consent where permitted by law). We do not knowingly collect data from children. If you believe a child provided data, contact us to delete it.

We use necessary cookies (to run the site), and—subject to your consent—analytics and advertising cookies/SDKs to measure usage and improve Services. You can manage preferences through our cookie banner and your browser/device settings. Disabling certain cookies may limit functionality.

Our Services may link to third-party sites or involve third-party services (e.g., payment gateways, booking platforms). Their privacy practices are their own; please review their policies.

Where you opt in, we may send updates and offers. You can unsubscribe via the link in each email or by contacting us. We will continue sending essential transactional messages related to your requests/bookings.

We may update this Policy from time to time. We will post the revised version and update the effective date. Material changes will be notified where required by law.

Controller: KRAKEN SOLUTIONS SP Z O O

Address: ul. Floriańska 6/02, 03-707 Warszawa, Polska

Email: privacy@vayana.app