GDPR and CCPA

Last Updated -

We take data privacy seriously at Acai Travel. We act as the data processor (under GDPR) or service provider (under CCPA), and our business customers (“Clients”) act as the data controllers (under GDPR) or businesses (under CCPA) with respect to the personal data that is made available to Acai Travel in connection with our Clients’ use of our products and services (collectively, the “Services”).

What is the GDPR?

What is the GDPR?

The EU General Data Protection Regulation 2016/679 (“GDPR”) a comprehensive regulation from the European Union to protect the privacy of EU residents. The GDPR went into effect on May 25, 2018 and replaced the EU Data Protection Directive. As of January 1, 2021, the UK GDPR applies to UK data subjects. The term “GDPR,” as used in this policy, also refers to the UK GDPR.

The GDPR Alliance posted an article titled, The General Data Protection Regulation (GDPR) In A Nutshell which outlines the GDPR in simple terms. In sum, the GDPR:

  • Applies to personal data, meaning any data that relates, or can be used, to identify a person in any way.
  • Controls what can be done with personal information.
  • Requires that consent is given or there is a good reason to process or store personal data.
  • Gives a person a right to know what information is held about them.
  • Allows a person to request that information about them is erased and that they are ‘forgotten’ — unless there is a reason not to do this — e.g. a loan account.
  • Imposes requirements around data collection and security. New systems must have protections designed into them (Privacy by Design). Access to data is strictly controlled and only given when required (Privacy by Default).
  • Imposes data breach notification obligations.
  • Requires that data is securely deleted after it is no longer needed, subject to certain exceptions.
  • Allows national authorities to impose fines for violations of the GDPR.

For more information, here is the full GDPR.

What is the CCPA?

The California Consumer Privacy Act(“CCPA”) went into effect on January 1, 2020, and grants California consumers new rights with respect to the collection of their personal data and requires companies to comply with certain obligations related to those rights, including:

  • An obligation on businesses to notify a consumer of its data collection practices, including the categories of personal data it has collected, the sources of the information, the business’s use of the information, and to whom the business disclosed the information it has collected about the consumer;
  • An obligation on businesses to disclose information about consumers’ CCPA rights;
  • The consumer’s right to receive a copy, in a readily usable format, of the specific personal data collected about them during the twelve (12) months prior to their request;
  • The consumer’s right to have such personal data deleted (with exceptions);
  • The consumer’s right to know the business’s data sale practices and to request that their personal data not be sold to third parties; and
  • A prohibition on businesses on discrimination for exercising their rights under the CCPA.

For more information on CCPA click here.

What is Acai Travel doing to comply with GDPR & CCPA?

Acai Travel has incorporated a strong focus and emphasis on data security and privacy from our earliest days as a company. As data privacy laws evolve, we regularly update our privacy policy and statement, landing pages, and application forms to clearly, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, identify the purpose of the processing of personal data by Acai Travel and our sub-processors to make Clients fully aware of how we collect and use personal data. More specifically, some of the technical and organization controls that we have implemented include the following highlighted areas of focus:

Data Protection by Design

We consider privacy when designing new features. As part of this approach, we seek to understand where personal data is being processed within our internal systems and through our sub-processors so that we can provide the proper level of visibility and control to our users.

Security of Processing

Acai Travel applies technical and organizational practices to minimize access to systems and data. There are multiple levels of authorization required for individuals to access personal data, audit trails are available for understanding access, we employ real-time notifications from our continuous security monitoring tools, and we have procedures in place to limit and remove access when no longer required.

Data Mapping

Acai Travel performs data mappings to understand where personal data is flowing, what specifically is being processed by each sub-processor, and whether it needs to be processed.

Data Processing Addendum

Acai Travel offers our Clients a Data Processing Addendum (DPA) to the subscription agreement for our Services that governs the relationship between our Clients (acting as the data controller / business) and Acai Travel (acting as the data processor / service provider) with respect to personal data subject to the GDPR and CCPA. The DPA facilitates our Clients’ compliance with their obligations under applicable data protection laws and contains strong privacy commitments, and has been updated to confirm our compliance with the GDPR and CCPA. We also commit to supporting our Clients in responding to requests from data subjects to access, correct, amend, delete or exercise other rights with respect to their personal data. A copy of our DPA is available here. Clients who signed earlier versions of our DPA can click on that link to request our current DPA at any time.

How can I manage data subject rights requests within Acai Travel’s services?

Our Clients are the data controllers/businesses that collect personal data of their customers/end-users. As such, Clients are responsible for receiving and responding to requests from individuals to exercise any rights afforded to them under applicable data protection laws, including the GDPR and CCPA. Our Services provide the necessary functionality to respond to most, if not all, data subject rights requests, including access, correction, deletion and portability. If requested by a Client to assist with a data subject rights requests, we will respond within a reasonable timeframe and assist with such request in accordance with our Data Processing Addendum if (i) Client is itself unable to respond without Acai Travel’s assistance and (ii) Acai Travel is able to do so in accordance with all applicable data protection laws.

Additionally, because we may only access a Client’s data upon their instructions, if Acai Travel receives a data subject request directly from one of their customers/end-users using our data subject request form, Acai Travel will direct that individual to contact the Client directly about any request relating to his/her personal data such as access or deletion, and to the extent that the applicable data protection law does not prohibit Acai Travel from doing so, we will refer their request to the Client they specify in their request. Acai Travel will not further respond to a data subject request without Client’s prior consent.

Who are Acai Travel’s Sub-Processors?

We share some personal data with certain third party companies, including affiliates of Acai Travel, that we use as sub-processors to help us provide, manage, secure and improve the Services. A current list of our third party sub-processors is available here and includes the ability for our Clients to subscribe to notifications of changes. We evaluate the privacy and security practices of each sub-processor and enter into contractual arrangements that require the sub-processor to safeguard the privacy and the personal data that it sub-processes. Acai Travel remains responsible for the acts and omissions of our sub-processors to the same extent that Acai Travel would be responsible if Acai Travel was performing the services of each sub-processor directly.

Contact Us

If you have any further GDPR, CCPA or other privacy questions or concerns, more information is available in our Product Privacy Statement or you can reach out to us at compliance@acaitravel.com.