Last updated: 01 Oct 2025

1) Who we are

Controller: ALBTourism
Email: [email protected]Phone/WhatsApp: +355 69 969 0000.
We operate albtourism.al to offer holiday rentals and car-hire services.

We comply with applicable Albanian data-protection law and—where we offer services to people in the EU/EEA—the EU General Data Protection Regulation (GDPR). The Albanian Information and Data Protection Commissioner (IDP) oversees compliance in Albania. European Commission+1

2) What data we collect

  • Booking & account data: name, email, phone, billing details, stay dates, party size, preferences.
  • Car hire data (if you rent a car): driver’s licence details, age confirmation, pickup/return info.
  • Payment data: card details are processed by our payment provider(s) (we receive only limited tokens/last four digits and status).
  • Communications: emails, contact forms, WhatsApp/SMS, social DMs.
  • Device & usage data: IP address, browser/device type, pages viewed, and cookies (see §9).
  • Identity documents at check-in (where legally required).

3) Why we process your data (legal bases)

  • To provide our services & manage bookings/contracts (GDPR Art. 6(1)(b)).
  • To comply with law (tax/accounting, guest registers) (Art. 6(1)(c)).
  • Our legitimate interests (site security, fraud prevention, improving services, customer support) (Art. 6(1)(f)).
  • Your consent for optional things like marketing emails, non-essential cookies (Art. 6(1)(a)). EUR-Lex

4) How we use your data

  • Manage enquiries, bookings, payments, check-in/out, and customer support.
  • Send booking confirmations, pre-arrival messages, and important service updates.
  • Provide car-hire agreements and verify eligibility where required.
  • Improve our website and services (analytics, troubleshooting).
  • Marketing with your consent (e.g., newsletters); you can unsubscribe anytime.

5) Sharing your data

We share data only with trusted processors that help us run the business, such as:

  • Hosting & infrastructure (website host, CDN/backup).
  • Payment processors (e.g., Stripe/PayPal/bank), who act as independent controllers for card data.
  • Email, CRM, chat/WhatsApp, SMS providers for communications.
  • Analytics & marketing tools (e.g., Google) — only with consent for non-essential cookies.
  • Professional services (accountants, legal) and authorities when required by law.

We require processors to protect your data and process it only on our instructions.

6) International transfers

Some providers may process data outside Albania/EU. Where that happens, we rely on lawful transfer tools (e.g., Standard Contractual Clauses) plus additional safeguards as required by GDPR. European Commission

7) Retention

  • Bookings & invoices: normally 6 years (tax/accounting).
  • Car-hire contracts/IDs: as required by law and up to 6 years for claims/defence.
  • Support messages: up to 24 months.
  • Marketing lists: until you unsubscribe or ask us to delete.
  • Cookies: see durations in §9.

We keep data longer only if needed for legal obligations or disputes.

8) Your rights

Depending on where you live (incl. EU/EEA), you may have the right to access, rectify, erase, restrict, object, data portability, and to withdraw consent at any time. You also have the right to lodge a complaint with your local authority or with Albania’s Information and Data Protection Commissioner (IDP). To exercise rights, email [email protected]. GDPR+1

9) Cookies & similar tech

  • Essential cookies (security, load balancing, session) — always on.
  • Analytics (e.g., Google Analytics) — used only with consent.
  • Marketing (e.g., Meta/Google Ads) — used only with consent.

Your choices: use our cookie banner to accept all, reject all, or customise. You can also adjust browser settings. For transparency and consent logging, we recommend using a compliant Consent Management Platform (CMP).

10) Payments

Payments are handled by third-party processors. We do not store full card numbers. The processor’s privacy policy applies to their processing (we’ll link to it at checkout).

11) Children

Our services are not directed to children under 16. We do not knowingly collect children’s data. If we learn this has happened, we’ll delete it.

12) Security

We use appropriate technical and organisational measures (TLS/HTTPS, access controls, backups, least-privilege, staff confidentiality). No method of transmission is 100% secure, but we work to protect your data.

13) Third-party links

Our site may link to external websites (e.g., Instagram). Their privacy policies apply to their processing.

14) Contact us

15) Changes to this policy

We’ll update this page when our practices change. Material changes will be clearly notified on the site.