Dapita Travel - Header
DAPITA TRAVEL

Privacy Policy

Effective date:

Data Controller: DAPITA LTD (Company No. 16634395)

ICO Registration: ICO:00011692083

Registered office: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Privacy contact: support@dapita.travel | +442045770719

At Dapita, your privacy is a priority. This policy explains how we collect, use, protect, and share your personal data as required by UK GDPR and Data Protection Act 2018.

1. Glossary

  • Personal Data: Information that identifies or can identify an individual
  • Data Controller: Entity that determines purposes and means of processing personal data (DAPITA LTD)
  • Data Processor: Entity that processes personal data on behalf of the controller
  • Processing: Any operation performed on personal data
  • Data Subject: Individual whose personal data is processed (you)
  • Legal Basis: Lawful ground for processing (contract, consent, legitimate interests, legal obligation)

2. Data Protection Principles

We process personal data in accordance with UK GDPR principles:

  • Lawfulness, fairness, transparency: We process data lawfully and inform you how we use it
  • Purpose limitation: We collect data for specific, explicit purposes
  • Data minimisation: We collect only necessary data
  • Accuracy: We keep data accurate and up to date
  • Storage limitation: We retain data only as long as necessary
  • Integrity and confidentiality: We protect data with appropriate security
  • Accountability: We demonstrate compliance with these principles

3. Data Controller

Controller: DAPITA LTD

Company Number: 16634395

ICO Registration: ICO:00011692083

Address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Contact: support@dapita.travel | +442045770719

We appoint data processors (third-party vendors) under data processing agreements with appropriate technical and organizational safeguards.

4. Data We Collect

Data You Provide

  • Account information: Email address, password (hashed), username
  • Contact details: Phone number (optional for order updates)
  • Billing information: Name, address, VAT number (when requesting invoice)
  • Preferences: Language, theme, communication preferences
  • Support communications: Messages, attachments, inquiry details

Data We Collect Automatically

  • Technical data: IP address, browser type, device information, operating system
  • Usage data: Pages visited, time spent, clicks, navigation paths
  • Cookies: See Cookie Policy for details
  • eSIM usage: Activation status, data consumption, connection logs

Data from Third Parties

  • Payment processors (Stripe): Payment method details (last 4 digits), transaction status
  • Network providers: eSIM activation and connectivity data

Children's Data

We do not knowingly collect data from individuals under 13 years of age (or under 16 in certain jurisdictions) without parental/guardian consent.

5. How We Use Your Data

Service Delivery

  • Create and manage your account
  • Process and fulfill orders
  • Deliver eSIM profiles and activation instructions
  • Provide customer support
  • Send order confirmations, receipts, and service updates

Service Improvement

  • Analyze usage patterns to improve features
  • Troubleshoot technical issues
  • Conduct security monitoring
  • Prevent fraud and abuse

Marketing (with consent)

  • Send promotional emails about our products
  • Display personalized ads (via Google, Facebook, TikTok with consent)
  • Create marketing profiles based on usage

Legal Compliance

  • Comply with tax and accounting obligations
  • Respond to legal requests and enforce terms
  • Maintain records for regulatory compliance

6. Legal Basis for Processing

Contract Performance

We process data necessary to perform our contract with you (account management, order fulfillment, support).

Legitimate Interests

We process data for our legitimate business interests:

  • Fraud prevention and security
  • Service improvement and analytics
  • Internal administration
  • Basic profiling for product recommendations (you can object)

Consent

We obtain your consent for:

  • Marketing communications
  • Analytics and advertising cookies
  • Third-party marketing partnerships

You can withdraw consent at any time.

Legal Obligation

We process data to comply with legal requirements (tax records, law enforcement requests, regulatory obligations).

7. Your Rights (UK GDPR)

Under UK GDPR and Data Protection Act 2018, you have the following rights:

Right of Access

Request a copy of your personal data we hold.

Right to Rectification

Correct inaccurate or incomplete personal data.

Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data in certain circumstances.

Right to Restriction

Request we limit processing of your data in certain situations.

Right to Data Portability

Receive your data in a structured, machine-readable format and transfer to another service.

Right to Object

Object to processing based on legitimate interests, including profiling and direct marketing.

Right to Withdraw Consent

Withdraw consent for marketing or cookies at any time.

Right to Lodge a Complaint

File a complaint with the Information Commissioner's Office (ICO): ico.org.uk

How to Exercise Your Rights

Contact us at: support@dapita.travel or +442045770719

Response time: Within 1 month (may be extended to 3 months for complex requests)

Verification: We may request identity verification before fulfilling requests

8. Data Sharing

We share personal data with the following categories of recipients:

Service Providers (Processors)

  • Payment processing: Stripe (payment transactions)
  • Hosting: Cloud infrastructure providers
  • Email delivery: Transactional email services
  • Customer support: Help desk and chat platforms
  • Analytics: Google Analytics (with consent)

eSIM Network Providers

Connectivity partners who deliver eSIM service (activation data, usage logs).

Marketing Partners (with consent)

  • Google Ads
  • Facebook/Meta Pixel
  • TikTok Pixel

Legal and Regulatory Authorities

Law enforcement, tax authorities, regulators when required by law.

Business Transfers

In the event of merger, acquisition, or asset sale, personal data may be transferred to the acquiring entity.

Data Processing Agreements: All processors operate under contracts with appropriate data protection clauses.

9. Data Security

We implement technical and organizational measures to protect personal data:

Technical Measures

  • SSL/TLS encryption for data transmission
  • Encryption at rest for sensitive data
  • Secure password hashing (bcrypt)
  • Regular security testing and vulnerability scanning
  • Access controls and authentication
  • Firewall and intrusion detection systems

Organizational Measures

  • Staff training on data protection
  • Confidentiality agreements
  • Access limited to authorized personnel only
  • Incident response procedures
  • Regular audits and reviews

Data Breach Notification

In the event of a personal data breach:

  • We will notify the ICO within 72 hours where required
  • We will inform affected individuals without undue delay if there is a high risk to their rights
  • We will document all breaches and remedial actions

10. Data Retention

We retain personal data only as long as necessary for the purposes collected:

Account Data

  • Active accounts: Duration of account + 30 days after closure
  • Inactive accounts: May be deleted after 3 years of inactivity with prior notice

Transaction Records

  • Order history: 10 years (tax and accounting obligations)
  • Payment records: 10 years (financial regulations)
  • Invoices: 10 years (VAT requirements)

Support Communications

  • Support tickets: 3 years after resolution
  • Chat logs: 12 months

Technical Logs

  • Access logs: 12 months
  • Usage analytics: 12 months (aggregated data may be retained longer)

Marketing Data

  • With consent: Until consent withdrawn + 30 days
  • After consent withdrawal: Suppression list maintained indefinitely

11. International Data Transfers

Some of our service providers are located outside the UK/EEA. When we transfer personal data internationally, we ensure appropriate safeguards:

Safeguards

  • Standard Contractual Clauses (SCCs): EU-approved contract terms
  • Adequacy Decisions: Transfers to countries with adequate data protection (e.g., EU/EEA)
  • UK GDPR International Data Transfer Addendum: For UK-specific transfers

Countries We Transfer Data To

  • United States: Stripe (payment processing) - EU-US Data Privacy Framework + SCCs
  • European Union: Various cloud and service providers - adequacy decision

Current list of international transfers: Available on request at support@dapita.travel

12. Cookies

We use cookies and similar technologies. For detailed information, see our Cookie Policy.

Summary

  • Essential cookies: Required for site operation (always active)
  • Marketing cookies: Analytics and advertising (requires consent)

Manage cookies: Via cookie banner or cookie preferences

13. Children's Privacy

Our services are not directed to children under 13 years of age (or under 16 in certain jurisdictions).

  • We do not knowingly collect personal data from children without parental consent
  • If we learn we have collected data from a child without consent, we will delete it promptly
  • Parents/guardians may contact us to review, delete, or stop collection of their child's data

If you believe we have inadvertently collected data from a child, contact: support@dapita.travel

14. Policy Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in our data processing practices
  • New legal or regulatory requirements
  • Service improvements or new features

Notification of Changes

  • Material changes: We will notify you via email or prominent notice on our website at least 30 days before changes take effect
  • Minor changes: Updated effective date posted on this page
  • Continued use after changes constitutes acceptance

Current version: 1.0

Last updated:

Contact Us

For privacy questions, to exercise your rights, or to file a complaint:

Email: support@dapita.travel

Phone: +442045770719

Post: DAPITA LTD, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Response time: Within 1 month of request

UK Supervisory Authority

Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

Dapita Footer