top of page

WWE TRAVEL CY  ·  PRIVACY POLICY

Privacy Policy

Worldwide Wellness Escapes Ltd  (trading as WWE Travel CY)
Effective date: 1 January 2026  ·  Last reviewed: May 2026
Governing law: GDPR (EU) 2016/679  ·  Cyprus Law 125(I)/2018  ·  ePrivacy Law 112(I)/2004

1. About This Policy & Who We Are

This Privacy Policy explains how Worldwide Wellness Escapes Ltd (registered in Cyprus, Company No. HE458302 , trading as WWE Travel CY, collects, uses, stores, shares, and protects your personal data when you:

 

  • visit or use our website at www.wwe-cy.com

  • submit a booking request, enquiry, or contact form

  • book or enquire about hotels, holiday homes, transfers, tours, or holiday packages

  • communicate with us by email, telephone, WhatsApp, or Viber

  • subscribe to our newsletter or marketing communications

  • use our B2B platform or services as a trade partner

 

We act as the data controller for the personal data we process in connection with our own services. Where we share data with third-party service providers (hotels, transport operators, tour operators), those providers act as independent data controllers for the data they process in their own right.

 

This policy is written to comply with Regulation (EU) 2016/679 (GDPR), Cyprus Law 125(I)/2018 (national GDPR implementation), and Part 14 of Cyprus Law 112(I)/2004 (ePrivacy). If you have any questions, contact our data protection contact point at info@wwe-cy.com.

2. Personal Data We Collect

We collect only the data necessary for the specific purpose for which it is collected (the principle of data minimisation). The categories of personal data we process are set out in the table below.

Category of Data

  • Identity & Contact Data

  • Booking & Travel Data

  • Payment Data

  • Communication Data

  • Technical & Device Data

  • Marketing & Preference Data

  • B2B Partner Data

Examples

  • Full name, email address, phone number, nationality, date of birth (where required)

  • Travel dates, destination, room/unit type, passenger names, dietary or accessibility requirements, flight numbers

  • Transaction reference numbers, payment method type. Note: we do not store full card numbers - these are processed by PCI DSS-compliant payment processors

  • Emails, WhatsApp messages, Viber messages, phone call records (where consent given), enquiry form submissions

  • IP address, browser type and version, operating system, device type, time zone, pages visited, referring URLs

  • Communication preferences, marketing opt-in status, survey responses, feedback

  • Company name, VAT number, authorised contact names, email, phone, platform access credentials

Purpose

  • Processing booking requests, issuing confirmations, communicating about your reservation

  • Managing your reservation; coordinating with hotels, property owners, transport and tour operators

  • Processing payments and issuing invoices or receipts

  • Responding to enquiries; maintaining records of service commitments

  • Website security, fraud prevention, improving user experience and website performance

  • Sending relevant offers and updates (only with explicit consent); improving our services

  • Managing B2B partnerships, platform access, invoicing and commercial agreements

We do not collect special categories of sensitive personal data (as defined in GDPR Article 9) such as health information, racial or ethnic origin, political opinions, or biometric data, except where you specifically provide health or accessibility information relevant to your travel booking, in which case we collect this on the basis of your explicit consent.

3. How We Collect Your Personal Data

3.1  Data You Provide Directly

  • Booking request and enquiry forms on our website

  • Email, telephone, WhatsApp, or Viber communications

  • Newsletter or marketing subscription forms

  • B2B registration and partner onboarding forms

  • Feedback, surveys, or review submissions

3.2  Data Collected Automatically

  • Cookies and similar tracking technologies on our website (see Section 9)

  • Google Analytics and similar analytics tools (aggregated and anonymised where possible)

  • Server logs recording IP addresses, page requests, and technical metadata

  • Meta Pixel and social media pixels, where active (subject to your cookie consent)

3.3  Data Received from Third Parties

  • Booking platform partners and distribution channels from whom bookings originate

  • Payment processors who provide transaction confirmation data

  • Hotels and property owners who share guest data in connection with your booking

4. Legal Basis for Processing (GDPR Article 6)

We process your personal data only where we have a lawful basis to do so. The applicable legal bases are:

4.1  Contract Performance (Article 6(1)(b))

We process identity, contact, booking, and payment data because it is necessary to perform the travel services you have requested or to take steps at your request prior to entering into a contract. This is our primary lawful basis for processing booking-related data.

4.2  Legitimate Interests (Article 6(1)(f))

We process technical and device data, and certain communication data, on the basis of our legitimate interests in:

  • Maintaining website security and preventing fraud

  • Improving our services and website performance

  • Maintaining records of communications for dispute resolution

  • Sending service-related messages to existing customers about similar services

 

We have assessed that these legitimate interests are not overridden by your fundamental rights and freedoms, given the reasonable expectations of individuals using a travel booking service.

4.3  Consent (Article 6(1)(a))

We rely on your freely given, specific, informed, and unambiguous consent for:

  • Email or SMS marketing newsletters and promotional communications

  • Non-essential cookies and tracking technologies (e.g. analytics, advertising pixels)

  • Processing health or accessibility information you provide in connection with your booking

 

You may withdraw consent at any time by using the unsubscribe link in any marketing email, by adjusting your cookie preferences via our Cookies Policy page, or by contacting us directly. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

4.4  Legal Obligation (Article 6(1)(c))

We process and retain certain financial and booking records because we are required to do so under Cyprus tax law, VAT regulations, and anti-money laundering legislation.

5. How We Use Your Personal Data

We use your personal data for the following specific purposes:

 

  • Processing and confirming booking requests for hotels, holiday homes, transfers, and tours

  • Communicating with you about your reservation, including confirmation emails, amendments, and pre-arrival information

  • Coordinating with third-party service providers (hotels, property owners, transport operators, tour operators) to deliver the services you have booked

  • Processing payments and issuing invoices, receipts, and financial records

  • Responding to enquiries, complaints, and requests for assistance

  • Sending marketing communications where you have opted in (you can opt out at any time)

  • Improving our website, services, and customer experience through analytics

  • Maintaining our legal and regulatory obligations, including tax, accounting, and anti-fraud measures

  • Managing B2B partner relationships, platform access, and commercial agreements

  • Protecting the security and integrity of our systems and services

 

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you, within the meaning of GDPR Article 22.

6. Sharing Your Personal Data

We share your personal data only where necessary and only with recipients who maintain appropriate legal and technical safeguards. We never sell your personal data to third parties.

6.1  Travel Service Providers

To deliver your booking, we share relevant personal data (names, contact details, travel dates, special requirements) with:

  • Hotels and holiday home property owners or managers in Cyprus and internationally

  • Airport transfer and ground transport operators

  • Tour operators and excursion providers

 

Each of these providers acts as an independent data controller for the data they receive. They are contractually required to process your data lawfully, securely, and only for the purpose of delivering the booked service.

6.2  Technology & Platform Providers

We use the following third-party platforms and processors, all of which provide appropriate safeguards under GDPR:

 

  • Wix.com (website platform and hosting) — EU-compliant data processing; Data Processing Agreement in place

  • Google LLC (Google Analytics, Google Workspace) — EU-US Data Privacy Framework; Standard Contractual Clauses

  • Meta Platforms Ireland (Meta Pixel) — EU-US Data Privacy Framework; subject to your cookie consent

  • WhatsApp / Viber (customer communications) — used where you initiate contact via these channels

6.3  Legal & Regulatory Disclosure

We may disclose personal data to competent authorities (including the Cyprus Tax Department, Cyprus Police, or courts) where required to do so by law, court order, or regulatory obligation. We will notify you of such disclosure where legally permitted to do so.

6.4  International Transfers

Where we transfer personal data outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including:

  • Adequacy decisions adopted by the European Commission

  • Standard Contractual Clauses (SCCs) approved by the European Commission

  • The EU-US Data Privacy Framework, where applicable

7. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Specific retention periods are set out below.

Data Category

  • Booking records & confirmations

  • Invoice and payment records

  • Customer communication records

  • Marketing consent and preferences

  • Website analytics and logs

  • B2B partner data

  • Unconfirmed enquiries

Retention Period

  • 7 years

  • 7 years

  • 2 years after last interaction

  • Until consent withdrawn, then 1 year

  • 26 months (Google Analytics default)

  • Duration of partnership + 7 years

  • 6 months

Legal Basis for Retention

  • Tax and accounting obligations (Cyprus Tax Law, EU VAT Directive)

  • Cyprus Companies Law; Tax authority requirements

  • Legitimate interest (dispute resolution, service quality)

  • GDPR Article 7 consent documentation requirement

  • Legitimate interest; anonymised after 26 months

  • Contractual and legal obligations

  • Legitimate interest; deleted if no booking follows

When personal data is no longer required, it is securely deleted or permanently anonymised. Where technically feasible, we review and purge data on a rolling basis.

8. Security of Your Personal Data

We implement appropriate technical and organisational security measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These measures include:

 

  • SSL/TLS encryption for all data transmitted between your browser and our website

  • Secure hosting infrastructure provided by Wix.com with access controls and monitoring

  • PCI DSS-compliant payment processing — we do not store full payment card numbers on our systems

  • Role-based access controls, limiting access to personal data to staff who require it

  • Regular review of our data protection practices and vendor security posture

 

No internet transmission or electronic storage method is 100% secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security. If you have reason to believe your data has been compromised, please contact us immediately at info@wwe-cy.com.

9. Cookies & Tracking Technologies

Our website uses cookies and similar technologies. Cookies are small text files placed on your device when you visit our website. We use:

Strictly Necessary Cookies

Essential for the website to function. Cannot be disabled. No consent required.

  • Session management and security cookies (Wix platform)

  • Shopping basket / booking session cookies

Analytics Cookies (Consent Required)

Help us understand how visitors use our website. We use Google Analytics (anonymised IP) to measure traffic and improve content. These cookies are set only with your consent.

Marketing & Advertising Cookies (Consent Required)

Used to deliver relevant advertising and measure campaign performance. Where active, we use Meta Pixel and similar tools. These are set only with your explicit consent.

 

You can manage your cookie preferences at any time through the cookie consent banner on our website or by visiting our Cookies Policy page at www.wwe-cy.com/cookies-policy.

 

Our cookie practices comply with Part 14 of Cyprus Law 112(I)/2004 (ePrivacy), which requires consent for non-essential cookies, and with GDPR for the personal data processed through those cookies.

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights in relation to your personal data. We will respond to verified requests within one month of receipt (extendable by a further two months in complex cases, with notice).

Your Right

  • Right of Access (Art. 15)

  • Right to Rectification (Art. 16)

  • Right to Erasure (Art. 17)

  • Right to Restriction (Art. 18)

  • Right to Portability (Art. 20)

  • Right to Object (Art. 21)

  • Right to Withdraw Consent (Art. 7)

  • Right to Lodge a Complaint

What This Means

  • Obtain a copy of all personal data we hold about you and information about how we use it

  • Have inaccurate or incomplete personal data corrected without undue delay

  • Request deletion of your personal data where there is no longer a lawful basis for us to hold it, subject to legal retention obligations

  • Request that we limit processing of your data (e.g. while a complaint is being resolved)

  • Receive your data in a structured, machine-readable format and transfer it to another provider where technically feasible

  • Object to processing based on legitimate interests, including direct marketing and profiling

  • Withdraw consent for marketing or any other consent-based processing at any time without affecting prior processing

  • File a complaint with the Cyprus Commissioner for the Protection of Personal Data or your local supervisory authority

How to Exercise

To exercise any of these rights, email us at info@wwe-cy.com with the subject line: DATA RIGHTS REQUEST. We may ask you to verify your identity before processing your request. We will not charge a fee for reasonable requests. Manifestly unfounded or excessive requests may be refused or subject to a fee as permitted by GDPR Article 12(5).

Supervisory Authority

If you are not satisfied with our response to a data protection request or believe we are processing your data unlawfully, you have the right to lodge a complaint with:

 

Commissioner for the Protection of Personal Data (Cyprus)

1 Iasonos Street, 1082 Nicosia, Cyprus

Tel: +357 22 818 456  |  Email: commissioner@dataprotection.gov.cy

Website: www.dataprotection.gov.cy

 

If you are resident in another EU Member State, you may also lodge a complaint with your local supervisory authority.

11. Children's Privacy

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. Where children are included in a booking (e.g. as passengers), the data provided relates to travel arrangements and is provided by the responsible adult making the booking.

 

If you believe we have inadvertently collected personal data relating to a child under 16 without appropriate consent, please contact us immediately at info@wwe-cy.com and we will delete the data promptly.

12. Changes to This Privacy Policy

We review and update this Privacy Policy periodically to reflect changes in our services, technology, applicable law, or regulatory guidance. When we make material changes, we will:

 

  • Update the Effective Date and Last Reviewed date at the top of this page

  • Where required by law or where changes are significant, notify active customers and B2B partners by email

 

We encourage you to review this Privacy Policy regularly. Your continued use of our website and services after any update constitutes acceptance of the revised policy.

13. Contact Us & Data Protection Enquiries

For any questions, requests, or concerns relating to this Privacy Policy or our data protection practices, please contact:

Worldwide Wellness Escapes Ltd (WWE Travel CY)

Data Protection Contact Point

Address: Theodosiou Hadjitheodosiou 6, Nicosia, Republic of Cyprus

Email: info@wwe-cy.com  (subject: PRIVACY / DATA PROTECTION REQUEST)

Telephone: +357 22 420437

Website: www.wwe-cy.com/privacy-policy

 

Company Registration No: ΗΕ 458302  ·  CTO Licence: 7732

© 2026 Worldwide Wellness Escapes Ltd. All rights reserved.  This disclaimer was last reviewed in May 2026 against applicable Cyprus and EU law, including EU Directive 2015/2302 (Package Travel), GDPR (EU) 2016/679, Cyprus Consumer Protection Law 112(I)/2021, and Cyprus Data Protection Law 125(I)/2018. This document is provided for informational purposes. For legally binding advice specific to your circumstances, consult a qualified Cyprus lawyer

bottom of page