Privacy Policy
Last Updated: November 1, 2025
1. Introduction
UmrahDeals Ltd (Company No. 16423580), with registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ ("we," "us," or "our"), is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, transfer, and store your personal data when you visit our website or use our services.
We are the data controller responsible for your personal data. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.
This Privacy Policy applies to all users of our services, including residents of the United States and Middle East countries. If you have any questions about how we handle your personal data, please contact us at [email protected].
2. Information We Collect
2.1 Information You Provide to Us
We collect personal data that you voluntarily provide when using our services:
Account Registration
- Full name
 - Email address
 - Phone number
 - Password (encrypted)
 - Country of residence
 
Booking Information
- Full name of all travelers
 - Date of birth
 - Nationality
 - Gender
 - Passport details (number, issue date, expiry date, issuing country)
 - Travel dates and preferences
 - Special requirements (dietary restrictions, accessibility needs, medical conditions relevant to travel)
 - Emergency contact information
 
Payment Information
- Billing name and address
 - Payment card information (processed and stored by Stripe, our payment processor)
 - Transaction history
 
Visa Application Information
- Full passport details
 - Passport photograph
 - Proof of accommodation
 - Travel itinerary
 - Employment information
 - Travel insurance details
 - Previous travel history
 - Vaccination certificates
 
eSIM Purchase Information
- Device type and model
 - IMEI or device identifier
 - Email address for QR code delivery
 
Communications
- Customer support correspondence
 - Feedback and reviews
 - Marketing preferences
 
2.2 Information We Collect Automatically
When you visit our website, we automatically collect certain information:
Technical Information
- IP address and approximate geographic location
 - Browser type and version
 - Operating system
 - Device type (desktop, mobile, tablet)
 - Screen resolution
 - Referring website
 
Usage Information
- Pages visited and time spent on each page
 - Links clicked
 - Search queries
 - Booking journey and conversion data
 - Date and time of visits
 
2.3 Information from Third Parties
We may receive information about you from third-party sources:
- Airlines: Flight booking confirmations, schedule changes, cancellations
 - Hotels: Reservation confirmations, availability updates
 - Visa Authorities: Application status, approval or rejection notifications
 - Payment Processors: Payment confirmation, fraud prevention data
 - eSIM Providers: Activation status, data usage
 
3. How We Use Your Information
We use your personal data for the following purposes, based on specific legal grounds:
3.1 Contract Performance
To fulfill our contractual obligations to you, we use your data to:
- Process and manage your bookings for flights, hotels, eSIM products, and visa services
 - Create and manage your account
 - Process payments and issue invoices
 - Deliver eSIM QR codes and activation instructions
 - Send booking confirmations, itineraries, and travel documents
 - Provide customer support and respond to your inquiries
 - Communicate important service updates and booking changes
 
3.2 Legal Obligations
To comply with legal requirements, we process your data to:
- Submit visa applications to Saudi Arabian authorities
 - Comply with financial regulations and tax requirements
 - Prevent fraud and money laundering
 - Respond to legal requests from law enforcement or regulatory authorities
 - Maintain records as required by UK company law
 - Verify your identity and prevent unauthorized access
 
3.3 Legitimate Interests
Where we have legitimate business interests, we use your data to:
- Improve our website functionality and user experience
 - Analyze booking patterns and customer preferences
 - Prevent fraudulent activities and enhance security
 - Develop new products and services
 - Conduct market research and analytics
 - Protect our business interests and enforce our Terms of Service
 
We carefully balance these interests against your privacy rights and will not process your data in ways you would not reasonably expect.
3.4 Consent
With your explicit consent, we may:
- Send you marketing communications about our services, special offers, and travel deals
 - Use cookies and similar technologies for analytics and advertising
 - Share your information with marketing partners (only with your express permission)
 
You can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4. Legal Basis for Processing (UK GDPR)
Under UK GDPR, we must have a legal basis for processing your personal data. Our legal bases are:
| Purpose | Legal Basis | 
|---|---|
| Processing bookings and providing services | Contract performance (Article 6(1)(b)) | 
| Visa application submission | Legal obligation (Article 6(1)(c)) | 
| Payment processing and fraud prevention | Legal obligation (Article 6(1)(c)) | 
| Tax and accounting compliance | Legal obligation (Article 6(1)(c)) | 
| Website analytics and improvements | Legitimate interests (Article 6(1)(f)) | 
| Marketing communications | Consent (Article 6(1)(a)) or Legitimate interests (Article 6(1)(f)) | 
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) | 
5. How We Share Your Information
We share your personal data with the following categories of recipients:
5.1 Service Providers
- Airlines: We share passenger details (name, date of birth, passport information) with airlines through our partner Duffel to complete flight bookings
 - Hotels: We share guest details (name, contact information, special requests) with accommodation providers to confirm reservations
 - eSIM Providers: We share email addresses and device information to provision and deliver eSIM services
 - Payment Processors (Stripe): We share billing information to process payments securely. Stripe handles all payment card data and is PCI-DSS compliant
 - Email Service Provider (Resend): We share email addresses and names to send booking confirmations and service communications
 
5.2 Government Authorities
- Saudi Arabian Visa Authorities: We share comprehensive personal data, passport information, travel itineraries, and supporting documents to process visa applications
 - UK Tax Authorities (HMRC): We share transaction records and financial data to comply with UK tax laws
 - Law Enforcement: We may disclose information when legally required or to protect our legal rights
 
5.3 Business Partners
- Duffel (IATA-accredited flight booking partner): For processing flight reservations
 - Analytics Providers: Aggregated, anonymized data for website performance analysis
 
5.4 Legal Requirements
We may disclose your personal data when required by law or in response to:
- Court orders or subpoenas
 - Legal processes or government requests
 - Protection of our rights, property, or safety
 - Investigation of fraud or security issues
 
5.5 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change and ensure that your data continues to be protected.
6. International Data Transfers
As a UK company serving international customers, your personal data may be transferred to and processed in countries outside your country of residence:
6.1 Destinations
- United Kingdom: Our primary data processing location (adequate protection under UK GDPR)
 - European Union: Some service providers are located in EU countries (adequate protection under UK adequacy decisions)
 - United States: Payment processing (Stripe), email services (Resend), and flight booking (Duffel) involve data transfers to the US
 - Saudi Arabia: Visa application data is transferred to Saudi government authorities for processing tourist visa applications
 
6.2 Safeguards
For transfers to countries without adequacy decisions, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): We use UK/EU-approved SCCs with service providers in countries lacking adequacy decisions
 - Processor Agreements: All processors are contractually bound to protect your data and use it only as instructed
 - US Service Providers: We work with providers that implement strong security measures and comply with applicable data protection frameworks
 - Government Transfers: Transfers to Saudi authorities are necessary for visa processing and based on your explicit consent and legal requirements
 
7. Cookies and Tracking Technologies
7.1 What Are Cookies
Cookies are small text files placed on your device when you visit our website. They help us provide you with a better experience and allow certain features to function.
7.2 Types of Cookies We Use
Essential Cookies (Always Active)
These cookies are necessary for our website to function and cannot be disabled:
- Session management and user authentication
 - Shopping cart functionality
 - Security and fraud prevention
 - Load balancing
 
Functional Cookies
These cookies remember your preferences:
- Language and currency settings
 - Display preferences
 - Form auto-fill
 
Analytics Cookies
We use analytics cookies to understand how visitors use our website:
- Pages visited and navigation paths
 - Time spent on pages
 - Click patterns and user interactions
 - Device and browser information
 - Traffic sources and referrals
 
Payment Cookies
Stripe uses cookies to:
- Process secure payments
 - Detect and prevent fraudulent transactions
 - Remember payment methods (if you choose)
 
7.3 Cookie Control
You can control cookies through:
- Browser Settings: Most browsers allow you to refuse or delete cookies
 - Our Cookie Preferences: Adjust non-essential cookies through our website settings
 - Third-Party Opt-Outs: Some analytics providers offer opt-out mechanisms on their websites
 
Note: Disabling essential cookies may prevent you from using certain features of our website, including making bookings.
7.4 Do Not Track Signals
Our website does not currently respond to "Do Not Track" browser signals, as there is no industry standard for handling such signals. We respect your privacy choices through cookie controls and opt-out mechanisms.
8. Data Security
We implement comprehensive security measures to protect your personal data:
8.1 Technical Measures
- Encryption: All data transmission uses SSL/TLS encryption (HTTPS)
 - Database Encryption: Sensitive data is encrypted at rest in our databases
 - Password Security: Passwords are hashed using industry-standard algorithms
 - Access Controls: Role-based access limits who can view or process personal data
 - Firewall Protection: Network security prevents unauthorized access
 - Regular Security Audits: We conduct periodic security assessments
 
8.2 Organizational Measures
- Staff Training: Employees receive data protection and security training
 - Confidentiality Agreements: All staff sign confidentiality agreements
 - Data Minimization: We only collect data necessary for our services
 - Regular Backups: Encrypted backups protect against data loss
 - Incident Response Plan: Procedures for handling data breaches
 
8.3 Payment Security
We do not store complete payment card details on our servers. All payment processing is handled by Stripe, which is PCI-DSS Level 1 compliant (the highest level of security certification in the payments industry).
8.4 Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and relevant authorities within 72 hours as required by UK GDPR.
9. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy:
9.1 Retention Periods
| Data Type | Retention Period | Reason | 
|---|---|---|
| Booking records and invoices | 7 years | UK tax and accounting law requirements | 
| Payment transaction records | 7 years | Financial regulations and dispute resolution | 
| Visa application documents | 2 years after travel date | Potential visa-related inquiries or appeals | 
| eSIM purchase records | 2 years | Customer support and warranty claims | 
| Marketing communications data | Until opt-out or 3 years of inactivity | Marketing consent management | 
| Website analytics data | 26 months maximum | Website improvement and analysis | 
| Customer support correspondence | 3 years | Quality assurance and dispute resolution | 
| Account information (active accounts) | Duration of account plus 1 year | Service provision and legal compliance | 
| Account information (inactive accounts) | 3 years of inactivity, then deleted | Re-engagement opportunity and GDPR compliance | 
9.2 Secure Deletion
After the retention period expires, we securely delete or anonymize your personal data. Anonymized data (which can no longer identify you) may be retained for statistical and analytical purposes.
10. Your Data Protection Rights
Under UK GDPR and applicable data protection laws, you have the following rights:
10.1 Right of Access
You have the right to request a copy of the personal data we hold about you. We will provide this information free of charge in a commonly used electronic format.
10.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.
10.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
 - You withdraw consent (where processing is based on consent)
 - You object to processing and there are no overriding legitimate grounds
 - The data has been unlawfully processed
 
Note: We may be unable to delete data if we have legal obligations to retain it (e.g., tax records, financial compliance).
10.4 Right to Restriction of Processing
You have the right to request restriction of processing when:
- You contest the accuracy of your personal data
 - Processing is unlawful but you don't want data deleted
 - We no longer need the data but you need it for legal claims
 - You have objected to processing pending verification of legitimate grounds
 
10.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another data controller. This applies to data you provided to us with consent or for contract performance, and where processing is automated.
10.6 Right to Object
You have the right to object to processing based on:
- Legitimate interests: You can object to processing based on our legitimate interests
 - Marketing: You can object to direct marketing at any time
 - Profiling: You can object to automated decision-making and profiling
 
10.7 Right to Withdraw Consent
Where we process your data based on consent, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing before consent was withdrawn.
10.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority:
- UK: Information Commissioner's Office (ICO) - https://ico.org.uk
 - US: Federal Trade Commission (FTC) or your state's Attorney General
 - Middle East: Your local data protection authority or consumer protection agency
 
11. Additional Rights for US Residents
Residents of certain US states have additional rights under state privacy laws:
11.1 California Residents (CCPA/CPRA)
- Right to know what personal information is collected, used, shared, or sold
 - Right to delete personal information (subject to exceptions)
 - Right to opt out of the sale or sharing of personal information (we do not sell your data)
 - Right to correct inaccurate personal information
 - Right to limit use of sensitive personal information
 - Right to non-discrimination for exercising privacy rights
 
11.2 Virginia, Colorado, Connecticut, Utah Residents
Residents of these states have similar rights under their respective state privacy laws, including:
- Right to access and obtain a copy of personal data
 - Right to delete personal data
 - Right to correct inaccuracies
 - Right to opt out of targeted advertising (we do not engage in targeted advertising)
 - Right to opt out of the sale of personal data (we do not sell personal data)
 
12. How to Exercise Your Rights
To exercise any of your data protection rights, please:
- Email us: Send a request to [email protected] with "Data Privacy Request" in the subject line
 - Account Settings: Many changes can be made directly in your account settings
 - Unsubscribe: Use the unsubscribe link in marketing emails
 
12.1 Verification
To protect your privacy, we will verify your identity before processing requests. We may ask for:
- Email address associated with your account
 - Recent booking reference number
 - Answers to security questions
 
12.2 Response Time
We will respond to your request:
- UK GDPR: Within 1 month (extendable to 3 months for complex requests)
 - US State Laws: Within 45 days (extendable to 90 days with notice)
 
12.3 Fees
We do not charge fees for exercising your rights unless requests are manifestly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable administrative fee or refuse the request.
13. Children's Privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately, and we will delete such information.
Travel bookings for minors must be made by a parent or legal guardian who provides the child's information as part of the booking process.
14. Automated Decision-Making and Profiling
We use limited automated decision-making in the following contexts:
- Fraud Detection: Automated systems may flag potentially fraudulent transactions for manual review. This protects both you and us from fraud
 - Pricing and Availability: Algorithms determine real-time pricing and availability based on supplier data, travel dates, and demand
 
We do not make solely automated decisions that have legal or similarly significant effects on you. All significant decisions involve human review. You have the right to request human intervention, express your point of view, and challenge automated decisions.
15. Third-Party Links
Our website may contain links to third-party websites, including airlines, hotels, and partner services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
 - Notify registered users via email
 - Display a prominent notice on our website
 - For significant changes, seek renewed consent where required
 
We encourage you to review this Privacy Policy periodically. Your continued use of our services after changes are posted constitutes acceptance of the updated Privacy Policy.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
 - Subject Line: "Privacy Inquiry" or "Data Privacy Request"
 - Company Name: UmrahDeals Ltd
 - Company Number: 16423580
 - Registered Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
 
17.1 Data Protection Officer
For specific data protection inquiries or to exercise your rights under UK GDPR, you may also contact our designated data protection contact at [email protected] with "DPO" in the subject line.
18. Supervisory Authority Contact Information
You have the right to lodge a complaint with your local supervisory authority:
United Kingdom
- Information Commissioner's Office (ICO)
 - Website: https://ico.org.uk
 - Phone: 0303 123 1113
 - Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
 
United States
- Federal Trade Commission (FTC)
 - Website: https://www.ftc.gov
 - Phone: 1-877-FTC-HELP (1-877-382-4357)
 
State-specific privacy rights inquiries may also be directed to your state Attorney General's office.