Privacy — what we collect, why, and what we do with it — quick summary
Privacy on this site is intentionally minimal. We collect only the information needed to deliver your booking. We do not run analytics that profile individual visitors, we do not load third-party advertising trackers, and we do not enrich the data we hold from external sources.
This page explains in plain language: what data we collect, why we collect it, where it lives, who we share it with, how long we keep it, and what your rights are. The legal frame is the UAE Personal Data Protection Law (PDPL); where you are reading from a jurisdiction with stronger rights (GDPR, CCPA), we apply the higher standard.
1. What data we collect
At booking: full name, mobile number (for the WhatsApp thread), pickup hotel or area, group size with adult/child split, any dietary preference for safari camps, and any disclosed medical condition relevant to the service.
At payment: card last four digits and the issuing bank, transaction reference, payment status. Full card numbers are never stored on our systems — they are processed by the UAE-licensed payment gateway and only the truncated reference returns to us.
From visiting the site: an anonymised log of pages visited (no IP-level tracking), screen size and browser type for layout debugging. We do not load Google Analytics, we do not load Meta Pixel, we do not load any third-party advertising tracker.
If you message WhatsApp: the conversation thread itself, which is held by Meta (WhatsApp's operator) under their privacy terms in addition to ours. Messages used by the office to coordinate your booking are referenced only by the office staff handling that booking.
2. Why we collect each item
Name and mobile number — to confirm the booking, to coordinate pickup on the day, and to handle any operator-side weather rebook. Without these the booking cannot be delivered.
Hotel address — pickup logistics. The driver needs to know where to go. Out-of-zone surcharges are calculated from this.
Group size + age split — capacity planning at the camp, vehicle assignment for safari, kid-seat preparation at the BBQ, and the minimum-age check for the balloon and the dirt-bike experienced tier.
Dietary preference — the camp kitchen prepares vegetarian, halal and allergy-aware portions in advance to avoid a scramble at service time.
Disclosed medical condition — to confirm the service is safe for the guest and to brief the lead rider or balloon pilot.
Payment confirmation — accounting and refund handling.
3. Where data is held
Booking records are held on UAE-based servers operated by the office. The office uses standard small-business productivity tools (encrypted spreadsheet, encrypted backup) for the daily booking sheet. The booking sheet is accessible only to office staff handling bookings on the relevant date.
Payment records are held on the gateway operator's systems under their PCI-DSS compliance regime. Payment gateway operators are UAE-licensed.
WhatsApp message threads are held on Meta's WhatsApp infrastructure under WhatsApp's privacy terms; the threads are end-to-end encrypted between your device and the office device. The office does not export or archive the threads beyond what is needed to coordinate the booking.
4. Who we share data with
Operator partners. Hot air balloon flights are operated by a UAE GCAA-approved partner; the partner needs the manifest (names, ages, weight where relevant) to confirm the booking. We share only the manifest data, not the payment record. Camel ride and dirt bike operators receive the rider name and headcount for their daily roster.
Pickup driver. The driver receives your name, hotel and pickup time on the day of the booking. The driver does not see your payment record or any medical disclosure beyond what affects the ride (for example, "guest skipping the dune-bash, taking the alternative camel-only segment").
Government authorities. If a UAE government authority requests booking records under a legitimate legal process, we comply. We do not voluntarily share booking records with any third party.
We do not sell data. We do not share booking records with marketing partners. We do not use booking data to train any external system.
5. How long we keep data
Active booking records are held for 90 days after the date of the service. This window covers refund processing, dispute resolution, and the standard accounting close.
After 90 days, personal data is anonymised in the office records — the booking is retained for accounting and tourism-board reporting purposes (headcount, service mix, seasonality) but the personally identifying fields (name, mobile, hotel) are stripped.
WhatsApp threads with no booking activity for 12 months are archived locally and the corresponding chat is closed in the office account.
Payment records are held for the period required by UAE tax and accounting regulations (currently five years from the end of the relevant tax year), held only on the payment gateway side.
6. Cookies and on-site tracking
This site uses no third-party advertising trackers, no remarketing pixels, no cross-site analytics. We use a minimal set of first-party cookies for layout preference (so the site remembers your dark/light preference between visits) and an anonymised page-view log for content planning.
Full cookie inventory and the controls available to refuse non-essential cookies live on the dedicated cookie policy page.
7. Your rights
Under the UAE PDPL (and under GDPR / CCPA where applicable to you), you have the right to: access the personal data we hold on you, correct any inaccuracy, delete your personal data, object to specific processing, port your data to a third party, and complain to the relevant supervisory authority if you believe we have mishandled your data.
Exercising any of these rights is the same workflow: message the office on WhatsApp +971 52 440 9525, state which right you want to exercise, and the office responds in writing within 30 days. Most requests are handled inside 7 days. There is no fee for any reasonable rights request.
8. Children's data
Children's names and ages may be collected at booking when a family books a service together. The data is held under the same rules as the parent's data and is used only to deliver the booking (kid-seat preparation, minimum-age check, age-appropriate equipment).
We do not market to children, we do not collect any data directly from a child under 18, and we do not retain children's personal data beyond the standard 90-day window.
9. Data security
The office laptops and mobile devices used to handle bookings run a standard endpoint security stack — full-disk encryption, current operating-system security patches, automatic screen-lock. Backup of the booking sheet is encrypted at rest. Access to the booking sheet is limited to office staff actively handling bookings; no external party has read access.
In the event of a personal-data breach we will notify affected guests within 72 hours of discovery and notify the relevant UAE supervisory authority within the period required by PDPL. The notification will describe what happened, what data was affected, what we are doing about it, and what you can do.
10. Changes to this policy
This policy may be updated to reflect changes in our services, in payment partners, in UAE law, or in industry best practice. Material changes are noted at the top of this page with the change date. The version of the policy in effect at the time of your booking is the version that applies to your booking.
For any privacy question or rights request, message WhatsApp +971 52 440 9525.
Data request? Email [email protected]
WhatsApp keeps the conversation in one place. Reply usually under five minutes during operating hours.