Maldives Diaries

INTRODUCTION AND SCOPE

About This Policy

This Privacy Policy applies to Maldives Diaries (hereinafter "the Company," "we," "us," or "our"), a duly licensed tour operator incorporated under the laws of the Republic of Maldives. This Policy applies to all personal data collected and processed by the Company through:

• Our website and any mobile applications operated by the Company
• Direct booking and enquiry processes (email, telephone, and in-person)
• Interactions with our guides, staff, and representatives
• Our relationships with business partners, affiliates, and service providers
• Social media channels operated by the Company

This Policy is published in compliance with the Maldives Data Protection Act 2017 (Law No. 29/2017) and in anticipation of further obligations under the Privacy and Personal Data Protection Bill (as consulted upon in 2023 and any successor legislation enacted thereafter), as well as the General Data Protection Regulation (GDPR) of the European Union and the UK General Data Protection Regulation (UK GDPR) to the extent applicable to our processing of personal data of individuals resident in those jurisdictions.

Data Controller

For the purposes of applicable data protection law, Maldives Diaries acts as the Data Controller with respect to personal data collected from Clients, website visitors, and business partners. Our details are:

Maldives Diaries
Email (Privacy): privacy@maldivesdiaries.com
Phone: [+960 XXX XXXX]
Address: [Address, Malé, Republic of Maldives]

Definitions

"Data Controller" means the entity that determines the purposes and means of processing personal data.
"Data Processor" means an entity that processes personal data on behalf of the Data Controller.
"Data Subject" means a natural person whose personal data is processed by the Company.
"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to names, identification numbers, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
"Processing" means any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, combination, restriction, erasure, or destruction.
"Sensitive Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, or data concerning sexual orientation.
"Third Party" means a natural or legal person, public authority, agency, or body other than the Data Subject, Data Controller, or Data Processor.

PERSONAL DATA WE COLLECT

Categories of Personal Data Collected

The Company collects and processes the following categories of personal data:

Identity and Contact Data

• Full legal name as it appears on travel documents
• Date of birth and nationality
• Passport number and expiry date
• Email address
• Telephone number(s)
• Postal address
• Emergency contact details (name, relationship, and contact number)

Booking and Transaction Data

• Package selection, travel dates, and itinerary preferences
• Booking history and previous interactions with the Company
• Payment information (we do not store full card details; payments are processed through PCI-DSS compliant payment processors)
• Invoices, receipts, and transaction records
• Correspondence and communications related to a Booking

Health and Special Requirements Data

• Medical conditions, disabilities, or physical limitations relevant to participation in Package activities
• Dietary requirements and food allergies
• Pregnancy status (where disclosed for safety purposes)
• Vaccination records (where required)

Health data constitutes Sensitive Personal Data. We process such data only where strictly necessary for the safe delivery of our services and with the explicit consent of the Data Subject.

Technical and Usage Data

• IP address and device identifiers
• Browser type and version
• Pages visited on our website and time spent
• Referral source and search queries
• Cookie and tracking data (see Cookie Policy)

Marketing and Communication Preferences

• Preferences for receiving marketing communications
• Communication channel preferences
• Feedback, survey responses, and reviews

Photography and Media

• Photographs or videos taken during Package activities where the Client has consented to marketing use
• Social media handles (where provided voluntarily)

Partner and Business Contact Data

• Contact names, roles, email addresses, and telephone numbers of employees of foreign tour operator partners, guesthouses, and other Service Providers
• Company registration details and licensing information of business partners

How We Collect Personal Data

We collect personal data through the following channels:

• Booking forms, enquiry forms, and registration processes submitted by the Client
• Email, telephone, and in-person communications with the Company
• Automated technologies on our website (cookies, analytics tools)
• Third-party sources, including foreign tour operators or travel agents who transmit Booking information to us on behalf of Clients
• Social media platforms where you interact with our accounts
• Feedback forms, post-trip surveys, and review submissions

LEGAL BASIS AND PURPOSES OF PROCESSING

Legal Bases for Processing

We process personal data on the following legal bases:

• Contract Performance: Processing necessary to fulfil a Booking and deliver the contracted Package to the Client.
• Legal Obligation: Processing required to comply with applicable Maldivian law, including tourism licensing, tax obligations (TGST, Green Tax), immigration requirements, and any applicable international law.
• Legitimate Interests: Processing for the Company's legitimate business interests, where these are not overridden by the rights and interests of Data Subjects, including fraud prevention, security, business analytics, and marketing to existing clients.
• Explicit Consent: Processing of Sensitive Personal Data (including health data) and processing for direct marketing to new contacts, where we rely on the explicit, freely given, specific, and informed consent of the Data Subject.
• Vital Interests: Processing necessary to protect the vital interests of the Data Subject or another person in emergency situations.

Purposes of Processing

We process personal data for the following purposes:

Service Delivery

• Processing and confirming Bookings
• Coordinating accommodation, transportation, and activities with Service Providers
• Providing pre-departure information, cultural briefings, and itinerary documents
• Communicating itinerary changes, alerts, or emergency information during the Package
• Facilitating immigration and customs compliance, including the provision of Client details to Maldivian immigration authorities where required by law

Health and Safety

• Assessing and managing health and safety risks associated with Package activities
• Communicating health information to activity providers and guides on a need-to-know basis
• Facilitating emergency medical assistance if required

Financial Administration

• Processing payments and issuing invoices and receipts
• Managing cancellations, refunds, and amendments
• Accounting, financial reporting, and audit compliance
• Fraud detection and prevention

Legal and Regulatory Compliance

• Compliance with the Maldives Tourism Act and associated regulations
• Compliance with Maldivian tax law, including TGST and Green Tax obligations
• Responding to lawful requests from Maldivian government authorities, law enforcement, or courts
• Maintaining records required by applicable tourism and business regulations

Marketing and Business Development

• Sending promotional communications about our Packages and services (with consent or pursuant to our legitimate interests for existing clients)
• Conducting post-trip surveys and gathering feedback
• Using anonymised or aggregated data for business intelligence and service improvement
• Publishing Client photographs and testimonials (with explicit consent only)

Website and Digital Services

• Operating and improving our website
• Analysing website usage to improve user experience
• Managing cookies and tracking technologies

DATA SHARING AND DISCLOSURE

Who We Share Personal Data With

We share personal data with third parties only where necessary and on a lawful basis. Recipients of personal data may include:

Service Providers

Guesthouses, transport operators, activity providers, dive centres, and local guides engaged to deliver elements of the Package receive the minimum personal data necessary to deliver their specific service. All Service Providers engaged by the Company are required under our Service Provider Agreements to process personal data only for the purposes for which it is shared and in compliance with applicable law.

Foreign Tour Operator Partners

Where a Booking is received through a foreign tour operator or travel agent operating under an affiliation agreement with Maldives Diaries, personal data may be shared with that partner to the extent necessary for the coordination of the Package. Foreign partners are required to maintain appropriate data protection standards and to process personal data only for the purposes of the Booking.

Payment Processors

Payment transactions are processed by third-party payment processors who are PCI-DSS compliant. We do not store full credit or debit card details. Payment processors operate under their own privacy policies and data security standards.

Maldivian Government Authorities

We may disclose personal data to the Ministry of Tourism, Maldives Immigration, Maldives Customs Service, the Maldives Inland Revenue Authority (MIRA), the Maldives Police Service, or any other competent Maldivian government authority where required by law, where necessary for the safe delivery of our services, or in response to a lawful order from a court or authority. Clients should be aware that Maldivian immigration authorities require advance passenger information for all arrivals.

Emergency Services

In the event of a medical or safety emergency, the Company may share personal data, including health information, with emergency services, medical facilities, and evacuation services to protect the vital interests of the Data Subject or others.

Professional Advisers

Our legal advisers, auditors, accountants, and insurers may receive personal data where necessary in connection with their professional services, subject to professional confidentiality obligations.

Successors and Transferees

In the event of a merger, acquisition, or restructuring of the Company, personal data held by the Company may be transferred to the successor entity as part of the business transfer, subject to the receiving entity being bound by equivalent data protection obligations.

International Data Transfers

The nature of our business requires that personal data is shared with Service Providers, partners, and authorities in the Republic of Maldives. Clients from the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data transfer restrictions should be aware that the Maldives does not currently hold an adequacy decision from the European Commission or equivalent body.

Where personal data is transferred from the EEA or UK to Maldives-based recipients, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards where contractually feasible. Where SCCs are not in place, we rely on the necessity of the transfer for the performance of the contract between the Data Subject and the Company (Article 49(1)(b) GDPR).

Personal data may be transferred to foreign tour operator partners in the Client's country of residence. Such transfers are made pursuant to contractual necessity and, where applicable, supported by SCCs or equivalent safeguards.

For Clients from jurisdictions outside the EEA and UK, the Company complies with applicable local data protection law regarding cross-border transfers to the extent notified in writing by the Client's jurisdiction.

DATA RETENTION, SECURITY, AND BREACH RESPONSE

Data Retention

We retain personal data for no longer than is necessary for the purposes for which it was collected, subject to applicable legal requirements.

The following indicative retention periods apply:

• Booking and transaction records: 7 years from the date of the relevant transaction, in compliance with Maldivian tax and accounting law
• Health and medical data: Deleted or anonymised within 12 months of the conclusion of the relevant Package, unless required for an ongoing legal claim
• Marketing contact data: Until the Data Subject withdraws consent or objects to processing, subject to a maximum of 3 years from the last interaction
• Website analytics data: 26 months on a rolling basis
• Photographs and media: Until withdrawn by the Company or upon request by the Data Subject
• Correspondence and communications: 3 years from the date of the relevant communication, unless related to a legal dispute

At the end of the applicable retention period, personal data will be securely deleted or irreversibly anonymised.

Data Security

Maldives Diaries implements appropriate technical and organisational security measures to protect personal data against unauthorised access, accidental loss, disclosure, alteration, or destruction, commensurate with the nature and sensitivity of the data processed.

Security measures include, but are not limited to:

• Encryption of data in transit using TLS/SSL protocols
• Access controls and authentication requirements for staff accessing personal data systems
• Role-based access limitations ensuring staff access only the personal data necessary for their function
• Regular security assessments and updates
• Staff training on data protection and information security
• Physical security controls for premises where personal data may be stored

Notwithstanding the foregoing, no method of transmission over the internet or electronic storage is completely secure. The Company cannot guarantee absolute security and encourages Clients to use secure channels when transmitting sensitive personal information.

Payment card data is handled exclusively by PCI-DSS compliant payment processors. The Company does not store, transmit, or process full card numbers.

Personal Data Breach Response

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of Data Subjects, the Company will:

• Contain the breach and take immediate remedial action
• Notify the relevant supervisory authority (or, in the absence of a designated Maldivian data protection authority, notify the Ministry responsible for data protection) without undue delay and, where feasible, within 72 hours of becoming aware of the breach
• Notify affected Data Subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms

Notifications to Data Subjects will describe the nature of the breach, the likely consequences, the measures taken or proposed to address the breach, and provide the contact details of the Company's privacy contact.

YOUR RIGHTS AS A DATA SUBJECT

Rights of Data Subjects

Subject to applicable law and any exemptions therein, Data Subjects have the following rights with respect to their personal data held by Maldives Diaries:

Right of Access

You have the right to request a copy of the personal data we hold about you and information about how it is processed. We will respond to such requests within 30 days (or such other period as required by applicable law). We may require verification of your identity before fulfilling an access request.

Right to Rectification

You have the right to request correction of inaccurate personal data. If you believe any personal data we hold is incorrect or incomplete, please contact us and we will rectify it without undue delay.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected, where consent has been withdrawn, or where the data has been unlawfully processed. This right is subject to our legal obligations to retain data for tax, regulatory, or legal purposes, which may override a deletion request.

Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate interests.

Right to Data Portability

Where processing is based on consent or contractual necessity and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.

Right to Object

You have the right to object to the processing of your personal data for direct marketing purposes at any time, without giving reasons. You also have the right to object to processing based on our legitimate interests, on grounds relating to your particular situation.

Rights Related to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects concerning you. Maldives Diaries does not currently engage in such automated decision-making.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction. For EEA residents, this is the data protection authority of your EU Member State. For UK residents, this is the Information Commissioner's Office (ICO). For Maldivian residents or for complaints relating to Maldivian law, you may contact the relevant Maldivian authority responsible for data protection matters.

To exercise any of the above rights, please submit a written request to privacy@maldivesdiaries.com. We may ask you to verify your identity before processing your request. We will respond within 30 days, or within the timeframe required by applicable law.

COOKIES AND ONLINE TRACKING

Cookie Policy

Our website uses cookies and similar tracking technologies to enhance user experience, analyse website performance, and support our marketing activities. A cookie is a small data file stored on your device when you visit a website.

Types of Cookies We Use:

• Strictly Necessary Cookies: Essential for the operation of our website, including session management, security, and booking form functionality. These cannot be disabled without impairing website functionality.
• Performance and Analytics Cookies: Collect anonymised data about how visitors use our website, including pages visited and error messages, to help us improve website performance. We use third-party analytics tools (such as Google Analytics) for this purpose.
• Functionality Cookies: Remember your preferences and choices (such as language or currency) to personalise your experience.
• Marketing and Targeting Cookies: Used to deliver advertising relevant to you and your interests. These may be set by third-party advertising networks.

We obtain your consent before placing non-essential cookies on your device through our cookie consent tool. You may withdraw or modify your consent at any time by accessing your cookie settings on our website.

You may also control cookies through your browser settings. Disabling certain cookies may affect the functionality of our website.

Third-Party Analytics and Social Media

Our website may include social media sharing features, embedded content, or links to third-party websites. The Company is not responsible for the privacy practices of third-party websites and encourages you to review their respective privacy policies.

When you interact with our social media channels, your personal data will also be processed by the operator of the relevant platform (e.g., Meta, Instagram, Facebook) in accordance with their privacy policies. We do not control this processing.

MARKETING AND COMMUNICATIONS

Direct Marketing

We may use your contact details to send you promotional communications about our Packages, special offers, new itineraries, and travel content. We rely on:

• Your explicit consent, where required (including for new contacts and Clients from certain jurisdictions)
• Our legitimate interest in marketing to existing Clients with whom we have an established commercial relationship, subject to your right to object at any time

You may unsubscribe from marketing communications at any time by clicking the unsubscribe link in any marketing email, or by contacting us at privacy@maldivesdiaries.com. Unsubscribing from marketing does not affect communications necessary for the performance of an existing Booking.

We do not sell, rent, or exchange your personal data with third parties for their own marketing purposes.

User-Generated Content and Testimonials

Where you provide us with a review, testimonial, or photograph for publication on our website or marketing materials, we will publish this content only with your explicit written consent.

You may withdraw consent for publication of your testimonial or photograph at any time by contacting us. We will remove such content within a reasonable time, acknowledging that content already distributed in physical print materials cannot be recalled.

CHILDREN'S PRIVACY

Processing of Minors' Data

Our services are marketed to adults aged 18 and over. Where a Package includes minors (persons under 18 years of age), the personal data of such minors is processed only with the explicit consent of and under the authority of the minor's parent or legal guardian, who accepts full responsibility for compliance with these terms on behalf of the minor.

The personal data of minors will be used only to the extent necessary for the delivery of the booked Package and compliance with Maldivian immigration and safety requirements.

The Company does not knowingly collect personal data from children for marketing purposes. If we become aware that we have inadvertently collected such data, we will delete it promptly.

SPECIAL SITUATIONS AND SENSITIVE DATA

Health Data Processing in Detail

We recognise that health data is among the most sensitive categories of personal data. We process health-related information provided by Clients solely for the following purposes:

• Assessing whether a Client is physically fit to safely participate in Package activities
• Making reasonable accommodations for disabilities or medical conditions
• Communicating relevant health constraints to activity providers and guides on a strict need-to-know basis
• Facilitating emergency medical assistance

Health data is shared with Service Providers only to the extent strictly necessary for safety, and is not disclosed for any other purpose.

We process health data on the basis of explicit consent, which you provide by completing the health declaration section of our Booking Form. You may withdraw this consent at any time; however, withdrawal may mean that the Company is unable to assess the suitability of certain activities for your participation.

Passport and Immigration Data

Passport and travel document data is collected solely for the purposes of coordinating travel logistics and fulfilling Maldivian immigration requirements. Copies of passports are held in encrypted digital storage and are not shared beyond the parties necessary for immigration, transport, and accommodation check-in purposes.

Maldivian law and immigration regulations require that certain passenger data be provided to Maldivian immigration authorities. Provision of this data is a legal requirement and is not subject to Client objection.

JURISDICTION-SPECIFIC RIGHTS

European Economic Area and UK Clients

Where we process personal data of individuals in the EEA or UK, we do so in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK GDPR respectively. This includes observing all applicable data subject rights described in Section 13, maintaining records of processing activities, and implementing appropriate safeguards for international transfers.

Our lawful basis for international transfer from the EEA or UK to the Maldives is primarily the necessity of the transfer for the performance of a contract between the Data Subject and the Company (Article 49(1)(b) GDPR). Where we engage EEA or UK-based data processors, we ensure Standard Contractual Clauses are in place where required.

EEA and UK Clients have the right to complain to their local data protection authority: for EEA residents, the supervisory authority of the relevant EU Member State; for UK residents, the Information Commissioner's Office (ico.org.uk).

Other International Clients

Clients resident in countries with applicable data protection legislation (including but not limited to Australia, Canada, Singapore, India, and other jurisdictions with privacy frameworks) retain their rights under applicable local law. The Company will endeavour to accommodate rights requests from Data Subjects in all jurisdictions within a reasonable timeframe.

Clients are encouraged to contact privacy@maldivesdiaries.com to exercise any jurisdiction-specific rights or to request information about how we comply with applicable local data protection law.

UPDATES, CONTACT, AND MISCELLANEOUS

Updates to This Privacy Policy

We review and update this Privacy Policy periodically to reflect changes in our data processing activities, applicable law, and best practice. The current version and its effective date are displayed at the top of this document.

Where we make material changes to this Policy, we will notify affected Data Subjects by email (where we hold an active email address) and will publish the updated Policy prominently on our website. Continued use of our services following notification of a material update constitutes acceptance of the updated Policy.

We encourage you to review this Policy periodically.

Governing Law

This Privacy Policy is governed by the laws of the Republic of Maldives. To the extent required by applicable law in the jurisdiction of the Data Subject, the applicable data protection law of that jurisdiction also applies to the processing of that Data Subject's personal data.