Privacy Policy


DATE: Nov 10, 2025 | Posted_by: tad sørensen


 

The NEST Global OTA

Privacy Policy (Comprehensive Version)

Last updated: 06 November 2025

Note: This comprehensive Privacy Policy has been developed to align with leading global privacy and data protection standards followed by major Online Travel Agencies (OTAs) and digital platforms. It is designed to ensure compliance with applicable international and regional frameworks, including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), ePrivacy Directive, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and other comparable global laws.

This policy forms an integral part of The NEST Global OTA Master Policy Suite, ensuring a unified, transparent, and legally compliant approach to the collection, processing, and safeguarding of personal data across all our operations and platforms.

 


1. Introduction

At The NEST Global OTA AS (“The NEST”, “we”, “our”, “us”), your privacy and trust are paramount. We are committed to protecting your personal information transparently, responsibly, and in full compliance with applicable data protection laws globally.

This Privacy Policy describes how we collect, use, disclose, transfer, and safeguard your information when you use our websites, mobile applications, APIs, or services that reference this Policy (collectively, the “Platform”).


2. Who We Are & Contact Details

Controller: The NEST Global OTA AS
Registered Office: [Insert full legal address, Norway]
Company Registration No.: [Insert]
Email: privacy@thenestglobal.com
DPO (if appointed): dpo@thenestglobal.com
Website: https://the-nest.no

If you are located in the EEA/UK, we act as the data controller for the processing of your personal data, except where we act purely as an agent on behalf of independent travel Suppliers (e.g., airlines, hotels, car rental agencies). In such cases, those Suppliers are separate controllers for their processing.


3. Scope of Policy

This Policy applies to:

  • Visitors and users of our Platform (websites, apps, APIs);
  • Individuals who book or inquire about travel-related products and services;
  • Representatives of our suppliers, business partners, and vendors;
  • Marketing subscribers, customer support users, and complaint filers.

It does not apply to third-party websites, mobile applications, or services linked to or integrated into our Platform. We recommend reviewing their respective privacy policies.


4. What Personal Data We Collect

We collect the following categories of information depending on your interactions:

a. Identity & Contact Information

  • Full name, title, date of birth, gender (optional)
  • Contact details (email, phone, address)
  • Passport/ID numbers, nationality (for travel/visa bookings)

b. Booking & Transaction Data

  • Booking details, itinerary, confirmation numbers, loyalty memberships
  • Travel preferences, seat choices, special requests (e.g., meals, accessibility)
  • Payment method, billing address, transaction history (we do not store full credit card details)

c. Technical & Device Data

  • IP address, browser type, device identifiers, operating system, app version
  • Log data, clickstream, session duration, language, and error reports

d. Usage & Preference Data

  • How you interact with our Platform and services
  • Search queries, booking filters, viewed listings
  • Cookie identifiers and analytics metrics (see our Cookie Policy)

e. Communication Data

  • Support inquiries, feedback, chat transcripts, call recordings (where lawful)
  • Emails, messages, and correspondence with The NEST Global OTA AS

f. Marketing & Profiling Data

  • Subscription preferences and engagement metrics
  • Inferred interests for personalized recommendations (e.g., destinations, property types)

g. Sensitive Data (Special Category Data)

Only where strictly necessary and with explicit consent, e.g.:

  • Health information related to travel assistance or accessibility needs
  • Dietary, disability, or religious preferences when voluntarily disclosed

5. How We Collect Your Information

We collect personal data through the following means:

  • Directly from you when you book, create an account, or contact us
  • Automatically through cookies, analytics, and SDKs when you use our Platform
  • From Suppliers and travel partners providing or fulfilling services
  • From public sources, fraud prevention databases, or credit reference agencies (where permitted)

6. How We Use Your Information (Purposes & Legal Bases)

| Purpose | Legal Basis | Examples |
|---|---|---|
| Booking & service fulfillment | Contract (Art. 6(1)(b)) | Completing hotel/flight/car/tour/visa bookings |
| Payment processing & fraud prevention | Legitimate interest; legal obligation | Verify transactions, prevent unauthorized use |
| Customer support & communication | Legitimate interest; contract | Respond to inquiries, manage complaints |
| Account management | Contract | Create and maintain your user account |
| Marketing & personalization | Consent; legitimate interest | Send offers, newsletters, recommendations |
| Analytics & improvements | Legitimate interest | Analyze site usage, improve experience |
| Legal compliance & recordkeeping | Legal obligation | Tax, accounting, sanctions screening |
| Security & incident management | Legitimate interest; legal obligation | Detect and mitigate breaches |

Where consent is the legal basis (e.g., cookies, direct email marketing, or processing sensitive data), you may withdraw consent at any time without affecting prior lawful processing.


7. Sharing of Information

We only share personal data where necessary and under proper safeguards:

a. Suppliers & Service Providers

  • Airlines, hotels, B&Bs, car and boat rental agencies, tour operators, and visa processors
  • Payment processors, anti-fraud systems, and IT hosting providers

b. Business Partners

  • Marketing partners, affiliate networks, and loyalty programs (only with consent)

c. Legal & Regulatory

  • Public authorities, regulators, courts, or law enforcement upon lawful request

d. Corporate Transactions

  • In the event of a merger, acquisition, or sale of assets, user data may be transferred under confidentiality protections

We do not sell personal information to third parties. In jurisdictions where “sale” includes data sharing for targeted advertising (e.g., under CCPA/CPRA), we provide opt-out rights.


8. International Data Transfers

As a global OTA, we and our partners operate in multiple countries. Your data may be transferred to and processed outside your country of residence, including locations not deemed to provide equivalent data protection.

Where transfers occur from the EEA/UK to non-adequate countries, we implement safeguards such as:

  • EU Standard Contractual Clauses (SCCs) or UK Addendum;
  • Supplementary technical measures (encryption, pseudonymization);
  • Transfer impact assessments for high-risk destinations.

9. Retention of Personal Data

We retain personal data only as long as necessary for the purposes collected:

| Category | Typical Retention | Purpose |
|---|---|---|
| Booking & transactional data | 7–10 years | Accounting, disputes, tax compliance |
| Account & profile data | Duration of account + 2 years | Re-engagement, legal defense |
| Marketing data | Until withdrawal of consent | Marketing operations |
| Support communications | 3 years | Complaint handling, service quality |
| Cookie & analytics logs | 13–24 months | Service improvement, performance |

When no longer needed, data is securely deleted or anonymized.


10. Security Measures

We use industry-standard security measures to protect your personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Firewalls, intrusion detection, DDoS mitigation
  • MFA for internal systems and user accounts
  • Role-based access controls and least-privilege principles
  • Regular penetration testing, vulnerability scans, and security audits
  • Incident Response Plan aligned with GDPR 72-hour breach notification rule


11. Your Rights (EEA, UK & Similar Jurisdictions)

You have the following rights under GDPR and similar laws:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure (“Right to be Forgotten”): Request deletion, subject to retention laws.
  • Restriction: Limit processing under certain circumstances.
  • Portability: Receive data in a structured, machine-readable format.
  • Objection: Object to direct marketing or processing based on legitimate interests.
  • Withdraw Consent: Withdraw consent where applicable.
  • Complaint: File with your local data protection authority (e.g., Datatilsynet in Norway).

Requests can be made to privacy@thenestglobal.com. We may require ID verification to protect your data.


12. Children’s Privacy

Our services are not directed at children under 16. Bookings involving minors must be made by a parent or guardian. We process children’s data only as necessary for travel fulfillment and with adult consent.


13. Cookies & Tracking Technologies

We use cookies and similar technologies for authentication, analytics, personalization, and advertising. Please refer to our detailed Cookie Policy for full information about cookie categories, consent mechanisms, and preference management.


14. Automated Decision-Making & Profiling

We may use automated tools for:

  • Fraud detection and transaction risk scoring;
  • Personalized search results and recommendations;
  • Dynamic pricing optimization.

You may request human review or contest automated decisions where legally required.


15. Marketing Communications

  • Marketing emails, app notifications, or SMS are sent only with prior consent (or as permitted for existing customers under soft opt-in rules).
  • You can manage preferences or unsubscribe anytime via links in our messages or in your account.
  • We do not use sensitive data for marketing profiling.

16. Third-Party Links & Integrations

Our Platform may include links to third-party sites or embedded services (e.g., Google Maps, payment gateways). We do not control their data practices and encourage you to review their privacy policies.


17. Data Processors & Vendor Management

We only use vendors that meet our data protection and security standards. All vendors undergo due diligence and sign Data Processing Agreements (DPAs) compliant with Article 28 GDPR.


18. International-Specific Rights

a. United States (California, Virginia, etc.)

  • Right to know categories of data collected and shared.
  • Right to delete personal data.
  • Right to opt out of sale/share (via “Do Not Sell or Share My Info” link).
  • Right to non-discrimination for exercising privacy rights.

b. Canada (PIPEDA)

You may request access to and correction of your personal data, and challenge our compliance with the Privacy Commissioner of Canada.

c. Australia, Singapore, and Others

We comply with applicable laws (Privacy Act 1988, PDPA, etc.) and maintain comparable protections.


19. Changes to This Policy

We periodically update this Policy to reflect changes in law, technology, or business operations. Material changes will be communicated through our Platform or email notifications at least 7 days before the new policy takes effect.


20. Contact Us

For questions or concerns regarding privacy, contact:

  • Privacy Team: privacy@thenestglobal.com
  • Data Protection Officer (if appointed): IT@thenestglobal.com
  • Postal Address: Valen5, 4070 Randaberg, Norway.

If unresolved, you may contact Datatilsynet (Norwegian Data Protection Authority) or your local supervisory authority.


Versioning & Change Log

  • v1.0 (2025-11-06) – Full comprehensive global privacy policy established.
 
