Privacy Statement

Last Updated: 2024-12-16

Expedia Cruises, part of the Expedia Group, (“we” or “us”) values you as our customer and recognizes that privacy is important to all of us. This Privacy Statement explains how we collect, use, and disclose personal data when you use our platform and associated services, your rights in determining what we do with the data that we collect or hold about you and tells you how to contact us.

Privacy Statement Summary

This is a summary of our Privacy Statement. To review our Privacy Statement in full, please click here, or scroll down.

What does this Privacy Statement cover?

This Privacy Statement is designed to describe:

How and what type of personal data we collect and use
When and with whom we share your personal data
What choices you can make about how we collect, use, and share your personal data
How you can access and update your data

What personal data do we collect and use, and how do we collect it?

We collect personal data when:

You give us the personal data
We collect it automatically
We receive it from others

When you create an account on one of our sites, sign up to receive offers or information, or make a booking using our platform, you give us your personal data. We also collect such personal data through automated technology such as cookies placed on your browser (with your consent where applicable) when you visit our sites or download and use our apps. We also receive personal data from affiliated companies within Expedia Group, as well as business partners and other third-parties, which help us improve our platform and associated tools and services, update and maintain accurate records, potentially detect and investigate fraud, and more effectively market our services.

When is your personal data shared?

Your personal data may be shared for several purposes, including: to help you book your travel / vacation, assist with your travel and/or vacation stay, communicate with you (including when we send information to you on products and services or enable you to communicate with travel providers and/or property owners), and comply with the law. The full Privacy Statement below details how personal data is shared.

What are your rights and choices?

You can exercise your data protection rights in various ways. For example, you can opt out of marketing by clicking the “unsubscribe” link in the emails, in your account as applicable, or contacting our customer service. Our Privacy Statement has more information about the options and data protection rights and choices available to you.

How to contact us

More information about our privacy practices is in our full Privacy Statement. You can also contact us Contact Us to ask questions about how we handle your personal data or make requests about your personal data.

*****************************

Privacy Statement

Categories of Personal Data We Collect and Use
Sharing of Personal Data
Joint Use of Personal Data
Our Use of AI
Your Rights and Choices
International Data Transfer
EU - U.S. Data Privacy Framework
Global Cross Border Privacy Rules System Participation
Security
Minors
Record Retention
Contact Us
Updates to Privacy Statement
Cookie Statement

Collection and Use of Your Personal Data

In this section, you will find information about:

the types of personal data that we collect and use,
how we collect and use it,
the purposes for which we collect and use it, and
the lawful basis we rely on to collect and use it.

Lawful bases for processing:

In the table below, you will find the lawful bases we rely on to collect and use your personal data.

In summary, whenever we collect or use your personal data, that collection or use must be based on one of the following criteria:

Consent: this means you have given your consent for us to do so (e.g., sending you marketing communications where consent is required).
Legal obligation: this means we have a legal obligation to collect personal data from you or use it for a specific purpose (e.g. using your transaction history to complete our financial and tax obligations under the law).
Performance of a contract:this means the personal data is necessary to perform a contract with you (e.g., manage your booking, process payments, or create an account at your request),

o If we ask you to provide personal data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal data is mandatory or not (as well as of the possible consequences if you do not provide your personal data).

Legitimate interest: this means the processing is in our legitimate interests and those interests are not overridden by your rights (as explained below),

o Certain countries and regions allow us to process personal data on the basis of legitimate interests. If we collect and use your personal data in reliance on our legitimate interests (or the legitimate interests of any third party), this interest will typically be to operate or improve our platform and communicate with you as necessary to provide our services to you, for security verification purposes when you contact us, to respond to your queries, to undertake marketing, or for the purpose of detecting or preventing illegal activities. Whatever our determination of our specific legitimate interest is for a given use of your personal data, when we assess its appropriateness, we will always assess it against the potential impact on your rights. While the concept of legitimate interest only exists in certain countries and regions, we balance our usage of your personal data against your rights globally.

Categories of Personal Information We Collect and Use

We collect and use personal data for the following purposes:

Platform Usage and Booking Purposes – including to:

Facilitate your booking, verify your identity, and for travel insurance purposes.
Book the requested travel (such as flights, cars, cruises, activities, and hotels) or enable vacation property booking.
Provide services related to the booking and/or account.
Create, maintain, and update user accounts on our platform and authenticate you as a user.
Maintain your search and travel history, accommodation and travel preferences, and similar information about your use of Expedia Group’s platform and services, and as otherwise described in this Privacy Statement.
Enable and facilitate acceptance and processing of payments (such as collecting or validating your payment details for our various payment models to hold a reservation, secure a booking, enable a travel partner to check the validity of your bank card, expedite the check-out process, or deal with any fee, charge, payment or refund that applies), coupons, and other transactions.
Administer loyalty and rewards programs.
Collect and enable booking-related reviews.
Help you to use our services faster and more easily through features such as the ability to sign in using your account within the online services and sites of some of the Expedia Group brands.

Communications and Customer Service Purposes – including to:

Respond to your questions, requests for information, and process information choices.
Enable communication between you and travel suppliers (such as hotels and vacation property owners).
Contact you (e.g. by text message, email, phone calls, mail, push notifications, or messages on other communication platforms) to provide information such as travel booking confirmations and updates, emergency notifications, or for other purposes as described in this Privacy Statement.

Marketing Purposes – including to:

Contact you (such as by text message, email, phone calls, mail, in-app messaging, push notifications, or messages on other communication platforms) for marketing purposes.
Analyze information such as browsing and/or purchase history and use the result to optimize advertising and marketing in accordance with your interests and preferences.
Measure and analyze the effectiveness of our marketing and promotions.
Administer promotions like contests, sweepstakes, and similar giveaways.
Deliver targeted advertising and advertising based on your profile. Our Cookie Statement further explains how we use cookies and similar tracking technology.

Market Research, Analytics, and Training Purposes to improve our Services – including to:

Conduct surveys, market research, and data analytics.
Maintain, improve, research, and measure the effectiveness of our sites and apps, activities, tools, and services.
Monitor or record calls, chats, and other communications with our customer service team and other representatives, as well as platform communications between or among partners and travelers for quality control, training, dispute resolution, and as described in this Privacy Statement.
Create aggregated or otherwise anonymized or deidentified data, which we may use and disclose without restriction where permissible.

Security and Compliance Purposes – including to:

Promote security, verify identity of our customers, prevent and investigate fraud and unauthorized activities, defend against claims and other liabilities, and manage other risks.
Comply with applicable laws (including tax data sharing laws and obligations), protect our and our users’ rights and interests, defend ourselves, and respond to law enforcement, courts, governments, public bodies, other legal authorities, and requests that are part of a legal process.
Comply with applicable security and anti-terrorism, anti-bribery, customs and immigration, and other such due diligence laws and requirements.

We collect and use the following categories of personal data for the following purposes:

Personal Data Category	Purposes for collection / use	Sources of Personal Data	Lawful Basis (where applicable)
Government issued identification data – including passport, driver’s license, government redress numbers, country of residence, tax identification number (for property owners)	Platform Usage and Booking Purposes Security and Compliance Purposes	Directly from you From other Expedia Group companies	Legal obligation relating to booking and/or financial transactions, such as the obligation to maintain books and records or collecting national ID numbers where legally required, including to establish identity of individuals to meet our obligations under applicable laws, including sanctions screening, money laundering and counterterrorism Performance of a contract with you, such as to facilitate and process your booking(s)
Identification data – including name, username, email address, telephone number, as well as home, business, and billing addresses (including street and postal code)	Platform Usage and Booking Purposes Communication and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance Purposes	Directly from you From other Expedia Group companies Automatically from your device From third parties, such as our business and affiliate partners and authorized service providers	Legal obligation relating to booking and/or financial transactions, such as the obligation to maintain books and records, and to establish identity of individuals to meet our obligations under applicable laws, including sanctions screening, money laundering and counterterrorism Performance of a contract with you (and any co-traveler), such as to facilitate and process your booking(s) Legitimate interest (of you or a co-traveler), such as responding to complaints or concerns, or for marketing purposes Consent (including consent of a parent/guardian for the use of child data), where requested on the platform or via customer services
Payment data - including payment card number, expiration date, billing address, financial / bank account number	Platform Usage and Booking Purposes Communication and Customer Service Purposes Security and Compliance Purposes	Directly from you From other Expedia Group companies From third parties, such as our business and affiliate partners and authorized service providers	Legal obligation relating to booking and/or financial transactions, such as the obligation to maintain books and records and to meet our obligations under applicable laws, including sanctions screening, money laundering and counterterrorism Performance of a contract with you (and any co-traveler), such as processing payments Consent, where requested on the platform
Travel related preferences - including favorite destination and accommodation types, special dietary and accessibility needs, as available	Platform Usage and Booking Purposes Communication and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services	Directly from you From other Expedia Group companies Automatically from your device From third parties, such as our business and affiliate partners and authorized service providers	Legitimate interest (of you or a co-traveler), such as honoring your preferences, as well as for any individuals accompanying you (e.g., co-travelers, including minors) Consent, where requested on the platform
Loyalty data – including loyalty program membership, loyalty points balance, points earnt and used, loyalty status	Platform Usage and Booking Purposes Communication and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services	Directly from you From other Expedia Group companies Automatically from your device From third parties, such as our business and affiliate partners and authorized service providers	Legitimate interest (of you or a co-traveler), such as administering or marketing our loyalty programs and benefits Performance of a contract with you, such as administering our loyalty program(s) Consent, where requested on the platform
Geolocation data – including inferred location from IP address, country selected to use our website, and exact, real-time location (with your consent)	Platform Usage and Booking Purposes Communication and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance Purposes	Directly from you From other Expedia Group companies Automatically from your device From third parties, such as our business and affiliate partners and authorized service providers	Legal obligation, such as complying with tax or pricing requirements and to establish identity to meet our obligations under applicable laws, including sanctions screening, money laundering and counterterrorism Legitimate interest (of you or a co-traveler), such as displaying relevant content in your selected region/language Consent, where requested on the platform
Images, videos and recordings – including videos, images, facial photographs you upload or that we pull from social media accounts that you connect to your profile with us (e.g. when you create an account using social media sign-in)	Platform Usage and Booking Purposes Communication and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance Purposes	Directly from you From other Expedia Group companies Automatically from your device From third parties, such as our business and affiliate partners and authorized service providers	Performance of a contract with you, such as to facilitate a booking or listing Consent, where requested
Communications with us – including emails, chat transcripts and recordings of calls with customer service representatives	Platform Usage and Booking Purposes Communication and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance Purposes	Directly from you From other Expedia Group companies Automatically from your device From third parties, such as our business and affiliate partners and authorized service providers	Legal obligation, such as to respond to law enforcement requests (where legally permitted) Performance of a contract with you (and any co-traveler), such as to facilitate customer service interactions Legitimate interest (of you or a co-traveler), such as responding to complaints or concerns Consent (including consent of a parent/guardian for the use of child data), where requested
Site interaction data - including searches you conduct, transactions and other interactions with you on our platform, online services and apps	Platform Usage and Booking Purposes Communication and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance Purposes	Directly from you From other Expedia Group companies Automatically from your device From third parties, such as our business and affiliate partners and authorized service providers	Legal obligation, such as responding to law enforcement requests Legitimate interest, such as improving our products and services Consent, where requested
Device data – including device type, unique device identification numbers , operating system, mobile carrier, and how your device has interacted with our online services, including the pages accessed, links clicked, trips viewed, and features used, along with associated dates and times	Platform Usage and Booking Purposes Communication and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance Purposes	From other Expedia Group companies Automatically from your device From third parties, such as our business and affiliate partners and authorized service providers	Legal obligations relating to financial transactions, such as the obligation to maintain books and records Legitimate interest, such as responding to complaints and concerns Consent, where requested
Friends, connections and co-traveler data - including data you give us about other people, such as your travel companions, or others for whom you are making a booking, or with whom you are (i) planning a trip, and/or inviting to join a trip board, (ii) having a conversation within or outside our platform (e.g. Romie, our travel assistant, where available), and friends you refer to us.	Platform Usage and Booking Purposes Communication and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance Purposes	Directly from you From other Expedia Group companies From third parties, such as our business and affiliate partners and authorized service providers	Performance of a contract with you (and any co-traveler), such as facilitating a booking Legitimate interest (of you or a co-traveler), such as providing personalized services Consent (including consent you may have received from friends or co-travelers), where applicable
Child data – including name and contact details of minor travelers provided by you as the parent/guardian of the minor as part of a trip reservation	Platform Usage and Booking Purposes Communication and Customer Service Purposes Security and Compliance Purposes	Directly from you From other Expedia Group companies Automatically from your device From third parties, such as our business and affiliate partners and authorized service providers	Performance of a contract with you (and any co-traveler), such as facilitating a booking Consent (including consent of a parent/guardian for the use of child data), where requested on the platform or via customer services
Clickstream data - In certain instances, we may use clickstream data to render an illustration of your usage of our site. Clickstream data is the collection of a sequence of events that represent visitor actions on a website. We may reconstruct your site journey modeled on the timing and location of your actions.	Platform Usage and Booking Purposes Communication and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance Purposes	From other Expedia Group companies Automatically from your device From third parties, such as our business and affiliate partners and authorized service providers	Legitimate interest, such as responding to complaints and concerns Consent, where requested on the platform
Birthdate and gender - including both your specific date of birth or an approximate age bracket you fall within, along with your gender.	Platform Usage and Booking Purposes Communication and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance Purposes	Directly from you From other Expedia Group companies From third parties, such as our business and affiliate partners and authorized service providers	Legal obligation, such as responding to law enforcement requests and to establish identity of individuals to meet our obligations under applicable laws, including sanctions screening, money laundering and counterterrorism Performance of a contract with you (and any co-traveler), such as facilitating a booking Legitimate interest (of you or a co-traveler), such as providing relevant search results Consent where requested on the platform
Sensitive data – data that could reveal sensitive information, including your racial or ethnic origin, religious or philosophical beliefs, sexual orientation, or health or disability information. We will only use your sensitive personal data for the purposes for which it was collected.	Platform Usage and Booking Purposes Communication and Customer Service Purposes Security and Compliance Purposes	Directly from you From other Expedia Group companies	Legal obligation, such as to facilitate any accessibility requests as part of a booking Consent, where requested on the platform

Sharing of Personal Information

We share your personal data with the categories of third parties set out in the table for the broad purposes stated below which are described in more detail elsewhere in this Privacy Statement. The third parties with whom we share your personal data may be processing that personal data as a controller (either jointly or autonomously) rather than as our processor. See here for more information on such circumstances and parties.

Recipient of Personal Data	Purpose Category
Expedia Group Companies. We share your personal data within Expedia Group, the main brands of which are listed on expediagroup.com. Other Expedia Group companies act either as joint data controllers or processors for another Expedia Group company when accessing and processing your shared personal data.	Platform Usage and Booking Purposes Communications and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance purposes
Third-party service providers. We share personal data with third parties in connection with the delivery of services to you and the operation of our business. These third-party service providers are required to protect personal data we share with them and may not use any identifiable personal data other than to provide the agreed services. They are not allowed to use the personal data we share for purposes of their own direct marketing (unless you have separately permitted them to do so).	Platform Usage and Booking Purposes Communications and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance purposes
Travel suppliers. We share personal data (including travel preferences) with travel-related suppliers such as hotels, airlines, car-rental companies, insurance, vacation-rental property owners and managers, and where available, activity providers, rail, or cruise lines who fulfill your booking. Please note that travel suppliers may contact you to obtain additional personal data if and as required to facilitate your booking or to otherwise provide the travel or associated services.	Platform Usage and Booking Purposes Communications and Customer Service Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance
Business partners and offers. If we promote a program or offer a service or product in conjunction with a third-party business partner, we will share your personal data with that partner to assist in marketing or to provide the associated product or service. In most of those cases, the program or offer will include the name of the third-party business partner, either alone or with ours, or you will be redirected to the website of that business with notice.	Platform Usage and Booking Purposes Communications and Customer Service Purposes Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services Security and Compliance
Targeted Advertising partners. We may disclose your personal data to our third-party marketing partners for targeted advertising. This may be considered “sharing” data under California law. Subject to certain limitations, some US residents have the right to opt out of having their personal data shared for this purpose. For more information, see the Your Rights and Choices section below. You should note that by opting out of these types of disclosures, you may limit our ability to customize your experience with content that may be of interest to you or to provide you with a better travel experience. You should note that by opting out of these types of disclosures, you may limit our ability to customize your experience with content that may be of interest to you or to provide you with a better travel experience. View our Cookie Statement for more information on our use of tracking technology for the purposes of targeted advertising.	Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services
Social media and online platforms: we share personal data with media agencies, social media, search engines and other online platforms to help us target our online marketing. These social media and other online platforms may also use personal data they hold and combine or match it against personal data received from us to create target audiences, which are audiences that we think would be interested in our online advertising. This may involve social media and other online platforms building a ‘lookalike’ profile of the type of person we are trying to target and providing specific adverts to those people when they browse the internet or use social media. We may also share personal data with third parties who act as intermediaries between us and social media and online platforms to facilitate the above activities.	Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services
Other Third-Parties. When you access certain features such as Facebook’s “Like” button or a single sign-on that allows you to login with your social media credentials to our online services, you will share information with the third party, like a social media company, such as the fact that you have visited or interacted with us. In the European Economic Area (EEA), Switzerland, and United Kingdom (UK) we will not load social media sharing or sign-on buttons on our website unless and until you accept our use of cookies and similar technologies. For more information, see our Cookie Statement. The third-party provider may combine this information with other information they have about you. The personal data shared will be governed by the third-party provider’s privacy policy (including any personal data we may access via the third-party provider). The third-party providers should inform you about how you can modify your privacy settings on their site.	Marketing Purposes Market Research, Analytics, and Training Purposes to improve our Services
Recipients in relation to our legal rights and obligations. We may disclose your personal data and associated records to enforce our policies; as necessary to satisfy our tax or other regulatory reporting requirements, including the remission of certain taxes in the course of processing payments; or where we are permitted (or believe in good faith that we are required) to do so by applicable law, such as in response to a subpoena or other legal request, in connection with actual or proposed litigation, or to protect and defend our property, people and other rights or interests.	Security and Compliance purposes
Recipients in relations to corporate transactions. We may share your personal data in connection with a corporate transaction, such as a divestiture, merger, consolidation, assignments or asset sale, or in the unlikely event of bankruptcy. In the case of any acquisition, we will inform the buyer it must use your personal data only for the purposes disclosed in this Privacy Statement.	Security and Compliance purposes

Joint Use of Personal Data within the Expedia Group

Expedia Group companies jointly use and are joint controllers of your personal data in the following manner:

We process all the categories of personal data identified in the “Categories of Personal Information We Collect and Use” section jointly for the uses identified in the table above.
The Expedia Group companies, the main brands of which are listed on expediagroup.com https://expediagroup.com/travel-with-us/default.aspx process this personal data jointly.
Expedia, Inc. is the party responsible for managing your personal data. More information about how to contact us regarding this joint use can be found in the Contact Us section below.

Our Use of Artificial Intelligence

We use artificial intelligence and machine learning for various purposes to deliver our platform and associated services. We may use your personal data for the following purposes:

To enhance your user experience;
To determine the sort order you see on our site;
To interact with you, answer your questions and help you and your friends plan a trip (through our chatbot and virtual travel agent/assistant);
To personalize your search on our site, suggest relevant personalized filters, pre-populate search criteria and provide destinations, property, restaurant or activity recommendations based on your profile, preferences, interactions, anticipated and unexpected real-time local events, weather forecast, flight delays or cancellations;
For pricing, price insights and alerts, including direct price setting and/or margin adjustments;
To screen the content you upload on our site (e.g., images of your properties) to ensure they meet our quality or formatting requirements, and to identify relevant amenities included in your listing.
To screen the reviews and feedback you share with us to ensure they do not contain identifiable personal data or to assess customer satisfaction;
To provide you with summaries of property reviews and articles from our Help Center;
To keep our site safe by preventing and detecting any kind of fraud at a transaction level, listing level, user level, among others, including any breach of our terms and conditions or other fraudulent activities;
To display your language and dialects within our virtual agents’ experience;
To enrich other applications such as embeddings;
For auto-moderation purposes, including approving/rejecting the display/storage of specific elements in our systems;
For insurance transactions, including all types of insured products that we offer;
To optimise our positioning or redirect travellers to our websites;
To generate any kind of new content, generally text, such as text summarisation, translation or text suggestions;
To provide security governance;
To improve our efficiency and productivity, for example, tools that create summaries/documentation from existing files;
To detect anomalies, for example, finding elements that don’t match an existing trend;
To focus on improving/categorizing/displaying images more effectively;
To analyse and help resolve claims, complaints, disputes, payment settlements.

Automated decisions may be made by putting your personal data into a system and the decision is calculated using automatic processes.

We will rely on our legitimate interest to keep our site safe and to enhance your user experience. We will not engage in automated decision-making that involves a decision with legal or similarly significant effects solely based on automated processing of personal data, unless:

you explicitly consented to the processing,
the processing is necessary for entering into a contract, or for its performance, or
when otherwise authorized by applicable law.

You may have rights in relation to automated decision making, including:

the ability to request a manual decision-making process instead, or

contest a decision based solely on automated processing.

If you want to know more about your data protection rights, please see the Your Rights and Choices section below. https://expediagroup.com/travel-with-us/default.aspx

Your Rights and Choices

You have certain rights and choices with respect to your personal data, as described below:

If you have an account with us, you may change your communication preferences by either (1) logging in and updating the information in your account (not available for all Expedia Group companies) or (2) contacting us via the Contact Us section below.
You can control our use of non-essential cookies by following the guidance in our Cookie Statement.
You can access, amend, inquire about deletion of, or update the accuracy of your personal data at any time by either logging into your account or contacting us via the Contact Us section below.
If you no longer wish to receive marketing and promotional emails, you may unsubscribe by clicking the 'unsubscribe' link in the email. You can also log into your account to change communication settings (not available for all Expedia Group companies) or contacting us via the Contact Us section below. Please note that if you choose to unsubscribe from or opt out of marketing emails, we may still send you important transactional and account-related messages from which you will not be able to unsubscribe
For our mobile apps, you can view and manage notifications and preferences in the settings menus of the app and of your operating system
If we are processing your personal data on the basis of consent, you may withdraw that consent at any time by contacting us via the Contact Us section below. Withdrawing your consent will not affect the lawfulness of any processing that occurred before you withdrew consent and it will not affect our processing of your personal data that is conducted in reliance on a legal basis other than consent

Certain countries and regions provide their residents with additional rights relating to personal data. These additional rights vary by country and region and may include the ability to:

Request a copy of your personal data
Request information about the purpose of the processing activities
Delete your personal data
Object to our use or disclosure of your personal data
Restrict the processing of your personal data
Opt-out of the sale of your personal data
Port your personal data
Request information about the logic involved in our automated decision-making used in our fraud prevention practices, or the result of such decisions
Object to the use of fully automated decision making, including profiling, with significant legal effect, and request a manual decision-making process instead,
Contest a decision based solely on automated processing.

For more information on what data privacy rights may be available to you, please click here.

For questions about privacy, your rights and choices, and in order for you, or (where applicable) your authorized agent to make a request to amend or update your information, or to inquire about deletion of your information, please contact us here..

In addition to the above rights, you may have the right to complain to a data protection authority about our collection and use of your personal data. However, we encourage you to contact us first so we can do our best to resolve your concern. You may submit your request to us using the information in the Contact Us section below.

We respond to all requests we receive from individuals wanting to exercise their personal data protection rights in accordance with applicable data protection laws. Should you have the right under applicable law to appeal a decision we have made to not take action on your request, instructions on how to make that appeal will be included in our response to you.

International Data Transfer

The personal data we process may be accessed from, processed or transferred to countries other than the country in which you reside. Those countries may have data protection laws that are different from the laws of your country. Such cross-border transfer of your personal data is necessary for us to service your transaction with us, and for the other purposes outlined in this Privacy Statement.

The servers for our platform are located in the United States, and the Expedia Group companies and third-party service providers operate in many countries around the world. When we collect your personal data, we may process it in any of those countries. Our employees may access your personal data from various countries around the world. The transferees of your personal data may also be located in countries other than the country in which you reside.

We have taken appropriate steps and put safeguards in place to help ensure that any access, processing and/or transfer of your personal data remains protected in accordance with this Privacy Statement and in compliance with applicable data protection law. Such measures provide your personal data with a standard of protection that is at least comparable to that under the equivalent local law in your country, no matter where your data is accessed from, processed and/or transferred to. We will comply with obligations regarding personal data cross-border transfer in accordance with application data protection laws, regulations, and conditions set by the competent authorities. This may include fulfilling obligations such as security assessments and/or certifications and signing agreements with overseas recipients in accordance with the standard contract established by the competent authorities.

Some measures that we have in place include the following:

Adequacy decisions of the European Commission confirming an adequate level of data protection in certain non-EEA countries. Please see the latest list of such countries published by the European Commission here.
Transferee countries’ participation in the Global-CBPR forum. Please see the latest list of participant countries here. Expedia Group holds the Global-CBPR certification, and we have accordingly established measures across all Expedia Group companies to ensure that, where relevant to the transfer, personal data is shared only in accordance with the CBPR requirements. Further detail on Expedia Group’s participation in such forum may be found in the Global Cross Border Privacy Rules System Participation section below.
Ensuring that the third-party partners, vendors and service providers to whom data transfers are made have appropriate mechanisms in place to protect your personal data. For instance, our agreements signed with our third-party partners, vendors and service providers incorporate strict data transfer terms (including, where applicable, the European Commission's Standard Contractual Clauses issued by the European Commission and/or United Kingdom, for transfers from the EEA/UK), and require all contracting parties to protect the personal data they process in accordance with applicable data protection law. Our agreements with our third-party partners, vendors and service providers may also include, where applicable, their certification under the EU-U.S. DPF and the UK extension to EU-U.S. DPF and/or Swiss-U.S. DPF certification (and any other country specific extension to the DPF Frameworks adopted from time to time), or reliance on the service provider's Binding Corporate Rules, as defined by the European Commission. In regard to the onward principle of the DPF Frameworks, if Expedia, Inc. learns that a third party is using or disclosing your Personal Information in a manner that is contrary to this Policy, we will take reasonable steps to prevent or stop such use or disclosure. Expedia, Inc. may be liable for onward transfers of Personal Information to third parties in violation of this Policy and the DPF Frameworks (will change defined term if needed based on feedback above).
Intragroup agreements in place for our Group companies which incorporate strict data transfer terms (including, where applicable, reliance on our Global-CBPR and DPF certifications (as appropriate to the transfer), with Standard Contractual Clauses issued by the European Commission and/or United Kingdom, for transfers from the EEA/UK incorporated as fallbacks in circumstances where we cannot rely on our DPF certifications) and require all group companies to protect the personal data they process in accordance with applicable data protection law.
Carrying out periodic risk assessments and implementing various technological and organization measures to ensure compliance with relevant laws on data transfer.

EU - U.S. Data Privacy Framework

All wholly-owned U.S. affiliates of Expedia, Inc. (part of the Expedia Group of brands) have certified to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (“the DPF Frameworks”) and that we adhere to the DPF Framework Principles of Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability for personal data from the EU, Switzerland, and the United Kingdom. The Federal Trade Commission has jurisdiction over such Expedia Group U.S. affiliates’ compliance with the DPF Frameworks. In addition, Expedia Group maintains intra-group Standard Contractual Clauses where applicable to cover the transfer of EU personal data to the U.S in the event that any of our certifications to the DPF Frameworks cease to be a valid safeguard for a relevant transfer. Our certifications can be found here. For more information about the the DPF Frameworks principles, please visit: https://www.dataprivacyframework.gov.

In compliance with the DPF Frameworks, Expedia Group U.S. affiliates (part of Expedia Group of brands) commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the DPF Frameworks. Under certain circumstances, you may have the possibility to invoke binding arbitration for complaints regarding compliance with the DPF Frameworks not resolved by any of the other DPF Frameworks mechanisms. Please visit this link for more information: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2..

Global Cross Border Privacy Rules System Participation (Global-CBPR)

The privacy practices of Expedia Cruises, described in this Privacy Statement, comply with the Global Cross Border Privacy Rules System. The Global CBPR system provides a framework for organizations to ensure protection of personal data transferred among participating economies. More information about the Global CBPR framework can be found here.

Security

We want you to feel confident about using our platform and all associated tools and services, and we are committed to taking appropriate steps to protect the information we collect. While no company can guarantee absolute security, we do take reasonable steps to implement appropriate physical, technical, and organizational measures to protect the personal data that we collect and process.

Our cybersecurity team develops and deploys technical security controls and measures to ensure responsible personal data collection, storage, and sharing that is proportionate to the personal data’s level of confidentiality or sensitivity. We take efforts to continuously implement and update security measures to protect your personal data from unauthorized access, loss, destruction, or alteration. We hold our data-handling partners to equally high standards.

We have established an information security protection system based on industry standard practices and perform regular assessment and certifications, such as PCI-DSS certification. We have also implemented appropriate security measures throughout the entire lifecycle of data collection, storage, processing, use, transmission, and sharing, and have taken certain technical and management measures including but not limited to verification and access controls, VPN, SSL encrypted transmission, and multi-factor authentication mechanisms, based on our information classification and processing standards, to ensure the security of systems and services.

We have management and approval mechanisms for employees who may have access to your information and provide regular information security training for employees.

In the event of a personal data security incident that may affect your rights and interests, you will be notified in accordance with applicable data protection laws and regulations. We will also report the relevant incident to the competent regulatory authorities, if required by applicable laws and regulations.

Minors

Our website and mobile application are not directed at minors (as defined in applicable data protection laws) and we cannot distinguish the age of persons who access and use these. If a minor has provided us with personal data without parental or guardian consent, the parent or guardian should contact us (see the Contact Us section below). If we become aware that personal data has been collected from a minor without parental or guardian consent, we will terminate the minor’s account, where that minor has an account with us.

The limited circumstances we might need to collect the personal data of minors include as part of a reservation, the purchase of other travel-related services, or in other exceptional circumstances (such as features addressed to families). When processing personal data of minors, we strictly adhere to the principles of legality, necessity, clear purpose, openness, transparency, and security, and we take strict measures to protect such data.

If you have any questions or concerns regarding our protection of minors’ personal data, or if you (in your capacity as the parent or guardian of the minor) wish to delete or correct the personal data of minors, please contact us via the Contact Us section below.

Record Retention

We will retain your personal data in accordance with all applicable laws, for as long as it may be relevant to fulfill the purposes set forth in this Privacy Statement, unless a longer retention period is required or permitted by law. We will deidentify, aggregate, or otherwise anonymize your personal data if we intend to use it for analytical purposes or trend analysis over longer periods of time.

When we delete your personal data, we use industry standard methods to ensure that any recovery or retrieval of your information is impossible. We may keep residual copies of your personal data in backup systems to protect our systems from malicious loss. This personal data is inaccessible unless restored, and all unnecessary personal data will be deleted upon restoration.

The criteria we use to determine our retention periods include:

The duration of our relationship with you, including any open accounts you may have with Expedia Group companies, or recent bookings or other transactions you have made on our platform
Whether we have a legal obligation related to your personal data, such as laws requiring us to keep records of your transactions with us
Whether there are any current and relevant legal obligations affecting how long we will keep your personal data, including contractual obligations, litigation holds, statutes of limitations, and regulatory investigations
Whether your personal data is needed for secure backups of our systems

Contact Us

If you have any questions or concerns about our use of your personal data, or wish to inquire about our personal data handling practices, and exercise your rights to access, correct or inquire about deletion of personal data, please contact us via the Privacy Section here. For a list of our family of Expedia Group brands, click here.

Your principal data controller is the Expedia Group company responsible for the site or app with which you are interacting, and this data controller may be acting as a joint controller with other members of the Expedia Group of companies. For more information about the Expedia Group data controller(s) (and joint controllers, where applicable) and/or Representative for personal data we process, please click here .

Updates to Statement

We may make changes to this Statement by updating it at any time for various reasons, including (1) to improve them and make them clearer or easier to understand, (2) to comply with legal, regulatory, and/or tax requirements, (3) where we make changes to our services or how we run our business, and/or (4) for security-related reasons. If we propose to make changes that will materially impact your rights or obligations, we will provide you with reasonable advance notice of such changes, unless the changes are urgently required to meet security, legal, or tax requirements. You can see when this Privacy Statement was last updated by checking the “last updated” date displayed at the top of this Statement.

For information on prior updates please contact us here.

Our Promise

At Expedia Cruises, we are navigators of spectacular vacation experiences. As part of the number one brand in travel, this is our promise to you:

Learn More

Advice you can trust.
The best choice and prices.
Expedia Extras.
More than cruises.
Always there.

Barbara West
Vacation Consultant

313 Colony Boulevard
The Villages, FL
32162
Get Directions

Phone

Barbara West
Vacation Consultant