Privacy Notice

1. Introduction

Welcome to Local & Traveler.

This Privacy Notice has been prepared to explain how your personal data is collected, used, shared, stored, and protected when you use the Local & Traveler website, mobile application, and all related services.

At Local & Traveler, we are committed to protecting your privacy and safeguarding your personal data. We process your personal data in accordance with the applicable European Union data protection legislation, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Digital Services Act ("DSA"), applicable electronic communications and cookie regulations, and other relevant legal requirements.

This Privacy Notice applies to:

  • Individuals who visit our website;
  • Users of our mobile application;
  • Locals offering services through the platform;
  • Travelers making reservations through the platform;
  • Individuals using our customer support services;
  • Individuals receiving marketing communications; and
  • All other natural persons whose personal data is processed in connection with our services.

Where additional privacy information is required for specific services or features of the Platform, such information will be provided to you at the time your personal data is collected.

For the purposes of this Privacy Notice, the following terms shall have the meanings set out below unless the context requires otherwise:

User means any natural person who visits, uses, creates an account on, or otherwise interacts with the Platform for any purpose.

Traveler means a User who browses, books, purchases, or benefits from services offered by a Local through the Platform.

Local means any natural or legal person who offers experiences, activities, or other services through the Platform.

Platform means the website, mobile application, and all related digital services operated by Local & Traveler.

Services means reservation services, experience-sharing services, activity organization, communication services, payment services, user interaction features, and all other services made available through the Platform.

Personal Data means any information relating to an identified or identifiable natural person.

Processing means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, sharing, dissemination, restriction, erasure, anonymization, or any other form of processing.

Controller means the natural or legal person that determines the purposes and means of the processing of Personal Data.

Processor means a natural or legal person that processes Personal Data on behalf of the Controller and in accordance with its instructions.

Service Provider means any third-party natural or legal person providing services on behalf of Local & Traveler for the operation, maintenance, development, or support of the Platform.

Business Partner means any natural or legal person collaborating with Local & Traveler in connection with the provision of certain services or commercial activities relating to the Platform.

Third Party means any natural or legal person other than Local & Traveler, the Traveler, or the Local.

Public Authority means courts, law enforcement authorities, regulatory and supervisory authorities, and any other competent public authority to whom Personal Data may be disclosed where required by applicable law.

Cookies and Similar Technologies means cookies, software development kits (SDKs), pixel tags, local storage technologies, and similar technologies used to operate the Platform, remember user preferences, measure performance, enhance security, and improve the user experience.

Profiling means any form of automated processing of Personal Data used to evaluate certain personal aspects of a User in order to provide personalized services, recommendations, improve Platform security, or enhance the overall user experience.

Applicable Data Protection Laws means the General Data Protection Regulation (GDPR), together with all other applicable European Union legislation and national laws relating to data protection, privacy, electronic communications, and online platform services.

2. About the Data Controller

The Controller responsible for the processing of your Personal Data under this Privacy Notice is:

Data Controller: LOCAL AND TRAVELER OÜ (hereinafter referred to as the "Company" or "L&T").

Registered Address: Ahtri tn 12, Kesklinna linnaosa, Tallinn, Harju maakond, 15551, Estonia

If you have any questions regarding the processing of your Personal Data or this Privacy Notice, or if you wish to exercise your rights under the GDPR, you may contact us using the contact details provided above.

Upon receiving your request, we will review and respond to it within the time limits prescribed by the applicable data protection laws. Where necessary, we may request additional information to verify your identity or to enable us to process and respond to your request appropriately.

3. Who Does This Privacy Notice Apply To?

This Privacy Notice applies to all natural persons whose Personal Data is processed in connection with the website, mobile application, and related services provided by L&T.

In particular, this Privacy Notice applies to:

  • Travelers who search for, book, purchase, or receive services through the Platform;
  • Locals who offer or intend to offer services through the Platform;
  • Individuals who visit our website or use our mobile application;
  • Users who create an account or register on the Platform;
  • Users participating in identity verification processes;
  • Individuals who contact our customer support services;
  • Individuals who choose to receive marketing communications, newsletters, promotional offers, or other announcements;
  • Users who participate in surveys, submit reviews, ratings, or otherwise provide feedback regarding the Platform;
  • Users who upload or share photographs, videos, reviews, comments, or other content through the Platform; and
  • All other natural persons whose Personal Data is processed in connection with the provision of our Services.

This Privacy Notice applies solely to Personal Data processing activities carried out by L&T in its capacity as the Controller.

Where Personal Data is processed as part of a legal relationship established directly between a Local and a Traveler through the Platform, the relevant parties may also act as separate or independent controllers under the applicable data protection laws with respect to their own processing activities.

Our Platform may contain links to third-party websites, applications, or services. This Privacy Notice applies only to the Platform and Services operated by L&T. L&T is not responsible for the privacy practices or Personal Data processing activities of third parties. We therefore encourage you to review the privacy policies of those third-party websites, applications, or services before providing any Personal Data.

4. What Personal Data Do We Collect?

Depending on the nature of the Services provided through our Platform, we may collect and process the following categories of Personal Data. The Personal Data we collect may vary depending on the Services you use, your activities on the Platform, and the nature of your relationship with us.

4.1 Identity Information

We may process information used to identify you, including your first and last name, date of birth, nationality, identity card or passport details, information contained in official identification documents submitted for identity verification purposes, and, where applicable, your driver's licence information.

4.2 Contact Information

We may process your contact details, including your email address, telephone number, postal address, and any other contact information you choose to provide to us.

4.3 Account and Profile Information

We may process information relating to your user account on the Platform, including your username, profile information, biography, interests, preferred language, profile photograph, verified account status, and account settings.

4.4 Reservation and Service Information

We may process information relating to reservations you make and the Services you receive or provide through the Platform. This may include reservation dates, service details, trip information, availability information, cancellation records, requests, complaints, and customer support records.

4.5 Location Information

We may process your location information where necessary to provide our Services or enable certain Platform features. This may include travel routes, locations where Services are provided, and, where you have granted permission, your device's real-time location data.

4.6 Identity Verification Information

Where you request account verification or where identity verification is required by applicable law, we may process information contained in identity cards, passports, driver's licences, or similar official documents, including images of such documents.

4.7 Device and Usage Information

To ensure the security of the Platform, improve its performance, and provide our Services, we may process your IP address, device information, operating system details, application usage records, session information, log files, browser information, and similar technical data.

4.8 Payment and Financial Information

We may process information relating to payments made through the Platform. As payment transactions are securely processed by authorized payment service providers, your payment card details may not be stored directly by us. However, we may process transaction identifiers, payment status, payment amounts, and other payment-related information.

4.9 Communications and Support Records

We may process correspondence between you and us, customer support requests, complaints, feedback, and call records for the purposes of improving our Services, responding to your requests, and complying with our legal obligations.

4.10 Reviews and User Content

We may process reviews, ratings, comments, photographs, videos, audio recordings, and other content that you upload or share through the Platform. Depending on your preferences and the nature of the content, such information may be visible to other users.

4.11 Marketing and Preference Information

We may process your marketing consents, communication preferences, interests, campaign participation records, survey responses, and preferences relating to our Services.

4.12 Professional and Service-Related Information

Where you provide Services professionally through the Platform, we may process your professional qualifications, licences, permits, service-related documentation, and, where applicable, information relating to vehicle ownership or authorization to operate a vehicle.

In all cases, we process only the Personal Data that is necessary to provide our Services, comply with our legal obligations, or achieve the purposes described in this Privacy Notice. We are committed to processing your Personal Data in accordance with the principle of data minimization and only to the extent necessary for the relevant processing purposes.

5. How Do We Collect Your Personal Data?

We may collect your Personal Data from different sources in order to provide our Services, perform our contractual obligations, comply with applicable legal requirements, and improve the Platform.

5.1 Personal Data You Provide Directly

We collect a significant portion of your Personal Data directly from you. For example, we may collect Personal Data when you:

  • Create an account on the Platform;
  • Create or update your profile;
  • Make a reservation or provide a Service;
  • Complete identity verification procedures;
  • Contact our customer support team;
  • Submit reviews, ratings, or comments;
  • Upload photographs, videos, or other content;
  • Participate in surveys; or
  • Manage your marketing communication preferences.

5.2 Personal Data Collected Automatically

When you use our Platform, certain information may be generated or collected automatically. This may include:

  • Your IP address;
  • Device information;
  • Operating system and application version;
  • Session information;
  • Usage statistics;
  • Error logs;
  • Security logs; and
  • Technical information collected through cookies and similar technologies.

We use this information to ensure the security of the Platform, resolve technical issues, improve performance, and enhance our Services.

5.3 Personal Data Obtained from Other Users

Due to the nature of our Platform, certain Personal Data relating to you may be provided by other users. For example, this may occur through:

  • Reservations made by a Traveler;
  • Service information provided by a Local;
  • Communications exchanged between users; and
  • Reviews and ratings submitted by users.

5.4 Personal Data Obtained from Third Parties

Where necessary to provide our Services, we may obtain certain Personal Data from trusted third parties. These may include:

  • Identity verification service providers;
  • Payment service providers;
  • Analytics and security service providers;
  • Cloud service providers; and
  • Social media platforms, where you choose to register or sign in using your social media account and authorize the sharing of your information.

Any Personal Data obtained from third parties will be processed solely for the purposes described in this Privacy Notice or as otherwise permitted by applicable law.

5.5 Cookies and Similar Technologies

We use cookies, software development kits (SDKs), pixel tags, and similar technologies on our Platform. These technologies are used to:

  • Ensure the proper operation of the Platform;
  • Enhance security;
  • Remember your preferences;
  • Analyze the use of our Services;
  • Measure Platform performance; and
  • Improve your overall user experience.

For more detailed information about our use of cookies and similar technologies, please refer to our Cookie Policy.

6. For What Purposes and on What Legal Bases Do We Process Your Personal Data?

We process your Personal Data only for specific, explicit, and legitimate purposes. Each processing activity is based on at least one of the lawful bases for processing provided under the GDPR.

The table below summarizes the purposes for which we process your Personal Data, the categories of Personal Data that may be processed, and the corresponding legal basis under the GDPR.

Purpose of ProcessingCategories of Personal DataLegal Basis (GDPR)
Creating and managing user accountsIdentity Information, Contact Information, Account and Profile InformationPerformance of a contract or taking steps prior to entering into a contract (Art. 6(1)(b))
Verifying Platform membership and ensuring account securityIdentity Information, Account Information, Device and Usage InformationPerformance of a contract (Art. 6(1)(b)) and Legitimate Interests (Art. 6(1)(f))
Managing reservation processesIdentity Information, Reservation Information, Contact InformationPerformance of a contract (Art. 6(1)(b))
Facilitating communication between Locals and TravelersIdentity Information, Contact Information, Reservation InformationPerformance of a contract (Art. 6(1)(b))
Processing payments and maintaining transaction recordsIdentity Information, Payment Information, Reservation InformationPerformance of a contract (Art. 6(1)(b)) and Compliance with a legal obligation (Art. 6(1)(c))
Providing customer support and responding to inquiriesIdentity Information, Contact Information, Support RecordsPerformance of a contract (Art. 6(1)(b)) and Legitimate Interests (Art. 6(1)(f))
Carrying out identity verification proceduresIdentity Verification Information, Identity InformationPerformance of a contract (Art. 6(1)(b)), Compliance with a legal obligation (Art. 6(1)(c)), or Legitimate Interests (Art. 6(1)(f))
Verifying the qualifications of Locals providing professional servicesProfessional Information, Identity Information, Licence and Permit InformationCompliance with a legal obligation (Art. 6(1)(c)) and Legitimate Interests (Art. 6(1)(f))
Preventing fraud, ensuring Platform security, and detecting misuseIdentity Information, Device and Usage Information, Reservation Information, Support RecordsLegitimate Interests (Art. 6(1)(f)) and, where applicable, Compliance with a legal obligation (Art. 6(1)(c))
Maintaining Platform security, resolving technical issues, and improving performanceDevice and Usage Information, Log Files, IP AddressLegitimate Interests (Art. 6(1)(f))
Improving service quality and enhancing the user experienceUsage Information, Reservation Information, Reviews, Survey ResponsesLegitimate Interests (Art. 6(1)(f))
Publishing user reviews, ratings, and feedbackProfile Information, Reviews, User ContentPerformance of a contract (Art. 6(1)(b)) and Legitimate Interests (Art. 6(1)(f))
Providing personalized recommendations and personalizing the PlatformProfile Information, Reservation History, Interests, Usage InformationLegitimate Interests (Art. 6(1)(f))
Providing location-based servicesLocation InformationPerformance of a contract (Art. 6(1)(b)); where real-time device location is required, your Consent (Art. 6(1)(a))
Sending marketing communicationsIdentity Information, Contact Information, Marketing PreferencesConsent (Art. 6(1)(a)) or, where permitted by applicable law, other lawful bases
Complying with legal obligationsIdentity Information, Financial Information, Reservation Information, Legal InformationCompliance with a legal obligation (Art. 6(1)(c))
Resolving legal disputes and establishing, exercising, or defending legal claimsAll relevant categories of Personal DataLegitimate Interests (Art. 6(1)(f)) or Compliance with a legal obligation (Art. 6(1)(c))

For every processing activity, we process only the Personal Data that is necessary to achieve the relevant purpose and always apply the principle of data minimization.

Where we process your Personal Data based on your consent, you may withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of any processing carried out before such withdrawal.

Where we process your Personal Data on the basis of our legitimate interests, you have the right to object to such processing under the GDPR. Upon receiving an objection, we will reassess the relevant processing activity by balancing our legitimate interests against your fundamental rights and freedoms.

7. Who Do We Share Your Personal Data With?

We may share your Personal Data with third parties only where necessary to achieve the purposes described in this Privacy Notice, comply with our legal obligations, or pursue our legitimate business interests.

Your Personal Data may be shared with the following categories of recipients:

7.1 Other Platform Users

Due to the nature of our Platform, certain Personal Data may be shared with other users where necessary to facilitate reservations and the provision of Services. For example:

  • with the relevant Local in connection with a reservation made by a Traveler; or
  • with the relevant Traveler in connection with Services provided by a Local.

In each case, only the Personal Data necessary for the performance of the relevant Service will be shared.

7.2 Payment Service Providers

Where necessary to process payments securely, your Personal Data may be shared with authorized payment service providers, financial institutions, and payment infrastructure providers. Your payment card details may be processed directly by the relevant payment service provider through its secure payment infrastructure and may not be stored directly by us.

7.3 Our Service Providers

To operate the Platform and provide our Services, we may share your Personal Data with:

  • Cloud service providers;
  • Hosting service providers;
  • Information technology and software providers;
  • Customer support service providers;
  • Communication service providers;
  • Identity verification service providers;
  • Data storage and backup providers; and
  • Analytics and security service providers.

These service providers process your Personal Data solely on our behalf and in accordance with our instructions. Our service providers may change from time to time. An up-to-date list of our service providers, processors, and sub-processors may be made available upon request, where appropriate.

7.4 Business Partners

We may share your Personal Data with our business partners where necessary to provide specific Services through the Platform. Such disclosures are limited to the extent necessary for the provision of the relevant Services.

7.5 Professional Advisers

Where necessary to protect our rights, conduct legal proceedings, or comply with legal obligations, we may share your Personal Data with:

  • Lawyers;
  • Law firms;
  • Independent auditors;
  • Tax advisers and accountants; and
  • Professional consultants.

7.6 Competent Public Authorities

Where required by law or in response to lawful requests from competent public authorities, we may disclose your Personal Data to:

  • Courts;
  • Law enforcement authorities;
  • Regulatory and supervisory authorities;
  • Tax authorities; and
  • Data protection authorities,

or any other competent public authority, where required under applicable law.

7.7 Corporate Transactions

In the event of a corporate restructuring, merger, acquisition, sale of assets, financing transaction, or similar corporate event, your Personal Data may be disclosed to the relevant parties to the extent legally necessary. In such circumstances, appropriate contractual, technical, and organizational safeguards will be implemented to protect your Personal Data.

We do not sell your Personal Data to third parties.

Whenever we share your Personal Data, we disclose only the information necessary for the relevant purpose, apply the principle of data minimization, and implement appropriate contractual, technical, and organizational safeguards to ensure that all recipients process your Personal Data securely and in accordance with applicable data protection laws.

8. International Transfers of Your Personal Data

As part of the operation of our Platform and the provision of our Services, your Personal Data may be transferred to our service providers, affiliated companies, business partners, or other recipients located outside your country of residence.

Where your Personal Data is transferred outside the European Economic Area ("EEA"), such transfers will be carried out in accordance with Chapter V of the GDPR.

Where the European Commission has adopted an Adequacy Decision in respect of the destination country, your Personal Data may be transferred on the basis of that decision.

Where no Adequacy Decision exists, your Personal Data will be transferred only where one or more of the appropriate safeguards provided under Article 46 GDPR have been implemented. These safeguards may include:

  • The Standard Contractual Clauses (SCCs) adopted by the European Commission;
  • Binding Corporate Rules (BCRs), where applicable; or
  • Any other appropriate transfer mechanism recognized under applicable data protection laws.

In addition, we implement appropriate technical and organizational measures to ensure the confidentiality, integrity, and security of your Personal Data during international transfers. Depending on the circumstances, these measures may include:

  • Encryption of Personal Data;
  • Access control mechanisms;
  • Data minimization practices;
  • Contractual confidentiality obligations;
  • Information security policies;
  • Maintenance of access logs; and
  • Regular security testing and audits.

Where appropriate, we may also conduct transfer risk assessments and implement supplementary safeguards to ensure that international transfers provide an adequate level of protection for your Personal Data.

If you would like further information regarding our international data transfer practices or the safeguards we apply, you may contact us using the contact details provided at the end of this Privacy Notice.

9. How Long Do We Retain Your Personal Data?

We retain your Personal Data only for as long as necessary to fulfill the purposes described in this Privacy Notice, perform our contractual obligations, comply with applicable legal obligations, resolve disputes, establish, exercise or defend legal claims, and pursue our legitimate business interests.

When determining the appropriate retention period for your Personal Data, we take into account the following criteria:

  • The purpose for which the Personal Data was collected and processed;
  • The nature of the Services provided;
  • The contractual relationship between the parties;
  • Applicable European Union legislation and national laws;
  • Tax, accounting, and other statutory record retention requirements;
  • Potential legal disputes and applicable limitation periods; and
  • Information security requirements and fraud prevention considerations.

The table below sets out the general retention periods applicable to different categories of Personal Data.

Category of Personal DataGeneral Retention Period
Account and Profile InformationRetained for as long as your account remains active or until you request its deletion. Where required by law or justified by our legitimate interests, certain information may be retained for a longer period.
Reservation and Service InformationRetained after completion of the relevant reservation for the period required under applicable laws and as necessary to address potential legal claims.
Payment and Financial InformationRetained for the period required under applicable tax, accounting, financial reporting, and other legal obligations.
Identity Verification InformationRetained until the identity verification purpose has been fulfilled or for the period required under applicable laws.
Customer Support RecordsRetained for a reasonable period to enable us to respond to your requests, improve our Services, and manage potential legal claims.
Reviews, Ratings, and User ContentRetained while the relevant content remains published on the Platform or while your account remains active. Such content may be removed, anonymized, or deleted upon request, account closure, or where required by applicable law.
Marketing Data and Communication PreferencesRetained until you withdraw your consent, object to receiving marketing communications, or until the relevant processing purpose no longer exists.
Device, Usage, and Security InformationRetained for a reasonable period necessary to ensure Platform security, monitor system performance, prevent fraud, and comply with applicable legal obligations.
Legal Records and Dispute-Related InformationRetained until the relevant legal proceedings have been concluded and any applicable limitation periods have expired.

Once the applicable retention period has expired, or where there is no longer a lawful basis for processing your Personal Data, your Personal Data will be deleted, anonymized, or otherwise securely disposed of in accordance with applicable data protection laws.

In certain circumstances, we may retain your Personal Data for longer periods where necessary to comply with legal obligations, prevent fraud, maintain information security, establish, exercise or defend legal claims, or respond to ongoing legal proceedings.

We are committed to ensuring that your Personal Data is not retained for longer than necessary and that all retention practices comply with the principles of data minimization and storage limitation under the GDPR.

10. Automated Decision-Making, Profiling, and Recommendation Systems

To enhance Platform security, improve the quality of our Services, and provide a better user experience, Local & Traveler may use automated processing, recommendation systems, and limited profiling activities. These activities are intended to ensure that the Platform operates in a secure, efficient, and user-focused manner for both Travelers and Locals.

Automated Processing for Travelers

To provide Travelers with a more personalized experience, we may use automated processing to:

  • Recommend Locals and experiences based on your interests and preferences;
  • Rank search results according to your search criteria and selected filters;
  • Suggest Services based on your location or the destination you are searching for;
  • Recommend experiences based on your previous reservations and Platform activity;
  • Detect unusual account activity in order to protect Platform security; and
  • Identify fraud, abuse, and other security risks.

Automated Processing for Locals

To improve the quality and reliability of the Platform, we may also apply certain automated processing activities relating to Locals. These activities may include:

  • Ranking Services within search results;
  • Displaying Services based on selected filtering criteria;
  • Highlighting recommended service providers based on objective factors such as user reviews, reservation history, profile completeness, service quality, and similar criteria;
  • Detecting fake accounts, fraudulent activity, or other security risks; and
  • Conducting security analyses to identify activities that may violate our Platform Rules or applicable laws.

Our ranking and recommendation systems may consider objective criteria such as users' search preferences, the location where the Service is offered, availability, user reviews, reservation history, profile completeness, and similar relevant factors.

Where required by applicable law, you have the right to obtain further information regarding the logic involved in these automated processing activities and, where applicable, to exercise your rights under Articles 21 and 22 of the GDPR.

11. Platform Security, Trust, and Community Protection

Local & Traveler is committed to providing a safe, transparent, and trustworthy Platform for all users. To protect our Platform, prevent fraud, enforce our Platform Rules, and safeguard the rights and interests of our users, we may process your Personal Data for security and trust purposes.

Such processing may include:

  • Identifying fake or unverified accounts;
  • Protecting the security of user accounts;
  • Detecting unusual or suspicious account activity;
  • Preventing fraud, identity theft, spam, abuse, and other security threats;
  • Identifying activities that may violate applicable laws, our platform rules, or our terms of use;
  • Investigating complaints submitted by users;
  • Reviewing platform content and user conduct to ensure compliance with applicable laws, community standards, and our terms of use; and
  • Protecting our information systems against unauthorized access and other cybersecurity threats.

For these purposes, we may process Identity Information, Account Information, Device and Usage Information, IP addresses, security logs, reservation information, user-generated content, communications, and complaint records.

Messages exchanged between users through the Platform and other communications may be processed automatically for the purpose of providing our Services. In addition, where reasonably necessary to ensure Platform security, investigate fraud, respond to user complaints, comply with legal obligations, or investigate suspected violations of our Terms of Use or applicable law, we may review relevant communications in a limited, proportionate, and lawful manner.

These processing activities are primarily based on our legitimate interests in maintaining a secure and trustworthy Platform and, where applicable, on our legal obligations under relevant laws.

Local & Traveler implements appropriate technical and organizational measures to safeguard Personal Data and regularly assesses the potential impact of these activities on the rights and freedoms of users.

12. Public Content and User-Generated Content

Certain features of our Platform are designed to enable users to share information publicly. Depending on your choices, the following information may be visible to other users:

  • Your profile information;
  • Profile photograph;
  • Biography;
  • Descriptions of the services you provide;
  • Photographs and videos relating to your services;
  • Reviews;
  • Ratings;
  • Comments; and
  • Any other content that you voluntarily choose to make available through the platform.

Such information may be displayed to other users where necessary for the operation of the Platform and the provision of our Services.

Any information you choose to make publicly available may be viewed, shared, or, where permitted by applicable law, accessed by third parties. We therefore encourage you to exercise caution before publishing Personal Data or other content through the Platform.

Even if you close your account or delete certain content, we may retain limited copies where necessary to comply with legal obligations, resolve disputes, prevent fraud, protect the rights of other users, or otherwise as permitted or required by applicable law.

13. Users Under the Age of 18

Our Platform is not intended for individuals under the age of 18. Individuals under the age of 18 are not permitted to create an account, make reservations, or offer Services through the Platform.

If we become aware that we have collected or processed Personal Data relating to an individual under the age of 18 without an appropriate legal basis, we will take reasonable steps to delete or anonymize such Personal Data without undue delay.

If you are a parent or legal guardian and believe that a person under the age of 18 has provided us with Personal Data in violation of this Privacy Notice or applicable law, please contact us using the contact details provided at the end of this Privacy Notice.

14. Security of Your Personal Data

We implement appropriate technical and organizational measures to protect the confidentiality, integrity, and availability of your Personal Data.

Taking into account the nature of the risks, the scope of the processing activities, technological developments, and applicable legal requirements, these measures may include, where appropriate:

  • Access control and authorization mechanisms;
  • Identity verification procedures;
  • Encryption of personal data;
  • Firewalls and network security solutions;
  • Logging and monitoring of system activities;
  • Regular security testing and risk assessments;
  • Data backup and business continuity measures;
  • Privacy and information security training for our personnel;
  • Data protection and confidentiality agreements with our processors and service providers; and
  • Restricting access to personal data on a need-to-know basis.

However, no method of transmitting data over the internet or storing electronic data can be guaranteed to be completely secure. We therefore encourage all users to protect the confidentiality of their account credentials, use strong passwords, and notify us immediately if they suspect any unauthorized access to their account.

Where a Personal Data breach occurs that is likely to affect the rights and freedoms of individuals, we will comply with our obligations under applicable data protection laws, including notifying the competent supervisory authority and, where required, the affected individuals.

15. Your Rights

Subject to the applicable data protection laws, you may have the following rights regarding your Personal Data:

  • to obtain confirmation as to whether we process your Personal Data;
  • to request access to your Personal Data;
  • to request the rectification of inaccurate or incomplete Personal Data;
  • to request the erasure of your Personal Data under certain circumstances;
  • to request the restriction of processing under certain circumstances;
  • to receive your Personal Data in a structured, commonly used, and machine-readable format and to request its transmission to another controller where technically feasible;
  • to object to processing based on our legitimate interests;
  • to object at any time to the processing of your Personal Data for direct marketing purposes;
  • to withdraw your consent at any time where processing is based on your consent, without affecting the lawfulness of processing carried out before such withdrawal; and
  • where applicable, not to be subject solely to a decision based on automated processing, including profiling, and to request human intervention, express your point of view, and contest such a decision.

These rights are not absolute and may be subject to the conditions, exceptions, and limitations provided under applicable data protection laws.

If you wish to exercise any of your rights, you may contact us using the contact details provided in this Privacy Notice.

16. Right to Lodge a Complaint with a Supervisory Authority

If you believe that your Personal Data has been processed in violation of applicable data protection laws, you have the right to lodge a complaint with the competent supervisory authority in the country of your habitual residence, your place of work, or the place where the alleged infringement occurred, in accordance with Article 77 of the GDPR.

Before contacting a supervisory authority, we encourage you to contact us first so that we have the opportunity to address your concerns promptly and efficiently. However, this does not affect or limit your right to lodge a complaint with a competent supervisory authority at any time.

17. Contact Us

If you have any questions, requests, or concerns regarding this Privacy Notice or the processing of your Personal Data, or if you wish to exercise your rights under applicable data protection laws, you may contact us using the contact details below.

Local & Traveler OÜ

Registered Address: Ahtri tn 12, Kesklinna linnaosa, Tallinn, Harju maakond, 15551, Estonia

Your request will be reviewed and responded to within the time limits prescribed by the applicable data protection laws. Where necessary, we may request additional information to verify your identity or to enable us to properly assess and process your request.

© 2026 L&T. All rights reserved.