Privacy Policy

Data Protection and Privacy Rights for Booking Engine

Effective Date: May 25, 2025

1. Introduction

Flora Plus, LLC ("Flora Plus", "we", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use and protect your personal information when you make a booking through our integrated booking engine, hosted on our partners' websites. This Policy complies with the General Data Protection Regulation (EU 2016/679), the Swiss Federal Data Protection Act, the California Consumer Privacy Act (CCPA/CPRA), and other local laws.

2. Definitions

Personal Data:

information that identifies or can be linked to an individual.

Sensitive Data:

includes health, ethnicity, or special categories.

Controller:

determines the purposes and means of processing.

Processor:

processes data on behalf of the controller.

Anonymized Data:

data that cannot be linked to an individual.

3. Who We Are

Flora Plus is a technology provider based in Delaware, United States. We facilitate online bookings on behalf of tour operators. When you use our booking engine, Flora Plus is the data controller of the personal information you provide.

4. What Data We Collect

• Full name, email address, phone number, country

• IP address, device, browser, language

• Payment details (processed directly by Stripe)

• Booking details, metadata, and sensitive data if required by the operator

ⓘ

Sensitive information (e.g., allergies) is only collected if requested by the operator and is never used by Flora Plus for profiling or marketing purposes.

5. Why We Use Your Data

We use your data to:

• Process and confirm your booking

• Send transactional emails (confirmations, reminders)

• Remind you to complete your booking (abandoned cart)

• Offer relevant discounts related to your booking process

• Prevent fraud and ensure platform security

ⓘ

Flora Plus may send you transactional and follow-up communications that are personalized based on your booking or booking attempt. This includes messages about your confirmed booking or reminders to complete a pending booking, which may include incentives or discounts. These communications are tailored to your specific interaction with our platform.

Our emails may include tracking features (e.g., open tracking pixels or tracked links) to measure engagement and improve our communication. This allows us to know if and when you open our emails or interact with links within

6. Subprocessors and Stripe

Some data (such as your booking details and contact information) is shared with the tour operator whose service you booked, so they can fulfill the service and, if applicable, send you follow-up communications or promotions related to their offer. These operators are considered third parties under this policy and are responsible for their own compliance with applicable data protection laws.

ⓘ

We use Stripe, Inc. as our secure payment provider. Stripe acts as a data processor and may access your data to process payments. Other subprocessors include AWS, Cloudflare, Google Cloud, and email delivery tools.

Stripe privacy policy: https://stripe.com/privacy | DPA: https://stripe.com/legal/dpa

7. Legal Basis

We rely on:

• Contractual necessity for transactional communications

• Legitimate interest for abandoned cart reminders and related incentives

• Your consent for additional promotional communications

You may object to the use of your data under legitimate interest at any time.

8. Data Storage and Security

Data is securely stored by Flora Plus and may also be accessible to the operator for service purposes. We use industry-standard systems and protocols to protect and store data appropriately. There is no automatic deletion of user data for security and legal compliance.

9. Logs and Technical Data

Flora Plus automatically logs certain technical data related to your interaction with the booking engine for security, system integrity and fraud prevention purposes. This includes, but is not limited to, access timestamps, IP address, browser type, device metadata, user agent, and error logs.

These logs are retained for a limited period and are not used for profiling or marketing. They may be used to investigate suspected misuse, enforce our terms, comply with legal obligations, and ensure secure platform operations.

10. International Data Transfers

Data may be transferred and processed in the United States under SCCs and the Data Privacy Framework.

11. Data Retention

We retain your data for operational, legal and security purposes and do not automatically delete it.

12. Your Rights

You may request access, correction, deletion, restriction or portability of your data, or object to its processing. You also have the right not to be subject to automated decision-making. All requests should be directed to info@getfloraplus.com.

13. Minors Data

We do not knowingly process data from users under 13 years of age. If we become aware of such data, we will delete it.

14. Cookies

Flora Plus does not use first-party cookies in its booking engine. However, cookies already present on the host website (e.g., analytics or marketing cookies from the operator) may remain active during the booking process. These are managed by the operator's domain.

15. Do Not Track

Flora Plus does not track user activity across websites and does not respond to Do Not Track (DNT) signals.

16. Changes

We may update this policy. Changes will be announced in the booking interface.

17. Governing Law and Jurisdiction

These Terms are governed by the laws of the State of Delaware, United States. Any dispute will be resolved in state or federal courts located in Delaware.

18. Language and Prevailing Version

In case of any conflict between different language versions of this Policy, the English version shall prevail.

19. Contact

Contact Information

For any inquiries or questions about data, contact:

Company
Flora Plus, LLC

Email
info@getfloraplus.com

Address
131 Continental Dr Suite 305
Newark, DE, 19713, United States

Appendix A – EU/UK Residents

EU and UK residents have the right to access, rectify, delete, restrict, object and port their data under GDPR/UK GDPR. Flora Plus acts as a controller. Transfers follow SCCs and the EU-US Data Privacy Framework.

Appendix B – California Residents (CCPA/CPRA)

California residents may exercise rights to know, delete, correct, opt-out of sharing, and limit use of sensitive data. Flora Plus does not sell personal data.

Appendix C – Latin America

Flora Plus complies with regional data protection laws, including Habeas Data (Colombia), LGPDP (Mexico), and others, applying principles of legality, consent, purpose and proportionality.