Personal Data Processing Policy

1. Introduction and Scope

At Magic Journey, we deeply value the trust of our travelers, partners, and collaborators. Therefore, our Personal Data Processing Policy describes how we collect, use, store, and protect the information provided to us by those who interact with our services, whether on our website, through digital forms, social media, or direct communications.

Magic Journey LLC, headquartered in Boston, Massachusetts, USA, acts as the data controller. This policy applies to all company operations, including partnerships and travel services provided in collaboration with third parties within and outside the United States.

We recognize that our clients come from different parts of the world. Therefore, this policy is designed in accordance with international best practices in privacy and data protection, including the principles established in the Massachusetts Data Privacy Law (201 CMR 17.00), the Federal Trade Commission Act (FTC Act), the European Union’s General Data Protection Regulation (GDPR), and the provisions of Colombian Law 1581 of 2012.

The purpose of this policy is to ensure that all personal information we collect is treated with transparency, responsibility, and respect, promoting ethical, safe, and reliable tourism.

2. Definitions and Principles of Data Protection

Definitions

For the purposes of this Policy, the following definitions apply:

• Personal data: any information that identifies or can identify a natural person, such as name, identity document, telephone number, email address, physical address, country of residence, or payment information.
• Sensitive data: information that may reveal racial or ethnic origin, sexual orientation, religious beliefs, health status, or other intimate data. Magic Journey does not request or process this type of information unless strictly necessary to fulfill a specific service (for example, dietary or medical restrictions during a trip).
• Processing: any operation or set of operations performed on personal data, such as collection, storage, use, transmission, or deletion.
• Data subject: the natural person to whom the personal data belongs.
• Data controller: Magic Journey LLC, which determines the purpose and use of personal data.
• Data processor: Any third party that processes personal data on behalf of Magic Journey (e.g., accommodation, transportation, or digital service providers).
• Consent: A freely given, informed, and voluntary indication by which the data subject authorizes the processing of their personal data.

Data Protection Principles

The processing of personal data by Magic Journey is governed by the following international principles:

1. Lawfulness: Data is collected and processed in accordance with the law and with a valid legal basis.
2. Transparency: We inform the data subject clearly and accessibly about the use that will be made of their information.
3. Purpose: Data is collected only for legitimate, explicit, and previously informed purposes.
4. Minimization: Only the information strictly necessary for the purposes of the service is collected.
5. Accuracy: We keep data up-to-date and accurate to ensure its validity.
6. Security: We apply appropriate technical and organizational measures to protect information against unauthorized access, loss, or alteration.
7. Confidentiality: We guarantee that personal information will be treated confidentially by all persons involved in its processing.
8. Storage limitation: Data will be kept only for as long as necessary to fulfill the purpose for which it was collected.
9. Accountability: Magic Journey is committed to demonstrating compliance with this policy and applicable data protection laws.

3. Data We Collect and Purpose of Processing

At Magic Journey, we collect only the information necessary to offer safe, personalized, and high-quality travel experiences. Data is collected directly through forms on our website, emails, social media, business partnerships, or communications with our team.

📋 Types of Data We May Collect

1. Identification and Contact Information:
   Full name, nationality, ID number, email address, phone number, country or city of residence.
2. Travel and Personal Preference Information:
   Travel dates, destinations of interest, preferred type of accommodation, level of physical activity (for experiences such as cycling tours), transportation and food requirements, and other details necessary to personalize the service.
3. Payment and Billing Information:
   Payment information (partial card number, payment methods used, billing information, or selected currency). Magic Journey does not store complete financial information; Payments are processed through secure third-party platforms certified under the highest international standards (such as PCI DSS).
4. Health or dietary data (optional): Limited information on medical conditions or dietary restrictions, only when the traveler voluntarily provides it to tailor their experience.
5. Website usage data: Anonymous information about browsing on our website, collected through cookies or analytics tools, to improve the user experience and platform functionalities.

Purposes of processing

The personal data collected by Magic Journey will be used solely for the following legitimate purposes:

1. Managing reservations and providing tourism services.
   Coordinating accommodation, transportation, activities, travel assistance, and personalized attention before, during, and after the trip.
2. Customer service and support.
   Contacting travelers to address concerns, confirm trip details, or provide information of interest.
3. Compliance with legal and contractual obligations. Issuing invoices, preparing accounting reports, handling audits, and complying with local and international tourism and safety regulations.
4. Communication and customer loyalty. Sending information about new destinations, promotions, satisfaction surveys, or special programs, provided the data subject has consented to receive marketing communications.
5. Security and fraud prevention. Verifying traveler identity and protecting both users and the company from illegal activities and cyber risks.
6. Collaborations with tourism partners. Sharing the minimum and strictly necessary data with authorized partners (hotels, tour operators, tour guides, insurance companies, etc.) to ensure the proper execution of contracted services.
7. Service improvement and internal analysis. Analyzing usage patterns, travel preferences, and customer feedback to optimize our programs and experiences.

4. Consent and Rights of Data Subjects

Consent for Data Processing

Magic Journey processes personal data only when there is free, explicit, and informed consent from the data subject, or when such processing is based on a legally justified cause (for example, the performance of a travel contract or compliance with a legal obligation).

Consent may be given in writing, electronically, or verbally, provided there is verifiable evidence of its granting. In the case of web forms, the voluntary submission of information constitutes consent.

The data subject may revoke their consent at any time by sending a written communication to the contact channels indicated in this policy. However, such revocation will not affect processing carried out previously and lawfully.

Data Subject Rights

Magic Journey guarantees the full exercise of the rights of all individuals whose data is processed by the company.

In accordance with applicable legislation, data subjects have the right to:

1. Access their personal data and know what information Magic Journey holds about them.
2. Rectify inaccurate, incomplete, or outdated data.
3. Delete or erase their data when it has fulfilled the purpose for which it was collected, or when they wish to withdraw their consent.
4. Object to the processing of their data in certain circumstances, for legitimate reasons related to their particular situation.
5. Temporarily restrict processing while claims or corrections are being verified.
6. Request the portability of their personal data, when technically feasible, to be transferred to another provider or data controller.
7. Revoke consent granted for commercial or promotional purposes.

Contact channels to exercise your rights

Data subjects may exercise their rights by sending a request to:
Email: info@magicjourney.co
Subject: “Request to exercise rights regarding personal data”

Requests will be processed within a maximum of 15 business days from receipt, in accordance with international best practices and applicable regulations.

5. Data transfer, storage, and security

International data transfer

Due to the international nature of Magic Journey’s services, travelers’ personal data may be transferred or shared with partners and suppliers located in different countries, including Colombia and other regions where tourism experiences are offered.

These transfers are made only with suppliers or partners that comply with appropriate security and confidentiality standards and guarantee data protection in accordance with applicable laws (including the standard contractual clauses of the General Data Protection Regulation – GDPR).

Magic Journey ensures that all international data transfers are carried out based on legal justification and under confidentiality agreements or service contracts that include data protection clauses.

Data Storage

Personal data collected by Magic Journey is stored on secure servers located in the United States or in countries that offer an equivalent level of protection.

We use recognized technology providers (for example, platforms certified under ISO 27001, SOC 2, or equivalent standards), which guarantees the integrity, availability, and confidentiality of the information.

Data will be retained only for as long as necessary to fulfill the purposes described in this policy, or for the period required by applicable laws.

Once this period has expired, the information will be securely deleted or anonymized. (Please ask Jaime and Ruby if this aligns with the website’s requirements.)

Security Measures

Magic Journey adopts reasonable technical, administrative, and organizational measures to protect personal information against loss, unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption and secure authentication for data transmission.
• Restricted access to authorized personnel.
• Internal confidentiality policies and data protection training.
• System backup and monitoring procedures.
• Periodic compliance and security audits.

In the event of a security breach affecting personal information, Magic Journey will notify the data subject and the competent authorities within the timeframes established by applicable regulations, along with the measures taken to mitigate potential risks.

6. Data Retention, Modifications, and Official Contact

Data Retention

Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected or while an active contractual or commercial relationship exists with the data subject.

Once the purpose has been fulfilled or the applicable legal deadlines have expired, the data will be securely deleted or anonymized, in accordance with Magic Journey’s internal policies and the legal provisions in force in the United States and the countries where we operate.

Policy Modifications

Magic Journey may update or modify this Data Processing Policy at any time to adapt it to regulatory, technological, or operational changes. All updates will be published on our website, www.magicjourney.co, indicating the date of the last revision.

In the event of substantial changes that affect the rights of data subjects, they will be notified through the registered contact methods or via a prominent notice on our website.

Official Privacy Contact

To exercise your rights or make inquiries, complaints, or requests related to the processing of personal data, data subjects may contact our Data Protection Officer at:

Magic Journey LLC
📍 Boston, Massachusetts – USA
📧 info@magicjourney.co
🌐 www.magicjourney.co