Privacy policy
Last updated: 2026-05-14
BookMySafari.ae is a Dubai desert safari booking platform operated by BookMySafari (the "platform"). Bookings on this site are fulfilled by Velari Tourism L.L.C, the named Dubai DET-licensed partner operator (DET license #1491675). This policy explains what personal data the platform collects, why, for how long, where it goes, and how a data subject can access, correct, or erase it.
The policy is written against UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL"), UAE Federal Law No. 15 of 2020 on Consumer Protection, and Cabinet Decision No. 66 of 2023 on the Implementing Regulations of the Consumer Protection Law.
1. Data we collect
The platform collects only the personal data needed to confirm a booking:
- Booking enquiry data: full name, WhatsApp number, hotel zone or pickup address, party size, travel date, package tier, optional special-requirement notes (allergy, pregnancy, mobility, child age, vehicle preference).
- Payment data: card or wallet payment is collected by the partner operator's payment processor, not by the platform. The platform never sees or stores card numbers, CVVs, or wallet credentials.
- Server logs: IP address, user agent, requested URL, HTTP status, timestamp. Retained 30 days for security audit, then deleted.
- Email correspondence: messages exchanged with the booking team, retained 24 months for partner-operator dispute resolution, then archived in cold storage for the statutory minimum required by UAE consumer-protection law (currently 5 years) and deleted thereafter.
The platform does not run third-party advertising pixels, social-media trackers, fingerprint scripts, or behavioural-analytics tags by default.
2. Why we collect it
Booking enquiry data is collected solely to (a) confirm availability with the partner operator, (b) generate the WhatsApp confirmation message inside the 10-minute service promise, (c) hand the booking record to the partner operator for fulfilment, and (d) honour cancellation, refund, or rescheduling requests under UAE Federal Law 15/2020 and the cancellation policy at /legal/cancellation-refund-policy/.
Email correspondence is retained to evidence the booking conversation in the event of a partner-operator dispute, a credit-card chargeback, or a regulator query from the Department of Economy and Tourism.
3. Lawful basis (UAE PDPL Articles 4 to 6)
The platform processes personal data on two lawful bases: (a) performance of a service contract the data subject has requested (Article 4(2) of the UAE PDPL), and (b) legitimate interest in fraud prevention, accounting, and statutory record-keeping (Article 4(7)). Marketing and analytics, when introduced, will operate on a separate consent basis (Article 4(1)) with a documented opt-in.
4. Processors and sub-processors
The platform shares data with the following processors only:
- Velari Tourism L.L.C (UAE, DET license #1491675), the named DET-licensed partner operator. Receives the booking record, pickup details, and special-requirement notes needed to run the safari.
- Mailgun (Sinch) (EU region, Frankfurt) for transactional email delivery from the platform's contact form. Standard contractual clauses in place for any cross-border transfer.
- Hostinger International Ltd. (EU region, Lithuania) for application hosting. The site is fronted by Hostinger's reverse proxy and runs as a Node.js Express wrapper.
- Cloudflare, Inc. (United States) for DNS, CDN, and edge security when configured. Cross-border transfer covered by Cloudflare's data-processing addendum and SCCs.
The platform does not sell, rent, or share personal data with marketing networks, ad exchanges, or data brokers.
5. International transfer
The partner operator is UAE-domiciled and processes data inside the UAE. Mailgun, Hostinger, and Cloudflare may process data outside the UAE (EU and United States). The platform relies on (a) the European Commission adequacy decision for the UK and EEA where applicable, and (b) standard contractual clauses with each non-UAE processor, in line with UAE PDPL Article 22 on cross-border transfer.
6. Retention windows
- Booking enquiry data: 24 months after the safari date, then archived 36 more months.
- Server logs: 30 days, then deleted.
- Email correspondence: 5 years from the last message in the thread, then deleted.
- Marketing data (when collected): retained until the data subject withdraws consent, then deleted inside 30 days.
7. Your rights as a data subject
Under UAE PDPL Articles 13 to 17 the data subject has the right to (a) request a copy of their personal data, (b) correct inaccurate data, (c) request erasure when the original purpose no longer applies, (d) restrict processing pending dispute resolution, (e) object to processing based on legitimate interest, and (f) lodge a complaint with the UAE Data Office at u.ae.
Requests should be sent to [email protected]. The platform will respond inside 30 calendar days as required by Article 14 of the UAE PDPL.
8. Cookies
The site sets one strictly necessary first-party cookie for OAuth state on the admin route and no other cookies by default. No advertising cookies, no analytics cookies, no third-party trackers are loaded without explicit consent. Detailed cookie inventory at /legal/cookie-policy/.
9. Security
The platform enforces HTTPS site-wide via HSTS with a 2-year max-age and the
preload directive. The Content-Security-Policy blocks third-party script, style, and
frame sources by default. Form input is validated server-side and rate-limited at the reverse-proxy
layer. Email transport runs over STARTTLS to Mailgun on port 587.
10. Children
The platform does not knowingly collect data from any person under 18 without verified parental consent. Booking enquiries naming a child as a participant are processed on the lawful basis of the booking adult's contract, not on the child's consent.
11. Changes to this policy
Material changes are announced on this page with the new "Last updated" date. Subscribers to a marketing list (when introduced) will receive an email summary of the change.
12. Contact
For data-subject requests or privacy questions: [email protected].