333
 edits
Changes
Created page with "== Websky customer info ==  On May 25, 2018 the European Union "General Data Protection Regulation" (GDPR) comes into force. This regulation applies to all ticketing agency we..."
== Websky customer info ==
On May 25, 2018 the European Union "General Data Protection Regulation" (GDPR) comes into force.
This regulation applies to all ticketing agency websites and, to a greater extent, to those with language versions of the websites in English or EU languages.
'''To meet the requirements of the GDPR in the system Nemo.travel has been implemented a number of improvements:'''
* only mandatory fields will now be requested on the B2C user registration form;
* complete deletion of the user is available on all design themes;
* a block for user's consent to Cookie Policy and/or Privacy Policy will be displayed on all pages of the site;
* added a restriction on the IP of the company's offices for uploading data on orders by agency employees;
* deletion of the unused fields on the user profile page;
* automatic deletion of personal data from orders whose processing is fully completed.
'''Tasks of the agent (Nemo.travel client) as the controller of personal data:'''
1. Enter the current text of the Privacy Policy in Russian and English in the Websky administration panel in the settings section '''Site Management → Domains and Protocols''', field '''Privacy Policy'''.
You can access the page where the text of the privacy policy will be displayed by clicking the following link: http(s)://DOMAIN/privacy__policy
2. Check that your Terms of use page includes information that the site is not intended for children under the age of 16.
Information about the Terms of Use must be entered in Russian and English in the Nemo.travel administration panel in the settings section '''Site Management → Domains and Protocols''', field "Booking Rules".
To get access to the page where the text of the site usage rules will be displayed, it is possible by clicking the link of the following view: http(s)://DOMAIN/booking__policy.
3. After filling in the Privacy Policy, enable the option Display warning about the use of cookies in the Websky administration panel in the settings section '''Site Management → Domains and Protocols'''.
4. Check that links to the Terms of Use and Privacy Policy pages are located at the bottom of the site (in the footer element). In case of their absence - make the necessary changes to the template of the footer element in the Nemo.travel administration panel in the settings section '''Site management → Nemo CMS → Templates'''.
===How to fill in the "Privacy Policy"=== correctly.
1. You can create your own document. At the same time, you need to check that your text includes:
* description of what information about the buyer is collected by your site;
* for what purpose and how it is used;
* how long it will be stored and to whom it will be transferred (Booking Systems and GDS, back office, third-party services, etc.);
* the rights of the personal data subject;
* data storage policy;
* Cookie Policy - what data the site writes to the buyer's device and for what purpose;
* regulations for changes in the privacy policy;
* contact information;
2. You can use the example below as a sample and make necessary changes related to the specifics of your site and the services and modules connected to it.
==An example of the Website Privacy Policy==
===General information===
''Personal data'' is any information that relates to you as a user of a site and through which you can be directly or indirectly identified.
 
This site collects and processes personal data in accordance with the requirements of international laws and only for the purpose of selling the tourism products in accordance with the public agreement '''"Website terms of use"'''.
We transfer personal data only to reliable partners using the secure protocols (for example, to international reservation systems).
We restrict access to personal data by means of password based authentication and secret codes.
Personal data is stored in encrypted form and only for the purposes of increasing the usability of the service. The data owner is provided an opportunity to view, edit and delete personal data by means of the "private office" functionality.
 
To purchase as a natural person you do not need to create an account in the system. In this case, in order to get the access to your booking you have to enter a secret access code (a set of numbers and letters) that will be displayed on the order page and duplicated in an e-mail notification of successful booking. We do use cookies to store information about your device so you do not have to enter an access code each time you open an order page. In case you forgot or lost the access code and changed the device, you can restore access to the order by entering its number and last name of the first passenger. To ensure that the access code, the order number and the last name of the first passenger can not be brute forced, the system limits the number of attempts for data entry per unit of time.
 
If you create an account in our system, your orders will be tied to this account and displayed in your personal “private office”. We will also store personal data of the passengers that you have entered, so that you can reuse it when creating new orders. Nobody except you has the access to the passengers’ personal data stored in your personal “private office”. You can delete your account in your personal “private office”. In this case all personal data associated with your account, including your orders, will be deleted from the system.
 
Personal data related to orders is stored in an encrypted form. Only you and our company’s employees have the access to this data. Our employees use your personal data only for purposes of analysing and solving technical problems (for example, an error during the booking due to an unacceptable format of the data). Use of personal data for other purposes is prohibited by the nondisclosure agreement that is signed by each of our employees. Personal data from the orders will be deleted after the completion of the service execution time, after the end of the acceptable terms of exchanges and refunds for the services and after the end of the reporting period.
We send e-mail and sms notifications only:
* to notify you about the current status of your orders;
* to confirm your e-mail address during the account registration process;
* to change the password after the account registration process.
During the account registration process you can also subscribe to our newsletter in order to receive news about our company, information about profitable promotions and our special offers. You can unsubscribe at any time by clicking the "unsubscribe" link we provide in each letter.
 
Our system does not obtain or store card data. All payments are processed through reliable and certified systems of banks or payment gateways. We only obtain and process data concerning the successful or unsuccessful result of your payment.
===Rights of the subject of personal data===
Processing of personal data is carried out in accordance with the website terms of use and in compliance with this privacy policy.
You have the right to obtain, edit or completely delete your personal data.
 
You have the right to request the following information by e-mail or phone:
* one copy of your personal data (free of charge);
* detailed information about the companies (reservation systems), to which your personal data was or will be transferred, and the country of their location;
* any information related to the purposes and terms of processing of personal data, to the sources of obtain of your personal data (if it does not contradict the requirements of laws).
The system does not process personal data for the purposes of making automated decisions that can affect the order price or decisions restricting your rights as a subject of personal data.
===Information collected and processed by our system===
We obtain from you the following information:
{| class="wikitable"
|-
! scope="col" | Data type
! scope="col" | The use
! scope="col" | Where is being transferred to
! scope="col" | Data storage period
|-
| width="25%"| Browser language
| width="25%"| To determine the language version of the site
| width="25%"| Not transferred
| width="25%"| Not stored
|-
| Browser type
| To determine specific parameters for the correct display of a website
| Transmitted to reservation systems, if required
| Stored in logs up to 3 years (only for analysing and solving technical problems)
|-
| Internet Protocol address (IP)
| For an approximate definition of the nearest departure airport. To limit the number of attempts of performing the operations that are critical for the security (protection against brute force selection)
| Transmitted to reservation systems, if required
| Stored in logs up to 3 years (only for analysing and solving technical problems)
|-
| Parameters of the search request
| To pre-fill the search form, in case the user updates the webpage or returns to the website
| Transmitted to reservation systems to get offers (results of search)
| Not more than a week on the server side, 1 year in the client's browser
|-
| Passengers data (purchasing process)
| For booking and issuing tickets
| To reservation systems and airlines
| 3 months after the end of the service (in an encrypted form)
|-
| Passengers data (private office)
| To re-enter personal data automatically to the new orders
| Not transferred
| Unlimitedly in an encrypted form (until being removed by the user)
|-
| User's e-mail address (purchasing process)
| For booking and issuing tickets. To send e-tickets and e-mail notifications about the status of the order
| To reservation systems and airlines
| 3 months after the end of the service (in an encrypted form)
|-
| User's phone number (purchasing process)
| For booking and issuing tickets. To send SMS-messages to notify about the status of the order
| To reservation systems and airlines
| 3 months after the end of the service (in an encrypted form)
|-
| User's e-mail address (registration process)
| To indentify the user. For password recovery.
| To the mailing list management system in the case of direct user consent
| Unlimitedly in an encrypted form (until the removal of the user)
|-
| User's password
| For authentication
| Not transferred
| Unlimitedly in an encrypted form (until the removal of the user), as a hash sum.
|}
===Cookie Policy===
 
Cookies are files with data related to our system and stored on the side of your device. You manage the stored data yourself and you can delete it at any time. It is not recommended to completely disable the cookies functionality as this can adversely affect the availability of the certain functionality of our system.
We use personal data from these files only for the purposes listed below.
 
'''Security features:'''
  
We identify your device and restrict unauthorized access to your personal data from any other devices. Because of this you can purchase tickets without creating an account in our system.
 
During the process of the authentication (at the moment when user enters username and password), we store your data through a unique session identifier stored in the cookie. So you do not need to re-enter your login and password each time you perform the operations that require authorization.
 
'''To improve the quality of the system:'''
 
We save the site settings that are convenient for you, for example, the language or the currency.
 
We also save the last entered search parameters, so in case you return to the webpage with the search form you do not have to fill out the search form again.
 
'''To collect analytical data:'''
 
We strive to improve our service, to increase its speed and make it more convenient for the customers.
We use cookies to collect anonymous analytical data in the Yandex.Metrica and Google Analytics systems for identifying problematic and non-optimal webpages.
 
'''For effective and useful advertising:'''
 
We use ad serving systems (for example, Google AdWords, Yandex.Direct) to promote our solution.
The ad serving systems collect anonymous statistical data about visitors of the websites for the purposes of an effective and unobtrusive advertising campaigns.
===Data Storage Policy===
1. Security of access to personal data is provided by authentication and authorization.
 
2. Security of access to personal data by unregistered customers is provided through unique access codes or identification of the device of the customer (through a cookie).
 
3. Employees of companies that have access to personal data, sign a non-disclosure agreement and have to pass two-factor authentication.
 
4. During the process of transmission and storage (including backups) personal data is encrypted. To check the integrity of the encrypted data the checksum algorithm is used. Encryption algorithm: symmetric-key algorithm with 256-bit key and random initialization vector.
 
5. Secure storage of passwords (via hash value without the ability to restore the user's original password).
 
6. Passwords and access codes to personal data are protected from brute force selection.
 
7. Protection against data loss is organized through a real-time replication and daily backups systems.
8. All operations of accessing personal data are logged.
===Changes to Privacy Policy===
 
The requirements of international laws and agreements on personal data vary and we must comply with them. Besides we are constantly improving our system, adding new functionality and integrating with the new reservation systems. We continuously improve the mechanisms for protection of personal data. Taking into the consideration the information above changes to this privacy policy may required. The new document enters into the force from the date of its publication.
===Contact Information===
Here you have to specify the contact information of your agency.
Date of publication: dd.mm.yyyy
On May 25, 2018 the European Union "General Data Protection Regulation" (GDPR) comes into force.
This regulation applies to all ticketing agency websites and, to a greater extent, to those with language versions of the websites in English or EU languages.
'''To meet the requirements of the GDPR in the system Nemo.travel has been implemented a number of improvements:'''
* only mandatory fields will now be requested on the B2C user registration form;
* complete deletion of the user is available on all design themes;
* a block for user's consent to Cookie Policy and/or Privacy Policy will be displayed on all pages of the site;
* added a restriction on the IP of the company's offices for uploading data on orders by agency employees;
* deletion of the unused fields on the user profile page;
* automatic deletion of personal data from orders whose processing is fully completed.
'''Tasks of the agent (Nemo.travel client) as the controller of personal data:'''
1. Enter the current text of the Privacy Policy in Russian and English in the Websky administration panel in the settings section '''Site Management → Domains and Protocols''', field '''Privacy Policy'''.
You can access the page where the text of the privacy policy will be displayed by clicking the following link: http(s)://DOMAIN/privacy__policy
2. Check that your Terms of use page includes information that the site is not intended for children under the age of 16.
Information about the Terms of Use must be entered in Russian and English in the Nemo.travel administration panel in the settings section '''Site Management → Domains and Protocols''', field "Booking Rules".
To get access to the page where the text of the site usage rules will be displayed, it is possible by clicking the link of the following view: http(s)://DOMAIN/booking__policy.
3. After filling in the Privacy Policy, enable the option Display warning about the use of cookies in the Websky administration panel in the settings section '''Site Management → Domains and Protocols'''.
4. Check that links to the Terms of Use and Privacy Policy pages are located at the bottom of the site (in the footer element). In case of their absence - make the necessary changes to the template of the footer element in the Nemo.travel administration panel in the settings section '''Site management → Nemo CMS → Templates'''.
===How to fill in the "Privacy Policy"=== correctly.
1. You can create your own document. At the same time, you need to check that your text includes:
* description of what information about the buyer is collected by your site;
* for what purpose and how it is used;
* how long it will be stored and to whom it will be transferred (Booking Systems and GDS, back office, third-party services, etc.);
* the rights of the personal data subject;
* data storage policy;
* Cookie Policy - what data the site writes to the buyer's device and for what purpose;
* regulations for changes in the privacy policy;
* contact information;
2. You can use the example below as a sample and make necessary changes related to the specifics of your site and the services and modules connected to it.
==An example of the Website Privacy Policy==
===General information===
''Personal data'' is any information that relates to you as a user of a site and through which you can be directly or indirectly identified.
This site collects and processes personal data in accordance with the requirements of international laws and only for the purpose of selling the tourism products in accordance with the public agreement '''"Website terms of use"'''.
We transfer personal data only to reliable partners using the secure protocols (for example, to international reservation systems).
We restrict access to personal data by means of password based authentication and secret codes.
Personal data is stored in encrypted form and only for the purposes of increasing the usability of the service. The data owner is provided an opportunity to view, edit and delete personal data by means of the "private office" functionality.
To purchase as a natural person you do not need to create an account in the system. In this case, in order to get the access to your booking you have to enter a secret access code (a set of numbers and letters) that will be displayed on the order page and duplicated in an e-mail notification of successful booking. We do use cookies to store information about your device so you do not have to enter an access code each time you open an order page. In case you forgot or lost the access code and changed the device, you can restore access to the order by entering its number and last name of the first passenger. To ensure that the access code, the order number and the last name of the first passenger can not be brute forced, the system limits the number of attempts for data entry per unit of time.
If you create an account in our system, your orders will be tied to this account and displayed in your personal “private office”. We will also store personal data of the passengers that you have entered, so that you can reuse it when creating new orders. Nobody except you has the access to the passengers’ personal data stored in your personal “private office”. You can delete your account in your personal “private office”. In this case all personal data associated with your account, including your orders, will be deleted from the system.
Personal data related to orders is stored in an encrypted form. Only you and our company’s employees have the access to this data. Our employees use your personal data only for purposes of analysing and solving technical problems (for example, an error during the booking due to an unacceptable format of the data). Use of personal data for other purposes is prohibited by the nondisclosure agreement that is signed by each of our employees. Personal data from the orders will be deleted after the completion of the service execution time, after the end of the acceptable terms of exchanges and refunds for the services and after the end of the reporting period.
We send e-mail and sms notifications only:
* to notify you about the current status of your orders;
* to confirm your e-mail address during the account registration process;
* to change the password after the account registration process.
During the account registration process you can also subscribe to our newsletter in order to receive news about our company, information about profitable promotions and our special offers. You can unsubscribe at any time by clicking the "unsubscribe" link we provide in each letter.
Our system does not obtain or store card data. All payments are processed through reliable and certified systems of banks or payment gateways. We only obtain and process data concerning the successful or unsuccessful result of your payment.
===Rights of the subject of personal data===
Processing of personal data is carried out in accordance with the website terms of use and in compliance with this privacy policy.
You have the right to obtain, edit or completely delete your personal data.
You have the right to request the following information by e-mail or phone:
* one copy of your personal data (free of charge);
* detailed information about the companies (reservation systems), to which your personal data was or will be transferred, and the country of their location;
* any information related to the purposes and terms of processing of personal data, to the sources of obtain of your personal data (if it does not contradict the requirements of laws).
The system does not process personal data for the purposes of making automated decisions that can affect the order price or decisions restricting your rights as a subject of personal data.
===Information collected and processed by our system===
We obtain from you the following information:
{| class="wikitable"
|-
! scope="col" | Data type
! scope="col" | The use
! scope="col" | Where is being transferred to
! scope="col" | Data storage period
|-
| width="25%"| Browser language
| width="25%"| To determine the language version of the site
| width="25%"| Not transferred
| width="25%"| Not stored
|-
| Browser type
| To determine specific parameters for the correct display of a website
| Transmitted to reservation systems, if required
| Stored in logs up to 3 years (only for analysing and solving technical problems)
|-
| Internet Protocol address (IP)
| For an approximate definition of the nearest departure airport. To limit the number of attempts of performing the operations that are critical for the security (protection against brute force selection)
| Transmitted to reservation systems, if required
| Stored in logs up to 3 years (only for analysing and solving technical problems)
|-
| Parameters of the search request
| To pre-fill the search form, in case the user updates the webpage or returns to the website
| Transmitted to reservation systems to get offers (results of search)
| Not more than a week on the server side, 1 year in the client's browser
|-
| Passengers data (purchasing process)
| For booking and issuing tickets
| To reservation systems and airlines
| 3 months after the end of the service (in an encrypted form)
|-
| Passengers data (private office)
| To re-enter personal data automatically to the new orders
| Not transferred
| Unlimitedly in an encrypted form (until being removed by the user)
|-
| User's e-mail address (purchasing process)
| For booking and issuing tickets. To send e-tickets and e-mail notifications about the status of the order
| To reservation systems and airlines
| 3 months after the end of the service (in an encrypted form)
|-
| User's phone number (purchasing process)
| For booking and issuing tickets. To send SMS-messages to notify about the status of the order
| To reservation systems and airlines
| 3 months after the end of the service (in an encrypted form)
|-
| User's e-mail address (registration process)
| To indentify the user. For password recovery.
| To the mailing list management system in the case of direct user consent
| Unlimitedly in an encrypted form (until the removal of the user)
|-
| User's password
| For authentication
| Not transferred
| Unlimitedly in an encrypted form (until the removal of the user), as a hash sum.
|}
===Cookie Policy===
Cookies are files with data related to our system and stored on the side of your device. You manage the stored data yourself and you can delete it at any time. It is not recommended to completely disable the cookies functionality as this can adversely affect the availability of the certain functionality of our system.
We use personal data from these files only for the purposes listed below.
'''Security features:'''
We identify your device and restrict unauthorized access to your personal data from any other devices. Because of this you can purchase tickets without creating an account in our system.
During the process of the authentication (at the moment when user enters username and password), we store your data through a unique session identifier stored in the cookie. So you do not need to re-enter your login and password each time you perform the operations that require authorization.
'''To improve the quality of the system:'''
We save the site settings that are convenient for you, for example, the language or the currency.
We also save the last entered search parameters, so in case you return to the webpage with the search form you do not have to fill out the search form again.
'''To collect analytical data:'''
We strive to improve our service, to increase its speed and make it more convenient for the customers.
We use cookies to collect anonymous analytical data in the Yandex.Metrica and Google Analytics systems for identifying problematic and non-optimal webpages.
'''For effective and useful advertising:'''
We use ad serving systems (for example, Google AdWords, Yandex.Direct) to promote our solution.
The ad serving systems collect anonymous statistical data about visitors of the websites for the purposes of an effective and unobtrusive advertising campaigns.
===Data Storage Policy===
1. Security of access to personal data is provided by authentication and authorization.
2. Security of access to personal data by unregistered customers is provided through unique access codes or identification of the device of the customer (through a cookie).
3. Employees of companies that have access to personal data, sign a non-disclosure agreement and have to pass two-factor authentication.
4. During the process of transmission and storage (including backups) personal data is encrypted. To check the integrity of the encrypted data the checksum algorithm is used. Encryption algorithm: symmetric-key algorithm with 256-bit key and random initialization vector.
5. Secure storage of passwords (via hash value without the ability to restore the user's original password).
6. Passwords and access codes to personal data are protected from brute force selection.
7. Protection against data loss is organized through a real-time replication and daily backups systems.
8. All operations of accessing personal data are logged.
===Changes to Privacy Policy===
The requirements of international laws and agreements on personal data vary and we must comply with them. Besides we are constantly improving our system, adding new functionality and integrating with the new reservation systems. We continuously improve the mechanisms for protection of personal data. Taking into the consideration the information above changes to this privacy policy may required. The new document enters into the force from the date of its publication.
===Contact Information===
Here you have to specify the contact information of your agency.
Date of publication: dd.mm.yyyy