Privacy Policy

Data Privacy Policy and Governance Framework

Effective Date: 12 October 2025

Governing Law: Republic Act No. 10173 (The Data Privacy Act of 2012) and its Implementing Rules and Regulations.

1. Our Commitment and Scope

Pearl Horizon Travel, referred to herein as the "Agency," is committed to the protection, confidentiality, and security of all Personal Information (PII) and Sensitive Personal Information (SPI) processed in connection with our travel services. This Policy operates in strict adherence to the DPA and its foundational principles of Transparency, Legitimate Purpose, and Proportionality. This Policy applies to all data collected through the Agency’s physical, digital, and online channels. This Policy is an integral part of the General Terms and Conditions (GTC) governing all bookings made with the Agency.

2. Definition and Categories of Personal Data Collected

The Agency collects and processes data based on the necessity for fulfilling the travel contract and related services.

2.1. Personal Identifiable Information (PII)

This includes details used to identify and contact an individual, such as name, gender, date of birth, nationality, contact information (mailing address, email address, phone number), and travel information (ticket numbers, destinations, flight information, booking references).

2.2. Sensitive Personal Information (SPI)

SPI is data requiring elevated security and is strictly processed only when absolutely necessary for the booking and subject to explicit consent:

Identification Details: Passport numbers and validity dates, other government-issued identification numbers.
Financial Data: Credit or debit card information, including cardholder name, card number, billing address, and expiry date.
Health and Medical Information: Any requests for specific medical assistance (e.g., wheelchair, oxygen), pregnancy status requiring airline clearance, or dietary restrictions.
Biometric Data: May be collected by third-party suppliers (e.g., airlines, airport security) during travel and shared with the Agency as part of the service fulfillment.

3. Lawful Basis and Purpose of Processing

The Agency processes PII and SPI under the following two lawful bases:

3.1. Contractual Necessity (Mandatory Consent)

The primary purpose for data collection is the fulfillment of the travel contract. This processing is mandatory and non-negotiable for service delivery. Purposes include:

Securing and confirming flight bookings, accommodations, and tours (ticketing and reservation).
Processing necessary payment transactions and verifying billing addresses.
Facilitating mandatory government and regulatory compliance (e.g., visa applications, K-ETA, Philippine eTravel declarations).
Providing travel insurance or other essential ancillary services.
Responding to and resolving service requests or complaints.

3.2. Express Consent (Optional)

Secondary processing activities, such as sending marketing materials, promotional offers, or non-essential product updates, are based on the Client’s separate, explicit, and optional consent. Clients may withdraw this consent at any time without prejudice to the fulfillment of the executed travel contract.

4. Data Sharing, Cross-Border Transfer, and Intermediary Status

The Agency operates as an independent agent and intermediary. Data sharing is essential to provide the service but is executed only under strict DPA compliance.

4.1. Sharing with Suppliers and Affiliates

The Client grants explicit consent for the Agency to securely share their PII and SPI strictly with necessary third-party Suppliers (airlines, hotels, local tour operators) and Agency Affiliates (insurance providers, visa processors). The Agency mandates that all recipients implement appropriate security and confidentiality measures equivalent to the DPA.

4.2. Cross-Border Data Transfer Protocol

As travel involves international destinations, the Agency frequently transfers data outside the Philippines. To maintain compliance, the Agency commits to mitigating cross-border risk by ensuring that the receiving foreign entity guarantees a level of protection for the data that meets or exceeds the standards set forth by the DPA.

The Agency utilizes Standard Contractual Clauses (SCCs), based on NPC-recognized international models (such as ASEAN Model Contract Clauses), in all agreements with foreign Suppliers and Affiliates to contractually enforce DPA-equivalent security and accountability. This measure is crucial for the lawful and secure transfer of data.

5. Security and Data Protection Measures

The Agency adheres to Section 20 of the DPA by implementing appropriate Organizational, Physical, and Technical Security measures.

Organizational: Access to data is restricted on a strict "Need-to-Know" basis. All personnel are trained on data handling protocols, and non-compliance results in disciplinary action.
Physical: Hard copies of SPI (e.g., passports) are secured in locked cabinets within restricted-access facilities. Personal storage devices are prohibited in processing areas.
Technical: All data transmitted online (website, email) is protected using Secure Sockets Layer (SSL) encryption. Robust firewall and security systems are maintained, and payment processing adheres to global industry standards. Encrypted, regular backups are maintained to prevent data loss.

6. Data Retention and Secure Disposal

Personal data shall not be retained longer than necessary to fulfill the specified purpose. To balance DPA proportionality with mandatory legal and fiscal accountability, the Agency implements a defined retention schedule:

All core contractual and financial records related to a booking are retained for seven (7) years following the completion of the travel service.
Marketing consent and associated data are retained until consent is withdrawn.
Once the retention period expires, data is securely disposed of using verified methods, including cross-shredding for physical records and cryptographic erasure for digital files.

7. Data Subject Rights Under RA 10173

As a valued client, you are afforded the following rights, which the Agency commits to honoring upon verified request:

Right to Be Informed: You have the right to be notified about how your data is processed (fulfilled through this Policy).
Right to Access: You may request access to your personal data held by the Agency.
Right to Object: You may refuse the processing of your data, particularly for marketing or non-contractual purposes.
Right to Rectification: You may request that the Agency correct any inaccurate, outdated, or incomplete personal data.
Right to Erasure or Blocking: You may request the suspension, withdrawal, or order the blocking of your personal data under specific legal circumstances (e.g., unlawful processing).
Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format to facilitate its transfer to another controller.
Right to Damages: You have the right to claim compensation for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data.
Right to File a Complaint: You may lodge a complaint with the National Privacy Commission (NPC) if you believe your rights under the DPA have been violated.

8. Security Incident and Breach Reporting

The Agency has implemented a mandatory Breach Reporting Procedure in compliance with NPC requirements. In the event of a security incident that materially compromises the confidentiality or integrity of personal data, the Agency will notify the National Privacy Commission and the affected data subjects within seventy-two (72) hours of discovery.

9. Contact Details of the Data Protection Officer (DPO)

For any requests regarding your data subject rights, clarification of this Policy, or concerns regarding data security, please contact our designated Data Protection Officer:

Pearl Horizon Travel – Data Protection Office

Email: compliance@pearlhorizontravel.com.ph

Phone: +63 966 0313013

Address: Purok 5, Barangay Sikat, Alfonso, Cavite, Philippines 4123