Join Us

Privacy Policy

Privacy Policy

We respect your privacy and handle personal data in line with the Mauritius Data Protection Act 2017 (the “DPA 2017”). This Policy explains what we collect, why we collect it, how we use it, and your rights.

1. Who We Are & Contact

Controller: White Shell Tours Ltd, Flic en Flac, Mauritius. Contact: privacy@whiteshelltours.mu (example).

2. What We Collect

  • Identity data: names, titles, date of birth, nationality, passport details.
    • Contact data: billing and email addresses, phone numbers, emergency contacts.
    • Travel data: flight details, accommodation preferences, itineraries, special requests.
    • Transaction data: invoices, bookings, payment references (note: card data is processed by PCI‑compliant providers; we do not store full card numbers).
    • Technical data: IP address, browser type, device identifiers, cookies and analytics events.
    • Marketing data: preferences, consents, and communication history.
    • Special category data (only if volunteered and necessary): health or dietary information for trip suitability.

3. Legal Bases for Processing

We process data on the following bases under the DPA 2017: (a) performance of a contract (processing bookings); (b) compliance with legal obligations (tax, accounting, security); (c) legitimate interests (service improvement, fraud prevention, network security); (d) consent (marketing communications; health data for activity suitability). You can withdraw consent at any time.

4. How We Use Data

  • To create quotations, process bookings, and deliver services.
  •  To communicate operational updates and customer support.
  •  To personalise experiences and manage special requests.
  • To administer payments and detect/prevent fraud.
  • To run analytics and improve our website and services.
  • To comply with law, requests from authorities, and record‑keeping obligations.

5. Sharing & International Transfers

We share data with:

  • Suppliers (e.g., hotels, transport, activity providers) strictly for delivering your booking;
  • Payment processors and IT providers acting as data processors under contracts;
  • Regulators or authorities where legally required;
  • Professional advisors (auditors, lawyers).

If we transfer data outside Mauritius (e.g., to global IT providers), we use appropriate safeguards such as contractual clauses or equivalents permitted by the DPA 2017.

6. Retention

We keep data only as long as necessary: booking records up to 7 years for accounting/tax; marketing data until you opt out or after 24 months of inactivity; incident/claim files for the period needed to establish or defend legal claims. When no longer needed, we securely delete or anonymise data.

7. Security

We use administrative, technical, and physical safeguards appropriate to the risk, including access controls, encryption in transit for our website, and supplier due diligence. No system is perfectly secure; please notify us immediately if you suspect unauthorised access.

8. Cookies & Tracking

We use cookies and similar technologies to operate the site, remember preferences, and measure performance. You can control cookies via your browser settings. Where required, we will request consent for non‑essential cookies. See our Cookie Notice for details.

9. Your Rights

Subject to conditions under the DPA 2017, you may request: access, rectification, erasure, restriction, portability, and objection to certain processing. You can opt out of marketing at any time. We will respond within statutory timeframes.

Complaints: You can contact us first. You also have the right to lodge a complaint with the Data Protection Office in Mauritius.

10. Children

Our services are intended for adults. We do not knowingly collect personal data from children without parental/guardian consent. If you believe a child provided data to us, contact us to remove it.

11. Changes

We may update this Policy from time to time. The latest version will appear on our website with the effective date.

Your Question