Privacy Policy
Last updated: 15 January 2026 · Effective: 15 January 2026
1. Who we are
This Privacy Policy applies to burj-khalifa-tickets.shop (the "Site"), an independent affiliate website that refers ticket bookings to Viator. For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021 — "PDPL"), we act as a data controller for the limited personal data we collect to operate the Site, and as a data processor when we transmit booking details to Viator on your behalf.
2. What data we collect
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Booking data | Name, email, phone, billing address, visit date/time, ticket type | Process booking via Viator API | Contract performance (GDPR Art. 6(1)(b)) |
| Payment data | Encrypted card payload (RSA-OAEP-256) | Process payment via Viator | Contract performance (Art. 6(1)(b)) |
| Technical data | IP address, user agent, language, referrer | Security, fraud prevention, analytics | Legitimate interests (Art. 6(1)(f)) |
| Cookies | Essential session cookies only | Site functionality | Strictly necessary — no consent required |
We do not store your full card number (PAN) or CVV. Card data is encrypted in your browser using RSA-OAEP-256 and forwarded to Viator's payment processor. Only the last 4 digits and brand are retained for receipt and customer service.
3. How we use your data
- To create and fulfil your booking through Viator's API.
- To send booking confirmation, voucher delivery, and operational emails.
- To detect, prevent and respond to fraud, abuse, and security incidents.
- To comply with legal, tax and accounting obligations.
- To improve site performance and user experience (aggregated analytics only).
We do not sell your personal data. We do not use it for behavioural advertising. We do not share it with data brokers.
4. Who we share data with
- Viator, Inc. (Tripadvisor) — to fulfil your booking. Their privacy policy: viator.com/support/privacy.
- Cloudflare, Inc. — content delivery, DDoS protection, hosting (Pages).
- Google Cloud Platform — backend API hosting (Tokyo region).
- MongoDB Atlas — encrypted database storage.
- Law enforcement — only when legally compelled by valid court order.
5. International transfers
Your data may be transferred outside your country of residence (e.g. to the United States, Japan, the EU). Where required, we rely on the EU Standard Contractual Clauses and equivalent UK/UAE mechanisms to safeguard your data.
6. Retention
Booking data is retained for up to 7 years to comply with tax and accounting obligations. Technical logs are retained for up to 90 days. After these periods, data is securely deleted or anonymised.
7. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data;
- Erase your data ("right to be forgotten");
- Restrict or object to certain processing;
- Data portability — receive your data in a machine-readable format;
- Withdraw consent at any time (where processing is based on consent);
- Lodge a complaint with your local data protection authority (e.g. ICO in the UK, CNIL in France, AEPD in Spain, UAE Data Office, California Attorney General).
To exercise these rights, email privacy@burj-khalifa-tickets.shop. We will respond within 30 days.
8. California (CCPA/CPRA)
California residents have the right to know what personal information we collect, request deletion, opt out of "sale" or "sharing" (we do neither), and not be discriminated against for exercising these rights. Requests: privacy@burj-khalifa-tickets.shop.
9. UAE PDPL
UAE residents have analogous rights under Federal Decree-Law No. 45 of 2021. The supervisory authority is the UAE Data Office.
10. Security
We implement industry-standard safeguards: TLS 1.3 in transit, AES-256-GCM at rest for sensitive fields, RSA-OAEP-256 for client-side card encryption, strict CSP headers, HSTS preload, rate limiting, and IP banning for abusive actors. No system is perfectly secure; we promptly notify affected users in case of a breach.
11. Children
The Site is not directed to children under 13 (16 in the EU). We do not knowingly collect data from minors. If you believe a child has provided us data, contact us for prompt deletion.
12. Changes
We may update this policy. Material changes will be highlighted at the top of this page or notified by email where appropriate.
13. Contact
Data Protection contact: privacy@burj-khalifa-tickets.shop