Privacy Policy — aAlabu

Last updated: 24 September 2025

1) Who we are (Data Controller)

Aalabu (“we”, “us”, “our”) operates the website https://aalabu.com.
Registered/contact address (for correspondence): 182–184 High Street North, East Ham, London E6 2JA, United Kingdom.
Contact for privacy matters: aalabu@aalabu.com

2) What this policy covers

This explains what personal data we collect, why we collect it, how we use it, who we share it with (e.g., hotels/resorts and payment providers), how long we keep it, and your rights under the UK GDPR and the Data Protection Act 2018.

3) The data we collect

• Identity & Contact: name, email, phone, country, billing address.
• Booking details: check-in/out dates, property chosen, guests, extras selected, order/booking numbers, amounts paid.
• Payment details: the last 4 digits/brand of card or payment token (actual card data is processed by our payment processors, not stored by us).
• Communications: messages you send us (e.g., special requests, customer support).
• Account data: login, order history, saved preferences.
• Technical data: IP address, device/browser info, cookies, and activity on our site (for security, performance and analytics).
• Optional special requests: if you share health or accessibility information (e.g., step-free access, dietary needs), we use it only to fulfil your request and with your consent.

4) How we collect it

• Directly from you when you browse, create an account, make a booking or contact us.
• Automatically via cookies and similar tech.
• From booking partners or accommodation providers when needed to manage a reservation.

5) Why we use your data (lawful bases)

• To provide our services (create/confirm bookings, take payments, send confirmations) — contract.
• Fraud prevention & security (protect accounts, verify payments) — legitimate interests / legal obligation.
• Customer support & service messages (booking updates, changes, reminders) — contract / legitimate interests.
• Marketing (optional) — consent. You can opt out anytime.
• Legal & tax compliance — legal obligation.
• Where you share special-category info (e.g., health requirements) — used only with your explicit consent to arrange your stay.

6) Who we share it with

• Accommodation/experience providers you book with (so they can provide the service). They become independent controllers for their copy.
• Payment processors (e.g., WooCommerce Payments/Stripe, PayPal, Apple Pay/Google Pay wallets) to process payments and prevent fraud.
• Operational service providers (secure hosting, email, anti-spam, analytics, error logging, content delivery network if used).
• Authorities when required by law, and professional advisers (accountants, legal).

We never sell your personal data.

7) International transfers

Many stays involve providers outside the UK. When we must transfer your data internationally, we rely on the safeguards available under UK GDPR (e.g., Standard Contractual Clauses) or, where appropriate, Article 49(1)(b) (transfer necessary for the performance of your booking/contract with you). Payment processors may also store data outside the UK—see their privacy notices.

8) Cookies & similar technologies

We use cookies that are:

• Strictly necessary — site security, session and checkout (e.g., woocommerce_cart_hash, woocommerce_items_in_cart, wp_woocommerce_session_*, WordPress login/session cookies).
• Performance/analytics — to understand usage and improve the site (only if enabled).
• Payments — set by processors to prevent fraud and enable wallets (e.g., Stripe __stripe_mid, __stripe_sid; PayPal cookies; Apple/Google Pay rely on the respective provider).

You can manage cookies via your browser settings; if we run a cookie banner, you can adjust preferences there. Blocking some cookies may affect checkout.

9) How long we keep your data

• Bookings & invoices: usually 7 years for accounting/tax.
• Support tickets/messages: up to 24 months after resolution.
• Accounts: while active; if inactive, we may delete or anonymise after 24 months.
• Marketing: until you unsubscribe or request deletion.
• Logs/security: short, rolling periods unless we investigate an incident.

10) Your rights (UK GDPR)

You can ask us to:

• access a copy of your data;
• correct inaccurate data;
• delete your data (where we’re not required to keep it);
• restrict or object to processing;
• provide your data in a portable format;
• withdraw consent (for anything we rely on consent for).

To exercise these rights, email aalabu@aalabu.com.
You also have the right to complain to the UK Information Commissioner’s Office (ICO): https://ico.org.uk/

11) Children

Our services are for people 18+. We do not knowingly collect data from children. If you believe a child has provided data, contact us and we’ll remove it.

12) Security

We use appropriate technical and organisational measures to protect data (TLS encryption, access controls, least-privilege admin, regular updates, fraud screening with our payment providers). No system is 100% secure.

13) Third-party links & embeds

Our site may link to or embed content from third parties (e.g., maps, videos). Those services may collect data in line with their own policies.

14) Contact

Questions or requests about this policy: aalabu@aalabu.com