1) Legal Basis & Commitment

We are committed to protecting personal data in accordance with:

• The Personal Data Protection Law of the Kingdom of Bahrain (Law No. 30 of 2018) and its implementing regulations.
• The EU General Data Protection Regulation (GDPR) where applicable (e.g., targeting or tracking individuals within the European Economic Area).

By using the Platform, you acknowledge that you have read, understood, and agreed to this Policy.

2) Definitions

• Personal Data: Any information relating to an identified or identifiable natural person.
• Sensitive Data: Data revealing racial or ethnic origin, political opinions, religious beliefs, health or biometric data, or any category classified as sensitive by law.
• Data Controller: Bee Global Bahrain W.L.L.
• Data Processor: Any party that processes data on behalf of the Controller and in accordance with its instructions.
• User/Customer: Any natural or legal person using the Platform's services.

3) Scope of Application

This Policy applies to all Platform services, websites, applications, and related systems, and includes users inside and outside the Kingdom of Bahrain, including individuals, companies, agents, and service providers.

4) Types of Data We Collect

• First: Identity and Contact Data: Name, ID or passport number, email, phone number, address.
• Second: Account Data: Username, password (encrypted), language preferences.
• Third: Travel and Booking Data: Destinations, dates, number of travelers, accommodation and activity details.
• Fourth: Payment and Transaction Data: Transaction number, payment status, without storing card numbers.
• Fifth: Technical Data: IP address, device and browser type, browsing history within the Platform.
• Sixth: Geographic Location: When explicitly enabled by the user.
• Seventh: Interactions: Support correspondence, complaints, forms, reviews.
• Eighth: Sensitive Data (when necessary and with explicit consent): Health requirements for travel, dietary details, official documents required for booking.

5) How We Collect Data

• Directly from the user when creating an account, submitting a request, or making a booking.
• Automatically through cookies and similar technologies.
• From third-party service providers (hotels, airlines, payment providers) under data protection agreements.

6) Processing Purposes and Legal Basis

We use data based on one of the recognized legal bases, for purposes including:

• Providing services, managing bookings, and executing contracts. – Contract performance
• Processing payments and preventing fraud (legal obligation/legitimate interest). – Legal obligation/legitimate interest
• Creating accounts and managing customer relationships and support. – Contract performance/legitimate interest
• Improving user experience and operational analysis (legitimate interest). – Legitimate interest
• Direct marketing and sending offers (with explicit and withdrawable consent). – Explicit consent
• Compliance with regulatory and supervisory obligations. – Legal obligation
• Protecting Platform security and preventing breaches. – Legitimate interest

7) Data Sharing

We may share your data only to the necessary extent with:

• Tourism Service Partners: Hotels, carriers, activity providers.
• Technology Infrastructure, Hosting, and Analytics Providers:
• Accredited Payment Gateways Compliant with PCI DSS:
• Authorized Agents within the Scope of Your Request:
• Regulatory or Judicial Authorities When Legal Obligation Exists:

We commit not to sell your data or share it for marketing purposes with third parties without explicit consent. Data Processing Agreements (DPA) are executed with all processors.

8) International Data Transfers

Your data may be stored or processed outside Bahrain for service delivery purposes. In all cases, we guarantee:

• A level of protection no less than that adopted in the Kingdom of Bahrain.
• Use of appropriate safeguards (standard contractual agreements/approved mechanisms).
• No transfer of data to high-risk countries according to classifications by competent regulatory authorities.

You will be notified and additional consent will be obtained when necessary.

9) Information Security

We apply advanced technical and organizational controls, including:

• Data encryption during transmission and storage where possible.
• Principle of least privilege and multi-factor authentication.
• Firewalls and intrusion detection and prevention systems.
• Backup and business continuity and disaster recovery plans.
• Periodic testing and risk assessment aligned with best practices and ISO/IEC 27001 (without claiming certification).

Note: We do not retain complete payment card data; processing is handled by an accredited payment provider compliant with PCI DSS.

10) Data Retention Periods

We retain data for the period necessary to achieve regulatory purposes, then delete or anonymize it:

• Account and Identity Data: Throughout the active period + 24 months after closure.
• Booking, Transaction, and Invoice Data: Up to 10 years for accounting and regulatory compliance.
• Support Records and Correspondence: Up to 24 months.
• Cookies: According to their type (see below).

11) Your Rights

In accordance with Bahraini law and GDPR where applicable, you have the right to:

• Access your data and obtain a copy.
• Correct inaccurate data.
• Erase data when the need has ceased or processing violates the law.
• Restrict processing in certain cases.
• Object to processing, including direct marketing.
• Withdraw consent at any time without affecting the lawfulness of previous processing.
• Not be subject to purely automated decisions with significant legal effect without appropriate human intervention.

12) Automated Decisions and Profiling

We may use analytics to improve recommendations and offers. We do not make purely automated decisions with significant legal effect without human intervention. You may object to the use of your data for this marketing purpose.

13) Children and Minors

Our services are not directed at those under 18 years of age. If it becomes apparent that data from a minor has been collected without parental consent, it will be deleted immediately.

14) Cookies and Similar Technologies

We use the following types:

• Essential: To operate the site and process orders (cannot be disabled).
• Functional: To remember language and region.
• Analytical: To measure usage and improve performance.
• Marketing: To display customized content (based on your consent).

You can manage cookie settings from your browser. Blocking may affect some Platform functions.

15) Third-Party Links and Content

The Platform may contain links or components from third parties. We are not responsible for their privacy policies, and we advise reviewing them before use.

16) Changes to this Policy

We may update this policy from time to time. You will be notified of material changes via the Platform or email before they take effect. Your continued use after the effective date constitutes acceptance of the updated policy.

17) Responsibilities and Roles

• Data Controller: Bee Global Bahrain W.L.L
• We may work with service providers and partners under B2B models with clear agreements to distribute responsibilities and protect rights.

18) Contact, Rights Requests, and Complaints

• Support and Privacy Email: privacy@imkan.tours
• Postal Address: Kingdom of Bahrain – Manama Bee Global Bahrain W.L.L

We will respond within a period not exceeding (30) days or as determined by law.

In case of dissatisfaction, you have the right to file a complaint with the competent data protection regulatory authority in the Kingdom of Bahrain.