Privacy & Cookie Policy

Effective Date: March 13, 2026

Cielo Travel (“Company,” “we,” “our,” or “us”) respects your privacy and is committed to protecting the personal information you share with us. This Privacy & Cookie Policy explains how we collect, use, disclose, and safeguard your information when you visit our website cielo.travel and use our services.

1. Information We Collect

We may collect the following categories of personal and non-personal information:

Personal Information: Name, email address, phone number, mailing/billing address, payment information, travel preferences, and location data.
Booking & Transaction Data: Details related to reservations, payments, and transactions.
Digital Marketing Data: Information collected via cookies, pixels, analytics tools, advertising platforms, and third-party integrations (e.g., Google Analytics, Facebook Pixel).
Communication Data: Information you provide when contacting us via forms, subscriptions, or customer service.
Technical Data: IP address, browser type, device identifiers, and browsing activity.

1.1 Mobile Phone Numbers for Messaging

Collection Purpose: When you provide your phone number during registration, booking, or subscription, we collect it exclusively for transactional messaging purposes.

How We Collect:

Through website booking forms and newsletter sign-ups
During customer support interactions
Via mobile-optimized reservation interfaces

Use of Mobile Numbers:

Transactional Messages: Reservation confirmations, booking updates, itinerary changes, and customer support responses.
Promotional Messages (Opt-In Required): Travel offers, special deals, and exclusive packages (only with your explicit separate consent).

Data Security & Non-Sharing: Your mobile phone number is protected with encryption and security protocols equivalent to bank-level standards. Your number is NOT shared with marketing partners, third-party advertisers, or any external organizations for marketing or promotional purposes.

2. How We Collect Information

We collect information through:

Website contact forms, booking forms, and newsletter sign-ups.
Cookies, analytics, and tracking technologies.
Third-party marketing and advertising tools.
Secure payment gateways and reservation systems.
Direct communications with customers.

3. Use of Information

We use your information for the following purposes:

To process and confirm bookings and reservations.
To provide newsletters, promotions, and marketing communications.
To personalize user experience and targeted advertising.
To analyze website performance and improve services.
To comply with legal obligations and regulatory requirements.

3.1 Messaging Communications and Consent

Transactional SMS Opt-In:

By providing your phone number during registration, booking, or subscription, you explicitly consent to receive transactional messages from Cielo Travel regarding your reservations, bookings, travel confirmations, and itinerary updates.

This consent is automatic and mandatory for completing bookings and does not require additional action.

Promotional SMS Messages:

To receive promotional messages, special offers, and marketing communications via SMS, you must provide explicit separate opt-in consent.

This consent is NOT automatically granted by providing your phone number and must be granted through a separate checkbox or declaration.

Opt-Out Rights:

All promotional messages include clear opt-out instructions. You can unsubscribe from marketing messages at any time by:

Replying “STOP” or “UNSUBSCRIBE” to any SMS message
Replying with keywords: “CANCEL,” “END,” “QUIT,” or “STOPALL”
Contacting us directly at hola@cielo.travel or (+1) 601 514 2624

We will process opt-out requests within 24 hours and confirm via SMS.

Message Frequency and Costs:

Transactional Message Frequency: Varies based on booking activity. Typically 1-5 messages per reservation.
Promotional Message Frequency: Typically 1-3 per week, maximum. You may adjust frequency through account settings or direct contact.
Message and Data Rates: Standard message and data rates may apply based on your mobile carrier plan. Cielo Travel does not charge additional SMS fees beyond your carrier’s standard charges.

Essential Disclosures on Opt-In Forms:

All website and in-person forms that collect your mobile number must clearly display:

“By providing your phone number, you consent to receive SMS messages from Cielo Travel about your travel booking and reservations”
“I wish to receive promotional offers and special travel deals via SMS (optional – separate opt-in)”
“Message and data rates may apply per your carrier plan”
Direct link to this updated Privacy Policy
Direct link to Terms of Service
Clear opt-out instructions (“Reply STOP to unsubscribe”)

4. Sharing of Information

We may share your information with carefully selected service providers and business partners under strict data protection commitments.

Service Providers

We share limited information with the following categories of service providers as data processors only, under written Data Processing Agreements:

Payment Processors: Process payments securely on our behalf
Booking & Reservation Partners: Facilitate hotel and tour reservations
Customer Support Providers: Handle customer inquiries and support tickets
SMS Messaging Service Providers: Facilitate SMS communications with customers

Travel & Tourism Partners

We share travel-related data with hotels, tour operators, and service providers exclusively for fulfilling your travel reservations, and these partners are contractually bound by equivalent data protection commitments.

Legal Authorities

We may disclose information when required by applicable law, court order, regulatory authority, or government request.

MOBILE DATA NON-SHARING COMMITMENT

We DO NOT share, sell, rent, lease, or disclose your mobile phone number or text message data to:

Marketing partners or affiliates
Digital advertising platforms (except for your own account settings)
Third-party marketing organizations
Data brokers or data aggregators
Social media platforms for marketing purposes
Any external organization for promotional or marketing purposes

For any purpose other than:

Sending you transactional SMS messages about your reservations
Sending you promotional SMS messages (ONLY if you opt in separately)
Legal compliance and fraud prevention

4.1 Data Processors and Service Providers List

The following organizations process personal data on our behalf under written Data Processing Agreements (DPA) that include equivalent privacy and security protections:

SMS Messaging Service Provider

Purpose: SMS and messaging communications
Data Processed: Phone numbers, message content, message timestamps
Location: United States (EU-US DPF Certified)

Our SMS messaging service provider is explicitly listed as our sole SMS/messaging processor. Our messaging service provider acts exclusively as a data processor on our behalf, does NOT use your phone number or message data for marketing purposes, complies with GDPR, CCPA, TCPA, and A2P 10DLC regulatory standards, is certified under the EU-US Data Privacy Framework, and maintains SOC 2 Type II compliance and ISO 27001 certification.

For detailed information about our SMS messaging service provider’s data processing practices, please contact us.

Google Analytics

Purpose: Website analytics and user behavior analysis
Data Processed: IP address, device ID, browsing activity, page views
Location: United States

We use Google Analytics to understand how users interact with our website and to identify areas for improvement. Google Analytics operates as a data processor under our direction and contractual obligations.

Facebook Pixel

Purpose: Marketing analytics and audience building
Data Processed: Device ID, browsing activity, conversion data
Location: United States

We use Facebook Pixel to measure the effectiveness of our advertising campaigns and to create targeted audiences for future marketing. Facebook operates as a data processor for this limited purpose under our contractual obligations.

Stripe / Payment Processors

Purpose: Payment processing
Data Processed: Name, email, payment information (tokenized)
Location: United States

We use PCI-DSS compliant payment processors to securely handle all payment transactions. Payment information is tokenized and encrypted, meaning your full payment details are never stored on our systems. These processors operate under strict data protection agreements and industry security standards.

Your Rights with Processors:

You have the right to request information about how these processors handle your data. Each processor has committed to appropriate technical and organizational security measures equivalent to or exceeding our own standards

Important Note on SMS Messaging Processing:

Our SMS messaging service provider is explicitly listed as our sole SMS/messaging processor. Our messaging service provider:

Acts exclusively as a data processor on our behalf
Does NOT use your phone number or message data for marketing purposes
Complies with GDPR, CCPA, TCPA, and A2P 10DLC regulatory standards
Is certified under the EU-US Data Privacy Framework
Maintains SOC 2 Type II compliance and ISO 27001 certification

For detailed information about our SMS messaging service provider’s data processing practices, please contact us at hola@cielo.travel

Your Rights with Processors:

5. Data Retention

We retain personal information according to the following principles:

Active Accounts and Customer Relationships

Contact information and booking history are retained for the duration of your customer relationship and for as long as your account remains active, plus 3 additional years for compliance, dispute resolution, and chargeback protection purposes.

Consent Evidence Retention

We maintain comprehensive records of your consent to receive SMS messages (including the specific date, time, method, and channel of opt-in) for a minimum of 3 years, or as required by applicable telecommunications and privacy regulations (TCPA, GDPR, CASL), whichever is longer.

These records include:

Screenshot or copy of the opt-in form
Timestamp of opt-in action
Specific consent method (web form, in-person, phone call, etc.)
The exact text the customer consented to

Message Logs and Records

Phone numbers and message content are retained in our SMS messaging service account for compliance auditing, legal purposes, and fraud prevention for a minimum of 2 years.

Deletion Upon Request

You may request deletion of your personal data at any time. Upon receiving a deletion request, we will:

Within 30 days: Remove your contact information from all active marketing lists and communications databases
Immediately: Add your phone number to our internal Do Not Contact and Do Not Message suppression lists to prevent any future contact
Within 30 days: Delete personal data from our primary systems and databases, except where retention is legally mandated
Immediately: Forward your deletion request to our SMS messaging service provider to ensure removal from their systems as well

Exception – Suppression Lists:

Your phone number will be retained on our Do Not Call/Do Not Text suppression list indefinitely for compliance with TCPA and other telemarketing regulations. This retention is necessary to prevent future contact attempts.

6. User Rights

You have the following privacy rights. To exercise any of these rights, please contact us using the methods in Section 6.1.

6.1 How to Exercise Your Rights

Dedicated Privacy Contacts:

Privacy Email: hola@cielo.travel
Phone: (+1) 601 514 2624
Mailing Address: Cielo Travel, Frisco, Texas, USA

Response Timeline: We will respond to your request within 30 days of receipt, or as required by applicable law.

6.2 Right to Access

Data Subject Access Request (DSAR)

You may request a copy of all personal data we hold about you in a portable, structured, and machine-readable format.

This includes:

All booking and reservation records
All communication history with our company
All consent records related to messaging
All data we maintain in your customer profile

6.3 Right to Correct

Data Rectification

You may request correction of inaccurate, incomplete, or outdated information we hold about you.

Common corrections include:

Address or contact information updates
Travel preference modifications
Correction of booking details

6.4 Right to Delete

Right to Be Forgotten

You may request deletion of your personal data. We will delete your information within 30 days, except where:

We have a legal or regulatory obligation to retain your information
Your data is necessary to fulfill a travel reservation, resolve disputes, or process refunds
You are on a Do Not Call/Do Not Text suppression list (retained separately for TCPA compliance purposes)

6.5 Right to Opt-Out of Marketing Communications

Promotional Message Opt-Out

You may opt out of promotional and marketing messages at any time by:

SMS: Replying “STOP”, “UNSUBSCRIBE”, “CANCEL”, “END”, “QUIT”, or “STOPALL” to any SMS message
Email: Replying “UNSUBSCRIBE” to any marketing email or using the unsubscribe link
Direct Contact: Emailing hola@cielo.travel or calling (+1) 601 514 2624

We will process opt-out requests within 24 hours and confirm via your preferred communication method.

Important Note:

Even after opting out of marketing messages, you will continue receiving transactional SMS messages related to existing reservations, bookings, and customer support.

6.6 Right to Restrict Processing

You may request that we limit how we process your data for specific purposes.

For example, you may restrict:

Processing for marketing purposes (while maintaining transactional messaging)
Use of data for analytics and profiling

6.7 Right to Data Portability

You may request that we provide your personal data in a machine-readable format (such as CSV or JSON) so you can transfer it to another service provider.

6.8 Right to Lodge a Complaint

Data Protection Authority Complaint

If you believe we have violated your privacy rights or failed to comply with applicable data protection regulations, you may file a complaint with your local Data Protection Authority or Privacy Commissioner.

For EU residents, you may file a complaint with your country’s Data Protection Authority (DPA).

7. Cookies and Tracking Technologies

Our website uses cookies, tracking technologies, and third-party integrations to enhance your experience.

7.1 What Are Cookies?

Cookies are small text files stored on your device that help us provide, improve, and personalize our services.

7.2 Types of Cookies We Use

Essential Cookies: Required for core website functionality such as bookings and secure payments.
Analytics Cookies: Help us understand website usage and improve performance (e.g., Google Analytics).
Marketing Cookies: Enable targeted advertising and remarketing (e.g., Facebook Pixel, Google Ads).
Preference Cookies: Store your language, region, and other settings.

7.3 Third-Party Tracking

We may use third-party tools such as Google Analytics, Google Ads, and Facebook Pixel, which may collect data across websites for analytics and marketing purposes.

7.4 Managing Cookies

You may disable or manage cookies through your browser settings. Please note that disabling essential cookies may affect website functionality.

You can also opt out of targeted advertising through:

Google Ads Settings: https://myadcenter.google.com/customize?hl=es
Facebook Ad Preferences: https://www.facebook.com/

8. Data Security

We implement appropriate security measures to protect your personal information from unauthorized access, alteration, or disclosure.

Security Measures

Our security infrastructure includes:

SSL/TLS Encryption: All data transmission is encrypted using industry-standard SSL/TLS protocols
Secure Payment Gateways: Payment information is processed through PCI-DSS compliant payment processors
Access Controls: Restricted access to sensitive data with role-based permissions
Firewalls and Intrusion Detection: Network-level protections and continuous monitoring systems
Regular Security Audits: Periodic assessments of security controls and vulnerability testing

While we take reasonable steps to protect your information, no system is completely secure. We cannot guarantee absolute security of data transmission over the internet.

8.1 Incident Notification

Data Breach Response

In the event of a personal data breach or security incident involving your information, we will:

Notify you within 72 hours of discovery of the breach (or as required by law)
Provide detailed information including:
- What information was affected
- Date and nature of the incident
- Actions you should take to protect yourself
- Information about our investigation
Describe our remediation efforts, including how we are preventing similar incidents

SMS Messaging Service Security

Our SMS messaging service provider maintains the following security certifications and compliance standards:

SOC 2 Type II Compliance: Independently audited security and operational controls
ISO 27001 Certification: International standard for information security management
Enterprise-Grade Encryption: Bank-level data protection for all message content

9. International Data Transfers

If you access our website from outside the United States, your information may be transferred and processed in the U.S., where privacy laws may differ from those of your jurisdiction.

Data Transfer Mechanisms

For international users, we rely on the following legal mechanisms for data transfers:

EU-US Data Privacy Framework: Our data processors are certified under the EU-US Data Privacy Framework, ensuring equivalent data protection.
Standard Contractual Clauses: Where necessary, we incorporate Standard Contractual Clauses (SCCs) approved by the European Commission.

By using our website, you consent to the transfer of your data to the United States.

10. Children’s Privacy

Our services are intended for adults and customers aged 18 and older. We do not knowingly collect information from individuals under the age of 13.

If we become aware that we have collected personal data from a child under 13, we will delete it promptly.

For users between 13 and 18 years old, parental consent is required before providing any personal information.

11. Legal Compliance

Cielo Travel complies with applicable data protection and privacy regulations across multiple jurisdictions.

11.1 Compliance with TCPA and US Telemarketing Laws

Cielo Travel is fully committed to complying with the Telephone Consumer Protection Act (TCPA) and all applicable US federal, state, and local telemarketing regulations.

Key TCPA Commitments:

Do Not Call and Do Not Text Lists: We maintain internal suppression lists for both voice calls and SMS messages
Respect for Opt-Out Requests: We honor opt-out requests within 24 hours of receipt
No Automated Dialers or Prerecorded Messages: We do not use automated calling systems or prerecorded messages without express written consent
Reasonable Hours Only: We send SMS messages only during reasonable hours, typically 8:00 AM – 9:00 PM in your local timezone
Comprehensive Record Keeping: We maintain detailed call records, message logs, and consent documentation for audit and compliance purposes
Carrier Compliance: We comply with all carrier-specific messaging requirements and regulations established by AT&T, Verizon, T-Mobile, and other major carriers

Opt-Out Authority and Methods:

Customers may opt out of marketing messages using any of the following methods:

SMS: Reply with “STOP”, “UNSUBSCRIBE”, “CANCEL”, “END”, “QUIT”, or “STOPALL” to any SMS message
Email: Contact us at hola@cielo.travel
Phone: Call (+1) 601 514 2624
Mail: Send written request to Cielo Travel, Frisco, Texas, USA

We will confirm all opt-out requests via SMS message within 24 hours.

11.2 Compliance with GDPR

For customers in the European Union or whose personal data is processed within the EU, Cielo Travel is fully committed to General Data Protection Regulation (GDPR) compliance.

Lawful Basis for Processing:

We process your personal data based on one or more of the following lawful bases:

Your Consent: For marketing communications and non-essential processing (with option to withdraw at any time)
Contractual Necessity: For processing required to fulfill travel reservations and bookings you have requested
Legitimate Interests: For fraud prevention, security, and website improvement purposes
Legal Obligation: When required by applicable law or regulatory authority

Data Protection Officer:

For GDPR-related inquiries, you may contact our Data Protection Officer at:

Email: hola@cielo.travel
Address: Cielo Travel, Frisco, Texas, USA

Data Processing Agreements:

All data processors handling EU personal data are bound by GDPR-compliant Data Processing Agreements (DPA) that specify their obligations and our rights.

GDPR-Specific Rights:

EU residents have all rights listed in Section 6 plus the specific protections of GDPR, including the right to lodge a complaint with their local Data Protection Authority.

11.3 Compliance with CCPA and California Consumer Privacy Act

For California residents, Cielo Travel complies with the California Consumer Privacy Act (CCPA) and related California privacy laws.

California residents have the right to:

Know what personal data is collected
Delete personal data (subject to certain exceptions)
Opt out of the sale or sharing of personal data
Non-discrimination for exercising their privacy rights

To exercise CCPA rights, please contact us.

11.4 Compliance with CASL

For customers in Canada, Cielo Travel complies with Canada’s Anti-Spam Legislation (CASL) by obtaining express or implied consent before sending marketing emails and SMS messages.

All marketing communications to Canadian customers include:

Clear identification of the sender
Clear unsubscribe instructions
Valid contact information for the sender

11.5 Compliance with A2P 10DLC Regulations

Cielo Travel complies with Application-to-Person (A2P) 10-Digit Long Code (10DLC) regulations established by the FCC and implemented by major US carriers (AT&T, Verizon, T-Mobile, etc.).

Our Commitments:

No Unlawful Content: Our SMS messages comply with all FCC regulations and do not violate any telecommunications laws
Proper Campaign Registration: Our messaging campaigns are properly registered with carriers and conform to A2P 10DLC standards
Verified Opt-In Documentation: We maintain verifiable evidence of customer opt-in for all messaging campaigns
Privacy Policy Transparency: This policy clearly discloses all aspects of our SMS messaging program, including data handling, sharing restrictions, and user rights

12. Changes to This Policy

We may update this Privacy & Cookie Policy from time to time to reflect changes in our practices, technology, regulations, or other factors.

Updates will be posted on this page with a revised “Effective Date.” Your continued use of our website or services constitutes your acceptance of the revised policy. We encourage you to review this policy periodically to stay informed.

13. Contact Us

For any questions, requests, or concerns regarding this Privacy & Cookie Policy, contact us at:

Email: hola@cielo.travel
Phone: (+1) 601 514 2624
Website: cielo.travel

Mailing Address: Cielo Travel
Frisco, Texas, USA

Document Version: 3.1 – A2P 10DLC Compliant (Provider-Agnostic)
Effective Date: March 13, 2026
Last Updated: March 13, 2026