EOS Tours EOS Tours — Partner Portal
About Destinations Contact Become a Partner Login →
About Destinations Contact
Become a Partner Login →

Privacy Policy

Effective from: 2026-06-01 · Version 1.0

Table of contents

  1. Who We Are
  2. Scope of This Policy
  3. Personal Data We Collect
  4. How We Collect Personal Data
  5. Legal Bases and Purposes of Processing
  6. Sharing of Personal Data with Third Parties
  7. International Transfers
  8. Retention Periods
  9. Your Rights
  10. Traveller Rights — Specific Procedure
  11. Security
  12. Cookies and Tracking
  13. Children's Data
  14. Changes to This Policy
  15. Contact for Privacy Matters

1. Who We Are

SPS EOS TOURS Ltd ("EOS Tours", "we", "us", "our") is a company registered in the Republic of Cyprus, operating as a Destination Management Company (DMC). We provide travel-related services to professional travel agencies (our Partners) through the EOS Tours Partner Portal at https://b2b.eos.tours.

For data protection purposes, we act as the Data Controller in respect of personal data we collect about Partner Representatives and Travellers, as defined below.

2. Scope of This Policy

This Privacy Policy explains how we collect, use, share, and protect personal data when:

  • you access or use the Partner Portal;
  • you submit a partner application;
  • you make a Booking on behalf of a Traveller;
  • you communicate with us via email, phone, or other channels;
  • we receive personal data from third parties (e.g. Suppliers) in connection with a Booking.

This Policy applies to:

  • Partner Representatives — individuals acting on behalf of a partner agency.
  • Travellers — end users whose personal data is submitted by a Partner.
  • Visitors — anyone visiting the public pages of the Portal.

3. Personal Data We Collect

We process the following categories of personal data.

3.1. Partner Representative data

Collected when you apply to become a Partner and during ongoing use of the Portal:

  • Identity: full name, position/role.
  • Contact: business email, business phone, business address.
  • Professional: agency name, country of operation, website, years in business, tax ID (collected at contract stage, not at application).
  • Financial (post-contract): banking details for invoicing and refunds.
  • Account: login credentials (passwords stored as cryptographic hashes only), login activity logs, IP address.

3.2. Traveller data

Submitted by the Partner via the Portal for the purpose of fulfilling a Booking:

  • Identity: full name, gender, date of birth, nationality.
  • Travel documents: passport number, passport expiry date.
  • Booking details: arrival/departure dates, number of guests, room preferences.
  • Special requirements: dietary restrictions, accessibility needs, medical considerations relevant to the Service (e.g. allergies for restaurants).
  • Emergency contacts: name and contact details of an emergency contact (optional).

3.3. Technical data

Collected automatically when you visit the Portal:

  • IP address, browser type and version, operating system, device type;
  • Pages viewed, timestamps of access, referring URL;
  • Functional cookies (session, language preference) — see the Cookies Policy.

3.4. Communications data

  • Email correspondence, support tickets, recorded calls (if any — only with prior notice and consent).

4. How We Collect Personal Data

We collect personal data:

  • Directly from the Partner — via the partner application form, the Portal interfaces, and email/phone communications.
  • From the Partner about Travellers — when the Partner enters Guest Details for a Booking.
  • Automatically — via cookies and server logs when you access the Portal.
  • From third parties — e.g. payment processors confirming receipt of funds, Suppliers reporting on-the-ground events related to a Booking.

5. Legal Bases and Purposes of Processing

We process personal data on the following legal bases (Art. 6 GDPR):

5.1. Performance of a contract (Art. 6(1)(b))

  • Processing Partner Representative data to operate the partnership account, send invoices, and provide Services.
  • Processing Traveller data to fulfil the specific Booking placed by the Partner.

5.2. Legitimate interests (Art. 6(1)(f))

  • Improving the Portal's functionality and user experience;
  • Detecting and preventing fraud or misuse of the Portal;
  • Internal record-keeping and reporting;
  • Direct marketing of related services to existing partners (with opt-out available).

The legitimate interests pursued are balanced against the rights and freedoms of the data subject and do not override them.

5.3. Consent (Art. 6(1)(a))

  • Marketing communications and newsletters (collected via the optional checkbox on the partner application).
  • Non-essential cookies (see Cookies Policy).

Consent can be withdrawn at any time without affecting the lawfulness of processing before withdrawal.

5.4. Legal obligation (Art. 6(1)(c))

  • Retention of accounting records for tax and audit purposes;
  • Compliance with anti-money laundering and other regulatory requirements;
  • Response to lawful requests from public authorities.

6. Sharing of Personal Data with Third Parties

We share personal data with the following categories of recipients, only as necessary for the purposes described above:

6.1. Suppliers (Hotels, Transport Providers, Excursion Operators, Guides, Restaurants)

Traveller personal data is shared with the relevant Supplier solely to enable delivery of the Service:

  • Hotels receive guest names, check-in/out dates, room preferences, and special requirements;
  • Transport providers receive pickup names, contact phone, and pickup/drop-off details;
  • Excursion operators and guides receive guest names, group size, and special requirements;
  • Restaurants receive guest names, group size, and dietary requirements.

Suppliers are contractually required to process this data only for the purpose of delivering the Service and to maintain appropriate security measures.

6.2. Payment processors

Banking and transaction data is shared with payment processors and banking partners to process payments and refunds. These providers act as independent Data Controllers under their own privacy policies.

6.3. Hosting and infrastructure providers

  • Server hosting: Contabo GmbH (Germany) and/or other EU-based providers.
  • Transactional email delivery: ZeptoMail (Zoho Corporation Pvt. Ltd., India / EU data centre) for partner application confirmations, payment notifications, and other service emails.

These providers act as Data Processors under contracts that include the standard GDPR data processing addendum.

6.4. Professional advisors

Accountants, auditors, legal counsel, and similar professional advisors, bound by confidentiality obligations, when necessary for the operation or compliance of the business.

6.5. Public authorities

We may disclose personal data to public authorities (tax, regulatory, law enforcement) when required by Cyprus or EU law, subject to applicable procedural safeguards.

6.6. We do NOT

  • Sell personal data to third parties.
  • Use personal data for behavioural advertising or profiling outside the Portal.
  • Share Traveller data with anyone outside the Booking fulfilment chain or as required by law.

7. International Transfers

Most of our processing takes place within the European Economic Area (EEA).

When personal data is transferred outside the EEA — for example, if a Supplier is located outside the EEA — we ensure appropriate safeguards under GDPR Chapter V:

  • transfers to countries with an adequacy decision by the European Commission; or
  • transfers under Standard Contractual Clauses (SCCs) approved by the European Commission; or
  • other appropriate safeguards as permitted by GDPR.

The Partner may request a copy of the safeguards in place by contacting privacy@eos.tours.

8. Retention Periods

We retain personal data only as long as necessary for the purposes for which it was collected, subject to the minimum periods required by applicable law.

Data category Retention period
Partner Representative data (active partnership) For the duration of the partnership + 7 years (Cyprus tax law)
Traveller data tied to a Booking 7 years from the date of the Booking (accounting and tax law)
Partner application data (rejected applicants) 12 months from rejection, then deleted
Communications and support tickets 3 years from the last interaction
Login activity logs 12 months
Marketing consent records Until consent is withdrawn + 3 years (proof of withdrawal)
Accounting and invoicing records 7 years (Cyprus tax law)

After the retention period, personal data is either deleted securely or anonymised.

9. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right to be informed — you have the right to know how we process your personal data, as set out in this Policy.
  • Right of access — you have the right to obtain confirmation of whether we process your personal data and a copy of that data.
  • Right to rectification — you have the right to correct inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten") — you have the right to request deletion of your personal data in certain circumstances.
  • Right to restrict processing — you have the right to limit how we process your personal data in certain circumstances.
  • Right to data portability — you have the right to receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object — you have the right to object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent — where processing is based on consent, you can withdraw it at any time.
  • Right not to be subject to automated decision-making — we do not engage in fully automated decision-making with legal or similarly significant effects.
  • Right to lodge a complaint — you have the right to file a complaint with a supervisory authority (in Cyprus: the Office of the Commissioner for Personal Data Protection — http://www.dataprotection.gov.cy).

To exercise any of your rights, contact us at privacy@eos.tours. We respond to requests within 30 calendar days, extendable by 60 days for complex requests.

10. Traveller Rights — Specific Procedure

Traveller personal data is submitted to us by the Partner, not directly by the Traveller. If a Traveller wishes to exercise their rights regarding data we hold:

  1. The Traveller should first contact the Partner who submitted the data;
  2. The Partner contacts us with the Traveller's request;
  3. We respond directly to the Partner or to the Traveller, as appropriate, within 30 calendar days.

Travellers may also contact us directly at privacy@eos.tours, in which case we will coordinate the response with the relevant Partner.

11. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including:

  • Encryption of data in transit (HTTPS/TLS);
  • Cryptographic hashing of passwords;
  • Role-based access controls within the Portal;
  • Regular security updates and patching of infrastructure;
  • Logging and monitoring of access to sensitive data;
  • Confidentiality obligations on staff and contractors;
  • Periodic backup and disaster recovery procedures.

No system can guarantee absolute security. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the supervisory authority in accordance with Articles 33–34 GDPR.

12. Cookies and Tracking

The Portal uses only functional cookies strictly necessary for the operation of the Portal (e.g. session cookies for login, language preference).

We do not use:

  • Third-party analytics cookies (e.g. Google Analytics);
  • Marketing or advertising cookies (e.g. Meta Pixel, Google Ads);
  • Profiling cookies.

A separate Cookies Policy is available with full technical details.

13. Children's Data

The Portal is intended for B2B use by professional travel agencies. We do not knowingly collect personal data directly from children.

Traveller personal data may include minors travelling as part of a family group — in such cases, the Partner warrants that they have obtained the necessary parental consent before submitting the minor's data to us.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in legal, regulatory, or operational requirements.

  • Material changes (e.g. new categories of data collected, new purposes, new recipients) — we notify affected data subjects in advance and, where required, obtain renewed consent.
  • Minor changes (clarifications, formatting, typographical corrections) — published without individual notification.

The "Effective from" date at the top of this Policy reflects the latest version. Previous versions are available on request from privacy@eos.tours.

15. Contact for Privacy Matters

For any question, request, or complaint regarding personal data:

SPS EOS TOURS Ltd — Privacy & Data Email: privacy@eos.tours Phone: +357 9924 7900 Address: Paphos, Cyprus

Supervisory Authority — Cyprus:

Office of the Commissioner for Personal Data Protection Address: 1, Iasonos street, 1082 Nicosia Tel: +357 22 818 456 Email: commissioner@dataprotection.gov.cy Website: http://www.dataprotection.gov.cy

EOS TOURS

Cyprus DMC — operating since 2012.

Net rates, fast confirmations, direct support.

Quick Links
  • Become a Partner
  • Login
  • Contact
  • About
  • Destinations
Legal
  • Terms & Conditions
  • Privacy Policy
  • Cookies
Contact

EOS TOURS
15 Thombs of the Kings
Pafos, Cyprus

+35799247900
info@eos.tours


© 2026 EOS TOURS. All rights reserved.