Dream Trip Logo

Privacy & Security Policy

Last updated: June 25, 2026

At DreamTrip, we are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, process, share, and protect your personal data in strict compliance with the **Saudi Personal Data Protection Law (PDPL)** (Royal Decree No. M/147).

1. Scope and Controller

This policy applies to all personal data collected through the DreamTrip website, booking platforms, and related travel services. For the purposes of the PDPL, DreamTrip acts as the data controller responsible for the processing of your personal data.

2. Categories of Personal Data We Process

To facilitate your travel bookings and fulfill regulatory compliance, we collect and process the following categories of personal data:

  • Identity & Travel Details: Full name, nationality, date of birth, gender, passport number, passport expiration date, national ID number, and visa details.
  • Contact Information: Email address, mobile phone number, and physical mailing address (for IDL delivery).
  • Financial Details: Payment transaction records, billing addresses, and digital wallet balances. Note: We do not store raw credit card numbers on our servers. All card transactions are processed securely via HyperPay.
  • Travel Preferences & History: Flight choices, hotel bookings, package purchases, and eSIM logs.
  • Technical Data: IP address, browser type, device information, and platform access logs.

3. Companion Data Security & Encryption

If you make bookings for other passengers (companions), you must obtain their prior explicit consent before sharing their personal data with us.

PII Encryption at Rest: In compliance with Saudi PDPL requirements for high-risk PII data, all companion passport numbers and identification details are strictly encrypted at rest in our database using advanced AES-256-GCM encryption algorithms. Only authorized systems can decrypt this data to transmit it to booking airlines and hotels.

4. Legal Basis and Purpose of Processing

Under the Saudi PDPL, we process your personal data under the following legal bases:

  • Performance of a Contract: Processing is required to create bookings, issue tickets, secure room reservations, process eSIM activations, and issue IDL licenses.
  • Consent: When you subscribe to promotional offers or provide additional information.
  • Legal Obligation: To comply with ZATCA tax rules, tourism authority reporting, and security directives within the Kingdom of Saudi Arabia.

5. Sharing and Transmitting Data to Third Parties

We only share your personal data with third parties to perform transactions and bookings requested by you:

  • Travel Providers: Airlines (e.g., via Amadeus), hotels (e.g., via GenX/Travzilla), and eSIM operators (e.g., Airalo) to complete your bookings.
  • Payment Processors: HyperPay secure gateway to verify and settle payment transactions.
  • Notification Providers: SMS delivery services (e.g., 4jawaly) and transactional email systems (e.g., Postmark) to send booking confirmations, OTP codes, and tickets.

We do not sell, rent, or trade your personal data to third-party marketers. Any cross-border data transfers required for international airline or hotel bookings are handled in accordance with the regulatory controls of the competent authorities in KSA.

6. Data Retention and Security Measures

We protect your personal data using robust technical, physical, and administrative safeguards:

  • We use secure SSL/TLS encryption for all data in transit.
  • We host our services and databases in environments compliant with local hosting and data localization regulations.
  • We retain your personal data only as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal, tax, or regulatory reporting requirements under Saudi law.

7. Your Rights under the Saudi PDPL

The Personal Data Protection Law of Saudi Arabia grants you the following statutory rights regarding your personal data:

  1. Right to be Informed: You have the right to know the legal basis and purpose for which your personal data is collected and processed.
  2. Right to Access: You have the right to request a copy of your personal data held by us, subject to identity verification.
  3. Right to Correction (Rectification): You have the right to request that any inaccurate, outdated, or incomplete personal data be corrected or updated.
  4. Right to Destruction (Erasure): You have the right to request the deletion or destruction of your personal data when it is no longer required for the purpose it was collected, subject to active booking and ZATCA tax retention rules.
  5. Right to Withdraw Consent: You have the right to withdraw your consent to data processing (where consent is the sole legal basis) at any time.

8. Contact the Data Protection Officer (DPO)

To exercise any of your rights, submit a privacy request, or ask questions about this Privacy Policy, please contact our Data Protection Officer:

Data Protection & Privacy Team
Email: support@dreamtrip-sa.com
DreamTrip Office, Abu Arish, Saudi Arabia