Privacy Policy of Medellin MDE Tours S.A.S.

Last Updated: April 21, 2025

Introduction and Scope

Medellin MDE Tours S.A.S. (“MDE Tours”, “we”, “us” or “our”) is a legally registered tour operator based in Medellín, Colombia. We are committed to protecting your privacy and handling your personal data in a transparent and secure manner. This Privacy Policy explains what personal information we collect from travelers and website visitors, how we use and share it, and the rights you have regarding your data. It is designed to comply with Colombia’s data protection laws (the constitutional right of Habeas Data and Statutory Law 1581 of 2012), which guarantee individuals the right “to know, update and rectify the information that has been collected about them”. It also aligns with the European Union’s General Data Protection Regulation (GDPR) and relevant United States standards such as the California Consumer Privacy Act (CCPA), to the extent they apply to us. Our goal is to use plain language so this policy is easily understood by travelers globally.

This policy applies to all personal data processed by MDE Tours in the course of our services, including data collected through our website (mde.tours), booking platforms, and communications with you (email, WhatsApp, etc.). By using our services or website, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please do not provide your personal information or use our services.

Personal Data We Collect

We only collect personal information that is necessary for the purposes described in this policy. The types of personal data we collect include:

  • Identification Data: First name and last name (so we know who you are and can address you properly).

  • Contact Information: Email address and phone number (including WhatsApp number) for communication about your tours and bookings.

  • Travel Documents: Passport number (for booking confirmation, insurance coverage, and any legal requirements related to travel).

  • Payment Details: Payment information such as credit/debit card details or transaction IDs (to process your tour bookings). Note: We do not store full credit card numbers on our servers unless necessary – payments may be handled by secure third-party processors, and any stored payment data is protected with encryption.

  • Other Information You Provide: Any additional information you choose to give us when filling out a form or contacting us (for example, tour preferences, dietary restrictions, or feedback).

We do not intentionally collect sensitive personal data (such as race, religion, health details) as part of our standard booking process. We ask that you only provide the information we request and avoid sharing sensitive data unless it is necessary (if, for instance, you have a health condition relevant to a tour, you may disclose it at your discretion for your safety). If we ever need to collect any sensitive personal data, we will do so in compliance with applicable laws and with extra care and consent.

How We Collect Your Data

We collect personal data from you in several ways:

  • Directly from You via Our Website: When you fill out a booking form, contact form, or request information on our website, we gather the details you enter (such as name, email, phone, etc.). For example, during the tour booking process on our site, we’ll ask for your contact and payment details to reserve your spot.

  • Through Booking Platforms: You might book our tours through third-party booking platforms or travel agencies (such as online tour marketplaces). In these cases, those platforms collect your data and pass necessary information to us so we can fulfill your tour. We receive the details needed to confirm and provide the service (typically your name, contact, and booking specifics). Please note that any data you provide to such third-party platforms is also subject to their own privacy policies.

  • Follow-up via Email or WhatsApp: If you initiate a booking but some required information is missing or appears incorrect (for instance, an invalid passport number or an incomplete name), we may reach out to you via email or WhatsApp to gather the correct details. We do this to ensure we have accurate information for your reservation, insurance, and communication. We will only ask for the specific additional data needed and will identify ourselves when we contact you.

  • Automated Means (Cookies and Analytics): When you visit our website, we use cookies and tracking technologies (like Google Analytics and the Facebook Pixel) to automatically collect certain technical data. This may include your IP address, browser type, device information, and browsing behavior on our site (e.g. which pages you visited). We collect this information to understand how users interact with our site and to improve our services. (See Cookies and Tracking below for more details.) This usage data is generally not linked to your identity, and we treat it separately from the personal data you provide in your booking.

We do not obtain personal data from third parties other than the scenarios described above. If we ever receive your information indirectly (for example, if someone purchases a gift tour for you and gives us your details), we will treat that information in line with this policy and, whenever possible, will inform you of the source.

Purposes of Use: How We Use Your Personal Data

We use your personal data only for legitimate and specific purposes. Below are the purposes for which MDE Tours processes your information:

  • To Facilitate Bookings and Provide Services: We use your identification, contact, and payment details to process your tour reservations and payments, send you booking confirmations or tickets, and ensure you are registered for the tours you chose. For example, your name and booking details are used to reserve your spot, and your email is used to send a confirmation receipt or voucher. This also includes using your data to make any necessary arrangements (such as hotel pick-ups or special accommodations you requested).

  • Client Communication: Your contact information (email and/or WhatsApp) is used to communicate with you regarding your tour. This includes sending pre-tour information (meeting points, itinerary updates), answering your inquiries, providing customer support, and post-tour follow-ups (like feedback requests or help with any issues). We also might use WhatsApp or phone to reach you for time-sensitive communications (e.g., if there’s a last-minute change due to weather). We will communicate in a respectful manner and you can choose your preferred communication channel.

  • For Insurance Coverage: We share necessary personal information with our insurance partner, Magenta Seguros, to arrange coverage for your tour. This typically involves providing your name and passport number (and possibly age or contact) to ensure you are covered by the travel insurance/policy during the tour. The use of your data for insurance is purely for your safety and to comply with legal or contractual requirements of having insurance for our travelers.

  • Marketing and Updates (First-Party Marketing): With your consent (or as allowed by law for existing customers), we may use your email address or WhatsApp number to send you marketing communications, such as our newsletter, special offers, new tour announcements, or travel tips. These communications are intended to be useful and relevant – for example, if you took a tour with us, we might email you a discount for another tour or a holiday greeting with a promo code. You will always have the option to opt out of marketing messages (see Your Rights below), and we will not spam you. We generally limit such marketing to within one year after your last tour or contact with us, unless you continue to engage or consent to ongoing communications.

  • Legal Compliance and Protection: We may use or retain your data as needed to comply with applicable laws and regulations. For instance, we might need to keep records of transactions for tax and accounting purposes, or we may be required by Colombian tourism regulations to maintain a log of tour participants. Additionally, in rare cases we might use data to protect legal rights and safety – for example, to handle customer disputes, to enforce our Terms and Conditions, or to respond to lawful requests by government authorities (such as for public health, security, or legal investigations). If required by law, we could use your identification details to verify your identity or assist in prevention of fraud or other illegal activities.

  • Service Improvement and Analytics: We use information like feedback you provide or aggregated data from website analytics to understand our performance and improve our tours and website. For example, knowing how users navigate our site can help us streamline the booking process. If you gave feedback about a tour, we may internally use that to improve the experience. This purpose often uses aggregated or anonymized data and does not typically involve your identifiable personal data, but if we use your identifiable data (e.g., an email to follow up on a complaint), it will only be for that relevant business purpose.

  • Backup and Record-keeping: We securely store certain data in our systems and backups to ensure business continuity and the ability to recover information in case of technical issues or disasters. This is a general operational purpose, and access to backups is limited to what’s necessary for restoration and compliance checks.

  • Any Other Purpose Disclosed to You: If we intend to use your information for a purpose not listed here, we will explain it to you at the time of data collection or seek your consent if required. We will not use your personal data for purposes that are incompatible with the ones described above without informing you or obtaining proper authorization.

We ensure that we only collect and process data that is adequate, relevant, and limited to what is necessary for the purposes above (this is the principle of data minimization). We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on you (for example, we do not use algorithms to deny service or adjust pricing to individuals). Any profiling we do (like analyzing which country most of our customers come from) is only to better understand our customer base in general, not to target individuals unfairly.

Legal Bases for Processing Personal Data

We process your personal information under the legal grounds permitted by applicable data protection laws, such as the GDPR for EU residents and Colombian law. The legal bases we rely on include:

  • Performance of a Contract: When you book a tour with us, you enter into a contract for services. We need to process your personal data (name, contact, payment, etc.) to fulfill our obligations under that contract – for example, to confirm your booking, deliver the tour services you requested, and provide customer support. This is the primary legal basis for most of our data processing related to bookings and tour operations.

  • Consent: We will ask for your consent in situations where it’s required or appropriate. For instance, we seek your consent to send you marketing emails or WhatsApp messages (unless you are an existing customer in a jurisdiction that allows limited marketing without explicit consent). You also consent to our use of cookies and tracking tools as described (subject to your browser settings or our cookie banner, where applicable). Where we rely on consent, you have the right to withdraw it at any time (see Your Rights below), and we will honor your choice going forward.

  • Legitimate Interests: We may process your data as necessary for our legitimate business interests, provided that those interests are not overridden by your privacy rights. Our legitimate interests include improving our services, securing our website and systems, understanding our customer base, and marketing to our customers. For example, using your booking history to suggest similar tours you might like is in our business interest, and we believe it also benefits our customers; we do this in a balanced way and you can opt out of marketing if you prefer. When we rely on legitimate interests, we consider and balance any potential impact on you (both positive and negative) and your rights under data protection laws. We do not use legitimate interest as a basis if your rights and interests outweigh ours or if consent is a more appropriate basis.

  • Legal Obligation: In some cases, we need to process and retain certain personal data to comply with a legal obligation. For example, Colombian accounting laws might require us to keep transaction records (which include personal identifiers) for a set period. Similarly, we might have to provide information to authorities if legally compelled (such as for a court order or a legal investigation). When processing is necessary for compliance with law, this is our legal basis.

  • Vital Interests: This is rarely applicable, but if ever there is an emergency situation where processing your data is necessary to protect someone’s life or physical safety, we may do so on the basis of vital interests. For example, if you have a medical emergency on a tour, we might share your information with medical personnel. This would be only in critical situations.

  • Public Interest: In extremely rare cases, we might process data for reasons of substantial public interest (for instance, if public authorities require information for public health contact tracing, etc.). This would align with applicable laws and typically be requested by a government authority.

Which legal basis applies will depend on the context of the data processing. Often, multiple bases might justify our use of your information. For example, sharing your name with the insurance company is both part of fulfilling our contract with you (you expect tour coverage) and a legal obligation under tourism safety regulations. If you have questions about the specific legal basis for a particular processing activity, feel free to contact us (see Contact Information section).

For residents of the European Economic Area (EEA) or United Kingdom: We will ensure we have one of the above legal bases for processing your data as required by GDPR. For California residents: Where the CCPA applies, our collection and use of your data is done either with your consent or to provide you with services you requested (which CCPA refers to as a “business purpose” for collecting the data). We do not sell personal data, as explained below.

Cookies and Tracking Technologies

Like many websites, MDE Tours uses cookies and similar tracking technologies to enhance user experience and gather analytics about our site traffic:

  • What Are Cookies: Cookies are small text files stored on your device by your web browser. They help websites remember your preferences and actions (like items in your cart, or that you are logged in) and can track your behavior on the site.

  • Google Analytics: We use Google Analytics to collect information about how visitors use our website. Google Analytics sets cookies to collect data such as the pages you visit, the amount of time spent on each page, how you arrived at our site, and what you click on. We use these analytics insights to understand overall user behavior and to improve our website’s functionality and content. The information collected by Google Analytics is mostly aggregated and does not directly identify you. However, Google Analytics may record your IP address and other device identifiers, which Google uses to provide us with reports. (Google’s ability to use and share information collected by Google Analytics about your visits is governed by the Google Analytics Terms of Use and Privacy Policy.)

  • Facebook Pixel: We also utilize the Facebook Pixel on our site. This is a piece of code provided by Facebook that allows us to understand the effectiveness of our Facebook ads and to reach people who have visited our website with relevant advertising on Facebook or Instagram. The Facebook Pixel tracks certain actions you take on our site (like clicking a tour or starting a booking) and reports that to Facebook, which can then match it to your Facebook account if you have one. This helps us with “remarketing” – for example, showing you an ad for the tour you viewed. The data shared with Facebook is used for our marketing analytics and targeting; we do not see your individual Facebook profile information, and we cannot identify you from the Pixel data alone. Facebook handles the data under its own privacy policy and may use it for its own purposes as well, in accordance with that policy.

  • Types of Cookies We Use: In addition to the analytics and pixel above, our site may use essential cookies (necessary for the site to function, e.g., to remember items in your booking cart or to keep you logged in if our site has accounts), functional cookies (to remember preferences like language or currency), and advertising cookies (like the Facebook Pixel) as described. We do not use cookies to collect sensitive personal information, and we do not plant any malware or spyware via cookies.

  • Cookie Consent: When you first visit our website, you might see a cookie notice or banner (especially if required by your region’s laws, such as in the EU). By using our site after seeing that notice, or by continuing to browse, you agree to the use of cookies and tracking as described. You can always choose to disable non-essential cookies.

  • Your Choices: You have control over cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies or alert you when a cookie is being placed on your device. You can also clear cookies from your browser at any time. Additionally, here are some specific options:

    • Google Analytics Opt-Out: Google provides an opt-out browser add-on if you want to prevent your data from being used by Google Analytics on all websites.

    • Facebook Ad Preferences: You can adjust your ad settings in your Facebook account to control how your data is used for advertising purposes. Facebook also honors the Digital Advertising Alliance’s opt-out, which you can access via tools like the WebChoices tool.

    • Do Not Track: Our site currently does not respond to “Do Not Track” signals from browsers, because there is no universal standard for DNT. However, we treat all users equally, and we only use your data as outlined in this policy.

  • Third-Party Tracking: Apart from Google and Facebook, we do not knowingly allow other third-party advertising networks to track you on our site. If in the future we integrate other analytics or advertising services, we will update this policy. We will never share personally identifiable information with advertisers without your consent.

Please note that disabling certain cookies (especially essential or functional cookies) may affect the functionality of our website. For example, if you disable cookies, our site might not remember your tour selections in the cart. But the informational parts of the site should remain accessible.

By using our site, you agree to our use of cookies and tracking tools as described, unless you disable them through your browser or the options provided. We consider this a fair balance to provide our services while respecting user choice.

Data Sharing and Disclosure

We treat your personal information with care and confidentiality. We do not sell your personal data to third parties for their own marketing or other independent use – no outright selling of information, full stop. However, in order to run our business and provide you with services, we do share your data with certain trusted parties under controlled circumstances, as detailed below:

  • Magenta Seguros (Insurance Partner): We share relevant personal data with Magenta Seguros, our travel insurance partner, to secure coverage for our tours. This typically includes your name and identification number (passport number) and possibly your contact info, so that the insurance policy is properly issued for you during the tour dates. Magenta Seguros is a reputable insurance company that is also obligated to protect your data and use it only for providing the insurance service. They may retain the data as required for policy administration and claims handling, in line with their privacy practices.

  • Tour Guides and Operators: In most cases, tours are led by our in-house team (often the company owner). In some instances, we might collaborate with freelance guides or partner guides (for example, if we have many bookings or a specialized tour). If a freelance guide will be leading or assisting with your tour, we may share with them the minimum necessary information about participants so they can conduct the tour (generally names and possibly emergency contact or special notes like “vegetarian” if a meal is involved). These guides are typically under contract with us or are the same personnel as our management, and they are informed that they must protect your information and use it only for the purposes of the tour. We do not distribute your contact details to guides for their independent use, and in most cases the guide will contact you through our central office or using our official channels if needed.

  • Service Providers and Vendors: We use third-party companies and service providers to help us operate our business smoothly. This includes:

    • Payment Processors: to handle credit card transactions or online payments (ensuring your payment details are processed securely according to industry standards, e.g., PCI-DSS compliance). These processors receive your payment information to process the transaction but are not allowed to use your data for other purposes.

    • IT and Hosting Providers: We host our website and databases on secure servers, potentially through cloud services. These hosting providers technically have access to stored data, but they are bound by confidentiality and security obligations. We also use services like Cloudflare (a web security and performance provider) which will process data (like your IP address and requests to our site) to protect us from attacks and provide a fast connection. Cloudflare’s role is to filter malicious traffic and cache content; they might incidentally handle personal data in the form of IPs or cookies, but not for their own use.

    • Email Service and Communications Platforms: We may use an email sending service or CRM to send out booking confirmations or newsletters (for example, an SMTP service or a marketing email platform). Those providers will handle your email address and the content of emails under our instructions. Likewise, if we use a WhatsApp API service or SMS gateway to send messages, the service will transmit your phone number and message but not use it beyond that.

    • Analytics and Advertising Partners: As described in the Cookies section, services like Google Analytics and Facebook receive some data from our site. In those cases, those companies are considered third-party data recipients. Google and Facebook may use the data for their own analytics and ad network purposes. We ensure that we engage with these platforms in compliance with their policies (for example, we adhere to Google Analytics’ data protection terms and Facebook’s Business Tools terms).

    • Professional Advisors: On occasion, we might share information with lawyers, accountants, or other consultants who need access to certain data to provide us with advice or to defend our legal interests. For instance, if there’s a legal dispute or audit, our lawyer or accountant might need to see booking records. These parties are bound by professional secrecy or confidentiality agreements.

  • Business Transfers: If in the future MDE Tours undergoes a business transaction such as a merger, acquisition by another company, or sale of some or all assets, personal data might be transferred as part of that deal. If such a transfer happens, we will ensure that your data remains protected and that you are informed of any changes in ownership or use of your personal information, as well as any choices you may have. The new owner would have to honor the commitments we have made in this Privacy Policy.

  • Legal Requirements and Protection: We may disclose personal information when required to do so by law or in response to valid requests by public authorities (e.g., a court order, subpoena, or government demand under law). We may also disclose data if we believe in good faith that it is necessary to: comply with a legal obligation; protect and defend the rights, property, or safety of MDE Tours, our customers, or others; investigate and help prevent security or technical issues; or address emergencies. For example, if law enforcement requires information as part of an investigation, and we are legally compelled, we will provide the data requested. Similarly, if a passenger incident occurs, we might share data with emergency responders.

  • Aggregated or Anonymized Data: We may share aggregated information that cannot identify you with third parties for research, marketing, or other business purposes. For example, we might share statistics like “X% of our customers come from Europe” or “the most popular tour is ABC Tour” with a tourism board or on our website. This information will not contain any personal identifiers.

Important: All third parties with whom we share personal data are contractually or legally obligated to keep it secure and to use it only for the purposes we specify. Whenever we share your data with service providers, we ensure they are bound by terms that align with this Privacy Policy and applicable privacy laws. We do not give any third party the right to use your data for their own unrelated purposes.

We also want to reassure you that we do not sell or rent your personal information to data brokers or advertisers. In the context of CCPA (for California residents), “selling” includes sharing data for valuable consideration. We do not engage in such practices. The only disclosures of data are those described above, which are generally for business purposes (not sales). If in the future we ever considered selling personal data (which we do not anticipate), we would update this policy and provide opt-out mechanisms as required by law.

International Data Transfers

MDE Tours is based in Colombia, but we serve travelers from all over the world. This means your personal information may be transferred to or accessed in multiple countries, including Colombia, the United States, or other jurisdictions where our service providers are located. We want to be transparent about how we handle these cross-border data transfers:

  • Data Location: The personal data we collect is primarily stored on secure servers. These servers might be in Colombia or in other countries. For example, if our website hosting or cloud storage is provided by a company in the United States or Europe, your data could reside on servers in those regions. Similarly, data collected via Google Analytics or Facebook Pixel will be transmitted to and stored on Google or Facebook servers, which may be located in the United States or other countries. Communication tools (like email or WhatsApp) also route data internationally by their nature.

  • Colombia and International Transfers: Under Colombian data protection law (Decree 1377 of 2013), transferring personal data outside of Colombia is permitted in certain cases, including when the destination country has adequate data protection standards or when the data subject has given consent. By using our services and providing information to us, you consent to the transfer of your personal data outside of your country, including to Colombia. We will always ensure such transfers are done securely.

  • Transfers from the European Economic Area (EEA) or UK: If you are in the EEA or the United Kingdom, we are aware that your personal data leaving your country must be protected according to GDPR standards. Colombia is currently not on the European Commission’s list of countries with an “adequate” level of data protection. Therefore, when we transfer data from the EEA/UK to Colombia or to any other country that isn’t deemed adequate (such as the United States), we take additional steps:

    • We may rely on Standard Contractual Clauses (SCCs) or their UK equivalent in contracts with our service providers. These are legal clauses approved by the European Commission that commit the recipient of the data to protect it according to EU privacy standards.

    • In some cases, we might rely on your explicit consent for certain cross-border transfers, especially when using specific optional services.

    • We also evaluate on a case-by-case basis any need for supplementary measures (like encryption in transit and at rest, which we do employ) to ensure data is secure during transfer and storage.

  • Transfers to the United States and Other Countries: Many of our third-party service providers (such as Cloudflare, Google, Facebook, or email services) are U.S.-based companies or have servers in the U.S. The U.S. has different data protection laws than Colombia or the EU. When your data is in the U.S., it may be subject to lawful access requests by U.S. authorities (under frameworks like the CLOUD Act). We strive to choose reputable providers that have robust privacy and security practices. For instance, Cloudflare is a company known for strong security; Google and Facebook are certified under frameworks like the EU-U.S. Data Privacy Framework (the successor to Privacy Shield) which aim to protect European data in the U.S.

  • Your Acknowledgement: By providing personal information to MDE Tours and/or using our website, you acknowledge that your data will be transferred to, stored, or processed in Colombia and possibly other countries as described. We will handle your data in accordance with this Privacy Policy regardless of where it is processed.

  • Safeguards: No matter where we process your data, MDE Tours will apply the same level of security and privacy safeguards. We have internal policies and training to ensure our team treats your data lawfully and securely. If any of our providers cannot meet the required safeguards, we will not use them for personal data or we will find alternative means.

  • International Travelers: If you are traveling to Colombia and booking our tours, note that by engaging our services, your data will be used in Colombia (for booking and during the tour). Colombia’s privacy protections (Law 1581 of 2012) give you rights as a data subject (very similar to GDPR rights) and we honor those. International transfer in this case is inherent in the service (since you, as a data subject, are bringing your data to us in Colombia to arrange the tour). We consider that your use of our services is an explicit consent to this handling, in addition to the other safeguards mentioned.

If you have questions about international data transfers or need more specific information about where your data might be stored or transferred, please contact us. We understand this can be a complex area, and we are happy to provide clarifications. Our aim is that no matter where your data goes, it remains protected and your rights remain intact.

Data Storage and Security Measures

We take data security very seriously at MDE Tours. We have implemented a variety of measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. While no method of transmission over the internet or electronic storage is 100% secure, we follow industry best practices to safeguard your data. Our security measures include:

  • Secure Servers and Infrastructure: We store your data on secure servers that are protected by firewalls and housed in facilities with strict access controls. Whether our servers are in Colombia or in data centers abroad, they employ robust physical and digital security. Our website hosting environment is regularly updated with security patches to guard against vulnerabilities.

  • Encryption: Our databases are encrypted, meaning personal data at rest is stored in an encoded form that cannot be read without the proper keys. Additionally, we use SSL/TLS encryption for our website – you’ll notice the padlock or “https://” in your browser’s address bar when interacting with our site. This encrypts data in transit between your browser and our website (such as when you submit a form or payment information), preventing eavesdropping by third parties during transmission. Any sensitive payment information is handled over secure, encrypted channels, and if stored at all, is encrypted or tokenized.

  • Cloudflare Protection: We utilize Cloudflare services as an added layer of security for our website. Cloudflare acts as a shield against malicious traffic, DDoS attacks (distributed denial of service), and intrusion attempts. It also provides a Web Application Firewall (WAF) that can filter out dangerous requests. This means when you access our site, your connection might pass through Cloudflare’s network which helps ensure that only legitimate traffic reaches our servers. Cloudflare also helps improve site speed via its content delivery network, but importantly, it enhances security by blocking threats and securing DNS. By using Cloudflare, we reduce the risk of data breaches via online attacks.

  • Access Controls: Internally, access to personal data is restricted to authorized personnel who need to know that information to perform their duties. For example, our booking staff will have access to reservation details, but not every employee of MDE Tours can view your personal data. We implement user accounts, strong passwords, and (where feasible) two-factor authentication for our administrative systems to prevent unauthorized access. Staff are trained on the importance of confidentiality and privacy.

  • Employee Training and Policies: We educate our team about data protection best practices and the importance of safeguarding personal information. We have internal privacy and security policies that our employees and contractors must follow, including guidelines on handling customer data, using only approved tools, and reporting any suspected incidents.

  • Regular Backups: We perform regular backups of our databases and files. These backups are encrypted and stored securely. In the event of a technical issue or data loss incident, backups help us restore information and maintain continuity of service. Access to backups is also restricted.

  • Monitoring and Testing: We monitor our systems for potential vulnerabilities and attacks. This includes keeping our software up to date, using anti-malware tools, and periodically scanning for security issues. If we use third-party platforms or plugins, we ensure they are reputable and updated. We may also engage security experts to perform penetration testing or security audits on our systems to proactively find and fix weaknesses.

  • Payment Security: If we handle payments directly, we comply with Payment Card Industry Data Security Standards (PCI-DSS). In many cases, we use third-party payment gateways (like a credit card processor or PayPal) so that we do not directly store your card details. Those third parties are PCI-DSS compliant. Any payment details that pass through our site are transmitted securely to the payment gateway and not retained by us (other than perhaps the last four digits of a card or a transaction ID for reference).

  • Anonymization and Pseudonymization: Where possible, especially in analytics or records, we may remove or replace personal identifiers with codes (pseudonymization) or aggregate data so that it’s no longer tied to an individual (anonymization). For example, after your tour is completed and the data is no longer needed in an identifiable form, we might archive it by replacing your name with an ID, so that if data is used for statistical purposes it can’t easily be traced back to you.

  • Incident Response Plan: Despite all precautions, if a data breach or security incident were to occur, we have a procedure in place to contain the issue, mitigate any harm, and notify affected parties and authorities as required by law. We would inform you if your personal data was compromised and advise on steps to protect yourself, in line with our legal obligations.

We want you to feel confident in entrusting us with your personal information. However, you should also take steps to protect yourself online. Only share information on our official channels, beware of phishing attempts (we will never ask for sensitive info like your password via email), and keep your own devices secure.

If you suspect any misuse of your data or have any security-related concerns, please contact us immediately (see Contact Information below). We will investigate and take appropriate action. Your security is our priority, and we continuously strive to maintain and improve our protective measures.

Data Retention: How Long We Keep Your Data

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, or as required by law. The retention period can vary depending on the type of information and the reason we have it. Below is an overview of our data retention practices:

  • General Retention Period: For most personal data related to bookings and inquiries, we keep it for up to 1 year after your last interaction with us. This means if you book a tour or contact us, we will generally retain your information for no longer than one year from the date of your tour or the last communication. We use this one-year period for operational purposes and first-party marketing (for example, sending you a discount for another tour within a year, or maintaining your details in case you have follow-up questions about your recent tour). After one year of inactivity, we will either securely delete your personal data or anonymize it (strip it of identifying details so it can be used for statistical analysis without being tied to you).

  • Shorter Retention for Unused Data: If you provided information but did not complete a booking (for example, you started a reservation but didn’t finalize payment, or you inquired but never actually took a tour), we might keep your data for a shorter period. We may send a reminder or follow-up within a short window, but if we don’t hear back, we might delete your information within a few months to ensure we’re not holding data unnecessarily. You always have the option to ask us to remove it sooner (see Your Rights).

  • Marketing Data: If you have consented to receive marketing communications (like newsletters) or if we are sending you such communications under a lawful basis, we will keep your contact details on our marketing list until you opt-out or until the 1-year mark, whichever comes first. If you opt-out or unsubscribe from marketing, we will immediately remove you from the list (though we may keep a record of your request to ensure we respect it going forward).

  • Payment Information: We do not store full payment card details beyond the immediate needs of the transaction, except possibly a token or record from the payment processor. Transaction records (which may include your name, the last four digits of your card, payment amount, and date) are kept for bookkeeping and in case of disputes or refunds. These records are generally kept for the period required by accounting laws (which can be several years – in Colombia, for instance, financial records might be kept for 5 years for tax purposes). However, such data will be limited to what is necessary (we won’t keep your CVV or full card number).

  • Legal and Operational Retention: There are scenarios where we might retain data longer than 1 year, if necessary:

    • Legal Obligations: If a law or regulation requires us to keep data for a certain period, we will comply. For example, as a registered company, we may need to maintain certain contractual or invoicing information for a statutory period (e.g., tax regulations, tourism regulatory requirements).

    • Dispute Resolution: If you have an open dispute or issue with us, or if we reasonably believe there is a prospect of litigation or a legal claim relating to your data or tour, we will retain the relevant information until the issue is resolved and/or for the duration required by law to protect our legal rights.

    • Accident/Incident Reports: In the unlikely event of an accident, incident, or insurance claim during a tour, we may need to retain related personal data longer (for example, documentation of what happened, which could include personal data) for insurance and liability purposes.

    • Suppression Lists: If you ask us to not contact you in the future (for example, you opt-out of emails or you exercise your right to deletion), we may keep minimal information about you on a “suppression list” to ensure we honor your no-contact request. This is a standard practice to avoid accidentally re-adding you to a contact list against your wishes.

  • Anonymized Data: We may retain anonymized or aggregated data (which is no longer personally identifiable) indefinitely for business analysis, research, and statistical purposes. For example, overall tour booking numbers by month or general demographic breakdowns (without names) may be kept to help us understand trends. This kind of data has no personal identifiers and cannot be traced back to you.

When we no longer have a legitimate need or legal obligation to keep your personal information, we will securely dispose of it. This could involve erasing electronic records, deleting entries from our databases, and/or shredding physical documents (if any). We use secure deletion methods to prevent data from being recovered or misused.

Summary: We aim to keep your personal data for only as long as necessary. In practice, that means most of your personal info will be gone from our active systems within 12 months after your tour or last contact, with certain information retained longer only if required for specific reasons (like legal compliance). If you have any questions about our retention policy for a specific type of data, you can contact us for more details. And of course, if you want us to delete your data sooner, you have the right to ask (see next section on Your Rights).

Your Rights and Choices

We respect your rights to control your personal data. Depending on the laws that apply to you (Colombian law, GDPR if you are in the EU/EEA or UK, CCPA if you are in California, etc.), you have a number of important rights regarding the personal information we hold about you. We extend these rights to all our customers as a matter of good practice, so you can feel confident about your data no matter where you’re from. Below is a summary of your key rights and how to exercise them:

  • Right to Access: You have the right to request a copy of the personal data we have about you, as well as information about how we use it. This is sometimes called a “Data Subject Access Request.” We will provide you with the data in a commonly used format. For example, you can ask us to confirm if we’re processing your personal info and to send you a copy of all the data we have on you (e.g., your booking details, contact info on file, etc.). This allows you to know exactly what information we have.

  • Right to Rectification (Correction): If you believe any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected or updated. For instance, if you realize we have misspelled your name or have an outdated email address, you can ask us to fix it. We strive to keep data accurate and will promptly make the corrections upon your request.

  • Right to Erasure (Deletion): You have the right to request that we delete your personal data, sometimes known as the “right to be forgotten.” You can ask us to remove your information from our records. We will honor this request provided that we do not have a legal obligation or other valid reason to retain the data. For example, if you withdraw consent for marketing and ask for deletion, we will remove your contact from our marketing list. If you ask us to delete all your data, we will do so unless we must keep certain records (we will inform you if that’s the case, such as needing to keep a transaction record for financial auditing). Once your data is deleted, you might need to provide information again if you use our services in the future, as we won’t have any history remaining.

  • Right to Withdraw Consent: If we are processing any of your data based on your consent, you have the right to withdraw that consent at any time. For example, if you gave consent to receive promotional emails, you can unsubscribe or tell us you no longer consent. This will not affect the lawfulness of processing based on consent before its withdrawal. Basically, if you change your mind, we will stop the uses of data that rely on your consent.

  • Right to Object to Processing: You have the right to object to certain types of processing. The most common example is objecting to marketing. You can tell us at any time that you do not want us to use your data for direct marketing purposes, and we will stop. You can also object if you feel our processing is based on a legitimate interest and you have particular reasons to object (for instance, you might object to us using your data for analytics if you feel it infringes on your privacy). We will consider your objection and comply unless we have a compelling legitimate ground to continue or a legal obligation to do so. Note: If you object to some uses of data, it might affect our ability to serve you (for example, objecting to all processing would mean we cannot even keep your booking).

  • Right to Restrict Processing: This allows you to ask us to limit the processing of your data in certain circumstances. For instance, if you contest the accuracy of your data, you can request we restrict processing while we verify the information. Or if you have objected to processing and we are determining whether our grounds override yours, you can ask us to pause further processing of the data in the meantime. When processing is restricted, we can still store your data but not use it for the time being (except to the extent needed for the issue at hand).

  • Right to Data Portability: For data that you have provided to us and that we process by automated means on the basis of consent or contract, you have the right to get that data in a structured, commonly used, machine-readable format and have it transferred to another data controller where technically feasible. In simpler terms, you can ask for an electronic copy of the data you gave us (for example, all the personal info you input in a booking) so you can reuse it elsewhere, or ask if we can directly transfer it to a third party of your choosing. This is more relevant for services where you might want to port your profile to a competitor; in our case, it might not be as common, but the right is there for you.

  • Right to Non-Discrimination (for CCPA, also applied generally): If you exercise any of your rights, we will not discriminate against you or penalize you. For example, if you ask us to delete your data or opt out of marketing, we will not refuse you service or charge you a different price. The quality and cost of our tours will remain the same. (Under the CCPA, California residents have the explicit right not to receive discriminatory treatment for exercising privacy rights, and we uphold this principle for all our customers.)

  • Right to Know (for California Residents under CCPA): California residents can request that we disclose the specific pieces of personal information we have collected about them, as well as details about our data practices (such as the categories of sources, the business purpose for collecting, and the categories of third parties we share with). Essentially, this is similar to the access right but has some specific requirements in California. We already cover much of this in our Privacy Policy (as a “right to be informed”), but you can also make a formal request for it.

  • Right to Opt-Out of Sale (for California Residents): As noted, we do not sell personal data. If you are a California resident, you have the right to direct a business that does sell your data to stop doing so (a “Do Not Sell My Info” right). While we don’t sell data, we respect the spirit of this right. If you ever have concerns about any form of data sharing we do, please let us know and we will clarify or honor any request to limit sharing to the extent applicable.

  • Rights Related to Automated Decision Making: As mentioned, we do not engage in automated decision-making that has legal or similar significant effects. If that changes, individuals (particularly under GDPR) would have rights to human review of such decisions or to contest them.

How to Exercise Your Rights: You may exercise any of your rights at any time by contacting us via email at [email protected]. Please indicate clearly what right you wish to exercise and provide us with enough information to identify you (this could be your name, the email used for booking, and the date of your tour or booking reference if you have one). For example, you can send an email with the subject “Data Access Request” or “Request to Delete My Personal Data,” and include your name and the tour you took with us, so we can locate your records.

Verification: To protect your privacy and security, we may need to verify your identity before fulfilling certain requests, especially for access, deletion, or portability of data. We might ask you to provide information that matches our records or to use a known email/phone to contact us. This is to ensure we don’t give your data to an imposter.

Response Time: We will respond to your request as soon as possible and no later than the timeframes required by law. Under GDPR, we generally have one month to respond, and under CCPA, we aim to confirm receipt within 10 business days and fulfill the request within 45 days. We strive to be much faster than that in practice. If we expect it to take longer (for example, if the request is complex or we have many requests at once), we will inform you of the delay and the reason, and we might take an extension (GDPR allows an additional two months if necessary, CCPA allows a one-time 45-day extension). But again, most requests should be straightforward and handled promptly.

No Fee in Most Cases: Usually, you will not have to pay a fee to exercise your rights. We will provide the information or take the action free of charge. However, if a request is manifestly unfounded or excessive (for example, extremely repetitive), data protection laws may allow us to charge a reasonable fee or refuse the request. We have never had to do that, and we will try our best to honor all legitimate requests.

Assistance and Guidance: If you are unsure about how to exercise your rights or what you are entitled to, feel free to ask us. We’re happy to guide you on what we can do and how our processes work.

Complaints: We hope to resolve any query or concern you raise about our use of your information. If you feel we have not addressed your questions or if you believe your rights have been infringed, you also have the right to lodge a complaint with a supervisory authority:

  • In Colombia, the oversight authority for data protection is the Superintendencia de Industria y Comercio (SIC). You can contact them if needed regarding a concern with how your data was handled.

  • In the EU, you can contact the data protection authority in your country of residence (for example, the CNIL in France, the ICO in the UK, etc.).

  • In California, you can reach out to the California Attorney General’s office with concerns regarding CCPA.

    We would, however, appreciate the chance to deal with your concerns first, so please consider reaching out to us before involving regulators.

In summary, your data is yours. We are just a custodian of that data for the purposes you’ve allowed. We want to make sure you have control over it. Don’t hesitate to exercise these rights – they are a key part of modern privacy laws and we are fully on board with respecting them.

Minors’ Privacy (Children)

Protecting the privacy of minors is especially important. Our website and services are not specifically directed to children, but we recognize that minors (especially teenagers) might be interested in our tours or travel content. Here’s how we handle data in relation to minors:

  • Website Access: We do not have any strict age gate on our website – meaning, we do not block users based on age, and our content is generally appropriate for a general audience (travel information, cultural and historical tour descriptions). However, our Terms and Conditions for tour bookings typically require that participants be adults (18 or older) or minors accompanied by a parent or legal guardian. We do not knowingly allow unaccompanied minors to book or participate in our tours.

  • Booking Data for Minors: It’s possible that a parent or guardian may provide personal data of a minor when booking a tour that includes that minor. For example, a family booking might list a child’s name and perhaps age for considerations like ticketing or appropriate arrangements. Such data is provided with the consent and initiative of the parent/guardian. We treat that data with the same care as other personal data. If a minor is under 18 and participating in a tour, we presume the parent/guardian has authority to provide their data and make decisions regarding it.

  • No Direct Marketing to Minors: We do not knowingly collect contact information from minors for marketing purposes. If you are under 18, please do not sign up for newsletters or provide us personal details without parental consent. If we discover that we have inadvertently collected personal data from a child under 18 without proper consent, we will delete that information promptly.

  • Children Under 13: We do not target or solicit data from children under 13. If you are a parent or guardian and believe your child under 13 may have provided personal information to us (for example, by interacting with our site or through some miscommunication), please contact us. We will take steps to remove that data from our systems. This is in line with U.S. COPPA regulations (Children’s Online Privacy Protection Act) for any U.S. children, and as a best practice globally.

  • Accompanied Minors on Tours: If a minor (under 18) is on a tour with a guardian, any personal data related to the minor (like their name on a booking manifest, or a photo that might be taken during the tour for memory) will be managed with the parent/guardian’s knowledge. We might, for instance, have a waiver or consent form that the guardian signs which covers the minor as well. We will not separately contact minors or use their data beyond what’s necessary for the tour participation.

  • Content Appropriate: We strive to ensure our website content and marketing materials are family-friendly. While some tours may involve historical violence (like discussing Pablo Escobar’s history) or nightlife, we frame content responsibly. If any content on our site is not suitable for younger audiences, we will note it or age-restrict that particular page (though that’s uncommon).

  • Parental Control: If you are a parent or guardian and have concerns about personal data of your child in relation to our services, you can exercise the rights on behalf of your child (as their legal representative). For example, you can request access to or deletion of your child’s data. We may require verification to ensure you are indeed the guardian.

  • Teens 13-17: If you are between 13 and 17 years old, please only use our services with permission and involvement of your parent or guardian. It’s great that you want to explore tours and travel, but for any bookings or provision of personal info, involve an adult. We may ask for confirmation of age or parental consent if we suspect a booking is made by someone under 18.

In summary, we intend our services for adults and supervised minors. We encourage families to travel together, but personal data of minors should be provided by adults. We do not intentionally gather information from children without consent. If you think we might have unknowingly collected a child’s data, let us know and we will address it immediately.

Changes to This Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will do so in the following ways:

  • Posting the New Policy: We will post the updated Privacy Policy on our website (usually on this same page or a clearly indicated “Privacy Policy” page). The “Last Updated” date at the top will be revised so you can immediately see that a change has occurred.

  • Notification of Material Changes: If the changes are significant or materially affect how your personal data is processed, we will take additional steps to inform you. This might include prominently posting a notice on our website’s homepage, or sending you a direct notification via email (if we have your email on file and are permitted to contact you). For example, if we were to start collecting new types of personal data or share data with a new third party not covered in this policy, that would be a material change.

  • Reviewing Changes: We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. If you have this page bookmarked, note the date and version changes. We may also archive previous versions for reference.

  • Consent for New Uses: If we plan to use your personal data for a new purpose that was not originally disclosed to you (and that new purpose is not something you might expect or is incompatible with the original purpose), we will obtain your consent where required by law. We will not apply any material changes retroactively to personal data we collected in the past without your consent.

  • Continuous Commitment: Our commitment to your privacy will remain. Changes to the policy are often to improve clarity or comply with new legal obligations. We will never reduce your rights under this Privacy Policy without your explicit consent.

By continuing to use our website or services after an updated Privacy Policy is in effect, you will be deemed to have accepted the revised policy. However, if any change requires your consent, we will specifically seek that (for example, via a pop-up or email asking you to agree).

If you have any questions about the changes or any aspect of the Privacy Policy, feel free to reach out to us (see Contact Information below). Your feedback is also welcome – if something is unclear, let us know, and we can try to clarify it.

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to contact us. We are here to help and address any issues you may have.

Contact Details for Medellin MDE Tours S.A.S.:

  • Email: [email protected]

    This is our primary contact for privacy inquiries. We monitor this email and strive to reply promptly. Whether you want to exercise your rights, ask a question about what data we have about you, or anything else related to privacy, emailing us is the best way to get in touch.

  • Postal Address: Medellin MDE Tours S.A.S., Medellín, Antioquia, Colombia.

    (Complete address can be provided here if available. For example: “1234 Avenida El Poblado, Office 567, Medellín, Antioquia, Colombia” – replace with actual address.) If you prefer to send us a physical letter, you can do so at this address. Please mark it “Attn: Privacy Officer” to ensure it reaches the right team.

  • Phone: If we have a customer service phone number, it could be listed here. For instance, “Tel: +57 (XXX) XXX-XXXX (available during business hours, Colombian time zone)”. You can call us with questions, though for detailed privacy requests we might still ask you to submit in writing (for verification purposes).

  • Website Contact Form: You may also reach out through our contact form on the website. If you mention it’s a privacy-related query, it will be routed to the appropriate personnel.

  • Data Protection Officer (DPO): (If applicable) Given our company size, we may not be required to have a formal DPO under GDPR. However, we do have a person responsible for privacy matters. Currently, our privacy point-of-contact is [Name/Title]. You can direct communications to them via the above email. If in the future we appoint a formal DPO or representative in the EU/UK, we will update this section with their contact details.

We will address any communications or complaints confidentially and in a timely manner. If you’re contacting us to exercise a specific right, please clearly describe what you need so we can assist effectively. For example, if you email saying “Please delete my data,” it helps to include information like your booking reference or the email you used so we can locate your records.

Remember, your privacy is very important to us. We welcome feedback on this Privacy Policy – if something is unclear or you need more information, just ask. We appreciate the trust you place in MDE Tours and will continue working hard to keep that trust by keeping your personal information safe and respecting your rights.

Thank you for reading our Privacy Policy. We hope you feel informed and secure. Now, let’s go explore Medellín and make some wonderful memories, knowing your data is in good hands!

 
