GDPR Data Subject Rights Notice
Effective Date: March 29, 2026 Last Updated: March 29, 2026
1. Who This Notice Applies To
This notice applies to you if you are located in:
- The European Union (EU)
- The European Economic Area (EEA) — including Iceland, Liechtenstein, and Norway
- The United Kingdom (UK)
Under the General Data Protection Regulation (GDPR) and the UK GDPR, you have specific rights regarding your personal data. This notice explains those rights in plain language and tells you exactly how to use them.
2. Who Controls Your Data
The data controller for personal data collected through cruisealert.com and agents.cruisealert.com is:
Destinations Media & Travel (trading as CruiseAlert) Registered in the Netherlands Email: legal@cruisealert.com Website: cruisealert.com
As the data controller, we determine why and how your personal data is processed. For details about what data we process and why, see our Privacy Policy.
3. Your Eight GDPR Rights
Right 1: Access (Article 15)
What it means: You can ask us to confirm whether we hold personal data about you, and if so, request a copy of it along with information about how we use it.
What you'll receive:
- The categories of data we hold about you
- Why we process it (the purposes)
- Who we share it with
- How long we keep it
- Information about your other rights
- A copy of the actual data itself
How to request: Email legal@cruisealert.com with the subject "GDPR Access Request."
Timeline: We will respond within 30 days. For complex or multiple requests, we may extend this by up to an additional 60 days, and we will notify you if we do.
Right 2: Rectification (Article 16)
What it means: If we hold inaccurate or incomplete personal data about you, you can ask us to correct or complete it.
Examples: Your name is misspelled; your email address is outdated; your home port is wrong.
How to request: You can correct most information directly in your account settings. For data you cannot change yourself, email legal@cruisealert.com with "GDPR Rectification Request" in the subject line.
Timeline: 30 days.
Right 3: Erasure / "Right to Be Forgotten" (Article 17)
What it means: You can ask us to delete your personal data. This right applies when:
- The data is no longer needed for the purpose it was collected
- You withdraw consent (where consent was the legal basis)
- You object to processing and we have no overriding legitimate grounds
- Your data was unlawfully processed
- Deletion is required to comply with a legal obligation
Limitations: We may be unable to delete all data where we have a legal obligation to retain it (for example, financial records or consent audit logs). We will tell you specifically what we can and cannot delete and why.
How to request: Use the account deletion feature in your account settings, or email legal@cruisealert.com with "GDPR Erasure Request" in the subject line. After a 30-day grace period, your data will be permanently deleted.
Timeline: 30 days.
Right 4: Restriction of Processing (Article 18)
What it means: You can ask us to pause (but not delete) the processing of your personal data in certain circumstances:
- You contest the accuracy of the data (we pause processing while we verify it)
- The processing is unlawful but you prefer restriction over erasure
- We no longer need the data for our purposes but you need it for legal claims
- You have objected to processing and we are considering whether our legitimate interests override yours
What it looks like in practice: We will continue to store your data but will not actively use it until the restriction is lifted.
How to request: Email legal@cruisealert.com with "GDPR Restriction Request" in the subject line. Describe why you are requesting restriction.
Timeline: 30 days.
Right 5: Data Portability (Article 20)
What it means: Where we process your data based on your consent or to perform a contract, and the processing is carried out by automated means, you can receive your data in a structured, commonly used, machine-readable format (such as JSON or CSV). You may also request that we transmit it directly to another controller where technically feasible.
What data this covers: Account information, price alert configurations, and tracked sailings — data you provided to us.
What data this does not cover: Data derived from processing (e.g., analytics), server logs, or data held on other legal bases.
How to request: Use the data export feature in your account settings (coming soon), or email legal@cruisealert.com with "GDPR Data Portability Request" in the subject line.
Timeline: 30 days.
Right 6: Objection (Article 21)
What it means: You can object to processing of your personal data in two situations:
A) Processing based on legitimate interests: If we process your data based on our legitimate interests (Article 6(1)(f)), you can object. We will stop processing unless we can demonstrate compelling legitimate grounds that override your rights, or the processing is for the establishment, exercise, or defense of legal claims.
B) Direct marketing: You can always object to your data being used for direct marketing purposes. If you object, we will stop using your data for marketing immediately and unconditionally — no override applies.
How to request: For marketing, click "Unsubscribe" in any marketing email or update your preferences in account settings. For other objections, email legal@cruisealert.com with "GDPR Objection" in the subject line.
Timeline: For direct marketing objections, we will act immediately. For other objections, within 30 days.
Right 7: Not to Be Subject to Automated Decision-Making (Article 22)
What it means: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects.
Our current practice: CruiseAlert does not currently make any automated decisions that produce legal or similarly significant effects. Price alerts are automated notifications, not decisions about your eligibility for services.
If this changes, we will update this notice and obtain any required consent.
Right 8: Withdraw Consent (Article 7(3))
What it means: Where we process your data based on your consent (for example, marketing emails or analytics cookies), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
How to withdraw:
- Marketing emails: Click "Unsubscribe" in any marketing email, or visit account settings
- Analytics cookies: Update your cookie preferences via the cookie settings panel
- Agent matching consent: Contact us at legal@cruisealert.com
Timeline: We will act on consent withdrawals promptly, typically within 72 hours for email preferences and immediately for cookie preferences.
4. How to Submit a Request
Email: legal@cruisealert.com Subject line format: "GDPR [Right Name] Request" (e.g., "GDPR Access Request")
What to include:
- Your full name
- The email address associated with your account
- A description of your request
- For erasure requests: confirmation that you understand this cannot be reversed
Identity verification: To protect your data, we may ask you to verify your identity before processing your request. We will only request what is reasonably necessary to confirm who you are.
5. Response Timeframes
| Request Type | Standard Deadline | Extension (complex/multiple) |
|---|---|---|
| All rights requests | 30 calendar days from receipt | Up to 90 days total (we notify you within 30 days if we need more time) |
If we decline to act on your request, we will tell you why within 30 days and inform you of your right to complain to a supervisory authority.
6. Free of Charge
Exercising your GDPR rights is free. However, if requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable administrative fee or refuse to act, and we will tell you why.
7. Right to Lodge a Complaint
If you are unsatisfied with how we handle your data or your rights request, you have the right to lodge a complaint with your local supervisory authority:
| Location | Supervisory Authority | Website |
|---|---|---|
| EU Member States | Your national data protection authority | edpb.europa.eu/about-edpb/board/members_en |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| Ireland | Data Protection Commission | dataprotection.ie |
| Germany | Your Landesbeauftragte (state DPA) | bfdi.bund.de |
| France | CNIL | cnil.fr |
| Netherlands | Autoriteit Persoonsgegevens | autoriteitpersoonsgegevens.nl |
We would appreciate the opportunity to resolve your concern directly before you contact a supervisory authority. Please contact us first at legal@cruisealert.com.
8. Data Transfers Outside the EEA
Your data may be transferred to and processed in the United States by our infrastructure and service providers. We take steps to ensure these transfers are protected under appropriate safeguards (Standard Contractual Clauses). For details, see our Privacy Policy, Section 7.
9. Contact
For all data rights requests and privacy questions:
Destinations Media & Travel (trading as CruiseAlert) Email: legal@cruisealert.com Website: cruisealert.com/legal/gdpr
We aim to acknowledge receipt of all requests within 5 business days.