Privacy Policy
Effective Date: March 29, 2026 Last Updated: March 29, 2026
1. Introduction
CruiseAlert ("we," "us," or "our") is a service operated by Destinations Media & Travel, a company incorporated in the Netherlands. We operate at cruisealert.com (B2C) and agents.cruisealert.com (B2B). We take your privacy seriously.
This Privacy Policy explains:
- What personal data we collect and why
- How we use and protect your data
- Who we share it with and when
- Your rights and how to exercise them
If you have questions, contact us at legal@cruisealert.com.
2. Who This Policy Applies To
This policy applies to:
- B2C users: Consumers using cruisealert.com to track cruise prices
- B2B users: Travel agents using agents.cruisealert.com
- Visitors: Anyone who visits our websites without creating an account
For travel agents, the Agent Terms of Service and Data Processing Agreement also apply and govern how agents handle consumer data received through our matching service.
3. Data We Collect
3.1 Information You Provide Directly
| Category | Examples | Why Collected |
|---|---|---|
| Account information | Email address, name, password (hashed) | Account creation and authentication |
| Profile information | Travel preferences, home port, cruise line preferences | Personalizing your experience |
| Alert configurations | Targeted sailings, cabin types, price thresholds | Delivering price alerts |
| Communications | Support emails, feedback submissions | Customer support |
Travel agents additionally provide:
| Category | Examples |
|---|---|
| Professional information | Agency name, license/credentials, specialty areas |
| Contact details | Phone number, business address |
| Client handling info | How they prefer to receive and handle consumer leads |
3.2 Information Collected Automatically
When you use the Service, we automatically collect:
| Category | Examples | Why Collected |
|---|---|---|
| Usage data | Pages visited, features used, alert activity | Service improvement and analytics |
| Device information | Browser type, operating system, screen size | Compatibility and debugging |
| IP address | Your internet address at login/signup | Security and fraud prevention |
| Server logs | Timestamps, request paths, error codes | Debugging and security |
3.3 Cookies and Tracking Technologies
We use cookies and similar technologies. See our Cookie Policy for the full breakdown. In summary:
- Strictly necessary cookies: Required for authentication and security
- Analytics cookies: Used only with your consent
- Marketing cookies: Used only with your consent
- Preference cookies: Store your settings (e.g., cookie consent choice)
3.4 Information We Do Not Collect
We do not collect:
- Payment card information (we do not process payments directly)
- Government ID numbers
- Precise geolocation (we may infer general region from IP)
- Biometric data
- Information from children under 13
4. How We Use Your Data
4.1 To Provide the Service
- Create and manage your account
- Deliver price alerts when your tracked sailings meet your configured conditions
- Show you cruise price history and availability data
- Match you with travel agents (only if you explicitly opt in)
4.2 To Communicate With You
- Send transactional emails (price alerts, account notifications, security alerts)
- Send marketing emails (only with your consent, and you can opt out at any time)
- Respond to your support inquiries
4.3 To Improve the Service
- Analyze usage patterns to understand which features are valuable
- Debug issues and optimize performance
- Develop new features
4.4 For Security and Legal Compliance
- Detect and prevent fraud, abuse, and unauthorized access
- Comply with legal obligations (e.g., responding to lawful government requests)
- Enforce our Terms of Service and Acceptable Use Policy
5. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases under the EU General Data Protection Regulation (GDPR):
| Processing Activity | Legal Basis |
|---|---|
| Creating and maintaining your account | Contract (Article 6(1)(b)) — necessary to provide the Service |
| Delivering price alerts you configure | Contract (Article 6(1)(b)) — core service feature you signed up for |
| Sending marketing emails | Consent (Article 6(1)(a)) — we only send marketing with your explicit opt-in |
| Analytics and usage tracking | Legitimate interest (Article 6(1)(f)) — improving the service, balanced against your rights |
| Security and fraud prevention | Legitimate interest (Article 6(1)(f)) — protecting users and the platform |
| IP address logging for security | Legitimate interest (Article 6(1)(f)) — security monitoring |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
| Consent records retention | Legal obligation (Article 6(1)(c)) — demonstrating compliance |
Where we rely on legitimate interests, you have the right to object. Contact legal@cruisealert.com.
Attorney review note: The legitimate interest assessments (LIAs) underlying each "legitimate interest" basis should be documented internally before going live with EU users.
6. Who We Share Your Data With
We do not sell your personal data. We share it only in the following circumstances:
6.1 Service Providers (Processors)
We use third-party companies to help operate the Service. These providers process data only on our instructions:
| Category | Purpose | Data Shared | Location |
|---|---|---|---|
| Database and authentication provider | Account management and secure login | Account data, alert configs | USA |
| Email delivery provider | Sending price alerts and notifications | Email address, name | USA |
| CDN and security provider | Content delivery, DDoS protection, web performance | IP address, request metadata | USA/Global |
| Infrastructure hosting provider | Server hosting and data processing | Server-side data | USA |
All processors are contractually required to protect your data and use it only for the specified purpose.
6.2 Travel Agent Matching (With Your Explicit Consent)
If you choose to be connected with a travel agent through our B2B matching service, we will share your contact information and cruise search preferences with the matched agent. This only happens if you explicitly consent. You may withdraw consent at any time, though we cannot reverse disclosures already made.
Agents who receive your data are bound by our Agent Terms of Service and Data Processing Agreement, which restrict them from using your data for any purpose other than helping you with your cruise inquiry.
6.3 Legal Requirements
We may disclose your data if required by law, court order, or government authority, or if we believe disclosure is necessary to prevent harm or protect our rights.
6.4 Business Transfers
If CruiseAlert is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you by email and/or a notice on our website before your data is transferred and subject to a different privacy policy.
6.5 Aggregated, Anonymized Data
We may share anonymized, aggregated data (e.g., "cruise prices for Caribbean sailings dropped 12% this month") that cannot identify any individual. This is not subject to this privacy policy.
7. International Data Transfers
CruiseAlert is operated by Destinations Media & Travel, incorporated in the Netherlands. Our infrastructure providers are primarily based in the United States. If you are located outside the US, your data may be transferred to and processed in the United States.
7.1 Transfers from the EEA/UK
For transfers of personal data from the EEA or UK to the United States, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to our US-based processors
- Where available, adequacy decisions
Attorney review note: The specific SCC modules and transfer impact assessments (TIAs) need to be implemented before accepting EU users. This is a legally significant area.
8. Data Retention
We keep your data only as long as necessary:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until you delete your account | Service provision |
| Price alert configurations | Until you delete them or close your account | Service provision |
| Email logs (delivery records) | 90 days | Troubleshooting email delivery |
| Authentication session tokens | 30 days | Security |
| Server logs | 30 days | Security and debugging |
| Consent records | 5 years after last interaction | Legal obligation (demonstrating consent) |
| IP address logs (raw) | 90 days, then hashed | Security monitoring, then privacy protection |
| Aggregated/anonymized price data | Indefinite | Analytics (cannot identify individuals) |
When you delete your account, we begin a 30-day grace period (in case of accidental deletion), then permanently delete your personal data from our systems. Some data may be retained longer where legally required (e.g., financial records if you had a paid subscription).
9. Your Rights (All Users)
Regardless of where you are located, you have these rights:
- Access: You can request a copy of the personal data we hold about you
- Correction: You can update inaccurate or incomplete data via your account settings or by contacting us
- Deletion: You can request deletion of your account and personal data
- Portability: You can request your data in a machine-readable format (JSON or CSV)
- Opt-out of marketing: Unsubscribe from any marketing email using the link in that email, or via account settings
10. GDPR Rights (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, you have additional rights under GDPR:
| Right | What It Means |
|---|---|
| Right of access (Art. 15) | Receive a copy of all personal data we hold about you |
| Right to rectification (Art. 16) | Correct inaccurate or incomplete data |
| Right to erasure (Art. 17) | Request deletion ("right to be forgotten"), subject to legal retention requirements |
| Right to restrict processing (Art. 18) | Ask us to pause processing your data in certain circumstances |
| Right to data portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Right to object (Art. 21) | Object to processing based on legitimate interests or for direct marketing |
| Right to withdraw consent | Withdraw any consent you've given at any time, without affecting past processing |
To exercise these rights: Email legal@cruisealert.com with the subject line "GDPR Rights Request." We will respond within 30 days.
Right to complain: You have the right to lodge a complaint with your local data protection authority. In the EU, find your authority at edpb.europa.eu. In the UK, contact the ICO at ico.org.uk.
See our full GDPR Data Subject Rights Notice for step-by-step instructions.
11. CCPA/CPRA Rights (California Residents)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
| Right | What It Means |
|---|---|
| Right to know | Request disclosure of the categories and specific pieces of personal information we collect, use, and share |
| Right to delete | Request deletion of personal information we hold about you |
| Right to correct | Request correction of inaccurate personal information |
| Right to opt out of "sale" or "sharing" | We do not sell personal information. We do not share it for cross-context behavioral advertising. |
| Right to limit use of sensitive personal information | Request that we limit use of sensitive PI to what is necessary for the service |
| Right to non-discrimination | We will not discriminate against you for exercising any of these rights |
Categories of personal information collected: See Section 3 above. Business or commercial purpose for collection: See Section 4 above. Do Not Sell or Share: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
To exercise your California rights: Email legal@cruisealert.com with "California Privacy Request" in the subject line, or visit cruisealert.com/legal/ccpa-request. We will verify your identity before processing the request and respond within 45 days (extendable to 90 days with notice).
Attorney review note: Verify whether the "sharing" opt-out applies based on actual analytics and advertising arrangements. The CPRA "sharing" definition is broader than sale.
12. Children's Privacy
The Service is not directed to children under 13 years old (or under 16 in the EEA, under applicable local laws). We do not knowingly collect personal information from children. If you are under the applicable age, do not use the Service.
If you believe a child has provided us with personal information, please contact legal@cruisealert.com and we will delete it promptly.
13. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encrypted data transmission (HTTPS/TLS)
- Hashed passwords (never stored in plain text)
- Database encryption at rest
- Row-Level Security (RLS) policies that prevent cross-user data access
- Access controls limiting who on our team can access production data
- Security logging and monitoring
No system is 100% secure. If you discover a security vulnerability, please report it to legal@cruisealert.com.
Data Breach Notification: If a breach occurs that is likely to result in risk to your rights and freedoms, we will notify affected users and relevant authorities as required by law (within 72 hours for GDPR-required notifications to supervisory authorities).
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Post the updated policy at cruisealert.com/legal/privacy
- Update the "Last Updated" date at the top of this document
- Notify you by email if the changes affect how we use your existing data
15. Contact
Destinations Media & Travel (trading as CruiseAlert) Registered in the Netherlands
Privacy questions, rights requests, and data protection matters: Email: legal@cruisealert.com Website: cruisealert.com
Attorney review note: Determine whether a formal Data Protection Officer (DPO) is required. Under GDPR Art. 37, a DPO is required for certain types of large-scale processing. If one is required, their contact details must be listed here and registered with the relevant supervisory authority.