Legal documents

Privacy Policy

How we collect, use and protect your agency's data. Servers exclusively in the EU, GDPR compliance and full control over your data — never sold to third parties. Ever.

MULTITOUR SRL · CUI 54200644 Version 1.0 June 2026
In short
Operator
MULTITOUR SRL, Bucharest, Romania
GDPR contact
info@multitour.io — subject: “GDPR Request”
What we collect
Agencies' contact and identification data; login data; platform usage data
What we do NOT collect directly
Traveller data — entered by the agency as the primary controller
Our servers
Exclusively in the European Union
Do we sell data?
No. Ever.
Supervisory authority
ANSPDCP — www.dataprotection.ro

Who we are

NameMULTITOUR SRL
CUI / CIF54200644
Trade Register No.J2026015452001
Registered officeBulevardul Regina Elisabeta 7-9, Room 12, Floor 2, 030016, Bucharest
Emailinfo@multitour.io
Websitemultitour.io

Please review this policy regularly. Any significant changes will be notified to you by email at least 14 days before they take effect.

How we use your data

Below you will find every scenario in which we collect or process data, with all the relevant details.

1 Registration and management of the agency account
Data collected
Agency name, CUI, address, contact person, email, phone, encrypted password
Purpose
Creating and managing the account; performing the service contract; issuing invoices
Legal basis
Art. 6(1)(b) Performance of the contract | Art. 6(1)(c) Legal obligation (invoicing)
Storage
For the duration of the contract + 5 years (identification data) | 10 years (invoicing data — Accounting Law)
Partners with access
Hosting provider (EU servers); transactional email provider (EU)
2 Use of the platform (Tourscanner and Travel CRM)
Data collected
IP address, browser, operating system, in-app actions, activity logs
Purpose
IT security; technical troubleshooting; service stability
Legal basis
Art. 6(1)(f) Legitimate interest — operating and securing the platform
Storage
12 months
Partners with access
Hosting provider (EU servers)
3 Website traffic analysis (Google Analytics)
Data collected
Anonymized IP (last octet masked), browser type, device, pages visited, session duration, traffic source, approximate geographic location (city level)
Purpose
Analyzing user behaviour; optimizing the platform
Legal basis
Art. 6(1)(a) Your consent — given by accepting cookies on your first visit
Storage
26 months (configured in Google Analytics)
Partners with access
Google Ireland Limited (data may be transferred to Google LLC in the USA based on the European Commission's adequacy decision regarding the EU-US Data Privacy Framework)
You can refuse or withdraw consent for analytics at any time from the cookie banner or from your browser settings. Google Analytics will not be activated before your consent.
4 Traveller data entered by agencies into the CRM
Data processed
The agency's end clients' data: name, passport / ID, date of birth, contact, bookings, special requirements
Multitour's role
Processor — we process this data solely on the agency's instructions, under the Data Processing Agreement (DPA) of the service contract
Agency's role
Controller — the agency is responsible to its travellers for the lawfulness of the processing and for obtaining the necessary consents
Our purpose
Providing the contracted CRM services. Multitour does not use traveller data for its own purposes.
Storage
For the duration of the contract + 90 days for export. On request, we delete or return the agency's data.

Who we share data with

We share personal data only with the providers necessary for the operation of the platform, under data processing agreements (DPA) in accordance with Art. 28 GDPR:

Hosting (production and backup)EU provider (Germany / France) — servers exclusively in the EEA
Google AnalyticsGoogle Ireland Limited — transfer to the USA via EC-approved SCCs
Transactional emailEU provider — system notifications and invoices

We do not sell, rent or disclose your data to any third party for their own commercial purposes.

How we protect data

We apply technical and organizational measures in accordance with Art. 32 GDPR:

  • All communications are encrypted via HTTPS / TLS 1.2+.
  • Travellers' identity documents are stored encrypted (AES-256) in the database.
  • Role-based access — each user sees only the data needed for their role.
  • Logging of access to sensitive data (who, when, what).
  • Regular backups on EU servers.
  • In case of a security incident: we notify the affected users and ANSPDCP within 72 hours (Art. 33 GDPR).

If you suspect a breach of the confidentiality of your data, contact us immediately at info@multitour.io.

Your rights

You can exercise any of the rights below by sending an email to info@multitour.io with the subject “GDPR Request”. We respond within a maximum of 30 days.

AccessArt. 15 GDPR
Obtain a copy of all the data we hold about you.
RectificationArt. 16 GDPR
Correct inaccurate data or complete incomplete data.
ErasureArt. 17 GDPR
Request the deletion of data. May be limited by legal archiving obligations (e.g. invoices — 10 years).
PortabilityArt. 20 GDPR
Receive your data in a structured format (CSV / JSON) for transfer to another provider.
RestrictionArt. 18 GDPR
Request the restriction of processing in specific circumstances (e.g. you contest the accuracy of the data).
ObjectionArt. 21 GDPR
Object to processing based on legitimate interest, including for analytics.
Withdrawal of consent
Withdraw consent for cookies at any time — without affecting the lawfulness of prior processing.
Complaint to ANSPDCPArt. 77 GDPR
File a complaint at www.dataprotection.ro if you believe your data is being processed unlawfully.

Where and how long we store data

All data is stored on servers located exclusively in the European Union. We do not transfer data outside the EEA without adequate safeguards in accordance with Chapter V GDPR.

When the periods indicated in Section 2 expire, the data is irrevocably deleted or anonymized, except for data subject to legal archiving obligations.

Data concerning minors

The Multitour platform is intended exclusively for travel agencies and their adult representatives (at least 18 years old). We do not intentionally collect personal data of minors through the registration form.

Minors' data in bookings managed through the CRM is entered by the agency, which is responsible for obtaining parental consent in accordance with Art. 8 GDPR.

Changes to the policy

This policy may be updated from time to time. Minor changes take effect upon publication. Significant changes are communicated to you by email at least 14 days in advance. Continuing to use the platform after the effective date constitutes implicit acceptance of minor changes.

Contact

Email (GDPR requests)info@multitour.io — subject: “GDPR Request”
Response timeMaximum 30 calendar days
Supervisory authorityANSPDCP — www.dataprotection.roanspdcp@dataprotection.ro
ANSPDCP addressBulevardul Gheorghe Magheru 28-30, Sector 1, 010336, Bucharest
Related document
Terms and Conditions