Viaferry.com Privacy Statement

Last updated: April 2026

1. Controller
Island Bookings B.V., operating under its trade name Viaferry, registered at Zwarte Kijkerweg 25, 7313 GC Apeldoorn, The Netherlands, Chamber of Commerce registration number: 63689456, is responsible for the processing of personal data as described in this privacy statement.

Website: www.viaferry.com
Email: privacy@viaferry.com

No Data Protection Officer has been appointed. For privacy-related questions, please contact us via the email address above.

2. What personal data do we process?
We process personal data that you provide to us, that we receive from the main booker, or that is necessary for the performance of our services, including:
- Identity and contact details
- Data from fellow travellers on group trips
- Booking, travel and accommodation details
- Payment and billing information
- Communication data
- Technical data (IP address, cookies, browser information)

If you provide us with personal data of other travellers, we expect you to inform them about this privacy statement.

3. Special personal data (medical data)
When booking a trip, you can voluntarily provide additional information, such as dietary requirements, allergies or mobility restrictions.

This concerns special personal data within the meaning of Article 9 GDPR.

We only process this data:
- with your express consent;
- to the extent necessary to make appropriate arrangements.

You are not obligated to provide this information. If you do not provide this information, we may not be able to arrange certain services or may only be able to arrange them to a limited extent.

In principle, this data will be deleted after completion of the trip, unless a longer retention period is necessary in connection with an incident, claim or legal obligation.

4. Purposes and legal bases
We process personal data for the following purposes and based on the associated legal grounds:
- Execution of the travel agreement (Article 6 paragraph 1 sub b GDPR): bookings, group travel, transportation, accommodations, insurance and customer service.
- Compliance with legal obligations (Article 6 paragraph 1 sub c GDPR): administration, tax retention obligations, border and security obligations.
- Legitimate interest (Article 6 paragraph 1 sub f GDPR): improving our services, website analysis, fraud prevention and security.
- Consent (Article 6 paragraph 1 sub a GDPR): newsletters, marketing, cookies.

5. Identification and border control
For some journeys, it may be necessary for us to process identification data, such as:
- passport or identity number
- nationality and validity of travel documents

This data will be used exclusively for the execution of the trip and will, in principle, be deleted after completion, unless a longer retention period is necessary due to legislation or in connection with a claim.

6. Contests and promotional activities
If we organise competitions or promotional activities, we process personal data to enable participation, select winners and award prizes.

Legal basis: execution of the competition or promotional activity and/or consent.

Personal data will be deleted after the campaign is completed, unless legal retention obligations require otherwise.

7. Reviews and ratings
We may invite customers to leave a review on our website.
Personal data will only be published with permission or in an anonymised form.

Legal basis: legitimate interest or consent.

8. Recipients of personal data
We share personal data with third parties only if this is necessary for the execution of the trip or our services, such as:
- carriers, accommodations and travel partners
- insurers
- payment service providers
- IT, hosting and marketing service providers
- government agencies if legally required

We conclude processing agreements or other appropriate arrangements with these parties.

9. International transfer
In the context of the execution of travel agreements, it may be necessary to provide your personal data to travel partners outside the European Economic Area (EEA). This may include carriers and other service providers involved in the execution of your trip, such as local ferry companies and bus companies in countries outside the EEA, for example, Indonesia.

These parties only receive the personal data necessary for the execution of the agreement, such as name, travel details, and, if relevant, additional information required for the safe and correct execution of the trip.

These travel partners process your personal data as independent data controllers and are themselves responsible for the lawful processing and protection of your personal data in accordance with the applicable privacy laws.

The transfer of personal data to countries outside the EEA is based on Article 49, paragraph 1, subparagraph b, of the General Data Protection Regulation (GDPR), because this transfer is necessary for the execution of the travel agreement you conclude with us or for the implementation of pre-contractual measures at your request. Please note that some countries outside the EEA may have a different level of data protection than those within the EEA. However, we take appropriate measures to ensure that your personal data is handled with care and is only provided for the purpose of completing your trip.

10. Automated decision-making and profiling
We do not use automated decision-making that has legal consequences for data subjects.
Profiling may take place for marketing purposes only if you have given permission via your cookie settings.

11. Retention periods
- Booking and administrative data: 7 years
- Identification and medical data: in principle, until completion of the trip
- Marketing and newsletter data: until consent is withdrawn
- Customer accounts: as long as active, thereafter a maximum of 2 years

12. Security
We take appropriate technical and organisational measures to protect personal data, including:
- SSL encryption
- access restriction based on role and necessity
- regular security updates and internal procedures

13. Rights of data subjects
You have the right to access, correct or delete your personal data, to restrict or object to its processing, to data portability, and to withdraw consent.

You can submit requests via privacy@viaferry.com.

14. Complaints
You have the right to lodge a complaint with the Dutch Data Protection Authority via www.autoriteitpersoonsgegevens.nl.

15. Changes
We reserve the right to amend this privacy statement. The current version is always available on our website, www.viaferry.com.