Privacy Policy
Last updated: May 2026
Bhutan Tourism ("we", "us", "our") respects your privacy. This Privacy Policy explains what personal information we collect when you use our website and booking platform, how we use it, who we share it with, and the rights you have over your data. By using this site you agree to the practices described below.
1. Information we collect
We collect personal information in the following ways:
- Account information. When you create an account we collect your name, email address, and an encrypted password. Authentication is handled by Supabase.
- Trip planning conversations. When you chat with our AI travel assistant (Dorji), we store the messages you send and the itineraries that result so you can return to them later.
- Booking and visa details. To submit a booking we collect passport numbers, full legal names, nationalities, phone numbers, travel dates, group size, dietary or accessibility needs, and special requests. Bhutanese law requires this information for visa issuance and tour operator licensing.
- Payment information. Payments are processed by Stripe. We never see or store full card numbers. We retain a payment reference, the amount paid, the currency, and the payment status so we can match payments to your booking.
- Technical information. Standard server logs (IP address, user agent, timestamps, requested URLs) used to operate the site and detect abuse.
- Cookies. A session cookie used to keep you signed in. We do not use third-party advertising or cross-site tracking cookies.
2. How we use your information
- To create and manage your account.
- To produce and refine your itinerary using our AI travel planner. Conversation content is sent to our AI inference provider (currently Cerebras) only for the purpose of generating the next message, and it is not used to train public models.
- To process bookings and arrange your in-country guide, vehicle, hotels, and Bhutanese government visa.
- To send transactional email about your booking (confirmation, status updates, payment receipts). These are sent via Resend.
- To respond to messages you send through our contact form.
- To meet legal, accounting, and tax obligations, and to defend against fraud or abuse.
3. Legal bases (for visitors in the EU/UK)
We rely on the following legal bases under GDPR / UK GDPR:
- Contract. Processing your booking and providing the service you requested.
- Legal obligation. Sharing passport and traveler details with the Tourism Council of Bhutan and immigration authorities for visa issuance.
- Legitimate interest. Operating the site, preventing fraud, and improving the planning experience.
- Consent. Where you have opted in, e.g., to optional marketing email.
4. Who we share information with
We share only the information necessary for each recipient to perform their function:
- Bhutanese government authorities: passport numbers, names, and nationalities for visa issuance and Sustainable Development Fee (SDF) payment.
- Our in-country operations team: guides, drivers, and hotels who need your travel dates, group size, accommodation preferences, and special requests.
- Payment processor (Stripe): to take and refund payments.
- Email delivery (Resend): to send transactional email on our behalf.
- Cloud infrastructure (Supabase, Vercel): to host the database and the website.
- AI inference (Cerebras): to process planning conversations.
We do not sell, rent, or trade your personal information to third parties for marketing.
5. International transfers
Some of our service providers are based outside Bhutan, including in the United States and the European Union. Where required, transfers are made under appropriate safeguards such as the EU Standard Contractual Clauses.
6. Data retention
- Account and booking records: kept for 7 years to meet accounting and tax obligations.
- Passport and visa documents: deleted within 90 days of the end of your trip unless we are required by law to retain them longer.
- Planning conversations and draft itineraries: kept while your account is active. You can delete individual conversations at any time from the planner.
- Server logs: rotated after 90 days.
7. Your rights
You can:
- Ask for a copy of the personal information we hold about you.
- Ask us to correct information that is wrong.
- Ask us to delete your account and associated data, subject to the retention obligations above.
- Withdraw consent for any processing based on consent.
- Object to or restrict processing based on legitimate interest.
- Receive your data in a portable, machine-readable format and ask us to transmit it to another provider where technically feasible.
- Lodge a complaint with your local data protection authority if you believe we have mishandled your data.
To exercise any of these rights, contact us using the details below. We respond within 30 days.
8. Security
We use HTTPS for all traffic, encrypted database backups, and least-privilege access for staff. Payments are handled entirely by Stripe; passport details are stored encrypted at rest. No online service can be 100% secure. If you suspect your account has been compromised, contact us immediately.
9. Children
Our service is intended for travelers aged 18 and over. We do not knowingly collect personal information from children under 18 except as part of an adult-led family booking, in which case the responsible adult must provide the child's details.
10. Changes to this policy
When we make material changes we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email.
11. Contact
Questions about this policy or your data can be sent through our contact form.