Privacy Policy

How we collect, use, store, and protect your personal data — in compliance with GDPR and China's PIPL

Last updated: July 9, 2026  |  Effective: July 9, 2026

1. Information We Collect GDPR Art. 13

1.1 Information You Provide Directly

We collect personal data that you voluntarily provide when interacting with our services:

Data CategorySpecific Data PointsCollection Method
Booking InformationFull name, date of birth, nationality, passport number & scan, visa details, emergency contact name & phoneBooking form, email
Medical & Health DataMedical conditions, allergies, medications, fitness level, dietary requirements relevant to trekking safetyMedical declaration form, booking form
Contact DetailsEmail address, phone number, mailing addressBooking form, contact form, account registration
Payment InformationProcessed securely via third-party payment providers (PayPal, Stripe). We do not store full credit card numbers on our serversPayment checkout
Travel InsuranceInsurer name, policy number, 24-hour emergency assistance numberPre-departure form
CommunicationMessages, inquiries, feedback submitted through contact forms or emailContact form, email
Account DataUsername, hashed password, profile photo, booking history, saved preferencesAccount registration

1.2 Information Collected Automatically

Data TypeDetailsLegal Basis
Technical DataIP address, browser type & version, operating system, device type & identifiersLegitimate interest (security, service delivery)
Usage DataPages visited, time spent, referral URL, click patterns, search queriesConsent (analytics), Legitimate interest (service improvement)
Location DataGeneral location based on IP address (not precise GPS)Legitimate interest (currency display, content localization)
Cookie DataSee Section 5 — Cookie PolicyVaries by category (see below)

2. How We Use Your Data GDPR Art. 6

We process your personal data for the following purposes, each with a clear legal basis under GDPR and PIPL:

PurposeData UsedLegal Basis (GDPR)Legal Basis (PIPL)
Booking fulfillmentName, passport, contact, medical, paymentContract performance (Art. 6(1)(b))Necessary for performance of contract (Art. 13)
Safety & emergency responseMedical data, emergency contacts, insuranceVital interests (Art. 6(1)(d))Necessary for life/health (Art. 13)
Legal & regulatory complianceBooking records, payment records, passport copiesLegal obligation (Art. 6(1)(c))Legal obligation (Art. 13)
Website analytics & improvementTechnical data, usage dataLegitimate interest (Art. 6(1)(f))Legitimate interest (Art. 13)
Marketing communicationsEmail, name, trek preferencesConsent (Art. 6(1)(a))Consent (Art. 13)
Fraud prevention & securityTechnical data, payment verificationLegitimate interest (Art. 6(1)(f))Legitimate interest (Art. 13)
Sensitive Data — Explicit Consent Required: We process health and medical data (necessary for your safety on high-altitude treks) only with your explicit, positive consent. You may withdraw this consent at any time, though doing so may affect our ability to safely accommodate your participation.

3. Data Storage & Security

3.1 Data Retention Periods

Data TypeRetention PeriodJustification
Booking & travel records7 years after trip completionLegal/tax requirements under PRC law
Passport & visa copiesDuration of trip + 1 yearRegulatory compliance, dispute resolution
Medical declarationsDuration of trip + 2 yearsSafety liability period
Account dataDuration of account + 2 years after deletion requestLegal compliance period
Marketing preferencesUntil consent is withdrawnConsent-based processing
Analytics data26 monthsGoogle Analytics default retention
Support communications3 years after last contactCustomer service quality
Payment records7 yearsFinancial regulatory compliance

3.2 Security Measures

  • Encryption: All data in transit is encrypted using TLS 1.2+; sensitive data at rest is encrypted using AES-256
  • Access controls: Role-based access with multi-factor authentication for administrative systems
  • PCI DSS compliance: All payment processing meets Payment Card Industry Data Security Standards through our certified payment providers
  • Infrastructure: Hosted on Tencent Cloud with DDoS protection, web application firewall, and automated security patching
  • Incident response: Documented data breach notification procedure compliant with GDPR 72-hour reporting requirement

4. Third-Party Services Disclosure

We share limited personal data with trusted third-party service providers who process data on our behalf or independently for their own purposes. Each third party operates under their own privacy policy.

4.1 Payment Processing

ProviderData SharedPrivacy Policy
PayPal Payment amount, name, email, billing address, card details (processed on PayPal's servers only) PayPal Privacy Policy
Stripe Payment amount, card token, billing details (we never see or store your full card number) Stripe Privacy Policy

4.2 Analytics & Performance

ProviderData SharedPrivacy Policy
Google Analytics Anonymized IP, pages visited, session duration, device/browser info (IP masking enabled; data used for aggregate analytics only) Google Privacy Policy

4.3 Cloud Infrastructure

ProviderData StoredPrivacy Policy
Tencent Cloud Website application data, booking records, uploaded documents (hosted on servers in Hong Kong) Tencent Cloud Privacy Policy
Our Commitment: We require all third-party processors to maintain adequate data protection standards. No third party is authorized to use your personal data for purposes beyond those we have specified.

5. Cookie Policy GDPR Art. 6(1)(a)

We use cookies and similar tracking technologies to operate and improve our website. Below is a detailed breakdown:

CategoryPurposeExamplesDurationLegal Basis
Strictly NecessaryEssential website functionalitySession management, security tokens, currency preference, cookie consent stateSession / 30 daysLegitimate interest
AnalyticsWebsite performance monitoringGoogle Analytics (_ga, _gid, _gat)Up to 2 yearsConsent
FunctionalEnhanced functionality & personalizationCurrency switcher, language preference, recently viewed treks30 daysConsent
MarketingRelevant advertising & retargetingFacebook Pixel, Google Ads conversion trackingUp to 1 yearConsent

Managing Your Cookie Preferences

  • Cookie banner: On your first visit, our cookie consent banner allows you to accept or decline non-essential cookies
  • Browser settings: You can configure your browser to block or alert you about cookies; some features may not function properly
  • Google Analytics opt-out: Install the Google Analytics Opt-out Browser Add-on

6. Your Rights GDPR Art. 15–22

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

RightGDPR ArticleDescription
Right of AccessArt. 15Request a copy of all personal data we hold about you
Right to RectificationArt. 16Request correction of inaccurate or incomplete personal data
Right to ErasureArt. 17Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
Right to Restrict ProcessingArt. 18Request limitation of how we process your data in certain circumstances
Right to Data PortabilityArt. 20Request your data in a structured, machine-readable format for transfer to another service
Right to ObjectArt. 21Object to processing based on legitimate interests or for direct marketing purposes
Right to Withdraw ConsentArt. 7(3)Withdraw consent at any time without affecting the lawfulness of prior processing
Right Not to Be Subject to Automated Decision-MakingArt. 22Not be subject to decisions based solely on automated processing that produce legal effects

How to Exercise Your Rights

  • Email: kunlun@kl-outdoors.com
  • Response time: We will respond to all requests within 30 days (or 60 days for complex requests, as permitted under GDPR)
  • Verification: We may request proof of identity to protect against unauthorized access
  • No fee: Requests are free of charge, except for manifestly unfounded or excessive requests
Supervisory Authority: If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority in the EU/EEA member state of your habitual residence, workplace, or the place of the alleged infringement.

7. PIPL Compliance China PIPL

In addition to GDPR compliance, we adhere to the Personal Information Protection Law of the People's Republic of China (PIPL, effective November 1, 2021) for all processing of personal information of individuals within the PRC.

7.1 Data Localization

Personal information collected from users within China is stored on servers located in Hong Kong SAR, China (Tencent Cloud). We do not transfer PRC users' personal information overseas without completing the required security assessments or entering into standard contract clauses as required by the Cyberspace Administration of China (CAC).

7.2 Cross-Border Transfer Safeguards

  • Security assessment: For transfers exceeding CAC thresholds, we complete the mandatory security assessment
  • Standard Contract Clauses (SCCs): We use CAC-approved standard contract clauses for cross-border personal information transfers
  • Consent: Where required, we obtain separate informed consent for cross-border transfers (PIPL Art. 39)

7.3 Additional Rights Under PIPL

RightPIPL ArticleDetails
Right to be informedArt. 44Know the name, contact, and purpose of the personal information handler
Right to restrict/refuseArt. 44Refuse processing that goes beyond the agreed scope
Right to explanationArt. 48Request explanation of automated decision-making rules affecting your rights
Right to deletionArt. 47Request deletion when processing purpose is achieved, consent withdrawn, or processing violates law

7.4 Delegated Processing & Joint Processing

We maintain a register of all third-party processors acting as our delegated personal information handlers under PIPL. This register includes the processing purpose, data categories, retention periods, and security measures. A summary is available upon request.

8. International Data Transfers GDPR Art. 46

As a trekking company based in China serving international clients, some data processing occurs outside the European Economic Area (EEA). We ensure appropriate safeguards for all international transfers:

8.1 Transfer Mechanisms

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers of EEA residents' data to China
  • Explicit consent: In limited circumstances where SCCs are not applicable, we obtain your explicit, informed consent for the specific transfer
  • Adequacy decisions: Where the European Commission has recognized a country as providing adequate data protection, transfers may proceed without additional safeguards

8.2 Transfer Impact Assessments

For each cross-border transfer, we conduct a Transfer Impact Assessment (TIA) to evaluate the legal framework of the destination country and ensure that the level of protection of your personal data is not undermined.

Primary Data Locations: Booking data and personal information are primarily processed and stored on Tencent Cloud servers in Hong Kong SAR. Payment data is processed by PayPal (Singapore/US) and Stripe (US/Ireland) under their respective data processing agreements.

9. Children's Privacy

Our trekking and adventure travel services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 18 without verifiable parental or guardian consent.

  • Minors aged 16–17 may participate in certain treks only with the written consent of a parent or legal guardian, who must also accompany the booking
  • If you believe a child under 18 has provided us with personal data without consent, please contact us immediately at kunlun@kl-outdoors.com and we will take steps to delete such information
  • Under PIPL, the personal information of minors under 14 is classified as sensitive personal information requiring guardian consent and a dedicated processing rule

10. Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we do:

  • Material changes: We will notify you via a prominent notice on our website and/or by email at least 14 days before the changes take effect
  • Minor changes: Updated "Last updated" date at the top of this page reflects the most recent revision
  • Consent requirements: If a change requires new consent, we will ask for your agreement before continuing processing under the updated terms
  • Version history: Previous versions are available upon request
AI Use Disclosure: Kunlun Outdoors does not use artificial intelligence to make solely automated decisions that have legal or similarly significant effects on individuals without appropriate human oversight. Any AI-assisted tools (e.g., chat support, content personalization) operate under human supervision and do not determine your eligibility, pricing, or legal rights.

Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a data protection concern:

Kunlun Outdoors
Email: kunlun@kl-outdoors.com
Website: kl-outdoors.com
Address: Kunming, Yunnan, China

For EU/EEA residents: You also have the right to lodge a complaint with your local data protection authority under GDPR.