How we collect, use, store, and protect your personal data — in compliance with GDPR and China's PIPL
Last updated: July 9, 2026 | Effective: July 9, 2026
We collect personal data that you voluntarily provide when interacting with our services:
| Data Category | Specific Data Points | Collection Method |
|---|---|---|
| Booking Information | Full name, date of birth, nationality, passport number & scan, visa details, emergency contact name & phone | Booking form, email |
| Medical & Health Data | Medical conditions, allergies, medications, fitness level, dietary requirements relevant to trekking safety | Medical declaration form, booking form |
| Contact Details | Email address, phone number, mailing address | Booking form, contact form, account registration |
| Payment Information | Processed securely via third-party payment providers (PayPal, Stripe). We do not store full credit card numbers on our servers | Payment checkout |
| Travel Insurance | Insurer name, policy number, 24-hour emergency assistance number | Pre-departure form |
| Communication | Messages, inquiries, feedback submitted through contact forms or email | Contact form, email |
| Account Data | Username, hashed password, profile photo, booking history, saved preferences | Account registration |
| Data Type | Details | Legal Basis |
|---|---|---|
| Technical Data | IP address, browser type & version, operating system, device type & identifiers | Legitimate interest (security, service delivery) |
| Usage Data | Pages visited, time spent, referral URL, click patterns, search queries | Consent (analytics), Legitimate interest (service improvement) |
| Location Data | General location based on IP address (not precise GPS) | Legitimate interest (currency display, content localization) |
| Cookie Data | See Section 5 — Cookie Policy | Varies by category (see below) |
We process your personal data for the following purposes, each with a clear legal basis under GDPR and PIPL:
| Purpose | Data Used | Legal Basis (GDPR) | Legal Basis (PIPL) |
|---|---|---|---|
| Booking fulfillment | Name, passport, contact, medical, payment | Contract performance (Art. 6(1)(b)) | Necessary for performance of contract (Art. 13) |
| Safety & emergency response | Medical data, emergency contacts, insurance | Vital interests (Art. 6(1)(d)) | Necessary for life/health (Art. 13) |
| Legal & regulatory compliance | Booking records, payment records, passport copies | Legal obligation (Art. 6(1)(c)) | Legal obligation (Art. 13) |
| Website analytics & improvement | Technical data, usage data | Legitimate interest (Art. 6(1)(f)) | Legitimate interest (Art. 13) |
| Marketing communications | Email, name, trek preferences | Consent (Art. 6(1)(a)) | Consent (Art. 13) |
| Fraud prevention & security | Technical data, payment verification | Legitimate interest (Art. 6(1)(f)) | Legitimate interest (Art. 13) |
| Data Type | Retention Period | Justification |
|---|---|---|
| Booking & travel records | 7 years after trip completion | Legal/tax requirements under PRC law |
| Passport & visa copies | Duration of trip + 1 year | Regulatory compliance, dispute resolution |
| Medical declarations | Duration of trip + 2 years | Safety liability period |
| Account data | Duration of account + 2 years after deletion request | Legal compliance period |
| Marketing preferences | Until consent is withdrawn | Consent-based processing |
| Analytics data | 26 months | Google Analytics default retention |
| Support communications | 3 years after last contact | Customer service quality |
| Payment records | 7 years | Financial regulatory compliance |
We share limited personal data with trusted third-party service providers who process data on our behalf or independently for their own purposes. Each third party operates under their own privacy policy.
| Provider | Data Shared | Privacy Policy |
|---|---|---|
| PayPal | Payment amount, name, email, billing address, card details (processed on PayPal's servers only) | PayPal Privacy Policy |
| Stripe | Payment amount, card token, billing details (we never see or store your full card number) | Stripe Privacy Policy |
| Provider | Data Shared | Privacy Policy |
|---|---|---|
| Google Analytics | Anonymized IP, pages visited, session duration, device/browser info (IP masking enabled; data used for aggregate analytics only) | Google Privacy Policy |
| Provider | Data Stored | Privacy Policy |
|---|---|---|
| Tencent Cloud | Website application data, booking records, uploaded documents (hosted on servers in Hong Kong) | Tencent Cloud Privacy Policy |
We use cookies and similar tracking technologies to operate and improve our website. Below is a detailed breakdown:
| Category | Purpose | Examples | Duration | Legal Basis |
|---|---|---|---|---|
| Strictly Necessary | Essential website functionality | Session management, security tokens, currency preference, cookie consent state | Session / 30 days | Legitimate interest |
| Analytics | Website performance monitoring | Google Analytics (_ga, _gid, _gat) | Up to 2 years | Consent |
| Functional | Enhanced functionality & personalization | Currency switcher, language preference, recently viewed treks | 30 days | Consent |
| Marketing | Relevant advertising & retargeting | Facebook Pixel, Google Ads conversion tracking | Up to 1 year | Consent |
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
| Right | GDPR Article | Description |
|---|---|---|
| Right of Access | Art. 15 | Request a copy of all personal data we hold about you |
| Right to Rectification | Art. 16 | Request correction of inaccurate or incomplete personal data |
| Right to Erasure | Art. 17 | Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations |
| Right to Restrict Processing | Art. 18 | Request limitation of how we process your data in certain circumstances |
| Right to Data Portability | Art. 20 | Request your data in a structured, machine-readable format for transfer to another service |
| Right to Object | Art. 21 | Object to processing based on legitimate interests or for direct marketing purposes |
| Right to Withdraw Consent | Art. 7(3) | Withdraw consent at any time without affecting the lawfulness of prior processing |
| Right Not to Be Subject to Automated Decision-Making | Art. 22 | Not be subject to decisions based solely on automated processing that produce legal effects |
In addition to GDPR compliance, we adhere to the Personal Information Protection Law of the People's Republic of China (PIPL, effective November 1, 2021) for all processing of personal information of individuals within the PRC.
Personal information collected from users within China is stored on servers located in Hong Kong SAR, China (Tencent Cloud). We do not transfer PRC users' personal information overseas without completing the required security assessments or entering into standard contract clauses as required by the Cyberspace Administration of China (CAC).
| Right | PIPL Article | Details |
|---|---|---|
| Right to be informed | Art. 44 | Know the name, contact, and purpose of the personal information handler |
| Right to restrict/refuse | Art. 44 | Refuse processing that goes beyond the agreed scope |
| Right to explanation | Art. 48 | Request explanation of automated decision-making rules affecting your rights |
| Right to deletion | Art. 47 | Request deletion when processing purpose is achieved, consent withdrawn, or processing violates law |
We maintain a register of all third-party processors acting as our delegated personal information handlers under PIPL. This register includes the processing purpose, data categories, retention periods, and security measures. A summary is available upon request.
As a trekking company based in China serving international clients, some data processing occurs outside the European Economic Area (EEA). We ensure appropriate safeguards for all international transfers:
For each cross-border transfer, we conduct a Transfer Impact Assessment (TIA) to evaluate the legal framework of the destination country and ensure that the level of protection of your personal data is not undermined.
Our trekking and adventure travel services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 18 without verifiable parental or guardian consent.
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we do:
If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a data protection concern:
Kunlun Outdoors
Email: kunlun@kl-outdoors.com
Website: kl-outdoors.com
Address: Kunming, Yunnan, China
For EU/EEA residents: You also have the right to lodge a complaint with your local data protection authority under GDPR.