Last updated: 13 May 2026
Elite Vacation Homes L.L.C. ("Elite Vacations DXB", "we", "us") is committed to protecting your privacy. This Policy explains the personal data we collect when you visit elitevacationsdxb.com, submit an enquiry, or book a Stay, and how we handle it under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL") and, where it applies, the EU General Data Protection Regulation 2016/679 ("GDPR").
1. Data controller
The data controller for personal data collected through this Site is:
- Elite Vacation Homes L.L.C.
- DTCM Holiday Home Operator licence 931642
- Office 613, Onyx Tower 1, Sheikh Zayed Road, PO Box 449183, Dubai, UAE
- Privacy contact: privacy@elitevacationsdxb.com
2. What we collect
We collect only what we need to deliver the service you've asked for, meet a legal obligation, or improve the Site. By category:
a. Identity & contact data
Name, email, mobile/WhatsApp number, country of residence, and (for bookings) a copy of your passport or Emirates ID — required by the UAE Department of Economy and Tourism (DTCM) for guest registration.
b. Booking data
Property booked, check-in and check-out dates, number of guests, special requests, channel of origin (direct, Airbnb, Booking.com, VRBO, Expedia, Tripadvisor), pricing, and notes from our concierge team.
c. Payment data
Card-payment details are entered directly into Stripe's or Tap's hosted form. We never see or store your full card number — we receive only a tokenised reference, the last four digits, and the brand/issuer country for fraud-screening.
d. Communications
Emails, WhatsApp messages, contact-form submissions, and call recordings (when made for service-quality purposes; you'll always hear a notice before the recording starts).
e. Technical data
IP address, browser type and version, device, operating system, time-zone, language preference, referring URL, pages visited, and clickstream — collected via cookies and similar technologies (see our Cookie Policy).
f. Marketing data
Newsletter subscriptions, your preferences, and engagement signals (open / click) from our email platform.
3. How we collect it
- Directly from you — when you book, enquire, subscribe, call, or message us.
- Automatically — via cookies, server logs, and analytics scripts when you use the Site.
- From booking channels — Airbnb, Booking.com, VRBO, Expedia, and Tripadvisor share guest contact and booking data with us so we can fulfil the Stay.
- From payment providers — Stripe and Tap share fraud-screening and authorisation data with us.
- From public sources — for example, business contact details for landlord and corporate-stay enquiries.
4. Legal bases (GDPR Art. 6 / PDPL Art. 5)
We rely on one or more of:
| Basis | Used for |
|---|---|
| Contract | Delivering the Stay you booked. |
| Legal obligation | DTCM guest registration, VAT and tax records, AML checks. |
| Legitimate interests | Fraud prevention, site security, basic analytics, defending legal claims. |
| Consent | Marketing emails, optional analytics and marketing cookies. You can withdraw consent at any time. |
5. How we use it
- Confirm and operate your Stay (housekeeping, concierge, transfers, smart-lock codes).
- Process your payment, send your invoice, collect VAT and Tourism Dirham, and handle refunds or chargebacks.
- Comply with DTCM guest registration (Cabinet Decision 41/2013 Art. 12), tax law, and anti-money-laundering rules.
- Manage your account and respond to your enquiries.
- Send transactional emails (booking confirmation, check-in instructions, post-stay receipt, review request).
- With your consent: send you marketing updates about new homes, seasonal offers, and concierge experiences.
- Detect, prevent, and investigate fraud, abuse, or security incidents.
- Improve the Site by analysing aggregated, anonymised usage data.
6. Who we share it with
We share personal data only with carefully selected processors who help us operate the service. Each is bound by a written data-processing agreement.
| Recipient | Purpose | Location |
|---|---|---|
| Hostaway | Channel manager — syncs availability, bookings, and reservations across OTAs. | EU |
| Stripe | International card payments. | Ireland (EU) |
| Tap Payments | AED card payments, Apple Pay, Mada. | UAE / Saudi Arabia |
| Resend | Transactional emails (confirmations, receipts). | USA |
| Mailchimp (Intuit) | Marketing newsletter (consent-based only). | USA |
| 360dialog / WhatsApp | WhatsApp Business API messaging. | Germany / Ireland |
| Supabase | Encrypted Postgres database hosting. | AWS us-east-1 |
| Vercel | Site hosting and serverless functions. | Global edge network |
| Cloudflare Images | Image CDN and optimisation. | Global edge network |
| Sanity | Content management system. | EU |
| Google (GA4, Maps) | Anonymised analytics, embedded maps. | USA |
| Meta, TikTok | Pixel-based advertising attribution (consent-based only). | USA / Ireland |
| Microsoft Clarity, Hotjar | Anonymised session replay for UX research (consent-based only). | USA / Malta |
| DTCM, FTA, and other UAE authorities | Statutory guest registration and tax compliance. | UAE |
We do not sell or rent your personal data to anyone.
7. International transfers
Some of our processors are located outside the UAE. Where transfers occur, we rely on the standard contractual clauses approved by the UAE Data Office or the European Commission, and on the processor's adherence to recognised security frameworks (e.g. SOC 2, ISO 27001, PCI-DSS).
8. Retention
We keep personal data only for as long as we need it:
| Category | Retention |
|---|---|
| Booking and tax records | 7 years from end of Stay (UAE VAT and corporate-tax law) |
| Passport / Emirates ID scans | Deleted within 90 days of departure, except where law requires longer |
| Enquiry / contact records | 24 months after last contact |
| Marketing data | Until you unsubscribe + 30 days |
| Server logs and analytics | Aggregated after 14 months, raw data deleted |
| Account session cookies | Up to 7 days |
9. Your rights
Under the UAE PDPL and (where it applies) the GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data, subject to legal retention requirements.
- Restrict or object to processing in certain circumstances.
- Portability — receive your data in a machine-readable format.
- Withdraw consent for marketing or optional cookies at any time.
- Lodge a complaint with the UAE Data Office or your local data-protection authority.
To exercise any of these, email privacy@elitevacationsdxb.com. We will respond within 30 days.
10. Children's data
The Site is intended for adults (21+). We do not knowingly collect data from anyone under 18. If you believe a child has provided data to us, please contact us and we will delete it.
11. Security
We protect your data with industry-standard technical and organisational measures:
- Encryption at rest and in transit (TLS 1.3 on every connection; AES-256 at rest in Postgres).
- Role-based access for staff; admin accounts protected by strong-password policy and rate-limited login.
- Webhook traffic verified with HMAC signatures (Stripe, Tap) or HTTP Basic Auth (Hostaway).
- Regular security reviews of code and infrastructure.
- A documented incident-response procedure; in the event of a data breach affecting your rights we will notify you and the relevant authority within 72 hours where required.
12. Changes to this Policy
We may update this Policy from time to time. The current version, with its Last updated date, always lives at this URL. Material changes will be flagged at the top of this page for at least 14 days.
13. Contact
For any privacy question or to exercise a right:
- Email: privacy@elitevacationsdxb.com
- Post: Privacy Officer, Elite Vacation Homes L.L.C., Office 613, Onyx Tower 1, Sheikh Zayed Road, PO Box 449183, Dubai, UAE