Price Drop Refund

Get refunded if price drops after you book!

Download

VOLA.RO Privacy Policy

How we collect Users data and how we protect it

Vola.ro Privacy and Data Protection Policy

§1. General provisions

  1. Data Controller: Vola.ro SRL, registered office: Splaiul Unirii 165, TNO 2, 2nd floor, Sector 3, Bucharest (“Vola”, “we”, “us”).
  2. Data Protection Officer (DPO): Ana Tatu, email: privacy@vola.ro 
  3. This Privacy Policy applies to the Vola.ro website, the mobile application, contact channels (forms, email, telephone), social media profiles and related services (e.g., flights, hotels, holidays, car rental — provided via partners).

§2. Categories of personal data we process and their sources

  1. Depending on how you use our services, we may process the following categories of personal data:
    1) Account and identification data: first name, last name, email address, phone number, login credentials, account identifiers.
    2) Booking and travel data: itinerary, dates, passenger data (including data required by carriers, e.g., date of birth, document number - where necessary), baggage/seat preferences, booking history.
    3) Payment and billing data: payment status, transaction identifiers, invoice data; we do not store full card details if payments are handled by a payment service provider.
    4) Communication and customer support data: content of enquiries and complaints, call recordings (where used - you will be informed at the start of the call), correspondence, data necessary to provide services such as Trip Protect/Fast Refund, etc.
    5) Technical data: IP address, device identifiers, system logs, browser/app data.
    6) Social media data: profile identifier, comments, reactions, private messages - in accordance with your account settings and the rules of the relevant platform.
    7) Cookies/SDK data: cookie identifiers, activity data within the website/app - in accordance with your consent choices in “Cookie settings”.
    8) Special categories of data (where applicable): health-related information (e.g., requests for special assistance or medical documentation) only if you voluntarily provide it or if it is necessary to handle a specific request/refund/complaint).
    9) AI and messaging data: information that you provide when interacting with our AI-powered tools, including the WhatsApp chatbot, AI Deal Finder and AI Hotel Finder, such as your messages, travel preferences, destinations, travel dates, contact details you voluntarily provide, booking-related information shared during the conversation, and technical information necessary to provide the service.
    10) Sources of data: from you, from travel service providers (e.g., airlines - to the extent necessary to service the booking), from payment service providers, and from your device (cookies/SDK).
     
  2. Is providing data mandatory?

Providing data that is necessary for booking (e.g., contact data, passenger data required by the carrier, billing data) is a condition for entering into and performing the contract - if you do not provide such data, we will not be able to complete the booking/provide the service. Providing marketing data and consenting to analytics/marketing cookies is voluntary and does not affect your ability to purchase. Certain optional features (e.g., enhanced personalisation) may not be available without such cookies.

§3. Purposes and legal bases for processing

We process personal data only where a lawful basis applies, in particular:

  1. Account creation and management; booking and contract performance (purchase of tickets/services) - Art. 6(1)(b) GDPR.
  2. Customer service (24/7), communications, handling requests/complaints and contract-related matters -  Art. 6(1)(b), Art. 6(1)(c) and/or Art. 6(1)(f) GDPR, as applicable.
  3. Accounting, tax and statutory compliance - Art. 6(1)(c) GDPR.
  4. Security, prevention of misuse and fraud, maintaining systems and logs - Art. 6(1)(f) GDPR.
  5. Direct marketing of our own services via email/SMS/push - Art. 6(1)(a) GDPR (consent), where required by applicable law.
  6. Analytics and personalisation based on cookies/SDK (where not strictly necessary) - Art. 6(1)(a) GDPR.
  7. Marketing profiling/retargeting - Art. 6(1)(a) GDPR.
  8. Establishing, exercising or defending legal claims - Art. 6(1)(f) GDPR.
  9. Handling special assistance requests and/or medical documentation (where applicable) - Art. 6(1)(b) GDPR and, where health data is involved, Art. 9(2)(a) GDPR (explicit consent) or Art. 9(2)(f) GDPR (legal claims), as appropriate to the case.
  10. Providing AI-powered customer assistance and travel recommendations (including the WhatsApp chatbot, AI Deal Finder and AI Hotel Finder), responding to enquiries, suggesting travel offers and personalising future interactions – Art. 6(1)(b) GDPR where the processing is necessary to provide requested pre-contractual assistance or perform a contract, and/or Art. 6(1)(f) GDPR where necessary for our legitimate interest in improving customer support and providing personalised travel recommendations.
  11. Improving the continuity and quality of AI-assisted customer interactions by retaining conversation history for a limited period to personalise future recommendations and maintain conversation context – Art. 6(1)(f) GDPR.
  12. We do not use customer personal data to train or improve artificial intelligence models. Should this practice change in the future, this Privacy Policy will be updated before such processing begins.

§4. Recipients of personal data

A. Personal data may be disclosed (to the extent necessary) to the following categories of recipients:

  1. Travel service providers: airlines, GDS/consolidators, insurers and partners providing ancillary services (e.g., Trip Protect/Fast Refund), entities handling refunds/changes
  2. Payment service providers and financial institutions (settlements).
  3. IT/hosting, maintenance, support and communication tool providers (as processors).
  4. AI technology providers supporting our AI-powered customer assistance and recommendation services.
  5. Messaging platform providers, including Meta Platforms Ireland Limited, where you choose to communicate with us through WhatsApp Business.
  6. Analytics and marketing providers - strictly in accordance with your cookies/SDK choices.
  7. Public authorities - where required by law.
  8. Group companies (where applicable): personal data may be shared within Vola.ro group for internal administrative purposes and support functions (e.g., IT, security, risk management, finance), either as separate controllers or as processors, depending on the specific processing activity, with appropriate safeguards and agreements in place.

B. With each processing partner we enter into an agreement appropriate to the relationship: a data processing agreement (Art. 28 GDPR), a joint controllership arrangement (Art. 26 GDPR), or arrangements reflecting separate controllership, as applicable.

C. We select providers that provide sufficient guarantees of an appropriate level of personal data protection and only on the basis of an agreement or another legal instrument permitted under applicable law.

Ryanair

Depending on your package choice, you may need to interact with the Ryanair website in order to finalise your booking. Where this is the case, your Vola.ro cookie preferences will be applied to any Ryanair websites accessed as part of your booking journey. Data collected by the Ryanair websites via these cookies will be used by Ryanair only and will not be shared with Vola.ro. If you have already customised your Ryanair website cookie preferences, please be aware that these preferences will not be shared with us and therefore will not apply when accessing these domains through Vola.ro. For more information on Ryanair’s Cookie and Privacy Policy please see Ryanair’s Privacy Policy and Ryanair’s Cookie Policy.

Nuitée

For accommodation services, Vola.ro works with Nuitée Travel Limited ("Nuitée"), a hotel technology and inventory provider operating a white-label platform integrated into Vola.ro.

In relation to booking data (name, contact details, payment card data, stay details), Nuitée acts as an independent data controller for the processing required to confirm, manage, and process payment for your booking, rather than as a mere processor on Vola.ro's behalf. Your data is transmitted to Nuitée solely for the purpose of completing the booking you initiated.

You should be aware that property descriptions, photos, reviews, and other information displayed on Vola.ro for accommodation bookings may originate from Nuitée's platform, which aggregates data from multiple suppliers and applies automated (AI-assisted) processing, including review analysis and, for photo galleries, images that may be edited or enhanced using AI. This processing does not involve transmitting your personal data to Nuitée for content-aggregation purposes, it relates solely to descriptive property content, not your personal data.

In order to process your booking, Vola.ro shares with Nuitée: the traveller's/travellers' name and contact details, stay details (property, dates, rate), and, where applicable, payment data necessary to confirm the booking. Nuitée Travel Limited is registered in Ireland; processing of your data by Nuitée generally takes place within the European Economic Area. Where Nuitée transfers data to providers outside the EEA (for example, the booked property), the transfer is carried out subject to the safeguards required under applicable data protection law.

For further information on how Nuitée processes your data as an independent controller, see Nuitée's Privacy Policy.

AirClaim

In the event your flight is affected by a disruption within the scope of Regulation (EC) No. 261/2004, Vola.ro may process your contact details (email, phone number) and basic flight data (flight number, date) to notify you of your possible eligibility for compensation, using the legitimate interest basis under Article 6(1)(f) GDPR, given the direct connection to your existing booking. This notification includes a link to a platform operated by our compensation partner, AirClaim.

If you access AirClaim's platform and choose to proceed, you provide your consent and further data directly to AirClaim, which acts as an independent controller for the purpose of assessing and pursuing your compensation claim. Vola.ro may separately transfer supporting booking data (e.g. ticket reference, itinerary details) to AirClaim, but only after you have given this consent, and solely to support the claim you authorised.

You can review AirClaim's own privacy practices at AirClaim privacy policy. You may withdraw consent for the claim directly with AirClaim at any time; this does not affect your right to pursue compensation independently or through the airline.

§5. Transfers outside the EEA

Where we use service providers located outside the European Economic Area ("EEA"), including providers of AI technologies, personal data may be transferred outside the EEA where necessary to provide the requested service.

Where such transfers occur, we rely on one or more of the transfer mechanisms provided under Chapter V GDPR, including:

  • an adequacy decision adopted by the European Commission (where applicable); 
  • the European Commission's Standard Contractual Clauses (SCCs); 
  • supplementary technical and organisational safeguards where required. 

Our AI-powered customer assistance tools are supported by OpenAI. While conversation data is stored within our infrastructure located in the European Union, personal data submitted through AI interactions may be processed by OpenAI in accordance with the applicable international transfer safeguards described above.

§6. Storage periods

We retain personal data only for as long as necessary, in particular:

  1. Bookings/settlements: for the period required by accounting and tax laws applicable to Vola.ro (including archiving obligations) and for the limitation period for claims - no longer than necessary for these purposes.
  2. User account: until account deletion/deactivation plus a reasonable period for settlements/disputes, i.e., until the relevant matter (including court proceedings, where applicable) is completed.
  3. Complaints/customer support: until the case is closed plus the limitation period for claims.
  4. Marketing: until consent is withdrawn/objection is raised or activities are concluded (depending on the channel).
  5. Recruitment: until the recruitment process ends or (where consent is given) until consent is withdrawn or a valid objection is raised, but no longer than 3 years.
  6. Security logs: as a rule (e.g., 6–24 months) or shorter/longer if required due to an incident.
  7. Cookies/SDK: in accordance with Cookie settings.
  8. AI conversations: cached for up to 24 hours to ensure service continuity and stored for up to 30 days for operational support, troubleshooting, fraud prevention and service improvement, including personalisation of future interactions.
  9. WhatsApp communications: retained for the period necessary to handle your request and thereafter for up to 30 days, unless a longer retention period is required for legal claims or compliance purposes.

§7. Your rights

  1. You have the following rights with regard to your personal data: 
    • access, 
    • rectification, 
    • erasure, 
    • restriction of processing, 
    • data portability, 
    • objection (for processing based on Art. 6(1)(f)) GDPR, and 
    • withdrawal of consent (for Art. 6(1)(a)) GDPR - without affecting the lawfulness of processing prior to withdrawal.
  2. If you have given consent, you may withdraw it at any time. Withdrawal affects the permissibility of processing going forward and does not affect processing carried out before withdrawal.
  3. Where we rely on a balancing of interests, in particular Art. 6(1)(f) GDPR, you may object to the processing. This applies in particular where the processing is not necessary for the performance of a contract with you. When you object, we may ask you to specify the reasons for your objection. We will then cease or adjust processing unless we demonstrate compelling legitimate grounds for processing or the processing is necessary for the establishment, exercise or defence of legal claims.
  4. You may lodge a complaint with the supervisory authority ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) if you consider that our processing infringes the GDPR.
  5. To exercise your rights, please contact us in writing or by email using the contact details set out in §1(1), (2) of this Policy or via the contact form available on our website.
  6. We may verify your identity before fulfilling a request, to protect your data and prevent unauthorised access. As a rule, we respond within one month, which may be extended in justified cases under the GDPR.

§8. Automated decision-making and profiling

We may use artificial intelligence tools to provide travel recommendations, answer customer enquiries and personalise user interactions.

These tools assist users by generating recommendations and responding to requests but do not make decisions producing legal effects or similarly significant effects concerning you within the meaning of Article 22 GDPR.

Where personalisation is provided, it is intended solely to improve your customer experience and is based on information you voluntarily provide during your interactions with us. You may stop using these tools at any time.

§9 Artificial Intelligence and WhatsApp Customer Assistance

We provide certain customer assistance services through artificial intelligence ("AI") technologies, including our WhatsApp chatbot, AI Deal Finder and AI Hotel Finder.

These services help users discover travel options, obtain information about our products and services and receive personalised travel recommendations. They currently provide travel inspiration and recommendations only and do not process bookings or issue travel services.

If you choose to interact with us through WhatsApp Business, your communications are transmitted through Meta Platforms in accordance with Meta's applicable privacy documentation.

AI functionality is provided using OpenAI technology.

Conversation history is temporarily cached for up to 24 hours to maintain service continuity and stored for up to 30 days to enable customer support, troubleshooting and the personalisation of future interactions. 

Customer personal data is not currently used to train or improve artificial intelligence models.

Where personal data is transferred outside the EEA in connection with AI services, such transfers are protected using the safeguards described in Section 5 of this Privacy Policy.

§10. Data security

We apply technical and organisational measures appropriate to the risks (including access control, encryption in transit, security monitoring, backups and incident response procedures). In the event of a personal data breach, we act in accordance with the GDPR (including notification where required).

§11. User security

To reduce the risk of fraud and account compromise, we recommend in particular:

  1. Use only official website and app addresses; verify the domain and the HTTPS certificate.
  2. Do not click payment links received in suspicious messages; if in doubt, type the website address manually or contact customer support via official channels.
  3. Verify the sender of email/SMS/push notifications — attackers may impersonate companies (phishing). Never provide passwords, one-time codes or card data in response to messages.
  4. Use a strong, unique password and do not reuse it across services; enable additional account protections where available.
  5. Secure your device (PIN/biometrics), keep the system and browser updated; avoid logging in and paying via public Wi-Fi without additional protection.
  6. Make payments only through trusted channels (e.g., payment provider/bank pages). If you see unusual requests for additional payments or changes to payment details — stop and verify.
  7. Check booking and payment details (amount, currency, payee); keep transaction confirmations and booking numbers.
  8. Beware of requests for “additional baggage payment” or “ticket surcharge” sent from unofficial addresses.
  9. If you suspect unauthorised access to your account or data, change your password immediately and contact us through official channels - as above in §1(1), (2) of this Policy.

These recommendations are informational and do not constitute a security guarantee; however, we apply protective measures appropriate to the risk in line with applicable laws.

§12. Cookies and similar technologies (Website + App)

  1. What cookies/SDK are
    Cookies and similar technologies (in the app: SDKs) store or read information on your device to ensure the operation of the website/app, security, analytics or marketing. Examples include cookies used to identify logged-in users, remember choices to place an order and generate anonymous statistics about how the website is used, or tailor content to user preferences.
  2. Legal basis for cookies
    1) Strictly necessary cookies (technically required to provide the service) — do not require consent (the service cannot be provided without them).
    2) Other cookies/SDK (analytics, functional, marketing) — used only with your consent expressed via the Consent Management Platform (CMP). Analytics and marketing cookies/SDK and related tags (e.g., conversion/remarketing pixels) are inactive by default and are activated only after you provide consent in the CMP.
    3) In addition to the GDPR, the use of cookies/SDKs is governed by the national rules implementing the ePrivacy framework (in Romania, in particular Law no. 506/2004). Any cookies/SDKs other than strictly necessary are activated, sent or read only after the user has provided valid prior consent via the CMP. In such cases, legitimate interests are not relied upon as an alternative to consent.
  3. How we collect consent
    Our banner:
    1) enables “Accept” and “Reject” on an equivalent basis,
    2) allows granular selection of cookie categories,
    3) does not condition access to the service on giving consent,
    4) allows you to change your decision at any time (“Cookie settings”).
  4.  Multi-device consent
    Consents are generally assigned to a device/browser. Synchronisation of consents across devices may occur only for logged-in users and only following their active choice, ensuring:
    1) clear information on the scope of synchronisation,
    2) the ability to refuse synchronisation without losing access to the service, and
    3) equally easy withdrawal of consent on each device.
  5.  Managing cookies
    Users are provided with a genuine and freely given choice regarding non-essential cookies and similar technologies through a consent management platform (CMP), which is the primary way to manage consent preferences. Such technologies are disabled by default and are activated only after explicit user consent. Acceptance and rejection options are presented in an equivalent and easily accessible manner, without the use of dark patterns or forced consent mechanisms.
    Browser or device settings alone do not constitute valid consent for the purposes of non-essential cookies or electronic marketing. Browser settings are an additional technical option that may affect cookie storage but do not replace the CMP consent mechanism. 
    You can manage cookies through your browser settings (which may allow you to disable acceptance of all or certain cookies). This option is usually available under Security/Privacy settings. Your browser may request confirmation of changes. Please note that blocking all cookies may prevent access to certain parts of our website.
    Please note that third parties may also use cookies to analyse how you use their websites and we have no control over that processing. 
    More information about cookies can be found at http://www.allaboutcookies.org and in those parties’ privacy settings.
  6.  Cookie list and retention periods
    The current list of cookies/partners and their retention periods is available in the consent banner after clicking “Personalise/Customise”.

§13. Social media

  1. We operate official profiles on, among others: Facebook, Instagram, LinkedIn, YouTube, X and TikTok. The scope of data depends on your privacy settings on those platforms.
    Joint controllership
    1) With respect to Facebook/Instagram, we may act as joint controllers of statistical data (Insights) together with Meta Platforms. Details follow from Meta’s Page Insights terms. For the purposes of exercising your GDPR rights in relation to Page Insights, you may contact us (see §7 (5)) and/or Meta Platforms. The essence of the joint controllership arrangement (allocation of responsibilities) is made available by Meta in the Page Insights terms.
    2) In some cases (e.g., Facebook/Instagram and similar statistics on other platforms), Vola.ro may act as a joint controller together with the platform operator for the creation and provision of page/profile statistics.
    3) The platform operator usually remains solely responsible for most processing of user data (account, login, ads, profiling on the platform). Vola.ro has limited influence over that scope.
    4) Further details about processing and the allocation of responsibilities can be found in the relevant platforms’ privacy policies and terms.
  2. Purposes and legal bases
    We process social media data for the following purposes:
    1) Communication and handling enquiries (customer care) - responding to messages, comments and reports;
    2) Legal basis: Art. 6(1)(f) GDPR (legitimate interest: communication and support) or Art. 6(1)(b) GDPR where interaction concerns pre-contractual steps or service performance (e.g., a booking issue).
    3) Moderation and community safety - responding to terms breaches, spam and abuse;
    Legal basis: Art. 6(1)(f) GDPR (legitimate interest: safe communications and protection of users/brand).
    4) Marketing and brand communications - publishing content, running campaigns, informing about offers;
    5) Legal basis: Art. 6(1)(f) GDPR for organic activities on the platform; if marketing is connected with tracking on the website/app (pixel/remarketing) - see cookies/SDK consents.
    6) Fanpage statistics and analytics (Insights) - summaries and statistics of reach/engagement;
    Legal basis: Art. 6(1)(f) GDPR (legitimate interest: assessing communication effectiveness), taking account of the platform’s role.
  3. Source of data
    Data comes:
    1) directly from you (when you post/comment/message), and
    2) from the social media platform (in the scope of statistics and functionalities provided to page administrators).
  4. Recipients of social media-related data and campaigns
    1) Your data may be disclosed to:
    a) providers of tools supporting social media operations (e.g., moderation and inbox management tools) - as processors,
    b) marketing agencies/partners supporting campaigns - to the extent necessary and on the basis of agreements,
    c) public authorities — where required by law.
    2) Campaigns, remarketing and cookies/SDK linkage
    If Vola.ro runs advertising campaigns in social media (e.g., Meta Ads, TikTok Ads, YouTube/Google Ads):
    a) the platform may process user data under its own rules as an independent controller, and
    b) Vola.ro may receive campaign effectiveness reports (usually aggregated).
    3) If campaigns involve conversion measurement, remarketing or pixels/trackers on the website/app (e.g., Meta/Facebook Pixel, conversion tags), such mechanisms:
    a) are activated only after you consent in cookies/SDK settings (marketing/analytics category depending on CMP configuration), and
    b) can be disabled at any time in “Cookie settings”.
    4) Vola.ro does not use practices intended to hinder refusal of consent (no “dark patterns”) and ensures equal accessibility of Accept/Reject options on the first layer of the cookie banner, in line with EU best practice.
  5. Embedded content and plug-ins
    1) If we embed social media content in Vola.ro services (website/app) (e.g., YouTube videos, TikTok/Instagram content), such embeds may result in the transmission of data to the content provider (e.g., IP address, identifiers).
    2) Where embeds are not technically necessary, Vola.ro activates them only after consent in “Cookie settings” (e.g., “external media”/“marketing” depending on CMP configuration).
    3) Provider details and embed functionality are available in “Cookie settings”.
  6. Storage periods (social media)
    1) Private messages and correspondence: until the matter is handled and thereafter for the period necessary to defend against claims (typically until limitation periods expire, or shorter where there is no basis for further retention).
    2) Comments/reactions: generally available within the platform until you delete them or according to platform rules; Vola.ro may remove content that violates moderation rules.
    3) Statistical data (Insights): as provided by the platform’s scope and retention.
  7.  Data subject rights
    1) Your rights correspond to those described in §7 (access, rectification, erasure, restriction, objection, portability where applicable, and withdrawal of consent where processing is based on consent, e.g., cookies/SDK).
    2) Requests relating to your interaction with Vola.ro (e.g., correspondence) should be sent to privacy@vola.ro
    3) Requests relating to processing by the platform (account data, profiling on the platform) should be exercised via your account settings and the platform’s support channels.
  8. Moderation rules
    Vola.ro may remove content that is unlawful, offensive, contains third-party data without authorisation, constitutes spam or violates platform rules. Where necessary, Vola.ro may report violations to the platform operator.

§14. Changes to the policy

This Policy may be updated from time to time. The current version is dated July 10, 2026.