Meili Platform Privacy Notice

1. Introduction

Meili Travel Technology Limited (“Meili”, “we”, “us”, “our”) provides technology services that enable access to car rental services offered by third-party providers through partner websites and applications.

Meili is committed to protecting personal data and complying with applicable data protection and privacy laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection and privacy laws in the jurisdictions in which we operate or provide our services.

Meili is committed to applying consistent data protection standards globally, regardless of the location of the data subject.

This Privacy Notice explains how personal data is processed in connection with the Meili services.

2. Our Role as a Data Processor

Meili acts solely as a data processor when processing personal data in connection with the services.

This means:

• We process personal data only on the documented instructions of data controllers
• We do not determine the purposes or means of processing
• We do not use personal data for our own independent purposes

Meili’s services are typically integrated into third-party websites or applications. As a result, you interact directly with the relevant partner or provider, rather than with Meili itself.

Meili does not have a direct relationship with end users and does not collect or use personal data for its own independent purposes.

Data Controllers

Depending on how you access the services, the data controllers may include:

• Car rental providers, who act as the primary data controllers for bookings and rental services
• Partner websites or applications, where Meili services are embedded and where you choose to provide your data

For an individual booking, the data controller will typically be:

• the host of the website or application used to make the booking; and
• the rental provider with which the booking is made

These organisations are responsible for:

• Determining how and why your personal data is processed
• Providing you with their privacy notices
• Ensuring a lawful basis for processing
• Responding to your data protection rights

The legal basis for processing your personal data is determined by the relevant data controller and will be set out in their privacy notice, which you will be presented with at the point where you submit your personal data.

No Sale or Independent Use of Data

Meili does not sell personal data and does not use personal data for cross-context behavioural advertising or any independent commercial purposes.

3. Personal Data We Process

We process personal data strictly on behalf of the data controllers and only as necessary to provide the services.

Categories of Data Subjects

We may process personal data relating to the following categories of individuals, depending on how the services are used:

• Individuals making bookings
• Passengers included in bookings
• Loyalty programme members
• Employees, agents or representatives of the Customer
• Supplier representatives

Categories of Personal Data

The categories of personal data processed may include any information you provide at the time of booking or through your use of services powered by Meili, such as the following:

Identification Data

• Name
• Postal address
• Email address
• Telephone number
• Date of birth
• Age category
• Country of residence
• Loyalty programme membership number
• Supplier loyalty number
• Unique user identifier
• Passport number (where required)

Transaction Data

• Passenger Name Record (PNR) data
• Booking references
• Rental details
• Travel dates
• Booking status
• Flight numbers

Technical Data

• IP address
• Device identifiers
• Cookie identifiers
• API logs
• System logs
• Device and browser information

Marketing Data (where enabled by the Controller)

• Marketing consent status
• Consent timestamp
• Communication preferences
• Campaign interaction data

Special Categories of Data

Meili does not knowingly process special categories of personal data (as defined under applicable law).

Where such data is processed, this occurs only on documented instructions from the data controller and subject to appropriate safeguards.

Children’s Data

Meili does not knowingly process personal data relating to children except where instructed by the relevant data controller.

4. Nature and Purpose of Processing

Meili processes personal data only on behalf of and under the instructions of the data controllers for the following purposes:

• Performing the services under the applicable agreement
• Enabling and operating Meili services within partner environments
• Facilitating and managing car rental bookings with suppliers
• Supporting travellers with queries and support obligations
• Enabling loyalty programme integrations
• Supporting analytics, reporting and operational optimisation
• Facilitating fraud prevention, platform security and system integrity
• Maintaining system logs and audit trails
• Supporting optional marketing services where explicitly activated by the controller
• Complying with documented instructions and applicable legal obligations

Where required by applicable law, Meili may process personal data independently of controller instructions, in which case we will inform the controller unless prohibited by law.

5. Data Storage and Retention

Meili stores and processes personal data solely on behalf of the data controllers and in accordance with their documented instructions.

This means:

• Personal data is stored only for the purposes defined by the controller
• Personal data is retained only for the duration specified by the controller or required by law

In practice, personal data may be retained:

• For the duration of the agreement with the controller
• For any additional period required to comply with legal or regulatory obligations
• For backup and disaster recovery purposes in line with standard retention cycles

Upon termination of services:

• Personal data is deleted, anonymised, or returned in accordance with controller instructions, unless retention is required by law

Where personal data remains in encrypted backups:

• Access is strictly restricted
• Data is securely deleted in accordance with standard retention schedules

6. Data Subject Rights (DSAR)

As Meili acts as a data processor, we do not independently determine how personal data is used and do not typically respond directly to data subject rights requests.

If you wish to exercise your rights (including access, rectification, erasure, restriction, or portability), you should contact the relevant data controller.

Where required by applicable law, Meili may assist directly in responding to such requests.

If Meili receives a request:

• We will promptly forward or redirect the request to the appropriate controller; and
• Assist the controller in fulfilling their obligations where required

7. Data Sharing and Sub-processors

Meili may engage authorised third-party service providers (“sub-processors”) to support the delivery of the services.

These may include providers of:

• Cloud hosting and infrastructure
• IT and security services
• Analytics and logging tools
• Customer support systems

All sub-processors:

• Are engaged in accordance with applicable data protection laws (including Article 28 GDPR)
• Are contractually bound to provide a level of data protection no less protective than that set out in our agreements with controllers

8. International Transfers

Where personal data is transferred outside the European Economic Area (EEA), the United Kingdom, or other relevant jurisdictions, Meili ensures appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions
• Other lawful transfer mechanisms under applicable data protection laws

9. Security

Meili implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk in accordance with applicable data protection laws (including Article 32 GDPR).

These measures include:

• Security policies, risk assessments, and governance controls
• Encryption of data in transit (TLS 1.2 or higher) and at rest
• Network security controls, monitoring, and logging
• Segregation of production, development, testing and staging environments
• Vulnerability scanning and penetration testing
• Patch and release management

Access to personal data is restricted to authorised personnel with a legitimate business need and subject to confidentiality obligations.

10. Marketing Services

Meili may provide marketing-related services where this has been explicitly enabled by the relevant data controller.

In such cases:

• The data controller is responsible for obtaining and managing your consent and ensuring a lawful basis for marketing communications
• Meili processes marketing-related personal data only on the documented instructions of the data controller

If you wish to withdraw your consent or manage your preferences, you should follow the instructions provided in the communication or contact the relevant data controller directly.

11. Contact Details

For general queries regarding this Privacy Notice:

Meili Travel Technology Limited
1 Grant’s Row
Lower Mount Street
Dublin 2, D02HX96
Ireland

📧 dataprotection@meili.travel

12. International Users

Data protection and privacy laws may vary depending on your location.

Where required by applicable law, you may have additional rights in relation to your personal data. These rights should be exercised with the relevant data controller, as Meili acts solely as a processor.

Meili will assist data controllers in fulfilling such obligations where required under applicable law.

13. Changes to this Privacy Notice

Any changes to this Privacy Notice will be posted on our website so you are always aware of how personal data is processed in connection with the services, and under what circumstances, if any, we may disclose it.