This GDPR Statement applies to persons in the European Economic Area (“EEA”), including those based in the United Kingdom. This GDPR Statement supplements our Statement; however, where the Statement conflicts with the GDPR Statement, the GDPR Statement will prevail as to persons located in the EEA.

Tripadvisor LLC is the controller of personal information we collect; however, in accordance with applicable data privacy law, we have appointed representatives within the European Union and United Kingdom.

The contact details of our European Union representative are:

Tripadvisor Ireland Limited
C/O Matheson
70 Sir John Rogerson's Quay
Dublin 2
D02 R296
Ireland

The contact details of our United Kingdom representative are:

Tripadvisor Limited
7 Soho Square
London
W1D 3QB
United Kingdom
Attn: Privacy Officer

Tripadvisor Ireland Limited and Tripadvisor Limited’s roles in this respect are limited solely to being a contact point for questions on data protection from European (including UK) residents and data protection supervisory authorities. For the avoidance of doubt, neither Tripadvisor Ireland Limited nor Tripadvisor Limited can field other communications or legal process on behalf of Tripadvisor LLC.

You have certain rights regarding your personal information.

Your rights with respect to your own personal information include the following:

• The right to request access to your personal information. This enables you to receive a copy of the personal information we hold about you.
• The right to request correction of your personal information if it is inaccurate. You may also supplement any incomplete personal information we have, taking into account the purposes of the processing.
• The right to request deletion of your personal information if:

• your personal information is no longer necessary for the purposes for which we collected or processed them; or
• you withdraw your consent if the processing of your personal information is based on consent and no other legal ground exists; or
• you object to the processing of your personal information and we do not have an overriding legitimate ground for processing; or
• your personal information is unlawfully processed; or
• your personal information must be deleted for compliance with a legal obligation.

• The right to object to the processing of your personal information. We will comply with your request, unless we have a compelling overriding legitimate interest for processing or we need to continue processing your personal information to establish, exercise, or defend a legal claim.
• The right to restrict the processing of personal information, if:

• the accuracy of your personal information is contested by you, for the period in which we have to verify the accuracy of the personal information; or
• the processing is unlawful, and you oppose the deletion of your personal information and request restriction; or
• we no longer need your personal information for the purposes of processing, but your personal information is required by you for legal claims; or
• you have objected to the processing for the period in which we have to verify overriding legitimate grounds.

• The right to data portability. You may request that we send this personal information to a third party, where feasible. You only have this right if it relates to personal information you have provided to us where the processing is based on consent or necessity for the performance of a contract between you and us, and the processing is conducted by automated means.
• You also have the right to lodge a complaint before your national data protection authority.

You will not usually have to pay a fee to access your personal information (or to exercise any of the other rights described in this Statement). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights).  To the extent you use a third party to submit a data request on your behalf, we may need to take reasonable steps to verify the authenticity of the request. These are security measures to ensure that personal information is not disclosed to any person who has no right to receive it. In an effort to speed up our response, we may also contact you to ask you for further information in relation to your request. You can exercise several of your rights through the personal information section of your account. To exercise your other rights you can file a request by clicking here.

We will only use your personal information under the circumstances permitted by the law or you.

Pursuant to GDPR, we will use your personal information in one or more of the following circumstances:

Your personal information may be stored or transferred to countries outside the EEA and the UK for the purposes described in this Statement. When we store or transfer your personal information outside the EEA and the UK, we take the following precautions to ensure that your personal information is properly protected.

Whenever we store or transfer your personal information outside the EEA and the UK, we will do so in accordance with applicable law, and we will ensure a similar degree of protection is afforded to it by implementing appropriate safeguards. Transfers of personal information are made:

• to a country recognised by the European Commission as providing an adequate level of protection; or
• to a country which does not offer adequate protection but whose transfer has been governed by the standard contractual clauses of the European Commission or by implementing other appropriate cross-border transfer solutions to provide adequate protection.

By using our Services, you understand that your personal information may be transferred to our facilities and those third parties with whom we share it, as described in this Statement.

In addition to the further details as described in the Statement, we make the following disclosures:

• We may collect, disclose, and use the following categories of personal information for our business and commercial purposes: Identifiers/Contact Information, transactional information, commercial information, Internet or other electronic network activity information, geolocation, visual and audio information and inferences drawn from the above.
• We may collect the following categories of sensitive personal information: government identification cards such as driver’s license; precise geolocation data. We may also collect race, ethnicity, sexual orientation, or religion where you voluntarily disclose it to us, including, for example, in the context of diversity and inclusivity disclosures you choose to make.
• We collect and use these categories of personal information for the business and commercial purposes described in Section 2 of this Statement.
• We may disclose each of these categories of personal information for the commercial and business purposes described in this Statement to the extent permitted by applicable law to the categories of third parties as described in Section 3 of this Statement.
• We collect these categories of personal information from the sources described in Section 1 of this Statement.
• We may” sell” or “share” categories of personal information, including Identifiers/Contact Information, Internet or other electronic network activity information and inferences drawn from the above. We may “sell” or “share” these categories of personal information to or with the categories of third parties described in Section 3 of this Statement. We do so for the commercial or business purposes described in Section 2.

This California Privacy Statement is provided pursuant to California laws. It applies to California residents and supplements our overall Statement with additional disclosures and rights.

Your California Rights

California residents are permitted one time each year to request certain details about how their personal information is shared with third parties for their direct marketing purposes. To make a request, please submit a request, or write to us at the address listed below. Indicate in your letter that you are a California resident making a “Shine the Light” inquiry.

California residents may also take advantage of the following rights:

• Access. You may request, that we disclose to you the categories and specific pieces of personal information that we have collected about you, the categories of sources from which we collected your personal information, our business or commercial purpose for collecting your personal information, the categories of personal information that we have disclosed for a business purpose, any categories of personal information about you that we have sold, the categories of third parties with whom we have disclosed your personal information, and the business or commercial purpose for collecting, selling, or sharing your personal information, if applicable.
• Deletion. You may request that we delete your personal information that we maintain about you, subject to certain exceptions. As described in more detail in our Statement, there are some reasons for which we will not be able to fully address your deletion request, such as if we need to complete a transaction for you, to detect and protect against fraudulent and illegal activity, to exercise our rights, or to comply with a legal obligation. You can also access, update, and remove your information by visiting the Member Profile page on our website.
• Correction. You can request that we correct inaccurate personal information that we maintain about you.
• Do Not Sell or Share My Personal Information. You may request to opt out of our sale or sharing of your personal information to third parties. For purposes of this California Privacy Statement, “sell” means the sale of your personal information to a third party for monetary or other valuable consideration, subject to certain exceptions set forth in applicable California law. For purposes of this California Privacy Statement, “share” means disclosure of personal information to third parties for cross-context behavior al advertising purposes, subject to certain exceptions in applicable law. To effect the opt out, please click on the “Do Not Sell or Share My Personal Information” button on the bottom of the homepage or submit a request in writing to the contact information below. As described above, we, and certain other companies, place tracking technologies, such as cookies, on our websites which allow us, and those companies, to receive information about your activity on our websites that is associated with your browser or Device. We and these companies may use that data to customize content for you and to serve you more relevant ads on our websites or others. Note that if you would like to opt out of tracking for behavior al advertising purposes, you will need to set your preferences by clicking the “Cookie consent” link at the bottom of the webpage or you may broadcast an opt-out preference signal recognized by Tripadvisor, such as the Global Privacy Control opt-out preference signal (on the browsers or browser extensions that support such a signal). We do not knowingly sell or share the personal information of minors under 16 years of age.

To take advantage of any of these rights, please contact us via our dedicated privacy portal by clicking here or writing to us at Tripadvisor LLC: 400 First Avenue, Needham, Massachusetts, 02494, USA. California residents may designate an authorized agent to make a request on their behalf. When submitting the request, please ensure the authorized agent is identified as an authorized agent. We may need to verify your identity or elements of the request to enable us to process your request. We will take reasonable steps to verify your identity; these verification steps will vary depending on the sensitivity of the personal information and whether you have an account with us. We may deny certain requests, or fulfil a request only in part, based on our legal rights and obligations. For example, we may retain personal information as permitted by law, such as for tax or other record keeping purposes, to maintain an active account, and to process transactions and facilitate customer requests. We value your privacy and will not discriminate against California residents in response to your exercise of privacy rights.

This Multi-State Privacy Statement is provided pursuant to applicable state laws and applies to Virginia, Connecticut, and Colorado residents, and supplements our overall Statement with additional disclosures and rights.

If you are a resident of Virginia, Connecticut, or Colorado you may take advantage of the following rights in accordance with applicable law:

• Confirmation/Access. You can request to confirm whether we process your personal information. Subject to certain exceptions, you can also request a copy of your personal information you provided to us.
• Deletion. You can request that we delete personal information we have about you.
• Correction. You can request that we correct inaccurate personal information we maintain about you.
• Opt Out of Sale. You can request to opt out of the sale of your personal information to a third party.
• Opt Out of Targeted Advertising. We may display advertisements to you where the ad was selected based on personal information obtained from (or in some instances inferred) from your activities over time and across unaffiliated websites or online applications to predict your preferences or interests. To the extent permitted by law, you can request that we stop using your personal information for such targeted advertising by clicking on the “Cookie consent” link that may be in the footer of our websites. Additionally, you can opt out of certain uses of cookies for advertising purposes by visiting www.aboutads.info/choices. For more information, please see Section 9 above. Your opt-out of cookie-based tracking for advertising purposes is specific to the device, website, and browser you are using; it is deleted whenever you clear your cookies or your browser’s cache.

To take advantage of any of these rights, please contact us via our dedicated privacy portal by clicking here  or in writing at Tripadvisor LLC: 400 First Avenue, Needham, Massachusetts, 02494, USA. Note that Connecticut and Colorado residents may designate an authorized agent to request on their behalf that we stop selling or processing their personal information for targeted advertising purposes. We will take reasonable steps to authenticate your identity prior to responding to your requests. The authentication process will vary depending on the sensitivity of the personal information and whether you have an account with us. We will use commercially reasonable efforts to authenticate the identity of authorized agents and their authority to submit requests on your behalf.  

We may deny certain requests, or fulfil a request only in part, based on our legal rights and obligations. You have the right to submit an appeal if you are not satisfied with the outcome of your request by submitting a request here.

This Korea Statement applies to persons in the Republic of Korea. This Korea Statement supplements our Statement; however, where the Statement conflicts with the Korea Statement, the Korea Statement will prevail as to persons in Korea.

We process the personal data we have collected for the purposes set forth below. We will retain your personal data in accordance with the Statement and as described in further detail below.

You have certain rights regarding your personal data. Your rights with respect to your own personal data include those under the Statement and the following:

• The right to consent to the collection of your personal data. When we request your personal data, the data that is mandatory for the services that are being provided will be marked accordingly. You can choose not to provide us with the requested data but this may impede your use or access of the relevant services.
• The right to consent to the sharing of your personal data, delegation of processing of your personal data or international transfer of your personal data.
• The right to request access, correction, deletion and suspension of processing of personal data to the extent permitted under Article 35, Section 5 and Article 37, and Section 2 of the Personal Information Protection Act.
• You can exercise your rights by filing a request here. You may also appoint an attorney-in-fact to exercise your rights by submitting a power of attorney to us in the form of Appendix 11 prescribed under the Regulations of the Personal Information Protection Act. We reserve the right to request specific information from you to help us confirm your identity or verify the identify and relationship of your attorney-in-fact and ensure your right to access your personal data (or to exercise any of your other rights).

Tripadvisor is a general audience site and does not offer services directed to minors. We do not knowingly collect data relating to minors. If a person whom we know is under 14 years of age sends us personal data, we will delete or destroy this information as soon as reasonably possible.

We may share information with third parties, such as those listed below, in order to facilitate some of our Services and products. There may also be legal reasons for which we have to share your personal data. Some of our Services and products require that we share information with the third parties listed below. There may also be legal reasons that we have to share your personal data.

To efficiently provide our Services to you, we have delegated certain processing functions as described below to the third parties listed below. We will obtain your consent when you provide your information and delegate processing to such third parties pursuant to the agreements in place with such third parties.

Your personal data may be stored or transferred to countries outside Korea for the purposes described in this Statement. When we store or transfer your personal data outside Korea, we will notify you and request your consent unless such transfer is being made for the purpose of performing the services requested by you and to further your convenience.

We want you to feel confident about using our Services so we are committed to protecting the information we collect. We have implemented the following administrative, technical, and physical security procedures to help protect the personal information that you provide us.

• Administrative Security Procedures: Only a limited number of authorized workers are permitted access to personal data in accordance with internal access controls. Access is granted on a role permission basis only for permitted business functions.
• Technical Security Procedures: Personal data is encrypted when it is transmitted. We use firewalls and intrusion detection systems to help prevent unauthorized persons from gaining access to personal data. Certain user data may be hashed depending on its sensitivity.
• Physical Security Procedures: Data is secured in lockdown restricted cages. This data is stored in restricted data centres. Hard drives are physically destroyed when replaced and we have internal procedures in place to secure access to restricted server rooms and physical assets.

We will destroy or delete your data when the data retention period has lapsed, when you no longer maintain your account or if the purpose of data collection has been achieved.

The procedure and method of destruction and deletion is as follows:

• Procedure: Personal Information is disposed of, destroyed, or deleted for the protection of information in accordance with our internal company policy and other applicable laws, after the purpose of its collection has been fulfilled.
• Method: Personal Information in paper format will be destroyed using paper shredder, and Personal Information stored in electronic format will be destroyed using technical methods which make the records unrecoverable.

You can exercise several of your rights through the personal information section of your account. To exercise your other rights, you can file a request by clicking here, or you can contact our representative in Korea, who has been appointed in accordance with the applicable Korean law for the purpose of handling personal data protection questions or requests in Korea.

The contact details of our representative are:

LAB Partners (Managing Partner: Youngju Kim)

Tel: 02-6956-6311

Email: tripadvisor@labpartners.co.kr

Address: 8th Floor, VPLEX, 501 Teheran-ro, Gangnam-gu, Seoul, Korea 06168

LAB Partner’s role in this respect is limited solely to being a contact point for questions or requests on personal data protection from persons in Korea and data protection supervisory authorities. For the avoidance of doubt, LAB Partners cannot field other communications or legal process on behalf of Tripadvisor LLC.

This LGPD Statement is applicable whenever you access our website and application provided in Brazil. This LGPD Statement supplements our Statement; however, where the Statement conflicts with the LGPD Statement, the LGPD Statement will prevail as to persons in Brazil.

This LGPD Statement is intended to help you understand what information is collected, why we collect it, whether we share it, and with whom. In addition, this LGPD Statement is intended to inform you of your rights in connection with this information and how to exercise them.

Tripadvisor LLC is the data controller of personal information we collect; however, in accordance with applicable Brazilian data privacy law, we have appointed a Data Protection Officer (“DPO”) in Brazil:

Opice Blum, Bruno e Vainzof Advogados Associados

tripadvisor@opiceblum.com.br

We will only use your personal data when the law allows us.

Pursuant to LGPD, we may use your personal information in one of or more of the following circumstances:

• Meet the purpose given at the time of collection, including to allow the performance of the contract we have entered into with you.
• Comply with legal or regulatory obligations, regulations of government agencies, tax authorities, judiciary, and/or other competent authorities.
• Allow the regular exercise of our rights guaranteed by law, including as evidence in judicial, administrative, or arbitration proceedings.
• Enable the necessary activities for our operations involving the continuity of our operations whilst balancing against your interests and expectations so as not to cause a detriment to your interests, rights and fundamental freedoms.
• Fulfill the purpose for which the information was provided or for other purposes compatible with them and informed to you at the time of collection of your data. For example, we may process your data when contacting our service channels, including for information about our products or for your feedback.
• Based on our legitimate interests, we may also process your personal information, for example, to enable our communication and marketing activities and improve our products, services, and relationships with our customers and partners whilst balancing against your interests and expectations so as not to cause a detriment to your fundamental rights or freedoms.
• Prevent fraud and ensure your safety to detect, prevent, and investigate fraudulent activity.

You have the following rights relating to your services:

• Know if we process any of your personal information, including the types of personal information.  
• Correct incomplete, inaccurate, or outdated personal information.
• Request anonymization, blocking or deletion of unnecessary, excessive, or perhaps unlawful information.
• Request the portability of your information to another service provider or product.
• Request the deletion of the data processed with your consent.
• When the processing activity requires your consent, you may refuse to provide your consent, and we will inform you of the consequences of your refusal.
• When the processing activity requires your consent, at any time you can revoke it.

You may exercise these rights directly on our website and application, for example by editing your registration information directly in your member profile. You can also submit a request directly on our privacy portal by clicking here.

You may also contact our DPO, whose contact details are made available at the beginning of this LGPD Statement.

You will not have to pay fees to access your personal information (or to exercise any of the other rights described in this LGPD Statement).

We may need to request specific information from you to confirm your identity and secure your right to access your personal information (or exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to anyone who does not have the right to receive it. In an effort to speed up our response, we may also contact you to request more information regarding your request.

In specific cases, your request may not be fulfilled. In these cases, we will explain the justifications for our refusal. For example, requests involving personal information and/or documents of other individuals will not be shared so as to protect the privacy of those individuals unless permitted by applicable law.

In the case of request for deletion, we may keep your personal information if there is a legal basis that authorises us to do so, as in the case of mandatory storage for a minimum period determined by applicable laws.

We may share information with third parties in order to facilitate some of our services and products. There may also be legal reasons that we have to share your personal information. Some of our services and products require that we share information with third parties. There may also be legal reasons that we have to share your personal information.

To efficiently provide our Services to you, we have delegated certain processing functions to third parties. Please see “Information Sharing” section above for more information.

Your personal information may be stored or transferred to countries outside Brazil for the purposes described in this Statement. Such transfers are generally made for the purpose of performing the Services made available to you and are made in accordance with any applicable legal requirements, including with the relevant safeguards and security.

We have implemented the following administrative, technical, and physical security procedures to help protect your personal information.

• Administrative security procedures: a limited number of authorized workers have access to personal data in accordance with internal access controls. Access is granted based on role permission only for allowed business roles.
• Technical security procedures: The personal information is encrypted when it is transmitted. We use firewalls and intrusion detection systems to help prevent unauthorized people from accessing personal data. Certain user data can be hashed or encrypted depending on its sensitivity or processing activity.
• Important security procedures: the data is protected and stored in restricted data centers. Hard drives are physically destroyed when replaced, and we have built-in procedures to ensure access to restricted server rooms and physical assets.

We may retain your information if it is necessary to comply with a legal or regulatory obligation or for our legitimate interests in connection with the purposes set out in this Statement. In addition, we may retain your information for the duration of any period necessary to establish, exercise or defend any legal rights.

The procedure and method of destruction and exclusion are as follows:

• Procedure: Personal information is deleted, destroyed, or deleted in accordance with our company's internal policy and other applicable laws.
• Method: Personal information in paper format will be destroyed securely, such as using paper shredders. Personal information stored in electronic format will be destroyed using technical methods that make records unrecoverable.

Previous version: https://tripadvisor.mediaroom.com/privacy-policy-2022-in