Policies & Legal
Data Processing Agreement
Version 1.0 · 6 July 2026
This Data Processing Agreement (DPA) is available to travel-trade partners and agents who share guests’ personal data with ZimTravellers for the purpose of arranging travel. It supplements our commercial agreement with those partners.
1. Roles
Where a partner passes guest data to us to arrange travel, the partner acts as data controller and MHLTravels AS acts as processor (or independent controller where we contract directly with the guest). We process only the data needed to deliver the services requested.
2. Scope of processing
Categories: guest contact details, travel documents where required for bookings, travel preferences, dietary and medical notes relevant to safety. Purpose: arranging and operating the booked travel services. Duration: the life of the booking plus statutory retention periods.
3. Our commitments
- Process data only on documented instructions
- Keep guest data confidential and train those who handle it
- Apply appropriate technical and organisational security measures
- Assist with data-subject requests and breach notifications without undue delay
- Delete or return personal data at the end of the engagement, unless law requires retention
4. Sub-processors
We use vetted sub-processors for hosting, analytics and communications, and we remain responsible for their performance. A current list is available on request.
5. International transfers
Guest data may be processed in Norway, Zimbabwe and the EU/EEA. Where data moves outside the EEA we rely on appropriate safeguards, including standard contractual clauses where required.
6. Requesting a signed DPA
Trade partners can request an executable copy of this DPA by writing to josh@zimtravellers.com.