Personal Data Protection Policy

This Personal Data Protection Policy complies with the provisions of Law No. 29733 – Personal Data Protection Law and its Regulation (Supreme Decree No. 003-2013-JUS), as well as current complementary regulatory provisions. By using the services and tourist products offered by MACHUPICCHU TERRA SRL, RUC No. 20564091490, you authorize the collection, processing, and, where applicable, transfer of your personal data in accordance with the terms outlined below.

---

1. Personal Information We Collect

For the proper provision of our tourist services, we may request personal information, including but not limited to:

• Identification Data: First name, last name, ID card or passport.
• Contact Data: Address, phone number, and email.
• Booking and Contracting Data: Information necessary for booking tourist packages, such as itineraries, preferences, and billing information.
• Financial Data: Credit or debit card information (number, expiration date, and CVV) for purchase transactions, always in secure environments.
• Other Relevant Data: Data necessary for the proper execution of the contract or to address specific requests made by the customer.

---

2. Purposes of Data Processing

MACHUPICCHU TERRA SRL, as the data controller, will use personal data for the following purposes:

• Contract Execution and Management: To ensure the development, fulfillment, and execution of the contracted tourist services.
• Customer Service: To handle inquiries, requests, complaints, and provide post-sale support.
• Booking and Payment Processes: To facilitate the booking of packages and the secure processing of payments.
• Continuous Improvement: To analyze information and optimize our services and customer experience.

2.1 Processing of Sensitive Data

To ensure your safety during our tourist services, we may request sensitive data (health information, food allergies, religious restrictions). The processing of such data requires your explicit consent through a specific checkbox, which will not be pre-checked.

Special Conditions:

• Exclusive Purpose: To ensure your safety and coordinate food services
• Restricted Access: Only the booking coordinator, assigned tour guide, and emergency medical staff
• Enhanced Security: Data encrypted with auditable access controls
• Retention: 30 days after the service, unless legally required
• Transfer: Not transferred to third parties unless strictly necessary for the service with your consent

You can withdraw your consent by contacting our Personal Data Officer.

2.2 Data Transfer to Third Parties

To provide our tourist services, we share your personal data with:

• Tourism Providers: transportation companies, hotels, restaurants, certified guides, activity operators. Data shared: name, nationality, dietary preferences, emergency contact
• Payment Processors: payment gateways and banks. Data shared: encrypted financial information under PCI-DSS standards
• Authorities: Ministry of Culture (Machu Picchu permits), SUNAT (tax obligations)

All third parties are contractually obligated to protect your data. We do not sell or rent your personal data for commercial purposes.

---

3. Data Retention

Personal data will be retained for as long as necessary to fulfill the contractual relationship and, where applicable, for the legally established periods to comply with fiscal, commercial, or legal obligations. In other words, we will retain the information until all necessary procedures are completed.

---

4. Security Measures

MACHUPICCHU TERRA SRL will implement administrative, technical, and physical measures necessary to protect your personal data against unauthorized access, loss, alteration, or disclosure.

4.1 Notification of Security Breaches

In the event of a security breach compromising your personal data, we will notify the National Authority for the Protection of Personal Data within 5 business days and inform you directly if there is a high risk to your rights, detailing the nature of the incident, affected data, measures taken, and protection recommendations.

---

5. ARCO Rights of the Data Subject

Under Law 29733, you have the following rights:

Right of Access: To know what data we process about you, for what purpose, with whom we share it, and how long we retain it.

Right of Rectification: To correct inaccurate, incomplete, or outdated data.

Right of Cancellation: To request deletion when data is no longer needed or if you have withdrawn your consent. Limitation: We do not delete data required by law to be kept (e.g., invoices for 5 years) or necessary for ongoing contracts.

Right of Opposition: To oppose processing when you have not granted consent or if it harms your interests.

Right of Revocation: To withdraw your consent at any time without retroactive effect.

How to exercise your rights:

• Web Form: ARCO Rights page (insert link to /en/rights-arco/)
• Email: datospersonales@machupicchuterra.com
• Postal Address: Street Recoleta Angosta #208, Cusco – Attn: Personal Data Officer

Timeframes: Response within 10 business days (extension of 5 days for complex cases). Execution within 5 additional business days if approved.

Exercising these rights is FREE OF CHARGE.

If we do not properly address your request, you may file a complaint with the National Authority for the Protection of Personal Data (ANDP) – Ministry of Justice, Av. Gregorio Escobedo 680, Jesús María, Lima. Tel: (01) 204-8020. Website: https://www.gob.pe/anpd

---

6. Legitimacy and Consent

Legal basis: Processing is based on your free, prior, express, and informed consent; the execution of the tourist services contract; and legal obligations (tax, commercial).

How we obtain your consent:

• Web Forms: Unchecked checkbox clearly informing about collected data, purposes, third-party recipients, retention time, and ARCO rights
• Email: Confirmation with a link to this policy
• Physical Contracts: Specific clause with your signature

Evidence: We record the date/time, consent method, specific data accepted, and the current policy version. This evidence is available through your Right of Access.

Revocation: You may withdraw your consent at any time. This does not affect prior processing done while your consent was valid.

---

7. Personal Data Officer

MACHUPICCHU TERRA S.R.L. has appointed [OFFICIAL NAME], [POSITION], as the Personal Data Officer responsible for ensuring compliance with the Personal Data Protection Law and handling your inquiries.

Contact:

• Email: datospersonales@machupicchuterra.com
• Phone: (+51) 994 349 441
• Address: Street Recoleta Angosta #208, Cusco

The Officer handles ARCO requests, data processing inquiries, protection incidents, and coordinates with the ANDP.