Privacy Policy
Nan Hwa (Express) Travel Service Limited
Last Updated: 1 April 2025
We value the trust you place in us. This Privacy Policy explains how Nan Hwa (Express) Travel Service Limited (“we,” “us,” or “our”) collects, uses, discloses, and protects your personal information when you visit our website (nanhwa.com), use our mobile applications, or book our travel and related services (collectively, the “Services”).
1. Information We Collect
a. Information You Provide Directly
When you register an account, book travel arrangements, make enquiries, or interact with our Services, we may collect:
- Username and password
- Full name, gender, and date of birth
- Mailing address, email address, telephone/fax number
- Company name and job title
- Hong Kong ID card number, passport number, and/or nationality
- Credit card details (cardholder name, card number, billing address, expiry date) – processed only through PCI DSS-compliant channels (see Section 8)
- Any other information you voluntarily provide (e.g., travel preferences, support requests)
b. Information Collected Automatically
- Log Data: IP address, browser type, device information, domain name, access times, and referring URLs
- Cookies and Similar Technologies: We use cookies to improve your experience (e.g., remembering login details, screen preferences, or comment information). You can manage cookie preferences via your browser settings; however, disabling cookies may limit certain features.
c. Information from Third Parties
We may receive limited information from payment processors, airlines, hotels, and authorised travel partners strictly to fulfil your bookings.
2. How We Use Your Information
We use your personal information to:
- Process bookings, payments, and travel arrangements
- Confirm and manage your itinerary
- Respond to enquiries and provide customer support
- Verify your identity when you log in
- Send marketing communications (special offers, newsletters, promotions) – you may opt out at any time
- Detect and prevent fraud or abuse
- Improve our website, services, and overall customer experience
- Comply with legal and regulatory obligations
3. Legal Bases for Processing (where applicable)
If you are located in the EEA, UK, Switzerland, Hong Kong, or other jurisdictions with similar requirements, we process your data based on:
- Performance of a contract (e.g., fulfilling your travel booking)
- Legitimate interests (service improvement, fraud prevention, direct marketing where permitted)
- Your consent (e.g., for non-essential marketing)
- Legal obligations
4. How We Share Your Information
We do not sell or rent your personal information. We only share it in the following limited cases:
- With airlines, hotels, ground handlers, and authorised travel agents – only the information necessary to fulfil your travel arrangements
- With PCI DSS Level 1-certified payment processors and our bank – solely for transaction authorisation and settlement
- With service providers under strict confidentiality obligations (e.g., IT hosting, analytics, email delivery)
- When required by law, court order, or government/law enforcement authorities
- In the event of a merger, acquisition, or sale of assets (successors will be bound by this policy)
5. Data Retention
We keep your personal data only as long as necessary to fulfil the purposes above or as required by law (e.g., tax or travel regulatory requirements). Full credit card details are never stored on our systems after authorisation.
6. Your Rights & Choices
Depending on your location, you may have the right to:
- Access, correct, or delete your personal data
- Object to or restrict certain processing
- Withdraw consent (where processing is consent-based)
- Opt out of marketing communications at any time
- Lodge a complaint with the relevant data protection authority
To exercise these rights or opt out of marketing, please email [email protected].
7. Security of Your Information
We implement industry-standard physical, technical, and administrative safeguards (including firewalls, encryption in transit and at rest, and access controls) to protect your data. However, no internet transmission or electronic storage method is 100% secure, and we cannot guarantee absolute security.
8. Payment Card Data & PCI DSS Compliance
We are fully compliant with the Payment Card Industry Data Security Standard (PCI DSS v4.0.1). Key protections include:
- We do not store your full card number, CVV/CVC, or magnetic stripe data after authorisation
- All card data is processed through PCI DSS Level 1-validated payment processors and our acquiring bank
- Any temporary handling of card data occurs in isolated, encrypted, and continuously monitored environments
- We undergo regular independent PCI DSS assessments
9. Third-Party Websites
Our Services may contain links to third-party websites (e.g., airline or hotel partners). We are not responsible for their privacy practices. We encourage you to review their privacy policies before providing any personal information.
10. International Data Transfers
Your information may be transferred to and processed in countries outside your jurisdiction (including Hong Kong, Singapore, and countries where our travel partners operate). We use appropriate safeguards (such as contractual clauses) to protect your data during such transfers.
11. Children’s Privacy
Our Services are not intended for children under 13 (or higher where required by law). We do not knowingly collect personal information from children. If we discover such data has been collected, we will delete it immediately.
12. Changes to This Privacy Policy
We may update this policy from time to time. The latest version will be posted here with an updated “Last Updated” date. If we make material changes affecting previously collected information, we will notify you via email or a prominent notice on our website and provide an opportunity to opt out.
13. Contact Us
For any questions, to exercise your rights, or to opt out of marketing:
Email: [email protected]
Note: In the event of any discrepancy between the English and Chinese versions of this Privacy Policy, the English version shall prevail.
Who we are
Nan Hwa (Express) Travel Service Limited has been built on trust between our customers and ourselves. We only collect personal information to provide you with better services and products.
To ensure you can make informed decisions and feel confident about supplying personally identifiable information relating to you when using our website. We maintain the following privacy principles:
Information collection and use
When you browse nanhwa.com and have not registered any online service from Nan Hwa (Express) Travel Service Limited, you browse anonymously. Personal information – such as your name, address, phone number or E-mail address – is not collected as you browse. The types of information we collect, depending on the specific part of the site services channel you are using, are:
- User name and password
- Name
- Gender
- Date of birth
- Mailing address
- Email address
- Telephone number / Fax number
- Company name and job title
- Hong Kong ID Card number / Passport number / Nationality
- Credit card information including name of cardholder, credit card number, credit card billing address and expiry date
We may also use your information to process your request on purchasing our product(s) and service(s); to confirm your travel arrangements; to fulfil your request when you use our online services; to contact you regarding your enquiries; to identify you for login and for our own marketing purposes, such as sending you updates on our special offers, promotions, newsletter subscription, brochure request and so on. If you do not want us to use your contact information to send details of our products to you please let us know in an email to: [email protected] .
We do not pass details of your personal information to third parties except as described in below:
- We may disclose your information to airlines, hotels and/or related travel and booking agents. We will provide only the information necessary to ensure the successful fulfilment of your travel arrangements.
- When paying by credit card we pass your card details to our bank for authorization of the transaction and for payment.
- Apart from sharing your information as mentioned above, we do not disclose your details to any other person without your consent unless there is an emergency situation that requires it and disclose the information when required by law or court order, or as requested by other government or law enforcement authorities, or in the good faith that disclosure is otherwise necessary or advisable including and without limitation to protect the rights. This also applies when we have reason to believe that disclosing the information is necessary to identify, contact or bring legal action against someone who may be causing interference with our rights or properties, whether intentionally or otherwise, or when anyone else could be harmed by such activities.ion service.
Cookies
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Log Files
We may collect information regarding your IP address, browser type, domain name and access time. This information is used for our internal research purposes and is separate from the information. We do not link IP addresses to any personal information.
Security
We take security matters very seriously and treat all personally identifiable information obtained from users of our websites confidential, as well as preventing from unauthorized access and ensuring the correct use of the information. In addition to the firewalls and other sophisticated equipment implemented, we also provide appropriate physical, electronic and managerial measures to protect our system, and the information and data contained in them from accidental or malicious disruption or destruction. When you type in sensitive information, it will be automatically converted into codes before being securely dispatched over the Internet. However, complete confidentiality and security is not yet possible over the Internet, and privacy cannot be assured in your communications to us. You acknowledge that personal information is disclosed at your own risk, and may be subject to unauthorized use by others. This may result in you receiving unsolicited messages from other parties. We are not responsible in any manner for direct, indirect, special or consequential damages, howsoever caused arising out of the communication of information to us.
Links
This site contains links to other sites that have their own seperate privacy statements. Please be aware that we are not responsible their privacy policies or compliance with the law, and do not vouch for their security of such other websites.
You should therefore be fully aware the provision of the link does not constitute an endorsement, approval, or any form of association by or with our company. You should therefore remain alert when you leave our site, and read the privacy statements of other websites. We have no control over data that is submitted to these third parties. You access the data on such websites at your own risk and we recommend you read such statements when entering these sites.
Payment Card Industry (PCI) and Data Security Standard (DSS) Compliant
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Changes to our privacy statement
We will post our new statement on this page once we have changed our privacy statement, so that you are always informed of the way we collect and use the information. If at any point we decide to use the information you submitted under this current statement in the revised condition, you will be given the opportunity via the website, email or in writing to opt out or otherwise prevent from such usage. If you have any queries or concerns regarding our Privacy Statement, or if at any time you need help related to our services, please send email to: [email protected]
Note: In case of discrepancies between the English and Chinese versions, the English version shall apply and prevail.
