Security Policy

1. Who we are

The owner of the website tuurs.ee and the party responsible for information security, data processing, and the proper operation of the website is:

  • Company: ALEX-TUURS OÜ
  • Registration code: 17163628
  • EMTAK (2025): 79111 (Travel agencies)
  • IBAN: EE972200221090156798

ALEX-TUURS OÜ operates the website tuurs.ee, which is built on the OpenCart 3 platform. This system is used to present travel services, receive inquiries, process customer requests, and ensure convenient interaction between users and the company.

The company acts as the data controller within the scope of its activities and applies reasonable technical and organisational measures to protect information processed through the website. This includes both data voluntarily provided by users (for example, when filling out forms) and technical data automatically processed by the system to ensure the proper functioning of the website.

ALEX-TUURS OÜ does not sell, transfer, or disclose users’ personal data to third parties, except in cases where such disclosure:

  • is necessary to provide the requested service (for example, transferring data to a tour operator or partner for booking purposes);
  • is expressly required by applicable law;
  • is carried out upon a lawful request from public or supervisory authorities;
  • is carried out with the user’s consent.

In all such cases, the scope of the data transferred is limited strictly to what is objectively necessary to fulfil obligations or comply with legal requirements.

The information provided in this section is intended to ensure transparent identification of the website owner and the party responsible for security matters and does not create any additional financial or legal obligations for the user beyond the scope of the specific services ordered.

2. Scope of application

This Security Policy applies to all processes, systems, and activities related to the use of the website tuurs.ee and the provision of services by ALEX-TUURS OÜ in the online environment.

The Policy applies in particular to:

  • the website tuurs.ee, its structure, pages, subdomains (if applicable), functional modules, contact forms, and inquiry forms implemented on the OpenCart 3 platform;
  • all user communications, including but not limited to travel inquiries, information requests, messages submitted via website forms, and related correspondence;
  • personal and technical data processed during the operation of the website, including data voluntarily entered by users and data automatically processed by the system to ensure secure, stable, and proper website operation;
  • internal information systems, software, server infrastructure, and devices used by the company to process inquiries, store information, and communicate with customers;
  • interactions with partners, tour operators, and service providers (such as hosting providers, email services, payment systems, and analytics tools), to the extent that such parties are involved in the technical operation of the website or the provision of requested services.

This Security Policy does not govern the terms of specific travel services, contractual obligations of tour operators, or the rules of third-party websites that may be linked from tuurs.ee. The use of such resources is governed by their own policies and terms.

The Policy applies regardless of the device or country from which the website is accessed, provided that the services of tuurs.ee are used.

3. What data and information we protect

In the course of operating the website tuurs.ee and providing services, ALEX-TUURS OÜ takes measures to protect all data and information whose processing is necessary for lawful, secure, and proper interaction with users.

In particular, we protect the following categories of data:

  • Users’ personal data
    This may include first and last name, telephone number, email address, preferred language of communication, the content of the inquiry, and other information voluntarily provided by the user through website forms or correspondence and necessary for travel selection, consultation, or service arrangement.
  • Inquiry, order, and request data
    This includes the history of inquiries, travel parameters (destination, dates, budget, number and composition of travellers, etc.), information about selected offers, and service-related correspondence associated with processing such requests.
  • Technical and operational information
    To ensure the security and stable operation of the website, technical data may be processed automatically, such as IP address, browser type and version, device type, date and time of access, error logs, security events, and other technical logs. Such data is used solely to the extent necessary for administration, security, and troubleshooting.
  • Commercial and service-related information
    We also protect information related to offer conditions, commercial arrangements, internal documents, and materials used in customer service and cooperation with partners, to the extent such information is processed within the scope of our activities.

We do not collect or process personal data that is not related to the provision of travel services or interaction with the user via the website. Users have the right not to provide excessive information that is not requested by website forms.

Data processing is carried out in accordance with the principles of data minimisation and proportionality: the volume of data and retention periods are limited to what is objectively necessary to fulfil obligations towards the user, comply with legal requirements, and ensure security.

4. Security principles

When organising information protection, ALEX-TUURS OÜ follows the fundamental principles of information security and the requirements of applicable legislation, including the General Data Protection Regulation (GDPR). These principles apply to all data and processes related to the operation of the website tuurs.ee.

  • Confidentiality
    Access to personal, commercial, and technical data is granted only to authorised employees and contractors for whom such access is objectively necessary to perform their duties. All persons with access to data are required to comply with confidentiality obligations and to use information strictly within the scope of their authority.
  • Integrity
    We take measures to prevent unauthorised alteration, deletion, or distortion of data. Access control mechanisms, permission segregation, and technical and organisational procedures are used to detect suspicious activity and system errors.
  • Availability and resilience
    We strive to ensure the stable operation of the website and the availability of information for users and staff. This includes measures to maintain system operability, perform backups, and enable the restoration of data and services following technical failures, errors, or security incidents.
  • Data minimisation and proportionality
    The volume of processed data, applied security measures, and retention periods are determined based on actual business needs and risks, without excessive data collection or unjustified interference with users’ privacy.
  • Risk management
    We regularly assess potential risks to data and information systems and select protection measures proportionate to the nature of the processed information, technical capabilities, and current threats.
  • Continuous improvement
    Security measures are not static. As the website develops, the technical platform (OpenCart 3) changes, new threats emerge, or legal requirements evolve, we review and, where necessary, update the applied security measures.

The applied approach corresponds to the concept of “technical and organisational measures” (TOMs) as provided for by the GDPR and is aimed at ensuring a reasonable and balanced level of data protection without reducing user convenience.

5. Technical security measures

To protect information and ensure the stable operation of the website tuurs.ee, ALEX-TUURS OÜ applies a set of technical measures implemented at the level of the OpenCart 3 platform, the server infrastructure, and the services used.

  • Encrypted connections (HTTPS/TLS)
    Data transmission between the user and the website takes place via secure communication channels using the HTTPS/TLS protocol. This reduces the risk of interception or modification of information during transmission. The level of protection also depends on the security of the user’s device and network.
  • Updates and vulnerability management
    We regularly update website software components, including the OpenCart core, extensions, and server software, and apply security patches as they become available. Updates are performed with due consideration for compatibility and system stability.
  • Access segregation and control
    Access to the administrative area of the website and internal systems is granted according to the principle of least privilege. Unique user accounts, passwords, and, where technically feasible, additional authentication measures are used to reduce the risk of unauthorised access.
  • Logging and monitoring
    Technical events, errors, and anomalous activity are logged within the website and server systems. These data are used for troubleshooting, security incident analysis, and improving system resilience and are not used for user profiling.
  • Backup and recovery
    Backup procedures are applied for critical data. Backup copies are used exclusively to restore information and system functionality in the event of technical failures, errors, or security incidents. We aim to ensure the restoration of data availability within a reasonable timeframe.
  • Protection against common attacks
    Depending on infrastructure capabilities, protection measures are applied against common threats such as automated password guessing, malicious requests, unauthorised access attempts, and other typical network attacks. These measures are intended to reduce risk but cannot completely eliminate all possible threats.
  • Content security policies and browser-level restrictions
    Where necessary, additional security mechanisms may be applied at the browser level (for example, restrictions on loading and executing external resources) to reduce the risk of malicious code injection and enhance overall website security.

The applied technical measures are selected taking into account the scale of the company’s activities, the nature of the processed data, and current risks. We consciously use a reasonable and proportionate level of protection without creating unnecessary barriers for users or reducing the usability of the website.

6. Organisational measures

In addition to technical solutions, ALEX-TUURS OÜ applies organisational measures aimed at reducing risks related to the human factor, access management, and interaction with third parties.

  • Responsibility and access management
    The company defines a circle of persons who are granted access to inquiries, personal data, and internal systems. Access is provided strictly to the extent necessary for the performance of official duties and may be restricted, modified, or revoked when roles change or cooperation ends.
  • Awareness and basic cyber hygiene rules
    Employees and authorised persons are informed about the basic principles of secure information handling, including caution when working with email, protection of user credentials, use of strong passwords, and responsible management of documents and access rights.
  • Work with contractors and partners
    When engaging contractors, service providers, or partners (such as hosting, email, payment, or analytics services), we take into account security and confidentiality requirements. Where necessary, agreements are concluded that provide for information protection obligations and compliance with applicable legislation.
  • Allocation of responsibility
    In cases where data processing is carried out jointly with partners (for example, tour operators or payment service providers), the areas of responsibility of the parties are defined in accordance with their roles and contractual arrangements. Each party is responsible for data security within its own technical and organisational sphere of control.
  • Regular assessment and review of measures
    We periodically assess the effectiveness of the applied organisational and technical measures, taking into account changes in activities, the technical platform, the volume of processed data, and current risks. Where necessary, security measures are reviewed and updated.

Organisational measures complement technical safeguards and are aimed at fostering a responsible and conscious approach to security without unnecessarily complicating processes for customers or staff.

7. Payments and security of payment data

When providing services involving payments, ALEX-TUURS OÜ strives to organise payment processes in a way that minimises risks for users and excludes the processing of sensitive payment data on the tuurs.ee website.

Where online payments are available on the website, payments are generally processed through third-party payment service providers and payment gateways. Entry of payment card details (card number, expiration date, CVC/CVV code) takes place directly on the payment service provider’s side and is not stored or processed on the website’s servers.

The tuurs.ee website may receive from the payment service provider only a limited set of technical information necessary to confirm the fact of payment (for example, payment status or transaction identifier), without access to the user’s full payment card details.

The security of payment data processing is governed by the rules and standards of the respective payment systems and providers. In the payment industry, the international PCI DSS standard is applied to protect cardholder data. The scope of responsibility and specific security measures depend on the chosen payment method and the terms of the relevant payment service provider.

ALEX-TUURS OÜ is not responsible for the operation of third-party payment pages, technical failures, or the security policies of payment service providers, but cooperates with them within its competence to resolve issues related to payments.

Users are advised to carefully review the terms and security policies of the selected payment service provider before making a payment.

8. Security incidents and response

Any event that potentially threatens the confidentiality, integrity, or availability of information and services of the tuurs.ee website may be considered a security incident. Such events may include, in particular, suspected hacking, data breaches, malicious activity, unauthorised access to forms or administrative areas, website availability disruptions, or data alteration or loss.

In the event of identification or a reasonable suspicion of a security incident, ALEX-TUURS OÜ takes reasonable and proportionate response measures, including, where applicable:

  • recording and initial analysis of the event to determine its nature and potential impact;
  • taking measures to limit the spread of the incident and reduce potential damage;
  • restoring the operation of the website and the availability of services as quickly as reasonably possible;
  • analysing the causes of the incident and implementing corrective measures to prevent similar situations in the future;
  • cooperating with technical contractors, hosting providers, and service providers within their areas of responsibility;
  • where there are legal grounds, cooperating with competent public or supervisory authorities.

In cases where an incident may affect users’ personal data and falls under applicable legal requirements, the company acts in accordance with relevant legal provisions, including obligations related to notification and documentation of the incident.

Within the European Union, increasing attention is being paid to cyber risk management and organisational preparedness for incidents (including in the context of the NIS2 Directive). Even if the activities of ALEX-TUURS OÜ do not fall directly under such requirements, we regard the principles of risk assessment, preparedness, and response as best practice for responsible business conduct.

It should be noted that no information system can be completely protected against all possible threats; however, our objective is to minimise risks, respond to incidents in a timely manner, and reduce their potential impact on users.

9. What we expect from users

The security of interaction via the tuurs.ee website depends not only on the measures applied by us but also on responsible user behaviour. In this regard, we ask users to observe the following recommendations:

  • Do not submit information via website forms or communication channels that is not requested or required to process your inquiry, including full payment card details, passwords, verification codes, or other sensitive data.
  • Use up-to-date versions of browsers, operating systems, and applications, and where possible, secure network connections. This helps reduce the risk of data compromise on the user’s side.
  • Take care of the security of your own devices and user credentials, do not share access with third parties, and avoid using public devices to transmit confidential information.
  • If you notice suspicious activity, errors in the operation of the website, a possible vulnerability, or receive messages that appear to be related to tuurs.ee, please notify us as soon as possible using the contact details provided on the website.

Following these simple recommendations helps reduce risks and contributes to a safer and more comfortable experience for all users.

10. References to related documents

This Security Policy forms part of the overall set of informational and legal documents of the tuurs.ee website and should be reviewed together with the following materials:

  • Privacy Policy — a document describing in detail which personal data are collected, on what legal grounds they are processed, the purposes of processing, retention periods, and users’ rights.
  • Cookies Policy — a document containing information about the use of cookies and similar technologies, including technical, analytical, and, where applicable, marketing tools, as well as options for managing user consent.
  • Terms of Use / Terms of Sale — documents governing the use of the website, the submission of inquiries, booking procedures, and the provision of travel services, as well as the allocation of responsibilities between the parties (where such documents are available on the website).

This Security Policy does not replace the above documents but complements them by specifically describing approaches to information protection, risk management, and the organisation of security within the operation of the website.

In the event of any discrepancies between the provisions of this Policy and other documents, priority shall be determined in accordance with their purpose and applicable legal regulations.

11. Policy updates

ALEX-TUURS OÜ reserves the right to amend and update this Security Policy as the tuurs.ee website develops, technical solutions change (including the OpenCart 3 platform), business processes evolve, or legal requirements are amended.

The updated version of the Security Policy is published on this page and enters into force from the moment of its publication, unless otherwise stated. Users are encouraged to review this section periodically to stay informed about the current security terms and practices.

Continued use of the website after the publication of changes constitutes the user’s acceptance of the updated Security Policy to the extent permitted by applicable law.

12. Security contacts

If you discover a potential vulnerability, suspect fraudulent activity, encounter suspicious behaviour, or wish to report a problem related to website security or data processing, please contact us.

To do so, use the contact details provided on the tuurs.ee website in the “Contacts” section. When contacting us regarding security matters, we kindly ask you to describe the situation in as much detail as possible so that we can respond promptly and appropriately.

We review all security-related reports and strive to take reasonable measures to investigate and address identified issues within the scope of our responsibility.

Last updated: 13.12.2025