Last updated: May 14, 2026
At GreatChile we value the privacy of those who visit our sites and use our services. This policy explains what personal data we collect, the purposes for which we process it, who we share it with, and what rights you have over it. It is written in accordance with Chilean law (Law No. 19.628 on the Protection of Private Life and its amendments) and applies criteria aligned with the European Union General Data Protection Regulation (GDPR) for visitors from European jurisdictions.
1. Identity of the data controller
Legal name: Great Chile SPATax ID (RUT): 76.978.647-3Business address: Av. San José María Escrivá de Balaguer 13.105, Oficina 717, Lo Barnechea, Santiago, ChileOperated websites: greatchile.com, greatpatagonia.com, torresdelpaine.com, sanpedroatacama.com, valparaiso.com, aysen.com, rutahistorica.cl, salaruyuni.cl, and associated subdomains.Privacy contact email: privacidad@greatchile.comPhone: +56 223 347 802
2. What data we collect and for what purpose
2.1 Data you provide to us
Source Typical data Purpose Inquiry and booking forms (quote, contact, booking)First name, last name, country of residence, email, phone/WhatsApp, travel dates, number of passengers, ages where applicable, customer notes, flight number and schedule where applicable Attend to your inquiry, prepare the quote, coordinate the service with the corresponding providers, and confirm the booking. Passenger data (full form prior to payment)Full name of each passenger, ID / passport numbers, dates of birth, nationality Issue named vouchers, comply with provider requirements (lodging, airlines, national parks), comply with Chilean tax obligations. Payment data Credit/debit card details or payment instrument data (bank transfer, PIX, etc.), depending on the chosen method Process the booking payment. Payment-method data is processed directly by the providers listed in §4.2 (Stripe, Transbank, Virtualpos, Global66) and is not stored on our servers. Communications with our chat (Freshchat)Messages you send through the chat widget Attend to online inquiries. Reviews and ratings Name (or pseudonym), rating, and comment Publication of reviews on the corresponding pages, with your authorisation at the time of submission.
2.2 Data collected automatically
Technical browsing data: IP address, browser identifier (user-agent), preferred language, referring site, pages visited, date and time of visits. Collected through the server and, when you give consent, through cookies.Internal analytics data: when you give your analytics consent, we record aggregated metrics of your visit in our database (sessions, pages viewed, referrer, language, time on site). This data is independent of Google Analytics (see §4.2) and stays exclusively under our control, on our own infrastructure.Cookies and similar technologies: see §6 for details. The current list of cookies and their purpose is shown in our consent-management banner, where you can adjust your preferences at any time.
2.3 Data we do NOT request
We do not request special categories of data (racial or ethnic origin, political opinions, religious beliefs, health data, sexual life, biometric data). If on your own initiative you include health information relevant to your trip (for example, dietary restrictions or medical requirements) in the notes field, we process it exclusively to coordinate your service and for the time strictly necessary.
2.4 Technical data we do NOT store
By design of our system, we do not store the IP address or browser identifier (user-agent) in form-submission records . This data may be logged temporarily in the server logs (see §7) but is not associated with your submission.
3. Legal basis for processing
The processing activities described in this policy rely on the following legal grounds:
Performance of a contract or pre-contractual measures (GDPR art. 6.1.b / Law 19.628 art. 4): handling your inquiry, preparing the quote, managing the booking, and providing the travel service you request.Consent (GDPR art. 6.1.a / Law 19.628 art. 4): express acceptance of this policy when submitting a form, and granular consent for non-essential cookies through our consent-management banner.Legal obligation (GDPR art. 6.1.c / Law 19.628 art. 4 final paragraph): retention of tax and accounting records as required by Chilean law.Legitimate interest (GDPR art. 6.1.f): site security, fraud prevention, operational improvements based on aggregated, non-identifiable data.
4. Who we share your data with
We share personal data only with third parties strictly necessary to provide the service you request, and under agreements that bind them to process the data solely for that purpose.
4.1 Tourism service providers
We share your data with providers only in two situations, and only the strictly necessary data in each case:
(a) To perform the contracted service. When we confirm a booking, we transfer the strictly necessary data — and only the strictly necessary data — to the operators and providers that appear in your itinerary: hotels, tour operators, ground and air transport companies, national parks, and other tourism providers. This transfer is essential to materialise the booking. Each provider uses the data exclusively to deliver the contracted service.(b) To respond to a message directed at a provider. Some of our forms are designed for the visitor to inquire directly with a specific provider (for example, an inquiry directed at a hotel). In those cases, your message and your contact data are forwarded to that provider so they can reply. We retain a technical copy of the submission for one month (see §7).
4.2 External processors
Provider Function Shared data Main location Stripe, Inc. Card payment processing in international currencies (mainly USD). Because Stripe does not operate directly in Chile, the merchant account that receives these payments is operated by NG Mundo Group (see next row) Order ID, amount. Card data is processed directly within Stripe’s environment (PCI-DSS) and is not stored on our servers United States NG Mundo Group US-based payment intermediary, commercially affiliated with Great Chile SPA. Operates the Stripe merchant account that receives our customers’ card payments and transfers them to Great Chile SPA via international bank transfer Cardholder name, billing address (when Stripe captures it), amount, order ID United States (Miami, Florida) Transbank S.A. (Webpay)Card payment processing in Chilean pesos (CLP) Order ID, amount. Card data is processed directly within Transbank’s environment and is not stored on our servers Chile Virtualpos SpA PIX payment processing for customers in Brazil Order ID, amount, and data required by the PIX flow (cardholder name, CPF where applicable) Chile Global 81 SpA (Global66)Reception of international bank transfers in local currencies Order ID, amount, source-account and account-holder data Chile Freshworks Inc. (Freshdesk, Freshchat)Support ticketing system and unified messaging. Freshchat consolidates in a single inbox the conversations from the site chat and from the external channels WhatsApp Business, Instagram Direct, and Facebook Messenger (the latter provided by Meta Platforms, Inc. — see next row) Name, email, content of the inquiry or conversation United States / India Meta Platforms, Inc. (WhatsApp Business, Instagram Direct, Facebook Messenger)Channels for receiving messages that the customer sends through Meta’s networks. Conversations are automatically routed to our Freshchat inbox. Use is strictly reactive and transactional : we reply to customer-initiated messages and do not use these channels for marketing campaigns Profile identifier on each network, message content, phone number where applicable (WhatsApp) United States Google LLC — Analytics 4 + Tag Manager Aggregated site-usage metrics Technical identifiers, navigation events — only when you give analytics consent United States Google LLC — Ads (conversions)Measurement of advertising-campaign effectiveness Conversion identifiers, objective event — only when you give marketing consent ; blocked by our consent-management system until then United States Google LLC — reCAPTCHA Protection against automated abuse on forms Technical browser identifiers, behaviour during interaction with the form United States Google LLC — Workspace (Gmail / Vault) Sending and receiving email communications between GreatChile and our customers and providers Email content and metadata United States / European Union Meta Platforms, Inc. (Pixel, via Google Tag Manager)Measurement of advertising campaigns on Meta Conversion-event identifiers — only when you give marketing consent ; blocked by our consent-management system until then United States Calendly, LLC Scheduling of appointments with advisors Name, email, selected time United States Trustindex Kft. Aggregated display of reviews Reading of identifiers from review platforms European Union (Hungary) Cloudflare, Inc. Distribution network and protection against abuse for the integrated external services (Freshchat, Calendly, etc. operate behind Cloudflare) Technical browser data, IP United States Defiant, Inc. (Wordfence)Protection and firewall system for our sites. Analyses incoming traffic, blocks IP addresses associated with attacks, and maintains local lists updated through a global threat feed. To feed that feed, it may transmit technical information about traffic identified as malicious (including IPs and attack patterns) to its headquarters Visitor IP addresses and technical traffic data, mainly when suspicious activity is identified United States Siete PM SpA (RUT 76.701.118-0)Managed hosting: technical administration of the servers and operational maintenance of the site. Maintains two backup layers (see §7): a daily copy overwritten in each cycle, and a small set of older point-in-time backups (up to 24 months), kept as contingency against security incidents detected after the fact. Technical server access; under normal operating conditions they do not consult the contents of the database Chile DigitalOcean, LLC Cloud infrastructure provider: physical hosting of the servers that run the site and store the database Technical access to the underlying infrastructure. Servers operate in the SFO3 region (San Francisco, United States) United States
Google Ads and Meta Pixel advertising identifiers are loaded via Google Tag Manager, but the corresponding tags do not fire until the visitor grants explicit marketing consent through our consent-management banner. Without that consent, no advertising events are sent to these platforms.
4.3 Authorities
When there is a binding judicial or legal requirement (tax, law-enforcement, or judicial authority), we will share the data strictly required.
5. International transfers
Several of the processors listed in §4.2 have their headquarters outside Chile (mainly the United States and the European Union). In such cases:
The companies mentioned have published data-protection policies and adhere to frameworks such as the EU-US Data Privacy Framework where applicable.
These providers process the data as data processors , exclusively for the agreed purpose.
If you need specific information about the safeguards applied, you can request it via the email indicated in §1.
6. Cookies and similar technologies
We use cookies and similar technologies so the site works, to remember your preferences, to measure its use, and — when you accept — to personalise advertising content. Cookies are grouped into the following categories:
Functional (always active): session, language, currency, cart contents, consent preferences. Without these, the site cannot function correctly.Analytics: site-usage measurement via Google Analytics (external service) and via our internal analytics tool (data stored locally in our database), both only with your consent.Marketing/Advertising: Google Ads (conversions), Meta Pixel (when active), only with consent.Embedded third-party cookies: Freshchat, Calendly, YouTube, and reCAPTCHA may set their own cookies when you interact with their widgets or iframes. Their privacy policies additionally apply when you do so.
The detail per individual cookie (name, purpose, duration, origin) is available in the consent-management banner, where you can also change your preferences or withdraw your consent at any time.
The banner’s behaviour adapts automatically to your jurisdiction of residence , according to applicable local regulation:
Visitors from the European Union, United Kingdom, Brazil, or South Africa: prior-consent model (opt-in ). Non-essential cookies remain inactive until you accept them explicitly.Visitors from the United States, Canada, or Australia: notice-with-opt-out model. Some cookies may activate on first access; you can disable them at any time and, where applicable, exercise specific rights (for example, Do Not Sell or Share My Personal Information for California residents under the CCPA/CPRA) directly from the banner.
In all cases, the banner displays the cookie notice specific to your jurisdiction and lets you consult and modify preferences at any time.
7. How long we retain your data
Data type Retention period Submissions to provider-direct contact forms (the inquiry is forwarded to the provider and we keep a technical copy) 1 month from submission. Identifying data (name, email, phone, subject, message) is deleted; the technical trace copy is anonymised for aggregate analysis. Submissions to inquiry / quote forms that did not result in a booking 1 month from submission (same procedure as the previous point). Submissions to the passenger-data form during the booking process 1 month from submission; these records are deleted in full (not just anonymised), since the canonical copy of the passenger data is linked to the corresponding order. Orders and bookings — customer billing data (name, email, phone, RUT/document)90 days from the trip check-in date. After that period, the order’s billing fields (first name, last name, email, phone, document number) are deleted. The order is retained as a commercial record. Orders and bookings — administrative notes Order notes related to payment are retained for accounting reasons; other notes are deleted 90 days after check-in. Tax documents (boletas, invoices, credit and debit notes)Minimum 6 years under article 17 of the Chilean Tax Code. In practice, tax documents actually issued are retained indefinitely as an accounting backup. Draft tax documents that never reach the SII (cancelled, corrected, or abandoned) are purged at month-end close. For boletas mainly the customer name is retained; for invoices the full data of the receiving company is retained (legal name, RUT, business line, address, contact). Support tickets (Freshdesk) 18 months from the last interaction on the ticket; then deleted or anonymised according to the provider’s configuration. Chat communications (Freshchat) 12 months from the visitor’s last interaction; then deleted according to the provider’s configuration. Emails sent from our Google Workspace mailboxes (confirmations, replies to inquiries, coordination with providers)Up to 24 months from sending; older emails are deleted in periodic reviews. Copies kept by the recipient in their own email are outside our control. We do not maintain a duplicate local log on our website. (Pending confirmation: if Google Workspace Vault is enabled, this period will be reduced to 18 months with automatic enforcement.) Internal user accounts (operators) While the user is active, and for the legal periods applicable after termination. Published reviews Indefinite while they remain published; may be withdrawn at the author’s request. Technical browsing data (server logs) 12 months. Internal analytics data (sessions, pages viewed, referrer, language, time on site)24 months in the active database. After that period, the tool generates an aggregated backup file stored on the server; the specific retention policy for this file is defined in our internal operational procedures. System backup We maintain two layers of system backups. (a) Daily copy of the full system, overwritten in each cycle: when we delete personal data according to the retention periods above, its trace in this copy disappears within a maximum of 24 hours. (b) Older point-in-time backups (up to 24 months retention), kept as contingency against security incidents detected after the fact — for example, intrusions that compromise system integrity and require restoring a verified prior point. These backups are not used in normal operation; if after a restore personal data reappears that should already have been deleted, the corresponding deletion procedure is applied again. Cookies According to the duration indicated for each cookie in the consent banner.
After the applicable period expires, personal data is irreversibly deleted or anonymised. Deletion processes run automatically via daily scheduled tasks.
8. How we protect your data
We apply reasonable technical and organisational measures proportionate to the risk:
Encryption in transit via HTTPS/TLS on all sites.
Processing of payment methods through specialised providers (Stripe, Transbank, Virtualpos, Global66) in their respective secure environments — we do not store full card numbers or banking credentials on our servers.
Access control to internal tools (Freshdesk, admin panel) by user and minimum necessary permissions.
Protection against automated abuse via reCAPTCHA.
Backups and regular infrastructure auditing.
No system is 100% secure. If we detect a breach affecting your personal data, we will notify you within the timeframes and through the channels required by applicable law.
9. Your rights
As a personal data subject you have the right to:
Access the data we process about you.Rectify inaccurate or out-of-date data.Delete (“right to be forgotten”) data whose processing is no longer necessary, subject to the legal retention obligations indicated in §7.Object to processing and withdraw consent at any time, without affecting the lawfulness of prior processing.Request portability of your data in a structured, machine-readable format.Lodge complaints with the competent authority. In Chile, the Council for Transparency and the ordinary courts currently handle these claims; with the entry into force of the new personal data protection law, the Personal Data Protection Agency will be the responsible body.Additional rights under your jurisdiction. If your local law grants you rights beyond those listed above — for example, California residents under the CCPA/CPRA (right to know, right to delete, right to correct, right not to sell or share personal information), or specific rights under Brazil’s LGPD , Canada’s PIPEDA , South Africa’s POPIA , among others — you may exercise them by contacting us at the email indicated in §14. We will handle each request applying the standard most favourable to the data subject.
To exercise any of these rights, write to us at the email indicated in §1. We will reply within a maximum of 30 calendar days from receipt of the request. We may require additional information to verify your identity before processing the request.
10. Automated decisions and profiling
We do not take decisions that produce legal effects on you based solely on automated processing. Nor do we carry out profiling beyond the typical segmentation of aggregated advertising campaigns (when you accept marketing cookies).
11. Minors
Our services are aimed at persons over 18 years of age. When a trip includes underage passengers, their personal data is provided by their parents or responsible guardians, who guarantee that they have obtained the corresponding consent.
We do not deliberately request or collect personal data from minors under 14 years of age without the express consent of their parents or legal representatives. If you believe a minor has provided us with data without such authorisation, contact us so we can delete it.
12. Changes to this policy
We may update this policy to reflect changes in our practices, in the technology used, or in applicable law. The date indicated at the beginning reflects the current version. If the change is substantial, we will notify you through the channels we usually use.
13. Binding language of this policy
This policy may be available in other languages (English, Portuguese) to make it easier to read for visitors who do not speak Spanish. The Spanish version is the only one that is legally binding . In the event of any discrepancy between the versions, the Spanish text prevails.
14. Contact
For any inquiry, exercise of rights, or complaint regarding the processing of your personal data:
Phone: +56 223 347 802
Email: privacidad@greatchile.com
Postal address: Av. San José María Escrivá de Balaguer 13.105, Oficina 717, Lo Barnechea, Santiago, Chile
