Confidentiality Policy

Thank you for taking a few minutes to read the Confidentiality Policy that ChangeYourFlight, S.L. (hereinafter referred to as CARAVELO, "CVO", "us", "we", "our", "company") has put together for the public. Your interest in our website or services is appreciated, as well as your communication with the company by written or oral means. The aggregate of our public and official website ("Website"), products and services offered, information shared and communications made from or to you is referred to from now on in this document as the "Service".

CVO commits to protecting the confidentiality of their associates, staff and any user that engages with the Service regarding any information they may provide to us in the development of our business activities.

What will you find in this document?

  • Commitment

  • Principles

  • Legislative Framework

  • Disclosure

  • Breaches of Confidentiality

  • Non-compliance

  • Related documentation

It is very important that all this information is clear to you and leaves no room for misunderstanding.

If you do not agree with this policy, do not visit the Website, engage with any of our products or services, communicate with us or otherwise interact with CARAVELO.


Commitment

All CVO employees must comply with this confidentiality policy in the context of our commitment to information security and data protection.

CVO Management shall ensure that all employees have an appropriate level of training and awareness regarding information security and data protection.

In particular:

  • Third-party information shall be processed with the maximum levels of integrity, confidentiality and restricted availability.

  • Internal information classified as confidential or restricted shall be processed with the maximum levels of integrity, confidentiality and restricted availability.

  • CVO must comply with the applicable legislation regarding data protection.

  • CVO commits to the non-disclosure of information without consent from the individual concerned, except in the circumstances detailed in "Disclosure".

  • CVO shall not attempt to collect information that it has not been authorized to collect.

  • Processing of information shall be done according to the "Principles".

  • Information shall be dismissed or destroyed when it is no longer necessary for the purposes of the processing.

  • CVO shall ensure the integrity of personal information, avoiding its corruption, loss or unauthorized access and correcting it if inaccurate.

  • CVO shall make personal information available to the individuals concerned upon their request.

Additionally, we commit ourselves to regularly revise and update this policy to increase transparency and meet GDPR requirements. Any amendments made to this Confidentiality Policy will be communicated through the Website, emails or other channels.


Principles

CVO shall implement the necessary security measures to ensure that the processing of information is done under the following principles:

  • Data shall be processed lawfully, fairly and transparently in relation to the data subject.

  • Data shall be collected for specified, explicit and legitimate purposes.

  • Data shall not be further processed for any purpose other than the specified one(s).

  • Data shall be adequate, relevant and limited to what is necessary to fulfill its purposes.

  • Data shall be accurate and updated, and otherwise corrected or erased.

  • Data shall not be kept for longer than what is necessary to fulfill its purposes.

  • Data shall be processed ensuring security, protection against unauthorized or unlawful processing and against loss, destruction or corruption.

Refer to "Related Documentation" for further information.

Legislative Framework

The main regulatory and legislative framework that CVO adheres to regarding data protection consists of:

  • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

  • Real Decreto 1720/2007, of 21 December, approving the Reglamento de desarrollo de la Ley Orgánica 15/1999, of 13 December, de protección de datos de carácter personal.


Disclosure

CVO shall make sure that personal information collected to fulfill appropriate business operations is kept confidential. In the event that information must be disclosed to third parties, CVO shall explain to the individual concerned the reasons for the disclosure and obtain their consent to do so.

However, there are circumstances that permit disclosure even without the consent of the individual concerned, in order to ensure public safety, compliance with the law or judicial requirement. In particular, these circumstances include:

  1. National security

  2. Defense

  3. Public security

  4. Prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties.

  5. Important objectives of general public interest of the European Union or of a Member State, including monetary, budgetary, taxation, public health and social security.

  6. Protection of judicial independence and proceedings.

  7. Prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.

  8. Monitoring, inspection or regulatory functions connected to the exercise of official authority in the cases referred to in (1), (2), (3), (4), (5), (7).

  9. Protection of data subjects or the rights and freedoms of others.

  10. Enforcement of civil law claims.

  11. When there is evidence of a fraud.

Breaches of Confidentiality

Accidental breach

CVO recognizes that information security incidents may occur occasionally, and shall make sure that steps to report them and further prevent them are in place.

In the event of an accidental breach of confidentiality, CVO will follow the procedure detailed in Article 33 of the GDPR:

  • Employees that detect a possible data breach shall promptly report it to their supervisor or to the ITSec responsible in the company.

  • As defined in the GDPR, Personal Data Breaches shall be reported to a supervisory authority within 72h of the incident.

  • An assessment on the severity of the personal data breach shall be made before initiating legal contact with the supervisory authority.

  • The relevant supervisory authority that CVO should contact is: Agencia Española de Protección de Datos (AEPD).

  • If CVO requires a disproportionate effort to establish direct communication with the supervisory authority, the data breach reporting can be substituted, for example, by a public alert.

  • If the data breach is very serious or concerns sensitive personal information, CVO will inform the data subject as well.

Deliberate breach

If an employee feels that a breach of confidentiality is required in a particular situation:

  • Employees shall refer to their immediate supervisor and present the case for which they believe a breach of confidentiality is necessary and legitimate, and what would be achieved by doing so.

  • Supervisors shall discuss together with the concerned employees if any of the circumstances detailed in "Disclosure" apply to the situation and which options are available.

  • If a supervisor feels that a breach of confidentiality is required, they should present the case to CVO Management, briefly explaining the situation, the grounds for disclosure, and keeping confidentiality when doing so.

  • The supervisor is responsible for ensuring that all actions are appropriately initiated and carried out.

  • If Management decides that confidentiality should not be breached, this is the final decision of CVO.


Non-compliance

Employees that fail to comply with this Confidentiality Policy and are found responsible for an accidental or unauthorized breach of confidentiality may face disciplinary action after an appropriate investigation process.

Related Documentation

Please read CVO's Privacy Note for further information on the types of data we collect and process, and the purposes for the processing.