Confidentiality Policy

Thank you for taking a few minutes to read the Confidentiality Policy ChangeYourFlight, S.L. (hereinafter referred to as CARAVELO, “CVO”, “us”, “we”, “our”, “company”) have put together for the public. Your interest in our website or services is appreciated, as well as your communication with the company by written or oral means. The aggregate of our public and official website ( (“Website”), products and services offered, information shared and communications made from or to you is regarded from now on in this document as the “Service”.

CVO commits to protecting the confidentiality of their associates, staff and any user that engages with the Service regarding any information they may provide to us in the development of our business activities.

What will you find in this document?

It is very important that all this information is very clear to you, leaving no misunderstandings out in the open.

If you do not agree with this policy, do not visit the Website, engage with any of our products or services, communicate with us or otherwise interact with CARAVELO.


All CVO employees must comply with this confidentiality policy in the context of our commitment to information security and data protection.

CVO Management shall ensure that all employees have an appropriate level of training and awareness regarding information security and data protection.

In particular:

Additionally, we commit ourselves to regularly revise and update this policy to increase transparency and meet GDPR requirements. Any amendments made to this Confidentiality Policy will be communicated through the Website, emails or other channels.


CVO shall implement the necessary security measures to ensure that the processing of information is done under the following principles:

Refer to “Related Documentation” for further information.

Legislative Framework

The main regulatory and legislative framework that CVO adheres to regarding data protection are:


CVO shall make sure that personal information collected to fulfill appropriate business operations is kept confidential. In the event that information must be disclosed to third parties, CVO shall explain to the individual concerned the reasons for the disclosure and obtain their consent to do so.

However, there are circumstances that permit disclosure even without the consent of the individual concerned, in order to ensure public safety, compliance with the law or judicial requirement. In particular, these circumstances include:

  1. National security
  2. Defense
  3. Public security
  4. Prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties.
  5. Important objectives of general public interest of the European Union or of a Member State, including monetary, budgetary, taxation, public health and social security.
  6. Protection of judicial independence and proceedings.
  7. Prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.
  8. Monitoring, inspection or regulatory functions connected to the exercise of official authority in the cases referred to in (1), (2), (3), (4), (5), (7).
  9. Protection of data subjects or the rights and freedoms of others.
  10. Enforcement of civil law claims.
  11. When there is evidence of a fraud.

Breaches of Confidentiality

Accidental Breach

CVO recognizes that information security incidents may occur occasionally, and shall make sure that steps to report it and further prevent it are in place.

In the event of an accidental breach of confidentiality, CVO will follow the procedure detailed in Article 33 of the GDPR:

Deliberate Breach

If an employee feels that a breach of confidentiality is required in a particular situation:


Employees that fail to comply with this Confidentiality Policy and are found responsible for an accidental or unauthorized breach of confidentiality may face disciplinary action after an appropriate investigation process.

Related Documentation

Please read CVO’s Privacy Note for further information on the types of data we collect and process, and the purposes for the processing.