Consent Management Policy

1. INTRODUCTION

This Consent Management Policy defines Tumodo's framework for obtaining, managing, and documenting consent in compliance with applicable data protection regulations. The policy ensures that all personal data collected from individuals is processed lawfully, transparently, and with explicit consent, where required, in line with regulatory standards. In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, referred to as "EU-GDPR"), Federal Decree by Law No. (45) of 2021 Concerning the Protection of Personal Data ("UAE PDPL"), the Personal Data Protection Law ("KSA PDPL"), the Digital Personal Data Protection Act, 2023 (Act 22 of 2023) ("DPDPA"), the "Law of the Republic of Kazakhstan on Personal Data and Its Protection" (Law No. 94-V), enacted on May 21, 2013, and other applicable data protection laws, collectively referred to as "the Acts", this policy ensures that consent is freely given, informed, specific, and revocable. This Consent Management Policy establishes a clear process for obtaining consent in a user-friendly manner, managing consent preferences, and allowing individuals to easily withdraw consent at any time. It safeguards the rights of individuals, ensuring that Tumodo's processing of personal data is fully compliant with privacy regulations, while maintaining transparency and trust with data subjects.

2. PURPOSE

The objective of this Consent Management Policy (this "Policy") is to set out how Tumodo ("we," "our," "us") collects, processes, and manages the Personal Data of its customers, employees, and other individuals whose data is collected. The Policy ensures that Data Subjects are informed about how their Personal Data is handled, that their explicit consent is obtained where necessary, and that their rights under the Acts are upheld. This Policy sets forth the procedures for obtaining, managing, and withdrawing consent, and ensures that all Personal Data processing activities are conducted in a transparent, lawful, and fair manner.

3. SCOPE

This Policy applies to all employees of Tumodo, including full-time and part-time employees, third-party vendors, and any other personnel who may have access to Personal Data directly or indirectly, within the scope of their duties at Tumodo. The scope of this Policy extends to the collection, processing, and withdrawal of consent pertaining to Personal Data. This includes instances wherein consent for the processing of Personal Data is obtained directly from the Data Subject.

4. DEFINITIONS

  1. Acts: It shall mean the EU-GDPR, UAE PDPL, KSA PDPL, Kazakhstan PDP, DPDPA, and other applicable law.

  2. Adjudicating Authority shall mean and include the following:

    1. The Supervisory Authority for the respective EU member state.

    2. The Data Protection Board of India (DPBI) for Data Subjects residing in India.

    3. Saudi Data & Artificial Intelligence Authority (SDAIA) for Data Principals residing in the Kingdom of Saudi Arabia.

    4. UAE Data Office for Data Principals residing in the United Arab Emirates.

    5. Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan.

  3. Consent: It shall mean any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of Personal Data relating to them.

  4. Data Controller/ Data Fiduciary: It shall mean a person who, either alone or jointly with other persons, determines the purposes and means of processing any Personal Data. The Data Controller shall also be referred to as a Data Fiduciary with respect to Data Subjects residing in India. For Data Subjects residing in California, Data Controller shall also refer to a business that collects consumers' personal information and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information.

  5. Data Processor: A person or organisation that processes Personal Data on behalf of a Data Controller.

  6. Data Subject/Data Principal: A Data Subject is the individual the Personal Data relates to. The Data Subject shall also be referred to as a Data Principal with respect to Data Subjects residing in India. For Data Subjects residing in India, where such an individual is a child, the term includes the parent or lawful guardian of the child. Where the individual is a person with disability, it includes their lawful guardian acting on behalf of such individual.

  7. Employee: It shall mean all the employees of Tumodo including part-time and full-time employees and consultants.

  8. Legal Basis for Processing: It shall mean the legal ground on which the processing of Personal Data is considered lawful.

  9. Personal Data: It shall mean any information relating to a living individual who is, or can be, identified, including data that can be combined with other information to identify an individual. This can be a very wide definition, depending on the circumstances, and can include data which relates to the identity, characteristics or behaviour of an individual or influences the way in which that individual is treated or evaluated.

    9.1. Processing:

    It shall mean performing any operation or set of operations on Personal Data, including:

    1. obtaining, recording or keeping data;
    2. organising or altering the data;
    3. retrieving, consulting or using the data;
    4. disclosing the data to a third party (including publication); and
    5. erasing or destroying the data.

  10. Third Parties: It shall mean a natural or legal person, public authority, agency or body other than the Data Subject, Data Controller, Data Processor and persons who, under the direct authority of the Data Controller or Data Processor, are authorized to process Personal Data. Contractors and Vendors are also Third Parties under this Policy.

5. ROLES AND RESPONSIBILITIES

The individual designated by the company to oversee consent management shall be responsible for ensuring that all processes related to obtaining, recording, and managing user consents are conducted in a lawful, transparent, and accountable manner. This includes developing and maintaining appropriate mechanisms for capturing consent, enabling Data Subjects to easily access, modify, or withdraw their consent, and ensuring that all such actions are properly documented and auditable as given under this Policy. The person responsible shall also be expected to frame and define specific roles and responsibilities in alignment with applicable data protection laws and internal policies, ensuring that consent practices remain compliant, up to date, and user-centric. The Data Subjects shall be further informed about the consent management authority in due course as policies and procedures are updated.

6. LEGAL BASIS FOR PROCESSING

Tumodo processes Personal Data based on various legal grounds, including the explicit consent of the Data Subject. Consent is sought where necessary, in accordance with the Acts, and is obtained clearly, transparently, and unambiguously. In situations where consent is not required, Personal Data may be processed based on other lawful grounds such as the performance of a contract, compliance with legal obligations, protection of vital interests, or legitimate interests pursued by Tumodo.

7. GENERAL PRINCIPLES

Whenever the consent of the Data Subject is the lawful basis for the processing of Personal Data, the following general principles of consent are to be followed:

7.1 Consent should be freely given, specific, informed, and unambiguous:

7.1.1 Freely given: Consent shall be given voluntarily without any form of coercion, pressure, or undue influence.

7.1.2 Specific: Consent shall be provided specifically for the identified processing operation(s). If processing has multiple purposes, consent should be given for each. Consent should be limited to such personal data as is necessary for the specified purpose. If consent exceeds the stated purpose, it may be deemed as limited to the necessary data.

7.1.3 Informed: Data Subjects shall be clearly informed of the purposes for which their Personal Data will be used. The notice accompanying a request for consent must include the personal data to be processed, the purpose, how rights may be exercised, and how to file complaints.

7.1.4 Unambiguous: Consent shall be expressed in a clear, understandable manner that leaves no doubt as to the individual's intention. Consent should not be implied unless it is reasonable based on the context.

7.2 Clear Information:

Tumodo shall provide Data Subjects with clear and concise information about the purpose and nature of data processing.

7.3 Simplified Language:

Tumodo shall use language that is appropriate for the target audience's age and comprehension level and explain complex terms in a simple and clear manner.

7.4 For Data Subjects:

Tumodo shall present every request for consent in clear and plain language, providing the option to access such requests in English. Contact details of the Data Protection Officer or an authorized representative will also be provided for any communication regarding the exercise of rights under this Act.

7.5 Separate and Granular Consent:

Tumodo shall obtain separate and granular consent for different purposes of data processing if applicable.

7.6 Documented:

Tumodo shall document all consent notices.

7.7 Easy Withdrawal:

Tumodo shall provide Data Subjects with an easy mechanism to withdraw their consent at any time, subject to legal or contractual restrictions. The ease of withdrawal shall be equal to the ease of providing consent. Individuals shall be informed of the implications of withdrawal. Upon withdrawal of consent, the processing of the data should cease "within a reasonable time."

7.8 Transparency:

Tumodo shall be transparent about how and why Personal Data is being collected and processed, disclosing the methods of consent collection and processing activities. Information will be provided about any third parties involved, including whether data will be shared and with whom.

7.9 Assistance and Support for Privacy Settings:

Tumodo shall provide accessible and readily available support for configuring privacy settings, including dedicated helplines, frequently asked questions (FAQs) in accessible formats, and trained staff to assist with adjustments.

7.10 Reasonable Expectations of Data Subjects:

Tumodo will take into account the reasonable expectations of individuals when seeking consent. Consent shall not be obtained under misleading circumstances or for purposes beyond what the individual could reasonably expect.

7.11 Consent Managers:

Tumodo shall integrate processes that allow consent to be managed, reviewed, and withdrawn through Consent Managers as prescribed by the DPDPA. These Consent Managers will act as intermediaries for the Data Subjects to facilitate the management of their consent through an accessible and transparent platform. (DPDPA)

7.12 Consent via Authorized Representatives:

Consent may be provided by an authorized representative, such as a legal guardian or individual holding power of attorney, in situations where the Data Subject is unable to provide direct consent.

7.13 Complaint Handling:

Tumodo shall display the contact details of the designated officer responsible for handling complaints and any concerns of the Data Subjects on the processing of Personal Data based on consent.

8. MODES OF COLLECTION

Tumodo shall use the following methods for obtaining consent, ensuring it is freely given, informed, unambiguous, and unconditional in line with the Acts:

8.1 Opt-In Checkboxes:

Consent may be indicated by ticking an opt-in box on the website. The opt-in mechanism must be a clear affirmative action, and pre-ticked boxes will not be considered valid consent. (The website does not have a preference centre; only a banner is displayed.)

8.2 Technical Settings and Preferences:

Consent can be obtained through the selection of technical settings or preferences within user dashboards. Users should have control over these settings, and changes should be simple and accessible.

8.3 Email Consent:

Consent may be provided by responding to an email expressly seeking consent. The email must clearly inform the individual about what they are consenting to and offer a straightforward way to withdraw consent.

8.4 Cookies and Tracking Technologies:

Consent may be obtained through cookies and similar tracking technologies. Users must be given a clear choice to accept or reject cookies, with an ACCEPT COOKIES button or equivalent, and consent should not be implied by merely browsing the site. Consent must be unambiguous, meaning explicit action (e.g., clicking the button) is required to confirm consent. (No preference centre)

8.5 Forms:

Consent may be given by completing and signing a form that collects information and informs the individual about its use. The form should clearly explain the purposes of data collection and allow individuals to decline consent for unnecessary data processing.

8.6 Opt-Out Mechanisms:

Consent may be provided by checking a box to request that personal information not be provided to other organizations. Opt-out options should be clear and easily accessible, without any hidden requirements.

8.7 Product or Service Use:

Consent may be obtained at the time an individual uses a product or service. Information on data collection must be provided in a transparent manner, ensuring the user understands the processing purpose before engaging with the product or service.

9. LIFE CYCLE OF CONSENT

9.1 Obtain Consent:

Tumodo shall consider the following points while obtaining consent from the Data Subjects.

9.2 Drafting a Consent Request:

Consent requests need to be prominent, concise, and easy to understand and separate from any general terms and conditions. Tumodo shall:

9.2.1 Employ consistent language and methods across various consent options.

9.2.2 Utilize clear and straightforward language.

9.2.3 Ensure that consent requests are both concise and specific, avoiding any vague or broad language.

9.3 Information to be provided to Data Subject for obtaining consent:

To ensure specific and informed consent, Tumodo shall provide the following details while seeking consent:

  1. Identification of the Data Controller and Data Processor: Clearly state and provide details about the entity responsible for determining the purposes and means of data processing (the Data Controller) and any third-party entities responsible for processing personal data on behalf of the Data Controller (the Data Processor).

  2. Description of Personal Data Processed: Offer a description of the categories and nature of Personal Data that will be processed on behalf of or by the Data Controller.

  3. Explicit Disclosure of Processing Purposes: Clearly disclose the purposes for which the Personal Data will be processed. If distinct processing operations require separate consent, this should be explicitly communicated.

  4. Specification of Data Type: Specify the types of data collected and utilized during the processing activities.

  5. Notification of the Right to Withdraw Consent: Explicitly inform Data Subjects of their right to withdraw consent at any time and provide a clear and accessible process for doing so.

  6. Information about Data Subject Rights: Provide information about the rights of Data Subjects, including contact details for inquiries or complaints regarding their Personal Data.

  7. Disclosure of Third Parties: Disclose any third parties to whom the Data Controller may disclose or has disclosed Personal Data, ensuring transparency in data sharing practices.

  8. Disclose Data Retention Periods: Disclose data retention periods or the criteria used to determine them, which ensures transparency and allows the Data Subject to understand how long their data will be stored.

  9. Identification of the Collecting Organization: Clearly identify the organization collecting consent and any third party relying on such consent, ensuring transparency and accountability.

  10. Information Regarding Automated Processing: If applicable, provide information about the use of collected data for decisions based on automated processing, such as profiling, to keep data subjects informed about potential automated decision-making processes.

9.4 Alternatives to obtaining consent:

Tumodo is authorized to process Personal Data without the explicit consent of the Data Subject when such processing is necessary for the following purposes:

9.4.1 Fulfilling Contractual Obligations: Processing Personal Data to meet contractual obligations and provide requested services is permissible.

9.4.2 Compliance with Legal Obligations: Processing Personal Data is allowed if the regulations mandate it for a specific purpose.

9.4.3 Vital Interest: Processing Personal Data is justified without consent when it is necessary to safeguard someone's life.

9.4.4 Public Interest: If processing Personal Data is necessary to carry out official functions or tasks in the public interest, such processing is permissible.

9.4.5 Legitimate Interests: Processing Personal Data without consent is acceptable if Tumodo has a genuine and legitimate reason, including potential commercial benefit, provided it does not outweigh harm to the individual's rights, freedom, and interests. Tumodo shall ensure fairness, transparency, and accountability to prevent unwarranted impact on Data Subjects.

9.4.6 Addressing Pre-contractual Inquiries: Processing Personal Data can address any pre-contractual inquiries from Data Subjects.

9.5 Recording Consent:

Tumodo shall maintain clear and verifiable documentation detailing when and how consent was obtained from the Data Subject. This ensures that Tumodo can furnish evidence upon inquiry. The records maintained should include the details below:

9.6 Identity of the consenting party:

This includes the name of the Data Subject, or any identifier directly linked to the Data Subject.

9.7 Time of consent:

Documentation, either physical or online, with a clear timestamp, such as a dated document or online records.

9.8 Information provided to Data Subjects during consent:

A primary copy of the document or data collection form containing the consent statement used at the time, along with any separate privacy statement. This should include version numbers and dates matching the consent date.

9.9 Method of consent:

For online consent, records should include the submitted data and a timestamp linking it to the corresponding version of the data collection form.

9.10 Withdrawal of consent:

The date and time of consent withdrawal. It is advised that, especially when recording verbal consent, the withdrawal should also be recorded digitally or confirmed through communication with the Data Subject such as via letter, email, or SMS. Archival of this data is necessary.

9.11 Management of Consent:

Managing consent is a dynamic and integral aspect of Tumodo's ongoing commitment to establishing and maintaining a relationship of trust with Data Subjects. Tumodo shall employ the following strategies to effectively manage consent:

9.12 Offer ongoing choice and control:

Tumodo shall provide Data Subjects with continuous options and control over their consent preferences. Tumodo shall also ensure that Data Subjects can modify their consent preferences at any time, even after giving consent. A user-friendly mechanism for individuals to manage or modify their preferences, such as privacy dashboards, should be implemented.

9.13 Facilitate Withdrawal of consent:

Data Subjects shall have the right to withdraw their consent at any time. Tumodo shall ensure a smooth process for Data Subjects to exercise this right seamlessly. The right to withdraw consent must be as easy as providing it. Data subjects should be informed that withdrawing consent will not affect the lawfulness of the data processing that occurred before the withdrawal.

9.14 Regular Consent Review:

Tumodo shall regularly review consent collection practices and documentation to ensure compliance with the Acts and internal policies, enabling timely updates and renewals. When consent is obtained for data processing that is ongoing or periodic, there should be periodic reminders to Data Subjects to review or refresh their consent preferences, especially if new processing activities are introduced. Tumodo shall consider renewing a Data Subject's consent in the following scenarios:

9.14.1 Whenever there is a change in the laws or regulations governing privacy and data protection.

9.14.2 If the purpose of further processing of Personal Data is incompatible with the purpose for which it was initially collected, Data Subjects must be informed, and additional consent must be obtained.

9.14.3 Significant changes in Tumodo's procedures for processing user data that might impact the Data Subject's privacy rights.

9.15 Withdrawal of Consent:

The Data Subject must be able to withdraw consent easily at any time without detriment. Consent should not be regarded as freely given if the Data Subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the Data Subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

9.16 Procedure for Withdrawal of Consent Requests from Data Subject:

9.16.1 Submission of Withdrawal Request: Data Subjects may submit their withdrawal requests through multiple channels, including email, written correspondence, or an online form facilitated by Tumodo ("Unsubscribe").

9.16.2 Verification of Identity: Upon receipt of a withdrawal request, ensure the security and authenticity by requesting the Data Subject to verify their identity. Specify acceptable documentation for identity verification, such as Government-issued ID, Passport, Driving License, or Birth Certific