Privacy

Privacy Notice

How Bivara handles personal data when you use our flight booking and related travel services.

Notice on the Processing of Personal Data of Natural Persons in Connection with the Booking of Airline Tickets and Related Services


Last updated: 21 April 2026

By means of this notice, Bivara d.o.o. informs natural persons about the manner in which their personal data is processed in connection with the search, booking, purchase, modification, cancellation, and administration of airline tickets and related services. This notice applies regardless of the domain, platform, communication channel, or device through which our services are used.

Personal data means any information relating to an identified or identifiable natural person, directly or indirectly. The scope and nature of the processing depend primarily on the specific service you use, the way you interact with us, and the legal and operational requirements associated with travel booking.

Personal data is processed in accordance with the applicable laws of the Republic of Serbia, primarily the Law on Personal Data Protection.

1. Data Controller

The data controller is:

Bivara d.o.o.
Dure Jaksica 1
Belgrade, Republic of Serbia
E-mail: info@bivara.rs
Telephone: +381 62 8232817

For general questions related to personal data protection, as well as for the exercise of your rights as a data subject, you may contact us using the following details:

E-mail for privacy-related matters: info@bivara.rs
Postal address for requests: Dure Jaksica 1, Belgrade, Republic of Serbia

2. Categories of Data Processed

In connection with the booking of airline tickets and related services, we may process the following categories of personal data:

2.1. Identification and Travel Data
We may process your first and last name, middle name or additional name, date of birth, address, nationality, gender, passport or other travel document details, as well as other information required by airlines, global distribution systems, airports, public authorities, or other travel service providers for the creation, confirmation, and performance of a booking.

2.2. Contact Data
We may process your e-mail address, telephone number, and other contact details for the purpose of sending booking confirmations, itineraries, invoices, flight change notifications, information about additional services, and for communicating with you regarding your request or booking.

2.3. Payment and Transaction Data
We may process the data necessary to carry out a payment, confirm a transaction, issue documents, process refunds, and resolve payment-related disputes. If payment is made by bank card or another electronic method, the payment instrument data may be processed directly by the payment provider or payment gateway. Bivara does not necessarily have access to the full card details, but only to the information necessary to confirm the transaction, reconcile payments, handle claims, prevent fraud, and provide customer support.

2.4. Communication Data
If you contact us by mail, telephone, e-mail, contact form, chat, or through another channel, we may process your name, contact details, the content of your message, attached documents, the date and time of the request, as well as information relating to the further handling of your request.

2.5. Technical Data and Access Data
We may process technical data generated through the use of our websites, systems, and communication channels, such as the date and time of access, transaction identifiers, technical logs, device data, browser type, operating system, IP address, time zone, and similar information, to the extent necessary for security, the functioning of systems, confirmation of actions, and the resolution of technical issues.

2.6. Data Relating to Special Passenger Needs
In certain cases, we may process data indicating health status, the need for medical assistance, accompaniment, special meals, or other travel-related circumstances, where such information is necessary for the arrangement of the service or the provision of appropriate assistance during travel.

2.7. Telephone Call Recordings
If Bivara uses call recording in its customer service centre, the recording of the conversation, call data, call time, and other related information may be processed. Such processing may be necessary to confirm a customer request, protect against unauthorised booking changes, improve service quality, train staff, and resolve disputes. If calls are recorded, the user must be informed of this in advance and in an appropriate manner, and where required, the relevant consent must be obtained or another valid legal basis must apply.

3. Sources of Data

We obtain personal data mainly:

  • directly from you, when you search for, book, purchase, modify, or cancel a service;
  • from the person for whom the booking is made, or from the person making the booking on your behalf;
  • from partners through whom you found or booked a flight or another travel service;
  • from airlines, global distribution systems, booking systems, and other service providers involved in the performance of the booking;
  • from payment providers and financial institutions, to the extent necessary to confirm or carry out the transaction;
  • from technical systems, logs, and security records generated through the use of our websites and services.

4. Purposes of Processing and Legal Bases

We process your personal data for the following purposes:

4.1. Steps Prior to Entering into a Contract and Performance of a Contract
Data is processed for the search of flights, preparation of an offer, booking, ticket issuance, communication regarding the booking, provision of additional services, amendments or cancellation of the booking, refunds, and the general administration of the contractual relationship.

4.2. Compliance with Legal Obligations
Data is processed where necessary to comply with obligations arising under the laws of the Republic of Serbia or other applicable regulations, including accounting, tax, consumer, supervisory, audit, and other obligations.

4.3. Protection of Legitimate Interests
We may process data for the protection of the legitimate interests of Bivara or third parties, in particular for the purposes of:

  • ensuring IT and network security;
  • preventing abuse, fraud, and unauthorised use of services;
  • maintaining internal evidentiary records;
  • handling complaints, disputes, and claims;
  • protecting the business, employees, customers, and technical systems;
  • improving the quality of services and business processes.

4.4. Consent
Where required by law or where no other legal basis applies, processing is carried out on the basis of your consent. This may concern, for example, the processing of certain special categories of data or the recording of telephone calls where such processing cannot be justified on another legal basis.

4.5. Protection of Vital Interests
In exceptional cases, especially in the event of a medical emergency or similar circumstances, processing may be necessary to protect your vital interests or those of another natural person.

5. Mandatory Provision of Data

The provision of certain personal data is a contractual or practical requirement for the conclusion and performance of a booking. If you do not provide the information necessary to identify the passenger, create the booking, issue the ticket, process the payment, or communicate in relation to the trip, we may be unable to conclude the contract, create the booking, or provide the requested service.

6. Recipients and Categories of Data Recipients

Personal data may be disclosed to the following categories of recipients to the extent necessary and lawful:

  • airlines and other transport or travel service providers, for the performance of the booking and provision of the service;
  • global distribution systems, computer reservation systems, and other booking platforms, for the creation, modification, and administration of the booking;
  • partners through whom you searched for or booked the service, including aggregators, comparison portals, affiliate partners, and other intermediaries, where necessary for support, complaint handling, or booking administration;
  • payment providers, payment gateway providers, banks, and financial institutions, for the processing of transactions and prevention of abuse;
  • customer support providers and call centres, for customer communications and request administration;
  • IT providers, cloud and hosting providers, cybersecurity service providers, and helpdesk providers, for system support and infrastructure protection;
  • accountants, auditors, lawyers, insurers, consultants, and other professional advisers, where necessary for lawful operations or the protection of legal interests;
  • public authorities, regulators, supervisory authorities, police, courts, and other competent institutions, where disclosure is required by law or necessary for the establishment, exercise, or defence of legal claims;
  • debt collection agencies or legal representatives, in the event of outstanding obligations, including unfounded chargeback requests.

Depending on the specific booking, flight itinerary, additional services, payment method, and business model, the actual recipients may vary. Therefore, it is not always possible to publish in advance an exhaustive and continuously updated list of all individual recipients; usually, only the categories of recipients are indicated. Upon request, we may, to the extent possible and permitted, provide additional information about the recipients relevant to your specific booking.

7. Relationships with Travel Service Providers as Independent Controllers

When you book a flight or another travel service, in many cases the contract is concluded directly with the relevant airline or other service provider. In such cases, that provider may act as an independent controller with regard to the personal data it processes for its own purposes. This means that it independently determines the purposes and means of processing within the framework of its business, compliance, and regulatory obligations.

Before completing a booking, it is recommended that you review the privacy policy and general terms and conditions of the relevant service provider.

8. Fraud Prevention

Bivara may implement procedures and controls to prevent abuse, fictitious bookings, unauthorised transactions, unfounded chargeback claims, and other forms of fraudulent behaviour. For these purposes, identification data, contact data, booking data, transaction data, and relevant technical information may be processed.

Risk assessment is generally not necessarily fully automated and may include review by authorised employees or contractors. If an increased risk is identified or there are indications of fraud, Bivara is entitled to take reasonable and proportionate measures, including additional checks, temporary suspension of processing, refusal or cancellation of a booking, internal recording of the incident, reporting to the competent authorities, and the protection of its legal interests.

Such processing is based on Bivara’s legitimate interest in preventing financial and other harm, protecting its customers, and maintaining business security.

9. Technical Analysis, Security, and System Integrity

To ensure the proper functioning of systems, data integrity, and process security, Bivara may process identification, contact, booking, transaction, and technical data. Such processing may be necessary, for example, for:

  • detecting and correcting technical errors;
  • analysing unsuccessful or incorrectly executed bookings;
  • reconciling data between systems;
  • maintaining the accuracy and completeness of information;
  • preventing security incidents and unauthorised access;
  • improving the quality of products and processes.

This processing is based on Bivara’s legitimate interest in using secure and functioning information systems and ensuring the accuracy and reliability of business data.

10. Transfer of Data to Other Countries

Given the nature of international air transport and global booking systems, personal data may be transferred to recipients in the Republic of Serbia, Member States of the European Union, States of the European Economic Area, as well as other countries outside Serbia, where this is necessary for booking, performance of the contract, customer support, payment processing, hosting, system maintenance, or other lawful purposes.

Where data is transferred to a country or international organisation that does not ensure an adequate level of protection, Bivara shall, where required, apply appropriate safeguards, such as contractual protective clauses, internal policies, technical and organisational measures, or other mechanisms permitted by law. In certain cases, the transfer may also be necessary for the performance of a contract concluded in the interest of the data subject.

11. Data Retention Periods

We retain personal data only for as long as necessary to achieve the purposes for which it was collected, including:

  • the period of negotiations and contract conclusion;
  • the duration of the booking, trip, modifications, cancellation, and refund;
  • compliance with accounting, tax, audit, and other legal obligations;
  • the handling of complaints, disputes, and claims;
  • the defence or exercise of legal claims;
  • the period until consent is withdrawn, where processing is based on consent, unless another valid legal basis exists for continued retention.

After the expiry of the relevant periods, the data is deleted, anonymised, or its further processing is restricted, unless longer retention is required by law or justified on another valid legal basis.

12. Rights of the Data Subject

In accordance with applicable law, you have the right to request from Bivara:

  • information about the processing of your personal data;
  • access to your personal data;
  • rectification of inaccurate data or completion of incomplete data;
  • erasure of data where legal grounds exist;
  • restriction of processing where legal grounds exist;
  • data portability where legal grounds exist;
  • objection to processing based on legitimate interest;
  • withdrawal of consent at any time, where processing is based on consent.

A request may be sent to info@bivara.rs or by post to the controller’s address. Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal.

13. Right to Lodge a Complaint with a Supervisory Authority

If you believe that the processing of your personal data is carried out in violation of the law, you have the right to lodge a complaint with the competent supervisory authority:

Commissioner for Information of Public Importance and Personal Data Protection
Republic of Serbia

14. Automated Decision-Making and Profiling

Bivara does not make decisions producing legal effects or similarly significantly affecting a person solely on the basis of automated processing, unless such processing is expressly permitted by applicable law and all legal requirements have been met. If such processing is introduced in individual cases, the data subject will be separately informed accordingly in compliance with the law.

If we use risk assessment, fraud prevention, or technical analytics tools, such processing will generally be accompanied by an appropriate level of human review and oversight.

15. Data Security

Bivara applies appropriate technical, organisational, and legal measures to protect personal data against unauthorised access, loss, destruction, abuse, alteration, or unlawful disclosure. Such measures are regularly reviewed and adapted taking into account the nature of the processing, the level of risk, technological developments, and the specifics of the business.

16. Changes to this Notice

Bivara reserves the right to amend or supplement this notice in order to align it with changes in legislation, judicial or administrative practice, technical solutions, business processes, or the structure of services. The current version of the notice is published on the Bivara website or otherwise communicated in an appropriate manner.