Klook Travel Technology Limited ('Klook', 'we', 'us', 'our') are committed to protecting and respecting your personal data privacy and complying with data protection principles and provisions under applicable laws.
Scope of Terms
Collection of Information
We may collect Personal Information about you that you provide to us while using Klook Platform and information about how you use Klook Platform including when you open your user account ('User Account'), visit Klook Platform or make reservations for any intended Services or using the Services. Providing your Personal Information to Klook is always on a voluntary basis. However, we might not be able to provide you with certain services if you choose not to give us your Personal Information. For example, we cannot open your user account or make reservations for you if we do not collect your name and contact details.
1) Opening Your User Account
- When you open with us a User Account or amend any information of your User Account, we may collect your Personal Information, such as your name, email address, username, password and telephone number.
2) Visit Klook Platform, Making Reservations for the Services or Using the Services:
- (a) When you visit Klook Platform (even you have not registered an User Account or logged in), make reservations for any intended Services or use the Services, we may collect and process certain information (which may contain your Personal Information or may contain non-personally identifiable information but nevertheless linked to your Personal Information) including but not limited to those set out below: Copies of correspondence (whether by e-mail, instant or personal messaging or otherwise) between you and us, and between you and the Operators;
- (b) Details of your usage of Klook Platform (including traffic data, location data and length of user sessions);
- (c) Feedback on and responses to surveys conducted by Klook relating to the Services and newsletters which may be published, circulated or distributed by Klook;
- (d) Information automatically collected and stored in our server or the server of our third party services provider by using or accessing to Klook Platform (including the log-in name and password for your User Account, your computers Internet Protocol (IP) address, browser type, browser information, device information (including unique device identifier), pages visited, previous or subsequent sites visited).
Storage of Information
- When it is no longer necessary for us to process your Personal Information, we will either delete or anonymise the data or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information.
- We will endeavor to anonymise or aggregate your data if we intend to use it for analytical purposes or trend analysis.
- Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access. Klook does not give any representation, warranty or undertaking that the Personal Information you provide to us will be secure at all times, and to the extent Klook has fulfilled its obligations under no circumstances shall Klook be responsible for any losses, damages, costs and expenses which you may suffer or incur arising from unauthorised access to or use of your Personal Information.
- All payment transactions carried out by us or our chosen third-party provider of payment processing services will be encrypted using online encryption technology. You are responsible for keeping your chosen password confidential and not to share your password with any third party.
Usage of Information
- We process the Personal Information collected in as far as necessary for performance of the contract with and providing services to you. Besides, we process the other Personal Information collected on the basis of our legitimate interests, which are the further improvement of the services and for direct marketing purposes.
- For example, Klook will use Personal Information and other data collected through Klook Platform or when making purchases for the Services to create your User Account, to provide you with the Services, to continually improve Klook Platform and the Services, and to contact you in relation to the Services. This includes using your Personal Information or such other data to achieve faster purchase requests, better customer support and to provide you with timely notice of new Services and special offers.
- From time to time, we may also make use of your Personal Information to contact you for feedback on your use of Klook Platform, to assist us in improving Klook Platform, or to offer special savings or promotions to you, where you have indicated your consent to receiving such communications. If you would prefer not to receive notices of special savings or promotions, you may simply opt-out from receiving them by replying to us through the hyperlink provided in these notices.
Disclosure of Information
- We may from time to time share and disclose your Personal Information and other data to third parties, some of whom may be located outside your home country. The circumstances under which such sharing and disclosure will take place may include without limitation, the following:
- 2) If you are a visitor, to the relevant Operator in connection with a Services which you have made reservations for or intend to make reservations for.
- 3) If you are an Operator, to any visitor in connection with the Services you are offering.
- 4) To our third party service providers (including Google Analytics), which we engage amongst others for the performance of certain services on our behalf, such as web hosting services, data analysis, marketing, market research, and to otherwise provide you with customer service.
- 5) If and to the extent required by any applicable law, order of court or requests by any governmental authority to make such disclosure.
- 6) Within the Klook group of companies. In case of a corporate transaction, in connection with the sale, merger, acquisition, or other corporate reorganization or restructuring of our corporation, your Personal Information may be disclosed, shared or transferred to the new controlling entity or its authorised third party for carrying on our business.
- 7) To our advisors, agencies or other parties concerned in order to protect the rights and property of Klook.
- 8) In any other case, to any third parties with your prior written consent (and in which case we will make it possible for you to withdraw your consent as easily as it was to provide consent).
- We may also share aggregate or anonymous information with relevant third parties, including our advertisers. Such information does not contain any Personal Information and will not identify you personally. However, in some occasions, these third parties may possess information about you or obtain your information from other sources. When they combine such information with our aggregate information, they may be able to identify you personally.
- Your Personal Information may be transferred outside of your home country and outside of the European Union, for the abovementioned purposes. If such transfer takes place to a country that does not provide an adequate level of protection, Klook will use reasonable endeavours to ensure that appropriate safeguards are in place. Such safeguards include but are not limited to (i) standard contractual clauses of the European Commission; (ii) the EU-US and Switzerland-US privacy shield; and/or (iii) any other appropriate cross-border transfer mechanisms.
- Cookies are widely used in order to make websites work, or work more efficiently. When you visit our Website, we collect some of your Personal Information transmitted to us by your browser via cookies. This enables you to access Klook Platform and helps us to create better user experience for you. You will find more details about cookies and similar technologies that we use, in our Cookies Policy.
- You may at all times access, correct or erase your Personal Information through Klook Platform via the user portal, under “My Account”. Alternatively, you may make your data access, correction or erasure request by sending your request by email at email@example.com.
- Where mandatory under applicable legislation, you may also request restriction of processing of your Personal Information or object to processing by sending your request or objection by email at firstname.lastname@example.org. You may also request a copy of the information that we hold about you by sending your request by email at email@example.com.
- Please contact us via the contact details mentioned below if you have a complaint regarding the processing of your Personal Information.
- When handling any of these requests described above, we have the right to check the identity of the requester to ensure that he/she is the person entitled to make the request.
European General Data Protection Regulation
- Klook Travel Technology Ltd has designated Klook Travel Technology BV (Weesperstraat 61 1018VN Amsterdam, Netherlands) as its representative in the European Union for the purposes of the European General Data Protection Regulation. If you are within the European Union, you have the right to file a complaint with the appropriate data protection authority.
Last updated on: 10th April 2019.
Bug Bounty Program
Klook Travel Technology Limited (“Klook”) recognizes and rewards independent security researchers in keeping Klook and our customers secure. We appreciate your willingness to participate in this Bug Bounty Program (“Program”) and will award monetary rewards for the discovery of security vulnerabilities.
Your participation in our Bug Bounty Program is voluntary. By making a report disclosing a vulnerability to Klook, you acknowledge that you have read and agreed to the terms and conditions on this page (“Terms”).
Responsible Disclosure Policy
While participating in our Program, you warrant that:
- You shall protect Klook's and our users' privacy and data in good faith. You will not access or modify other user's data without our prior written consent.
- You shall ensure that in good faith, no disruption is caused to the production systems, degradation of user experience and destruction of data during this testing.
- If you inadvertently cause a privacy violation or disruption in the absence of any malicious intention (such as accessing account data, service configurations, or other confidential information) while investigating an issue, please disclose this immediately to us.
- You shall refrain from running any technical exploit and/or proceeding with subsequent testing of a security issue you discover for any reason (including demonstrating additional risk etc).
- You shall not violate any other applicable laws or regulations, including but not limited to the laws and regulations of Singapore, Hong Kong, and the European Union.
If you comply with the Terms when reporting a security bug to Klook, Klook will not initiate a lawsuit or law enforcement investigation against you in response to your submission.
In principle, any Klook-owned web service, mobile applications that handles data (including personal data) is intended to be in scope. This includes but not limited to the following domains:
- Klook iOS mobile application
- Klook Android mobile application
To participate in our Program, you must not:
- Be a resident of, or send submissions from, a country against which the United States has issued export sanctions or other trade restrictions;
- Be in violation of any national, state, or local law or regulation with respect to your activities related to Klook's Bug Bounty Program (directly or indirectly);
- Be employed by Klook or any of its affiliates;
- Be an immediate family member of a person employed by Klook or any of its affiliates; or
- Be less than 18 years of age.
To qualify for a reward under this program, you should send a clear textual report with the following description:
- Be the first to report a vulnerability to firstname.lastname@example.org
- Written details of the description of finding e.g. vulnerability title, vulnerability type)
- List the associated technical information e.g. URL(s), cookie information, POST/GET parameters
- List of steps to reproduce the finding to verify the vulnerability
- Include attachments such as screenshots or proof of concept code as necessary.
- Disclose the vulnerability report directly and exclusively to us.
General Testing Rules:
- Creation of multiple or mass number of accounts to perform security testing against Klook applications and services is prohibited.
- Brute force testing and dictionary attacks of all forms to determine whether rate limiting is in place for particular website, APIs or other functionality are not allowed.
- Interaction is only allowed using accounts you own or others' accounts with the explicit permission of the account holder
- If any accounts are blocked during the course of testing, you may submit a request and the Klook Security team will investigate your request and notify you if any further action is taken.
Ownership of Testing Results
For the purposes of this section, “Testing Results” means information about vulnerabilities discovered and submitted to Klook by you. You hereby agree that you will disclose and assign all Testing Results and its corresponding rights (including intellectual property) to Klook.
Out of Scope
When reporting vulnerabilities, you shall consider the attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope from this Program, and we will not accept any of the following types of attacks:
- Denial-of-service attacks
- Spam, social engineering or email phishing techniques (e.g. phishing, vishing, smishing)
- Email spoofing
- Any security vulnerability on the client side (e.g. browsers, plugins)
- Software version disclosure
- Reflected file download
- Any physical access issues
- Publicly accessible pages
- Any weakness or disclosure of information which does not lead to a direct vulnerability
- Email or account enumeration
- CSV command execution and CSP weaknesses
- Any vulnerabilities in third-party apps or websites are generally not within the scope of our Program.
You may be eligible to receive a bounty if:
- the vulnerability submitted is verifiable and determined to be a valid security issue by Klook; and
- you have complied with all Terms.
Bounty payments will be determined at Klook's sole discretion. All determinations as to eligibility and amount of bounty payments made by Klook are final and Klook shall not entertain any appeal, nor be obligated to make payments.
Klook determines bounty amounts based on various factors, including but not limited to impact and risk of exploitation of the security issue. In event of duplicate reports, Klook awards a bounty only to the first notifier.
||Bounty Range (USD)
||9.0 - 10
||1000 and above
||7.0 - 8.9
||600 – 900
||4.0 - 6.9
||250 – 500
||0.1 – 3.9
||100 – 200
If Klook determines that:
- you have breached any of the Terms; or
- your participation in the Program could adversely impact Klook (including but not limited to, any threat to Klook's systems, security, finances and/or reputation),
Klook may immediately terminate your participation and disqualify you from receiving any bounty payments.
Any information you receive or collect about Klook, our affiliates or any of our users through the Program and the submissions themselves (“Confidential Information”) must be kept confidential. You may not use, disclose or distribute Confidential Information without Klook's prior written consent.
Confidential information must only be used in connection with the Program.
You hereby agree to indemnify and hold Klook, its affiliates and the officers, directors, agents, joint ventures, employees and suppliers of Klook and its affiliates, harmless from any claim or demand made or incurred by any third party due to your submissions, your breach of these Terms and/or your improper use of the Bug Bounty Program.
Changes to Terms
Klook reserves the right to modify or cancel this Bug Bounty Program and its policies at any time, without prior notice.
Accordingly, Klook may amend these Terms and/or its policies at any time by posting a revised version on Klook's website. You accept the modified Terms if you continue to participate in the Bug Bounty Program after changes are made to the Terms.
The other language versions of this Agreement have been prepared solely for reference. If there is any conflict or inconsistency between the English version and the other language versions, the English text shall prevail.