Effective 14 June 2026. This policy is written to comply with Oman’s Personal Data Protection Law (Royal Decree 6/2022, the “PDPL”) and its executive regulations.
1. Who is responsible for your data
Horizon Blue (“we”, “us”), a marine tourism operator at Al Mouj Marina, Street 6, Muscat 113, Sultanate of Oman, is the controller of the personal data described in this policy. Contact for anything data-related: horizonblue.om@gmail.com or +968 93232 837.
2. What we collect
- Booking details — your name, WhatsApp/phone number, email address, trip date, group size (adults/children), permit category (Omani / non-Omani resident — required by the Environment Authority for reserve permits), and any notes you add (dietary needs, accessibility, occasions).
- Payment — payments are processed entirely by Paymob, a licensed payment provider. We receive confirmation of payment and a transaction reference; we never see or store your card number.
- Enquiries — messages you send through the contact form (name, email, message) together with your IP address, which we keep for abuse prevention.
- Partner accounts — if you register on our partner portal: company name, contact name, email, phone, and booking/commission records.
- Technical data — our forms are protected by Cloudflare Turnstile, which processes technical signals from your browser to block bots. We do not run advertising trackers.
3. Why we use it
- To perform your booking — confirmations, permits, trip communications by WhatsApp and email, payment processing and refunds.
- Legal and safety obligations — passenger information for maritime safety, Environment Authority permit requirements, and record-keeping required of Omani businesses.
- Legitimate operations — responding to enquiries, preventing fraud and abuse, and improving the website. We only send marketing if you have asked for it; there is no marketing list you are added to automatically.
4. Who we share it with
We share personal data only with the service providers needed to run your trip, and never sell it:
- Paymob — card payment processing;
- Environment Authority (Oman) — guest details required for Daymaniyat Islands Nature Reserve permits;
- Google (Firebase) — our secure booking database and website hosting;
- Resend — delivery of confirmation and enquiry emails;
- Cloudflare — bot protection on our forms;
- Meta (WhatsApp) — when you choose to message us on WhatsApp, your use of WhatsApp is governed by Meta’s own terms.
5. International transfers
Some of these providers process data on servers outside the Sultanate of Oman. Where that happens we rely on providers with recognised security certifications and contractual safeguards, in line with the PDPL’s requirements for transferring personal data outside Oman.
6. How long we keep it
- Booking and payment records — kept as required for Omani commercial, tax and audit purposes;
- Contact enquiries — up to 24 months, then deleted;
- Partner account data — for the life of the partnership plus the record-keeping period above.
7. Your rights under the PDPL
Subject to the conditions in the PDPL, you have the right to ask us for access to the personal data we hold about you, correction of inaccurate data, erasure of data we no longer need, and a copy of your data (portability), and the right to withdraw consent where processing is based on consent. To exercise any of these, email horizonblue.om@gmail.com; we respond within the timeframes the law requires. You also have the right to complain to the Ministry of Transport, Communications and Information Technology, the authority responsible for personal data protection in Oman.
8. Cookies
The website uses only what is needed to function: strictly necessary cookies and Cloudflare Turnstile’s bot-protection signals. We do not use advertising cookies or cross-site tracking. If we ever add analytics, this policy will be updated first.
9. Children
Bookings are made by adults. We collect children’s details only as needed for the booking (count and permit category), provided by the responsible adult.
10. Security
Booking data is stored in access-controlled cloud infrastructure (Google Firebase) with encryption in transit and at rest; payment data never touches our systems; staff and partner access is role-restricted. No system is perfectly secure, but we keep the data we hold to the minimum needed to run your trip.
11. Changes to this policy
We will post any changes on this page with a new effective date. Material changes will be flagged on the booking page.
Questions? Contact us — or read our Terms & Conditions.
