Personal data protection

Policy for the Processing and Protection of Personal Data


ADDRESS: Cusco, Av. La Cultura, Urb. Manuel Prado N-4

TAX ID: 20524295106


1.- Article One Definitions

AUTHORIZATION: prior, express, and informed consent of the data subject to carry out the processing of personal data.

DATABASE: organized set of personal data subject to processing. The "databases" have this condition regardless of the medium in which they are contained, whether physical, electronic, manual, automated, computer tools, etc.

PERSONAL DATA: any information linked or that can be associated with one or more identified or identifiable natural persons.

DATA SUBJECT: natural person whose personal data is subject to processing.

PROCESSING: any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.

PRIVACY NOTICE: verbal or written communication generated by the data controller, addressed to the data subject, regarding the processing of their personal data. It informs them about the existence of the information processing policies that will be applicable, how to access them, and the purposes of the intended data processing.

PUBLIC DATA: data that is not semi-private, private, or sensitive. Public data includes, among others, data relating to the civil status of individuals, their profession or occupation, and their status as a trader or public servant. By their nature, public data can be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court judgments that are not subject to confidentiality.

SENSITIVE DATA: sensitive data refers to those that affect the data subject's privacy or whose misuse may lead to discrimination. This includes data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in unions, social organizations, or organizations promoting human rights or the interests of any political party, as well as data relating to health, sexual life, and biometric data.

TRANSFER: the transfer of data occurs when the data controller and/or data processor, located in Peru, sends information or personal data to a recipient who is also responsible for processing and is located inside or outside the country.

TRANSMISSION: processing of personal data that involves the communication of such data within or outside the territory of the Republic of Peru when it is intended for processing by the processor on behalf of a single data controller.

2.- Article Two Principles

In the development, interpretation, and application of Law 1581 of 2012, the following guiding principles will be applied in a harmonious and comprehensive manner:

PRINCIPLE OF PURPOSE: The processing must be carried out for a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the data subject.

PRINCIPLE OF FREEDOM: The processing can only be done with the prior, express, and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that exempts consent.

PRINCIPLE OF TRUTH OR QUALITY: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented data that may mislead is prohibited.

PRINCIPLE OF TRANSPARENCY: The data subject's right to obtain information about the existence of data concerning them from the data controller or data processor must be guaranteed at all times and without restrictions.

PRINCIPLE OF ACCESS AND RESTRICTED CIRCULATION: The processing is subject to the limits arising from the nature of personal data, the provisions of the law, and the Constitution. In this sense, the processing may only be carried out by persons authorized by the data subject and/or by persons provided for by law.

Personal data, except for public information, may not be available on the internet or other mass media unless access is technically controllable to provide limited knowledge only to data subjects or authorized third parties.

PRINCIPLE OF SECURITY: The information subject to processing by Inca World must be handled with the technical, human, and administrative measures necessary to provide security to the records, preventing their alteration, loss, consultation, unauthorized access or use, or fraud.

PRINCIPLE OF CONFIDENTIALITY: Inca World is obligated to guarantee the confidentiality of the information, even after its relationship with any of the activities comprising the processing has ended. Supplying or communicating personal data is only allowed when it corresponds to the development of activities authorized by law.

3.- Article Three. Rights of the Data Subject

The data subject has the following rights regarding their personal data:

  1. Know, update, and rectify their personal data in front of Inca World as the data controller. This right can be exercised, among others, in relation to partial, inaccurate, incomplete, fragmented data that may mislead, or data whose processing is expressly prohibited or has not been authorized.

  2. Request proof of the authorization granted to Inca World, except when expressly exempted as a requirement for processing (cases where authorization is not necessary).

  3. Be informed by Inca World, upon request, regarding the use given to their personal data.

  4. Submit complaints to the Superintendence of Industry and Commerce for violations of Law 1581 of 2012 and other regulations modifying, adding, or complementing it.

  5. Revoke the authorization and/or request the deletion of the data when the processing does not comply with constitutional and legal principles, rights, and guarantees.

  6. Access their personal data that have been processed free of charge.

4. Article Four: Duties of Inca World

Under this policy of treatment and protection of personal data, the following are the duties of Inca World:

  1. To guarantee the holder, at all times, the full and effective exercise of the right to habeas data.

  2. To request and keep a copy of the respective authorization granted by the owner.

  3. To duly inform the owner about the purpose of the collection and the rights granted to them under the authorization given.

  4. To keep the information under the necessary security conditions to prevent its alteration, loss, consultation, unauthorized or fraudulent use or access.

  5. To rectify the information when it is incorrect and communicate the relevant updates.

  6. To process the inquiries and claims made by the owners.

  7. To inform the data protection authority in case of security breaches and risks in the management of the owners' information.

  8. To comply with the requirements and instructions issued by the Superintendence of Industry and Commerce regarding the specific matter.

  9. To inform, at the request of the owner, about the use given to their data.

  10. To guarantee that the information is truthful, complete, accurate, up-to-date, verifiable, and understandable.

  11. To update the information, attending to any updates regarding the data of the owner. Additionally, all necessary measures should be implemented to keep the information up-to-date.

  12. To respect the security and privacy conditions of the owner's information. To identify when certain information is under discussion by the owner.

  13. To only use data whose processing is previously authorized in accordance with the provisions of Law 1581 of 2012.

5. Article Five. Events in which the authorization of the data subject is not necessary

The authorization of the data subject will not be necessary in the following cases:

  1. Information required by a public or administrative entity in the exercise of its legal functions or by a court order.

  2. Data of a public nature.

  3. Cases of medical or health emergency.

  4. Treatment of information authorized by law for historical, statistical, or scientific purposes.

  5. Data related to the Civil Registry of individuals.

6. Article Six. Authorization for the exercise of the data subject's rights

The rights of the data subjects may be exercised by the following individuals:

  1. By the data subject, who must sufficiently prove their identity through the various means made available by Inca World.

  2. By the successors of the data subject (in cases where the data subject is deceased or incapacitated), who must prove such status.

  3. By the representative and/or attorney-in-fact of the data subject, upon accreditation of the corresponding representation or power of attorney.

  4. By stipulation in favor of another or for another.

  5. The rights of children and adolescents shall be exercised by the individuals authorized to represent them.

7. Article Seven. Processing and purpose of data

The collected information is used to process, confirm, fulfill, and provide the services and/or products acquired, directly and/or with the participation of third-party product or service providers. It is also used to promote and advertise our activities, products, and services, carry out transactions, submit reports to various national or international administrative control and surveillance authorities, police authorities, or judicial authorities, banking entities, and/or insurance companies, for internal and/or commercial administrative purposes such as market research, audits, accounting reports, statistical analysis, billing, and offering and/or recognition of benefits under our loyalty programs.

By accepting this DATA PROCESSING AND PROTECTION POLICY, our guests, visitors, clients, users, and suppliers as data subjects authorize Inca World to partially or fully process their data, including collection, storage, recording, use, circulation, processing, and deletion for the execution of activities related to the acquired services and products, such as making reservations, modifications, cancellations, and changes, refunds, handling inquiries, complaints and claims, payment of compensations and indemnities, accounting records, correspondence, processing and verification of credit cards, debit cards, and other payment instruments, fraud identification, prevention of money laundering and other criminal activities, and for the operation of loyalty programs and other purposes indicated in this document.

This is without prejudice to other purposes that have been informed in this document and in the terms and conditions of each of the products and services offered by each of our business units.

We note that third-party providers may be involved in these activities, such as reservation system providers, travel agencies, call centers, banking entities, insurers, etc.

In addition, our travelers, clients, and users as data subjects, by accepting this privacy policy, authorize us to:

  1. Use the information received from them for marketing purposes of their products and services, as well as the products and services of third parties with whom Inca World maintains a business relationship.

  2. Provide personal data to control and surveillance authorities, police or judicial authorities, in compliance with legal or regulatory requirements, and/or use or disclose this information and personal data to defend their rights and/or their assets in relation to the products and/or services contracted by their travelers, clients, and users.

  3. Allow access to the information and personal data by auditors or third parties contracted to carry out internal or external audits related to the commercial activity we develop.

  4. Consult and update personal data at any time in order to keep such information up to date.

  5. Contract with third parties for the storage and/or processing of information and personal data for the proper execution of contracts entered into with us, under the security and confidentiality standards to which we are obliged.

8.- Article Eighth. Personal data of children and adolescents

The processing of personal data of children and adolescents is prohibited. It is prohibited except in the case of data of a public nature, and when said treatment complies with the following parameters and/or requirements:

  1. that respond to and respect the best interests of children and adolescents.

  2. that ensure respect for their fundamental rights.

  3. that have the authorization from the parent or legal guardian of the child or adolescent.

9. Article Ninth. Persons to whom the information may be provided

The information that meets the conditions established by law may be provided to the following individuals:

  1. To the data subjects, their successors in interest (in case of their absence) or their legal representatives.

  2. To public or administrative entities exercising their legal functions or by court order.

  3. To third parties authorized by the data subject or by law.

10. Article Tenth. Authorization

The collection, storage, use, circulation, or deletion of personal data by Inca World requires the free, prior, express, and informed consent of the data subject. Inca World, as the data controller, has implemented the necessary mechanisms to obtain authorization from the data subjects, ensuring that it is possible to verify the granting of such authorization.

By granting said authorization, the customer accepts the policies and conditions established in this document.

11. Article Eleventh. Form and mechanisms for granting authorization.

The authorization of the data subject will be documented in each of the channels and mechanisms for data collection by Inca World. It may be in a physical, electronic, or any other format that allows for subsequent consultation. The authorization will be provided by the data subject prior to the processing of their personal data, in accordance with the provisions of Law 1581 of 2012.

Through the consented authorization procedure, it is ensured that the data subject has been informed of the collection and use of their personal information for specific and known purposes, as well as their option to know any alterations to the data and the specific use that has been made of it. This is done to enable the data subject to make informed decisions regarding their personal data and to control the use of their personal information.

12. Article Twelfth. Procedure for the storage of personal data information

Inca World will adopt appropriate and sufficient technical and administrative measures to ensure the care and preservation of the personal data of the data subjects, preventing their alteration, loss, consultation, unauthorized or fraudulent use or access.

Likewise, the implementation of these measures will allow for the preservation of the authorization granted by the data subjects for the processing of their personal data.

Inca World will employ all necessary mechanisms to maintain the confidentiality of the information and refrain from using it for purposes other than those expressly authorized by the data subject.

However, the customer assumes the risks associated with providing this information over the internet, which is subject to various variables - attacks by third parties, technical or technological failures, among others. Inca World will make its best technological effort to ensure the security of personal information of all its customers and/or users, using reasonable and current security methods to prevent unauthorized access, maintain data accuracy, and ensure the proper use of the information.

13. Article Thirteenth. Procedure for the use and circulation of information.

In the event that third parties unrelated to Inca World need to validate, rectify, or confirm information corresponding to personal data of the data subjects contained in Inca World's databases, the prior and express authorization of the data subject will be required for the provision of the information to enable the transfer.

Inca World will refrain from using the information provided by the data subjects for marketing purposes other than its specific programs and services.

14. Article Fourteenth. Procedure for handling inquiries.

Data subjects may request Inca World to provide access to their personal data. This request must be made in writing and addressed to the email address: The request should specify the type of data to be consulted, as well as the requester's full name, identification number, telephone number, and email address to which the corresponding information will be sent.

Inca World will provide the consulted information to the data subject, which will include a list of all the information linked to the data subject's identification in the database. The inquiry will be addressed within a maximum period of fifteen (15) business days, starting from the day following the receipt of the request. If it is not possible to address the inquiry within this timeframe, the interested party will be notified, stating the reasons for the delay and indicating the date on which the inquiry will be addressed. In no case shall this date exceed eight (8) business days following the expiration of the initial period. The inquiry will be addressed in writing and will not incur any cost for the data subject.

15. Article Fifteenth. Procedure for the deletion, correction, or updating of information.

Data subjects may at any time request from Inca World the deletion, correction, or updating of their personal data and/or revoke the authorization granted for the processing of such data by submitting a claim in the following manner:

  1. The claim shall be made through a communication addressed to the email:, including the identification of the data subject, a description of the facts that give rise to the request, the address, and accompanied by any applicable supporting documents.

  2. If the claim is incomplete, Inca World will request the data subject, within five (5) business days following the receipt of the claim, to remedy the deficiencies. If two (2) months have elapsed since the date of the request without the data subject providing the requested information, it will be understood that the data subject has withdrawn the claim.

  3. Once the complete claim is received, a note stating "claim in process" and the reason for the claim will be included in the database, which must be done within a maximum period of two (2) business days. This note must be kept until the claim is resolved.

  4. The maximum period to address the claim will be fifteen (15) business days, starting from the day following its receipt. If it is not possible to address the claim within this timeframe, the interested party will be informed of the reasons for the delay and the date on which the claim will be addressed, which in no case shall exceed eight (8) business days following the expiration of the initial period.

16. Article Sixteenth. Temporality of personal data processing

The information provided by customers and users will be stored for a period of fifteen (15) years from the date of the last processing, in order to fulfill legal and/or contractual obligations, especially in accounting, tax, and fiscal matters.

17. Article Seventeenth. Modifications to Inca World's privacy policy

Inca World reserves the right to make modifications or updates to this Privacy Policy at any time, in order to address legislative changes, internal policies, or new requirements for the provision or offering of its services or products.

More Information

For more information about our privacy practices, please feel free to contact us at any time. Or send us an email at Contact.

Inca World
👋 Hi! How can we help you?...

Visit Pirwa Hostels Cusco

We offer fantastic experiences in our Hostels