- when a person visits our website (regardless of where visited from) themselves; or
- when a person uses our online systems available through our website to book for themselves or on behalf of third parties.
- Important information and who we are
Email address: firstname.lastname@example.org
Address: Suite 3a 38 Queen Street, Glasgow, Scotland, G1 3DX
Phone number: 0141 739 8556
All individuals have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with any concerns before a complaint is made to the ICO so please contact us in the first instance.
Accuracy of Data
It is important that the personal data we hold is accurate and current. Each individual providing us with personal data (about themselves or others) is responsible for ensuring the accuracy at the point of being provided. Please keep us informed if any personal data changes while we hold and process it.
- The personal data we collect
Personal data, or personal information, means any information about an individual from which that person can be identified. That can be from the information alone or in combination with other data. It does not include data where the identity has been removed (anonymous data).
We collect personal data about individuals in a variety of ways. Sometimes we collect personal data directly from an individual and at times we may receive personal data from other sources and third parties. This will include where an individual has made a booking on behalf of a third party and provided us with their personal data to enable the booking to be completed. We also collect personal data automatically when individuals interact with our website.
We may collect, use, store and transfer different kinds of personal data which we have grouped together as follows:
- Identity Data includes first name and last name.
- Contact Data includes billing address, delivery address, email address, and telephone numbers.
- Financial Data includes bank card details and billing address.
- Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices used to access this website.
- Profile Data includes purchases or orders made, feedback, and survey responses.
- Usage Data includes information about how individuals use our website, products, and services.
- Marketing and Communications Data includes preferences in receiving marketing from us.
We do not knowingly collect any Special Categories of Personal Data (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Our website and systems are not designed for use by children under the age of 13 so we do not directly collect personal data about children. We may indirectly collect this information where an individual makes a booking or otherwise provides us with personal data on behalf of a third party who is under the age of 13. In these cases, the individual providing the personal data is responsible for ensuring they are able to share the personal data with us.
If we are not provided with personal data
If an individual fails to provide data which we need to collect by law, or under the terms of a contract we have with the individual, we may not be able to perform the contract we have or are trying to enter into (for example, to provide the individual with services). In this case, we may have to cancel a service but we will confirm with the individual at the time.
- How is personal data collected?
We will not use personal data without either (a) letting the individual know at the point of collection or (b) acting as a processor in respect of personal data and having appropriate terms in place.
We use different methods to collect personal data including:
Direct interactions. Where an individual gives us personal data themselves, by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data provided when an individual:
- applies for our products or services;
- subscribes to our service;
- requests marketing correspondence is sent to them;
- signs-up to attend a sales webinar;
- requests /and or attends a sales meeting at an event;
- gives us feedback or contacts us.
Automated technologies or interactions. As individuals interact with our website, we will automatically collect Technical Data about equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about individuals if they visit other websites employing our cookies.
Third parties or publicly available sources. We will receive personal data from various third parties as set out below:
- Technical Data from analytics providers such as Google based outside the EU, advertising networks such as Google Ad Words based outside the EU; and search information providers such as Google based outside the EU.
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services such as GoCardless (based within the EU) and Stripe (based outside the EU).
- Traveltek as a processor
Where we act as a data processor for any individual making bookings through online booking systems accessed via our site on behalf of third parties, we receive some personal information direct from the relevant individual responsible for making the booking. Any processing that we do in this role is covered by data processing arrangements in our terms and conditions. There may, on occasion, be special category data provided and we will always ensure there are adequate technical and organisational measures in place to protect the integrity and confidentiality of this data.
- How we use personal data
Our use of personal data will only be where the law allows us to and in most cases will be based on one of the following lawful grounds:
- Where we need to perform the contract we are about to enter into or have entered into with an individual.
- Where it is necessary for our legitimate interests (or those of a third party) and the individual’s interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation.
Generally, we do not rely on consent as a legal basis for processing personal data although we will get your consent before sending third party direct marketing communications to any individual via email or text message. Individuals will always have the right to withdraw consent to marketing at any time by contacting us
Purposes for which we will use personal data
We have set out below, in a table format, a description of all the ways we plan to use personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
We may process personal data for more than one lawful ground depending on the specific purpose for which we are using the personal data. Please contact us if you need details about the specific legal ground we are relying on where more than one ground has been set out in the table below.
|Purpose/Activity||Type of data||Lawful basis for processing including basis of legitimate interest|
|To register as a new customer||(a) Identity
|Performance of a contract|
|To administer the services, including confirmation of identity, management of any requests or bookings made through our online booking system and management any payments required (including any late payments or recovery of debts due)||(a) Identity
(e) Marketing and Communications
|(a) Performance of a contract
(b) Necessary for our legitimate interests (to process orders, to manage payments and to recover debts due to us)
|To manage our relationship with customers, which will include:
(b) Asking customers to leave a review or take a survey
(d) Marketing and Communications
|(a) Performance of a contract
(b) Necessary to comply with a legal obligation
(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
|To enable customers to partake in a survey||(a) Identity
(e) Marketing and Communications
|(a) Performance of a contract
(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
|To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||(a) Identity
|(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation
|To deliver relevant website content and advertisements and measure or understand the effectiveness of the advertising we serve||(a) Identity
(e) Marketing and Communications
|Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)|
|To use data analytics to improve our website, products/services, marketing, customer relationships and experiences||(a) Technical
|Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)|
|To make suggestions and recommendations about goods or services that may be of interest to individual customers||(a) Identity
(f) Marketing and Communications
|Necessary for our legitimate interests (to develop our products/services and grow our business)|
Marketing / Promotional offers: We may also use personal data to inform individuals of news or offers we think they may find interesting, or to send promotional materials relating to any new features and offers relating to any of the products or services we provide through our website.
Third party marketing: Marketing
We will get express opt-in consent before we share any personal data with any third party for marketing purposes.
If an individual wants to opt out of or stop receiving marketing messages, they can do so at any time by following the opt-out links on any marketing message sent or by contacting us at any time.
Where an individual opts out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, product/service experience or other transactions.
Each individual user of our website can set their browser to refuse all or some browser cookies, or to alert when websites set or access cookies. If cookies are disabled or refused, please note that some parts of this website may become inaccessible or not function properly. Users are advised that if they wish to deny the use and saving of cookies from this website on to their computers hard drive they should take necessary steps within their web browser’s security settings to block all cookies from this website and its external serving vendors.
Cookies are small files saved to the user’s computer’s hard drive that track, save and store information about the user’s interactions and usage of the website. This allows the website, through its server to provide the users with a tailored experience within this website.
- Disclosures of your personal data
We may share personal data in certain circumstances and will always require third parties to respect the security of any personal data we share. We will not permit third party service providers to use personal data for their own purposes and limit data sharing to a specific purpose where possible.
- In certain circumstances we may share personal information with affiliated companies and service providers who perform functions on our behalf like Salesforce, Pardot, GoCardless & Stripe (without limitation) and our IT service providers. We may also share personal data with professional advisors where required.
- We may also supply personal information to government bodies and law enforcement agencies but only: if we are required to do so by the requirements of any applicable law; if in our good faith judgment, such action is reasonably necessary to comply with legal process; to respond to any claims or actions; or to protect our rights or those of our customers and the public.
- International transfers
Given the global nature of the Travetek business, personal data may be accessed by Traveltek entities in a number of locations worldwide. We ensure personal data is protected by requiring all our group companies to follow the same rules when processing your personal data.
Please contact us if there are any questions on the specific mechanism used by us when transferring personal data out of the UK or EEA or where it is accessed from out of the UK.
- Data security
We demonstrate our commitment to data privacy and protecting personal information by ensuring appropriate standards of technology and operational security are used, such as using a secure server and network firewall connection. Operationally, access to personal information is restricted to authorised personnel who are under a duty to maintain the confidentiality and security of such information. Where data is shared with third parties, they will only process personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and notify individuals and any applicable regulator of a breach where we are legally required to do so.
- Data retention
We will only retain personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Details of retention periods for different aspects of personal data are available on request.
In some circumstances, we will anonymise personal data (so that it can no longer be associated with an individual) for research or statistical purposes, in which case we may use this information indefinitely without further notice to the individuals concerned.
- Individual legal rights
All individuals have certain rights under data protection laws in relation to their personal data. If an individual wants to exercise the rights (which we have detailed in the section below), this can be done by contacting Traveltek on the details set out at the start of this policy.
Individuals have the right to:
- Right of access (commonly known as a “data subject access request”). Individuals have the right to request access to personal data held by a controller, which enables them to receive a copy of the personal data held and to check it is being lawfully processed.
- Right to rectification. This enables an individual to have any incomplete or inaccurate data corrected, though we may need to verify the accuracy of the new data provided to us.
- Right to erasure. Individuals can request that personal data is deleted or removed in the following circumstances:
- where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- when the individual withdraws consent, and the data was originally collected based on said consent.
- when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- the personal data was unlawfully processed.
- the personal data has to be erased in order to comply with a legal obligation.
This does not provide an absolute “Right to be forgotten”. Where the personal data in question has been disclosed to a third party, we will inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. Personal data will be erased from our internal and cloud servers. Note that we may not always be able to comply with a request of erasure for specific legal reasons which will be notified to the individual, if applicable, at the time of request. If an individual withdraws consent, we may not be able to provide certain products or services, but we will advise if this is the case at the time consent is withdrawn.
- Right to restrict processing. This enables individuals to ask us to suspend the processing of personal data in the following scenarios:
- to establish the data’s accuracy.
- where our use of the data is unlawful but the individual does not want us to erase it.
- where the individual needs us to hold the data even if we no longer require it to help them to establish, exercise or defend legal claims.
- the individual has objected to our use of personal data but we need to verify whether we have overriding legitimate grounds to use it.
- Right to object. Where we are relying on a legitimate interest (or those of a third party) and there is something about the particular situation which makes an individual want to object to processing on this ground (for example it feels like it impacts on fundamental rights and freedoms), an individual can object to processing. They can also object where we are processing for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data which overrides the individuals rights and freedoms (and can continue processing in that circumstance).
- Right to complain. Individuals also have the right to make a complaint or refer a matter to the ICO if they feel any of their rights have been infringed.
Some of the rights listed above are limited to certain defined circumstances and we may not always be able to comply with requests. We will keep individuals informed if this is the case
No fee usually required
In most cases we will not charge a fee to exercise any of the above rights. However, we may charge a reasonable fee if a request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with a request in these circumstances.
What we may need
We may need to request specific information from the individual concerned to help us confirm identity and ensure the person making the request is entitled to do so. This is a security measure to ensure that personal data is handled in a way it should not be or shared with a person who has no right to receive it. We may also contact individuals to clarify requests if required.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if a request is particularly complex or where a number of requests have been made. In this case, we will keep the individual updated on response times.