Data Protection and Privacy Policy

We collect a considerable amount of personal data about you and this statement sets out how seriously we take your data privacy and security.

This policy tells you about what personal data we collect from you, why we do this and what we will do with it. It also tells you about some of the key rights which you have under data protection laws. You and your personal data is protected by the UK General Data Protection Regulation (which is otherwise known as UK GDPR) and the UK Data Protection Act 2018. In this privacy policy, we refer to this legislation as data protection laws.

We will only process your personal data as set out in our privacy policy or otherwise notified to or agreed by you or as we are otherwise permitted to do in accordance with data protection laws.

When we refer to “you” in this privacy policy, we mean the lead passenger, anyone else we communicate with in respect of an enquiry, quote or booking (for example, the person by or through whom payment is made if not the lead passenger), all persons who travel or are intended to travel on holiday and the parent/guardians of any minors who travel or who are intended to travel.

Inntravel understands and respects the importance of your privacy. We are committed to safeguarding your personal data and this policy outlines our commitment to you;
• we will be transparent about the data we collect and what we will do with it;
• we will use the data you give us only for the purposes described in this policy;
• we will use the data to help understand your needs and provide more relevant offers;
• if you tell us to cease marketing messages, we will stop sending them (albeit we will continue to send important information relating to a product or service you have purchased to keep you informed about your booking and travel itinerary);
• we will put in place measures to protect your data and keep it secure;
• we will respect your data protection rights and data protection laws.

Sharing of personal data across Hotelplan UK
We are part of the Hotelplan UK group, which comprises Explore Worldwide Ltd, Inntravel, Inghams, Esprit and Santa’s Lapland, as such we manage our data within a Single Customer View (SCV) for all five brands. This means that whilst each brand can only see the data relevant to their brand, if you have given your data to two or more of the brands, any updates to your personal data with one, will update the SCV as a whole to maintain the data’s integrity and currency; this includes, but is not exclusive to, your name and your contact details.

We have appointed a Data Privacy Manager ([email protected]) who is responsible for responding to questions you may have. The Hotelplan UK Group has also appointed a Data Protection Officer ([email protected]) who is a point of escalation should you feel your request has not be dealt with satisfactorily by the Data Privacy Manager. If you feel your data has been incorrectly handled, or you are unhappy with our response to any requests you have made, you have the right to make a complaint to the Information Commissioner’s Office (ICO). You can contact them on 0303 123 1113 or go online to ico.org.uk/make-a-complaint/.

Confirms our role for the purposes of data protection laws.
 
For the purposes of data protection laws, we, Inntravel, are a data controller in respect of the personal data you provide us with.

Summarises the meaning of personal data and processing. 

When we refer to personal data, we mean any information which relates to an identified or identifiable individual.

Where we refer to process or processing, we mean anything which we may do with your personal data including collecting, storing, using, disclosing to third parties and erasing it.

Summarises what personal information we collect, and why.

In order to respond to an enquiry, provide a quote, administer and fulfil your booking or send you any promotional material, we need to process personal data we obtain from you.

Data that you provide us with can take many forms, but where you make an enquiry or wish to make a booking it is likely to include:
    • your name, gender, date of birth, contact details (postal address, email address and telephone number) and marketing preferences;
    • your preferred rooming arrangements and other special requests (which may include special categories of personal data, see below);
          • special dietary information
          • information in respect of any medical condition, disability or reduced mobility which may affect anyone travelling – this comes within special categories of personal data (see below)
    • the name and telephone number of an emergency contact person (whom we will only contact in urgent circumstances while you are away);
    • your travel insurance details;
    • your passport details and other information directly required to provide your holiday arrangements;
• when you call us or correspond with us about your booking, we may record the call and/or keep information on why you contacted us, and the advice we gave you;
• when you make a payment to us, we will receive information from you including details of your payment card or your bank account (this information is processed using a third party payment services provider and is not stored by us);
• on your return from holiday we e-mail or post a satisfaction survey to you. This gives us specific feedback on any issue you may have experienced, and statistical data we can amalgamate in order to monitor the quality of our holidays;
• when you visit us at a public event, such as trade show or exhibition or participate in one of our surveys, competitions or prize draws, we may ask for information, such as your name, contact details, interests and marketing preferences;
• when you use our online services, we may receive content that you choose to upload such as reviews, comments, photos, forum posts or details of your interests and marketing preferences;
• you may also provide us with written or photographic content for us to load on to our website, including reviews and articles.

DATA WE MAY COLLECT FROM OTHER SOURCES
We may also collect data from publicly available sources and third parties, including:
• from a Travel Agent acting on your behalf in the sale of a travel arrangement to you, and sharing some data about you and your purchase with us;
• data about you from other Hotelplan UK Group companies that you interact with;
• payment information from our payment services provider including debit/credit card numbers, bank account and other details in order to issue refunds;
• information relating to your use of any of our social network applications, pages or plugins.

DATA WE MAY COLLECT WHEN YOU USE OUR WEBSITE
Our websites provide us with information about your use, including:

• details of the content that you view and interact with during a browsing session and how long you spend looking at specific pages; through behavioural metrics, heatmaps and session replay to improve and market our products/services at specific pages through tools such as Microsoft Clarity and Microsoft Advertisisng
• technical information such as, but not limited to, service, product or server logs, IP address, time and location, domain, device and application settings, errors and hardware activity etc;
• interests and preferences that you specify during the curation of your holiday arrangements;
• email/chat communications you have with us may be monitored and logged.

AGGREGATED INFORMATION DERIVED FROM YOUR PERSONAL DATA
We collect, use and share aggregated data such as statistical and demographic data for analytical purposes. Whilst derived from your personal data, it is not considered personal data as this data does not directly or indirectly reveal your identity.

SPECIAL CATEGORIES OF PERSONAL DATA
Personal data which concerns your health or which reveals your racial or ethnic origin or your sexual orientation are special categories of personal data. Other information also comes within special categories but this is unlikely to be relevant to the booking and provision of travel arrangements.

Generally speaking, the processing of special categories of personal data requires the explicit consent of the person concerned.

Accordingly, information concerning any disability, medical condition, restricted mobility or other health related issue (and related requirements) as well as dietary restrictions which disclose your religious beliefs or any health issue are special categories of personal data. We will ask for your consent to our processing this information at the time you make your booking or your booking enquiry or whenever you otherwise provide or indicate that you intend to provide such information. This consent should be provided to us by the party leader on behalf of the person concerned who must authorise the party leader to do so.

In the case of special categories of personal data which relates to children and young people under the age of 18 when the consent is required, consent will need to be provided by the party leader on behalf of the individual’s parent or legal guardian who must authorise the party leader to do so.

We will only collect, use and share special categories of personal data about you only where it is strictly necessary in order to deliver the travel arrangements you have purchased (for example, to assist with visa applications or ensure appropriate food for those with serious/life threatening allergies).

IF YOU FAIL TO PROVIDE PERSONAL DATA
Should you fail to provide data required either by law, or necessary to provide your chosen travel arrangements, we will not be able to provide the services you have booked or are attempting to book. This may result in Inntravel being unable to process your booking and be forced to cancel the booking. In this case, we will treat this as a ‘cancellation by you’ in accordance with the relevant Booking Terms & Conditions and notify you accordingly.
 
We ask that you please take care when submitting information to us, in particular when completing free text fields or uploading documents and other materials. Some of our services are automated and we may not recognise that you have accidentally provided us with incorrect or sensitive information.

This explains how we may use and share the information we collect for a wide range of purposes.

We may use and share the data we collect for a wide range of purposes to ensure we give you the best possible customer experience and ensure the appropriate performance of the contract.

GENERAL
Where you make a booking, appropriate personal data will be passed on to the relevant suppliers of your chosen travel arrangements. If you ask us to book any additional services we will have to pass on your details to the supplier of those services. Suppliers and other third parties will be named in the booking documentation and are likely to include the following depending on the travel arrangements booked:
• accommodation, restaurants and transport providers;
• local ground partners and agents, where we use them;
• equipment hire operators, including our cycling partners and ski hire providers;
• guides, tutors and local attractions where booked on your behalf.

In order to deal with and administer your booking we will use your personal data:
• to provide you with information on our products and services, and also to deal with your requests and enquiries regarding holiday arrangements;
• to contact you if we need more information or if there are changes to your travel arrangements;
• to provide customer care and to deal with any questions or issues that you have prior to, during, or on your return from holiday.

We may also use your personal data
• for staff training and quality assurance purposes;
• to ask for your opinions on our products and services (via ourselves or through a third party agent);
• to conduct prize draws, contests and other promotional offers;
• to consider employing you if you send us your details in response to our recruitment advertising or if you approach us with a speculative employment enquiry.

When you make a booking, you will be prompted to give credit/debit card or other payment details to a third party payment processor. Whilst it may feel like we are collecting this information, it is actually being collected by the payment processor directly in order to take authorised payments.

Personal data may also be provided to government / public authorities such as customs or immigration if required by them, or as required by law.

We may also make personal data available to other companies who provide services on our behalf, such as direct marketing, administration, customer care, legal or professional advice, website hosting and the re-organisation/structuring/sale of our business.

To help us design our website and improve your experience, we may collect information about the way you use and access our website, as explained in our cookies policy. Our website may use technologies such as Microsoft Clarity to help analyse how users navigate our web pages, links and forms and help us provide you with a good experience when you browse. Where Microsoft Clarity is in use Microsoft collects or receives personal data from us to provide their services. A link to the Microsoft Privacy Statement appears here: https://privacy.microsoft.com/en-us/privacystatement

We only provide third parties with the personal data they require in order to deliver their services. Other than in relation to government / public authorities (over whom we have no control), we will take appropriate steps which are intended to ensure that anyone to whom we pass your personal data for any reason agrees to keep it secure, only uses it for the purposes of providing their services and does not collect any personal data from you in the course performing their services.

In the event of our insolvency we, or any appointed insolvency practitioner, may disclose your personal information to the CAA and/or ABTOT so that they can assess the status of your booking and advise you on the appropriate course of action under any scheme of financial protection. The CAA’s General Privacy Notice is at https://www.caa.co.uk/Our-work/About-us/General-privacy-notice/ and ABTOT's Privacy Policy is at https://www.abtot.com/privacy-policy-cookies/.

Some of our online services allow you to upload and share messages, reviews, photos, video and other content and links with others. We will obtain consent if we publish this information on our websites, marketing collateral or social media profiles. You should not expect any information that you make publicly available to others via our online services to be kept private or confidential and you should always exercise discretion when using such services.

MARKETING COMMUNICATIONS
If you wish to receive any promotional materials from us, for example brochures, newsletters and other communications, or if you wish to enter a competition or take part in a survey, we will need your name and the contact details applicable to the form of communication you have consented to. For example, if you wish to receive information by e-mail, we will need your e-mail address.

PERSONALISED AND TARGETED CONTENT, RECOMMENDATIONS AND ADVERTISEMENTS
We may use the information we collect to personalise and more effectively target our services, content, recommendations, adverts and communications. For example, you may see an advertisement for a holiday that you have recently viewed on one of our websites when browsing at a later stage.

This personalisation and targeting on our websites or in our online advertisements and communications may make use of cookies set by us or our third party advertising partners. Please see our Cookie Policy for more information.

STATISTICS
We may use your personal data to create anonymous, aggregated statistics about the use of our websites, products, services and loyalty programs, which we may share with third parties and/or make available to the public.

PRODUCT IMPROVEMENT
We may use your personal data to develop and improve new and existing products and services, recommendations, advertisements and other communications and learn more about our customers’ holiday preferences in general.

PUBLISH YOUR REVIEWS, COMMENTS AND CONTENT
Where you upload or provide us with product reviews, comments or content to our websites that are publicly visible, we may link to, publish or publicise these materials elsewhere including in our own advertisements.

COMBINING THE INFORMATION WE COLLECT
We may link or combine the information that we collect from the different sources outlined above (including information received from other Hotelplan UK Group companies) via a unique identifier, such as a cookie or email address. We may do this to provide a more seamless customer support whenever you contact us and to provide you with better, personalised services, content, marketing and adverts.

Your personal data may be transferred, processed or stored by individuals or service providers outside the UK or European Economic Area (EEA). EEA countries are all member states of the European Union together with Norway, Iceland and Liechtenstein. This sets out the precautionary measures and available steps taken to protect your data.

We may need to transfer your data to third parties based outside the UK or EEA and who may process, share and store your personal data in order to fulfil the holiday arrangements you have booked with us. By submitting your personal data, you are acknowledging this transferring, storing and processing.

For all other transfers of personal data outside the UK or EEA, we will ensure personal data will not be transferred to a country outside the UK or the EEA unless (1) the country to which it is transferred is one which the UK government considers to provide an adequate level of data protection or (2) the personal data is transferred to a company which is required by our contract with them only to deal with the data in accordance with our instructions and to maintain appropriate security to protect the personal data which we are satisfied they have or (3) we are obliged to provide the personal data to a government / public authority in order to provide your booking.

Details how we use your personal data to send you marketing communications, and how you can change your marketing preferences.

BROCHURES AND OTHER PRINTED MATERIALS
We sell our holidays directly to customers and so sending out brochures and other marketing communications by post from time-to-time is very important to the way we do business.

We use data we have collected from bookings, brochure requests and other forms of engagement to decide what marketing information our customers may like to receive, and we have identified and assessed this as our Legitimate Interest.

We do however provide an opportunity to opt-out of this direct marketing during the booking or enquiry process and in subsequent communications. You may contact us at any time to opt-out of this direct marketing, full contact details can be found in the “Contact us” section of our Privacy Policy.

EMAIL COMMUNICATIONS
When you communicate with us, we may give you the opportunity to subscribe to our weekly email newsletter. Once subscribed, you can choose to unsubscribe at any time:
• to unsubscribe from an email sent to you, follow the ‘unsubscribe’ link and/or instructions placed (typically) at the bottom of the email;
• this method will only unsubscribe specifically for the e-newsletter or other communication received. Should you receive other marketing such as brochure mailings, you will need to opt-out separately by contacting us to change your marketing preferences.

GENERAL
You can contact us using the details in the “Contact us” section below in order to change your marketing preferences at any time.

Please note that despite opting out of marketing communications, you will still receive service communications where necessary, for example, to confirm your booking or to provide you with an update on its status.

If you ask us to stop sending marketing communications, we will retain your personal data for the purposes of indicating that you do not want to receive marketing communications. You may continue to receive postal communications for up to 4 weeks and emails for up to 5 days after your requested change while our systems are fully updated.

Identifies our legal rationale as to why we may collect and process your personal data, which could alternate between contractual obligations, legitimate interest, legal compliance or consent depending on the nature of its use.

We will only process your personal data where we have a legal basis to do so. The legal basis will depend on the reason or reasons we collected and need to use your data. Under data protection laws in almost all cases the legal basis will be:
• because we need to use your data to process your booking, fulfil your travel arrangements and otherwise perform the contract we have with you;
• because there is a Legitimate Interest to use your personal data to operate and improve our business as a tour operator and travel provider (a Legitimate Interest assessment is performed prior to making this determination);
• because we need to use your personal data to comply with a legal obligation;
• because you have consented to us using your data.

Explains how long we will keep your personal data to fulfil the purposes described in this policy, and what happens to your data at the end of that retention period.

We will not process your personal data in a form which enables you to be personally identified for any longer than is necessary in order to fulfil the purpose for which it was originally collected or for any other legitimate business purpose. For example, where you book a holiday with us, we will keep the information related to your booking, so we can fulfil the specific travel arrangements you have made and after that, we will keep the information for a period which enables us to handle or respond to any complaints, queries or concerns relating to the booking and to fulfil our obligations to our third party suppliers who provided your holiday arrangements. The information may also be retained so that we can continue to improve your experience with us while you continue to engage with and purchase from us.

If you have consented to receiving marketing communications from us, we may continue to use your personal data for this purpose until you withdraw your consent or otherwise for as long as we reasonably consider your consent remains valid and effective.

We will actively review the data we hold and delete it securely, or in some cases anonymise it, when there is no longer a legal requirement, business need or customer interest for it to be retained.

By law we have to keep basic information about our customers for legal and tax purposes (including identity, contact, financial and transaction data) for up to 7 years and sometimes longer after they cease being customers.

Lists the steps we take to protect your personal data and keep it secure.

We take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, which is appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.

The steps we include where appropriate:
• ensuring that we are PCI compliant when processing your payments;
• putting in place physical, electronic, and procedural safeguards in line with industry standards to limit access to the data we collect about you;
• monitoring our system for possible vulnerabilities and attacks to identify ways to further strengthen our security.

Our websites use cookies placed on your computer to collect and log information and visitor behaviour in order to distinguish you from other users. This helps to optimise performance and personalise content as well as ensuring the site operates efficiently.

Please note that in order for us to provide you with the optimum service, we use ‘Cookies’ on our website. Cookies are small text files sent to your computer when you access our site. The cookies used on our site are anonymous and contain no personal data (such as name and address) or card details, but do identify your computer so that you can navigate our site more easily and our website can remember your preferences. For more information regarding deleting and controlling cookies, please visit www.aboutcookies.org.uk.

Please refer to our Cookie Policy.

Explains how you can access your personal data and outlines your rights, for example requesting corrections and asking us to exclude you from direct marketing.

For a copy of the personal data that we store about you in our customer databases, please contact us using the details given in the “Contact us” section below. You will be asked to provide some proof of identification so that we can verify that it is you making the request. No fee will be charged unless it is obviously unfounded or excessive or we have previously provided the same information. We will respond to your request without delay and in any event within 1 month unless the request is complex or you have made numerous requests, in which case we may be able to extend our response time by a further 2 months.

This is in addition to your legal rights including;
• the right to access a copy of your personal data;
• the right to request the deletion or updating of any inaccurate personal data;
• and the right to object, in certain circumstances, to our processing of your personal data for direct marketing.

If you believe that any of your personal data we hold about you is inaccurate, out of date or incomplete please tell us as soon as possible. We will rectify the problem within 1 month or within 3 months if the rectification request is complex.

You can ask us to erase your personal data in certain circumstances, for example where you have withdrawn your consent to further marketing material where the data in question has only been processed for this purpose. However, we cannot always agree to delete your data. Please see the paragraph “How long do we keep personal data” for further information on the period of time we may retain personal data.

If you are concerned that we have not complied with your legal rights or applicable privacy laws, you may contact the Information Commissioner’s Office (ico.org.uk) which is the regulator responsible for data protection in the United Kingdom, where Inntravel is located. Alternatively, if you are located outside of the United Kingdom, please contact your local data protection authority.

Explains that our websites may occasionally contain links to or from third-party websites and that this privacy policy and our responsibility does not extend to these other websites.

Our website may contain links to other websites that are not operated by Inntravel. Whilst we try to link to sites that share our high standards and respect for privacy, we are not responsible for the content, security or privacy practices of those websites. You should view the privacy and cookie policies displayed on those websites to find out how your personal data may be used.

Provides contact details for you if we not have answered your questions satisfactorily, or to request what personal data we hold on you.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if any of the details you provide to us should change, during the course of your relationship with us.

If you need further assistance or would like to make a comment, you can contact us in a number of ways:
1. By post to Data Privacy Manager, Inntravel, Near Castle Howard, York, YO60 7JU, UK
2. By telephone on 01653 617771
3. By email on [email protected]

The appointed Data Protection Officer (DPO) for the Hotelplan UK Group can also be contacted in the following ways:
1. By post to Data Protection Officer, Nelson House, 55 Victoria Road, Farnborough, Hampshire, GU14 7PA, UK
2. By email on [email protected]