Privacy Policy
Hays Travel Privacy Notice (15th November 2024)
Introduction
1- Hays Travel Limited or Hays Tour Operating Limited (collectively referred to as “Hays Travel”, “we”, “us” or “our”) is the controller and responsible for your personal data. We are committed to respecting your and your child’s/children’s (collectively referred to as “you” or “your”) privacy and protecting your personal information.
This Privacy Notice sets out:
- When we collect personal data about you;
- What types of personal data we collect;
- Our legal basis for using your personal data;
- How we keep it safe;
- Who we share personal data with;
- Marketing communications;
- Data retention;
- Your rights and choices about the personal data that we hold;
- Contact us; and
- Making a complaint.
2- This Privacy Notice was last updated on 15th November 2024.
When we collect personal data about you
3- We collect personal information about you whenever you make a booking or otherwise interact with us in person or via telephone, our websites, our app, email or other contact methods (whether directly with us or through agents acting on our behalf).
The types of personal data we collect and why we collect it
4- Personal information, or personal data, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
(A) Identity Data
This includes data relating specifically to your identity, such as your first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, passport details and utility bill.
(B) Contact Data
This includes data relating to how you may be contacted, such as your billing address, delivery address, email address, telephone numbers, emergency contact details and next of kin contact details.
(C) Financial Data
This includes data relating to your means and methods of payment, such as your bank account details to set up direct debits, payment card details and source of funds.
(D) Transaction Data
This includes data relating to the transactions you have carried out with us, such as details about payments to and from you and other details of products and services you have purchased from us.
(E) Technical Data
This includes data that we may obtain when you interact with our website or app, such as your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.
(F) Profile Data
This includes the data that we receive when you create a profile on our website and/or app, make use of that profile and other data relating to the products and services you have purchased from us, such as your username and password, unique reference(s), booking reference(s), purchases or orders made by you, your interests, preferences, feedback and survey responses.
(G) Usage Data
This includes data relating to how you interact with our website and/or app, products and services.
(H) Marketing and Communications Data
This includes data relating to your preferences in relation to whether or not you want to receive marketing information from us and/or our third parties and also your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for the purposes set out in the table below. Aggregated Data may derive from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we will treat the combined data as personal data which will be used in accordance with this Privacy Notice.
Special Categories of Personal Data
We also collect the following Special Categories of Personal Data about you. For example, details concerning your:
- dietary requirements which may disclose your religious or philosophical beliefs;
- health (including but not limited to details relating to disabilities); and
- nationality which may disclose your race or ethnicity.
We collect and process the above Special Categories of Personal Data only where it is strictly necessary to do so, for example to enable us to deliver the travel service that you have purchased. Furthermore, we will only collect and process the above Special Categories of Personal Data where you have provided us with your explicit consent to do so.
You are not under any obligation to provide your explicit consent to us processing your sensitive personal data. However, without your explicit consent, we won’t be able to make the necessary arrangements to provide the travel service that you have purchased. As a result, if you do not provide your explicit consent, we will be unable to provide you with the travel service you have purchased.
If you are happy to provide your explicit consent to our use of your sensitive personal data, you will also be able to withdraw your explicit consent at any time. However, this may prevent us from providing the travel service you have purchased meaning we will be required to treat any withdrawal of explicit consent as a cancellation of your booking and the cancellation charges set out in our Terms and Conditions will become payable.
We use different methods to collect personal data from and about you, including through:
- your interactions with us. You may give us your personal data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
  - make a booking of travel services;
  - create an account on our website;
  - subscribe to our newsletter or other publications;
  - request marketing to be sent to you;
  - enter a competition, promotion or survey;
  - leave us a review or give us some feedback; and/or
  - submit a web enquiry.
- automated technologies or interactions. As you interact with our website and/or app, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.
- third parties or publicly available sources. We will collect or receive personal data about you from various third parties and, where applicable, public sources, for example:
  - Companies House;
  - Electoral Register;
  - Trust Pilot;
  - analytics, advertising networks (including but not limited to Ozone, Criteo and Conectia) and search information providers such as Google;
  - social media platforms such as Facebook, Instagram, TikTok, YouTube and/or X; and
  - technical, payment and delivery service providers such as Worldpay.
The law requires us to have a legal basis for collecting and using your personal data. We have set out in the table below the lawful bases we rely on to process your personal data:
Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest
To register you as a new customer. | (a) Identity; and | (a) Performance of a contract with you; (b) Necessary for our legitimate interests (to provide website and app users with the option of booking their holidays themselves); and (c) Consent.
To process and deliver your booking (including, but not limited to, travel arrangements and insurance) including: (a) Manage payments, fees, charges and refunds; and (b) Collect and recover money owed to us. | (a) Identity; | (a) Performance of a contract with you; and
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or Privacy Policy; and (b) Asking you to leave a review or take a survey. | (a) Identity; | (a) Performance of a contract with you;
To enable you to partake in a prize draw, competition or complete a survey. | (a) Identity; | (a) Performance of a contract with you; and
To administer, operate and protect our business, this website and app (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). | Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business re-organisation or group restructuring exercise); and
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you. | (a) Identity; | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy).
To use data analytics to improve our website and app, products/services, marketing, customer relationships and experiences. | (a) Technical; and | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website and app updated and relevant, to develop our business and to inform our marketing strategy).
To make suggestions and recommendations to you about goods or services that may be of interest to you. | (a) Identity; | Necessary for our legitimate interests (to develop our products/services and grow our business).
To monitor our communications with you in order to check any instructions given to us, for training purposes, for crime prevention and to improve the quality of our customer service. | (a) Identity; | (a) Necessary for our legitimate interests (to assist us in training our employees); and
To sign you up as a member and/or to receive our marketing (for example emails). | (a) Identity; |
To communicate and/or follow up your enquiry via our website and app, email and/or social media channels. | (a) Identity; | Necessary for our legitimate interests (to provide you with the information you have requested).
To communicate with you as a supplier or partner of ours. | Identity; and Contact. | Performance of a contract with the business you represent.
To manage claims made by you via your credit card provider. | Identity; and Profile. | Necessary to comply with a legal obligation (Section 75 Consumer Credit Act 1974).
To manage, respond and resolve your complaint(s), offer future services that may be of interest to you and provide you with a point of contact. | Identity; Contact; and Profile. | Performance of a contract with you; Necessary for our legitimate interests (to enable us to deliver/continue to deliver a high-quality service, for example to resolve your complaint(s)); and Consent.
To process requests for cancellations, special assistance and erratas from supplier and tour operators. | Identity; Profile; and Special Categories of Personal Data. | Performance of a contract with you; Necessary for our legitimate interests (to enable us to cater for your needs and requirements); and Consent.
To invite you to attend our events. | Identity; and Contact. | Necessary for our legitimate interests (to be able to fulfil our event planning and delivery processes); and Consent.
To showcase the quality of our products and services by sharing recommendations and feedback from other customers. | Identity Technical | Necessary for our legitimate interests (to promote our products and services).
To report health and safety incidents. | Identity; Contact; and Special Categories of Personal Data. | Necessary to comply with a legal obligation.
To protect our business and property interests for legal compliance with the relevant legislation and/or to establish or defend legal claims. | Identity; Contact; Financial; Transaction; Profile; Marketing and Communications; Usage; and Special Categories of Personal Data. | Performance of a contract with you; Necessary for our legitimate interests (to enable us to establish claims made by us, or defend claims made against us); and Necessary to comply with a legal obligation.
Our legal basis for using your personal data
5- We will only process your personal data where we have a legal basis to do so. Depending on the circumstances, the legal basis will almost always be one or more of the following:
- so that we can make and fulfil your booking or otherwise perform our contract with you;
- because it is in our legitimate interests to use your personal data to operate and improve our business as a travel agency;
- to comply with a legal obligation;
- to protect the vital interests of you or another person; and/or
- because you have consented to us using your personal data for a particular purpose.
How do we keep your personal data safe?
6- Protecting the confidentiality and integrity of your personal data is a responsibility that we take seriously at all times. We use appropriate technical and organisational measures to keep your personal data secure against unauthorised or unlawful processing, and against accidental loss, destruction, or damage.
Who do we share your personal data with?
7- In order to provide products or services requested by you, we may share your personal data with our suppliers and other third parties concerning your travel arrangements, including but not limited to airlines, accommodation providers and insurance providers. In most cases such suppliers will themselves separately be controllers of your personal data. For example, we use the following suppliers to assist with the day-to-day running of our business:
- storage suppliers including, but not limited to, Smartsheet, Microsoft, IBM Cloud, OneDrive and Smartsheet;
- social media platform providers including, but not limited to, Facebook, Instagram, TikTok, YouTube and X;
- marketing, IT and system administration service providers including, but not limited to, Google Analytics, Hotjar, Campaigner, Vonage, Smoothwall, Unitrend and IceWarp;
- payment processing providers including, but not limited to, Worldpay;
- other suppliers and partners including, but not limited to, Rush Insurance Services Limited, easyJet holidays, TUI, Royal Caribbean International, Jet2holidays, P&O Cruises, Travelport, TravCom, Holiday Webtech, Mitel, Emplifi, Microsoft and Pyramid Analytics;
- professional advisers and regulatory authorities including, but not limited to, lawyers, bankers, auditors, border control, insurers who provide consultancy, banking, health and safety, legal, insurance and accounting services; and
- third parties (including internal) to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
8- We may share your personal data within the Hays Travel group of companies (for example Hays Tour Operating Limited, Hays Beds Limited, Hays Transfers Limited, Hays Foreign Exchange Limited and/or Hays Transport Limited) to enable us to provide you with the services you have requested. This Privacy Notice applies to their processing of your personal data on behalf of Hays Travel.
9- It is often necessary for us to send your personal data outside the UK and European Economic Area (EEA) to fulfil your travel arrangements. This is because the suppliers providing your travel services are located around the world. Also, your personal data may need to be transferred to border control and immigration outside of the EEA for security and anti-terrorism purposes. This may involve sending your personal data to countries whose local laws do not provide the same level of protection as required by the UK data protection legislation. Whenever we transfer your personal data out of the UK and EEA to service providers, we ensure a similar degree of protection is afforded to it by ensuring that the following safeguards are in place:
- we will only transfer your personal data to countries that have been deemed by the UK to provide an adequate level of protection for personal data; or
- we may use specific standard contractual terms approved for use in the UK which give the transferred personal data the same protection as it has in the UK, for example the International Data Transfer Agreement.
Marketing communications
10- When you book or register with us, we will ask if you would like to receive marketing communications. If you have previously agreed to receive marketing communications, we may send you relevant offers and news about our products.
11- You can change your marketing preferences by contacting us using the details set out below, by using the ‘unsubscribe’ link in our marketing emails, by replying STOP to our marketing text messages or by replying UNSUBSCRIBE / STOP to our WhatsApp marketing messages.
12- We will respect your choice as to what communications you wish to receive and the methods by which you are sent them.
Data retention
13- We will keep your personal data for only as long as it is necessary for the purposes set out in this Privacy Notice. For example, after travel we will keep the information related to your booking so that we can respond to any complaints and fulfil our record keeping obligations. After this time, we will securely erase or anonymise your personal data. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Your rights and choices about the personal data that we hold
14- You have a number of rights under the UK data protection legislation in relation to your personal data, including:
- asking us for a copy of the personal data that we hold about you;
- asking us to correct any personal data which you do not think is correct;
- asking us to delete the personal data we hold about you;
- objecting to our processing of your personal data where we are relying on legitimate interest as the legal basis and/or are processing your personal data for marketing purposes;
- requesting us to transfer your personal data to you or to a third party;
- requesting us to restrict the processing of your personal data; and
- withdrawing your consent to us processing your personal data where we are relying on consent as the legal basis.
15- To comply with these requests, we may need you to confirm your identity by providing us with relevant documents and/or additional information.
Contact us
16- We have appointed a Data Protection Manager who is responsible for overseeing matters in relation to this Privacy Notice. If you have any questions or concerns about our use of your personal data, please contact the Data Protection Manager using the details set out below:
Data Protection Manager
Hays Travel Limited
Gilbridge House
Keel Square
High Street West
Sunderland
SR1 3HA
You can also email dpmanager@hays-travel.co.uk or call us on 0333 033 9985.
(Please note that standard call charges may apply. If you are unsure whether these charges apply, please contact your network provider).
Making a complaint
17- You can complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have used your personal data. The ICO’s address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk