This Privacy Notice explains the types of personal data we collect about you when you deal with us. It also explains what we do with that data, how we keep it safe, and your rights in relation to our processing of it.
Who are we?
We are Spa Breaks Ltd (company number 06404659), and if you have any questions regarding the way we process your personal data you can get in touch with our Data Protection Officer:
Data Protection Officer
What do we do with your data?
We are a spa booking agent, and we process your personal data in order to:
- deal with any enquiry you make about the holidays we sell;
- handle administration associated with any holiday arrangements you book with us (for example making amendments to the arrangements, collecting payment from you or asking you to review your trip);
- ensure that our suppliers (e.g. hotels, airlines) are able to provide the services that make up your holiday;
- contact you about the products we sell, which we hope will be of interest to you;
- ensure the smooth running of our online services and call centre operations.
In the sections below we describe the ways in which we process your data, including:
- in each case, the ‘lawful basis’ on which we rely;
- which information about you we collect;
- how we use it;
- how long we keep it for;
- any rights you have to opt out of or object to the processing.
We may share your personal data with third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
The following definitions apply in the sections below:
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting firstname.lastname@example.org.
Contract legal basis means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
How do we process your information when you enquire about our holidays?
We collect some information about you if you make contact with us in order to obtain information before you make a booking. This contact might be made by filling in a form on our website, or by telephone or email. In each case, we might ask you for your:
- email address;
- telephone number(s);
- postal address;
We will process your personal data so that we can give you the information that you requested, and we rely on the ‘contract’ lawful basis when we perform this processing.
If you provide us with contact details (e.g. an email address) when you request information prior to making a booking, we will also use those contact details in order to send you information about other, similar holidays sold by us in the future. At the point we collect your contact details (email address, telephone number or postal address) we will ask you if you would prefer not to receive marketing materials from us.
Even if you choose to receive these materials, you can tell us to stop sending them at any point in the future, either by clicking the ‘unsubscribe’ link in an email, by calling us, or by contacting email@example.com. When we process the personal data received in the course of a sale (or negotiations for a sale) in order to send marketing materials, we are doing so under the lawful basis called ‘legitimate interests’.
How do we process your information when you make a booking?
When you make a booking with us, we might ask for more personal data so that our suppliers can fulfil our (or their) obligations to you. For example, if you book a flight we will ask for your date of birth and passport number so that we can make the appropriate arrangements with the airline. We will only ask for details that are necessary in order to deliver the services you have booked with us, and we will only process them in order to deliver those services.
The arrangements we make for your holiday are fulfilled by our suppliers: hotels, airlines etc. When we confirm your booking we make sure you are aware of all the companies involved in delivering the services you have requested, and we pass on to them only the details that they need so that they can deliver those services. For example, if you book a hotel stay with us we will make sure that they are aware of your name, the date you are arriving, and how long you will stay.
Both we and our suppliers of travel services act as data controllers when you book with us. We never give our suppliers contact details for you unless it is absolutely necessary to provide the services you have requested, and even in this case our contract with them does not allow those details to be used for marketing purposes. They may independently ask if you are happy for them to use you personal data in other ways; if you consent, this will be a direct arrangement between you and them. If you have any questions about how our suppliers process your information you can call us or email firstname.lastname@example.org.
Between the time you book with us and the time you travel we may need to contact you directly about your booking using the details you have given us. For example, we might email you in order to request that you pay your balance, or call you to tell you about a change of flight time.
When you book with us we will ask you to make sure that other members of your party are happy for us to process their details in the same way as your own.
We rely on the ‘contract’ legal basis for all of the processing we perform in order to provide the services you have booked with us.
Independently of this, we would like to ask you for a review both of our booking process and of your trip after you have travelled. For this processing we rely on our ‘legitimate interests’, but you can ask us at any time not to process your details for this reason.
How do we process your information when you phone us?
When you call us our systems automatically record some details, for example the number you called us from, who you spoke to, and how long you spoke to us for. We also record the audio of all calls in and out of our call centres.
We process this information under our ‘legitimate interests’ in order to help us resolve complaints or disputes. These recordings and call details are kept for long enough that we still have access to them for a reasonable amount of time after each booking has travelled; at present, this time period is 12 months.
How do we process your information when you email us?
When you email us, we keep a record of the email to help us with the administration of your booking and to resolve any complaints or disputes that might arise. We rely on our ‘legitimate interests’ for this processing.
How do we process your information when you visit our website?
When you visit our websites we keep logs of your visit containing such information as the IP address from which you made each request, the type of browser you were using and the pages you viewed. Unless you explicitly give it to us, for example by making an online booking, we don’t store any information other than your IP address that might identify you to us, and we only keep these logs for long enough to ensure that we are able to fix any technical problems that might arise.
We use Google Analytics in order to analyse how our visitors use our websites, and to measure the effectiveness of our marketing on the Internet. This information is only ever processed in aggregate, and we never link it back to any personal identifier.
When you visit our websites we might show you a phone number which is unique to your current visit. If you phone us on that number, we link it to the activity during your visit, but there is no way for us to link it to any other information about you. We do this in order to analyse which marketing campaigns and pages on our website are most likely to lead to phone calls, and to ensure that when you call us you are put directly in contact with the department best able to help you.
If you make a booking with us we sometimes pay a commission to a third party that linked you to our website. We store and pass back to the third party only enough information about this activity to ensure that we are able to pay these commissions correctly, but the third party (e.g. a cashback or voucher code site) may process your information in other ways relying on your direct agreement with them.
We use a system called FullStory in order to make visual recordings of some visits to our websites in order to improve the user experience and identify technical problems. These recordings are linked back to a unique identifier stored in a browser cookie for the duration of those visits, but we don’t store anything that would enable us to link the recordings back to a person.
What rights do I have when you process data about me?
The General Data Protection Regulation (GDPR) gives you rights regarding the way we process your information, and we aim to allow you to exercise these rights easily.
Right to be informed
We inform you about the ways in which we process your personal data both here and in specific messages you will see on our websites when we record your data. Our call centre staff are also trained to keep you informed about the way your data will be processed throughout the booking process. If you have any questions about the way your data is processed you can contact us by phone, or email email@example.com.
Right of access
We are always happy to give you a copy of the information we hold about you. We may sometimes ask you for some information to confirm your identity before we are able to send the information, and we may sometimes ask you to clarify your request. You can email any request for the information we hold about you to firstname.lastname@example.org.
Right to rectification
If you believe any information we hold about you is inaccurate or incomplete, please let us know by email to email@example.com.
Right to erasure
If we are processing any information about you purely for marketing purposes, we are always happy to erase it. If you have made a booking with us, we sometimes have to retain the information in order to comply with the law or, for example, with the obligations imposed upon us by our contract with our insurers. If you contact us to request erasure of the personal data we will comply with your request insofar as we are able, and if we are not able to we will explain why.
Right to restrict processing
If you believe that you have grounds to request that we restrict our processing of your information, please contact us.
Right to data portability
If you request it, we will do our best to provide the information we hold about you in machine-readable form using open formats. The type of information we hold is such that we are unlikely to be able to perform a controller-controller transfer, as there are no open standards relating to such transfers.
Right to object
You have an absolute right to object to processing your personal data for marketing purposes, and we are always happy to comply with requests to exercise these rights. We will do our best to comply with other requests to stop processing your data, but in some circumstances we will be unable to – if that is the case, we will always explain why.
Rights related to automated decision making including profiling
We do not perform any automated decision making or profiling using the personal data that we process.
Third party data processors
We have agreements with third parties (data processors) who process personal data for us in accordance with our instructions. Below is a list of the data processors who may be processing your data on our behalf, and a brief summary of the type of processing they perform.
Google will process your personal data on our behalf as provider of our email services, as hosting provider for our websites and internal systems and as operator of Google Analytics and AdWords.
SendGrid provides our transactional email services and process, for example, the emailed copy of your booking documents.
PCA Predict (GB Group plc.) provides postcode lookup services on our websites.
Crafty Clicks provides postcode lookup services for our internal booking management systems.
Freshdesk (Freshworks Inc.) hosts the system that we use to manage contact with our customer services department.
Pay360 (Capita plc.) and Stripe provide our payment processing services.
Trustpilot hosts the software we use for recording and managing reviews of our booking process.
Emarsys provides our email marketing service.
GI Insight analyses our data to help us plan our marketing activities.
Your right to lodge a complaint with a supervisory authority
If you believe there is any problem relating to the way we are processing your personal data, you can always contact us by telephone or as firstname.lastname@example.org. If you are not satisfied with the way we have handled your query, you can contact the Information Commissioner’s Office.