1. What we collect
- Identity & contact: name, email, phone.
- Traveller details: date of birth, nationality, passport information where required for air travel; loyalty numbers (optional).
- Booking data: itineraries, flight PNRs, hotel details, price, currency.
- Payment data: tokenised card/payment details via our payment providers (we do not store full card numbers).
- Technical data: device, browser, IP, approximate location, cookies.
- Support communications: messages and issue history.
2. Why we use your data (legal bases)
- Fulfil bookings & provide services (contract).
- Customer support & safety notices (contract/legitimate interests).
- Fraud prevention & security (legitimate interests/legal duty).
- Analytics & product improvement (legitimate interests; aggregated where possible).
- Marketing communications with consent; you can withdraw at any time.
3. Sharing your data
- Suppliers (airlines, hotels) via Duffel to issue and manage bookings.
- Payment providers (Stripe, Duffel Payments).
- Insurance partners (when you choose insurance).
- Vendors for hosting, email, and analytics (minimal necessary).
- Authorities where required by law.
4. International transfers
Where partners are outside the UK/EEA, we apply appropriate safeguards (e.g., SCCs, UK IDTA).
5. Retention
- Booking & invoicing records: usually 6–7 years (tax/accounting).
- Support tickets: up to 24 months after closure.
- Marketing data: until you unsubscribe.
Minimal logs may be kept longer if legally required.
6. Your rights (UK GDPR)
You can request: access, correction, erasure, restriction, data portability, or to object to processing.
You can also withdraw consent for marketing at any time.
Complaints can be made to the Information Commissioner's Office (ICO) at ico.org.uk.
7. Cookies
We use cookies for core functionality, analytics, and (if you consent) marketing. You can manage preferences via our cookie banner.
8. Updates
We will update this policy as needed and post the revised version here with a new date.