Customer Privacy Notice

Important information

This Privacy Notice is a source of information that explains how we, Cavell Travel Limited, as a data controller processes your personal data using this website or other means, including any data you may provide through this website when you purchase a product or otherwise interact with us.

Processing is a broad term and includes (amongst other things) collecting, recording, storing, amending, reviewing, using and deleting personal data.

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The data controller decides how your personal data is processed and for what purpose. The processing of personal data is governed by the General Data Protection Regulation (GDPR).

This website is not intended for children and we do not knowingly collect data relating to children.

Information about us

Cavell Travel Limited is a registered company in England and Wales (company number 07788898) with a registered address of The Old House, Station Road, Whissendine, Rutland LE15 7HG. Our offices are at The Old House, Station Road, Whissendine, Rutland LE15 7HG. Mobile 00 44 (0) 7971 088153.

The personal information we collect and use

Information collected by us

If you have requested a quote or booked with us, we will have collected and processed necessary personal information as supplied by you. In addition, by using our website, we also collect information about how you use our services, such as types of content you view or engage with or the frequency and duration of your activities. In addition, our servers, logs and other technologies automatically collect certain information (see below) to help us administer, protect and improve our services; analyse usage and improve users’ experience. We share personal information with others only as described in this policy, or when we believe that the law permits or requires it.

Information we collect automatically

Cookies: We may use cookies and other technologies such as web beacons, web storage and unique advertising identifiers to collect information about your activity, browser or device. This data helps us to build a profile of our users. Some of this data will be aggregated or statistical, which means that we will not be able to identify you individually. If you prefer, you can remove or reject browser cookies through the settings on your browser or device. However, rejecting or removing cookies could affect the availability and functionality of our services.

Device information:

We may also collect information about your device each time you use a site. If you have an account with us, we may collect information from or about the computers, phones or other devices where you log into our services. We may associate the information we collect from your different devices, which helps us provide consistent services across your devices.

Here are some examples of the device information that we collect:

  • Attributes such as the operating system and hardware version

  • Browser type and IP address

  • Log information

We also collect log information when you use our website including:

  • Details about how you’ve engaged with us

  • Device information, such as web browser type and language

  • Access times

  • Pages viewed

  • IP address Identifiers associated with cookies or other technologies that may uniquely identify your device or browser

  • Pages you visit before or after navigating to our website

How we use your personal information

We use your information in several different ways.

The table below sets this out in detail, showing what we do, and why we do it

Purpose of Processing Legal basis under GDPR
Title, name(s), address, contact details, date of birth, gender, nationality, passport information, visa details, travel or holiday contract, legitimate travel likes and dislikes etc To book your travel or holidayPerformance of contract, legitimate interests
Send you a message by email or text, such as booking or travel updatesPerformance of contract, legitimate interests
Send you information by email or post about our new products or servicesConsent
Fraud prevention and protectionLegal obligation
Payment information (we only store this information with your consent)Take payment and give refundsPerformance of contract, legitimate interests
Fraud prevention and protectionLegal obligation
Contact history with the company including in writing, by phone, emails and social mediaProvide customer service and supportPerformance of contract, legitimate interests
Train our staffLegitimate interests
Information about your phone and laptop, and how you use our websiteTo improve our websiteLegitimate interests
Fraud prevention and protectionLegal obligation

Special categories of personal data

Information collected by us

During our interactions, we may collect special categories of personal data about you as detailed below. This may be because you want us to have the information, or we may obtain this inadvertently. It may also be because we need to know certain personal data about you, which is special category data, in order that we can provide you with the best possible service and advise you whether a trip is suitable for you. Health is one of the best examples of this.

Other examples are if we receive a group booking from a specific religious association, we will inadvertently have details of religious beliefs of those individuals. The same can be said for groups from political associations and trade union associations. Also, we are sometimes asked whether certain medication is allowed to be taken into certain jurisdictions, which discloses certain medical conditions.

Special categories of personal data which we may end up receiving from you could include details about your:

  • dietary requirements which may disclose your religious or philosophical beliefs

  • health

  • race or ethnicity

  • sex life or your sexual orientation

  • political opinions

  • trade union membership

  • genetic and biometric data

We collect and process the above data only where it is strictly necessary to do so. Furthermore, we will only collect and process the above special categories of sensitive personal data where you have provided us with your explicit consent to do so.

You are not under any obligation to consent to us processing your sensitive personal data. If you are happy to consent to our use of your sensitive personal data, you will also be able to withdraw your consent at any time.

Who we share your personal information with

We share your data with the following categories of companies as an essential part of being able to provide our services to you:

  • Companies that help us fulfil your travel and holiday requirements, for example payment service providers, airlines, flight aggregators, car hire and transfer companies, boat operators and property owners or their appointed representatives

  • Professional service providers, such as website hosts and travel management software who help us run our business

  • Credit reference agencies, law enforcement and fraud prevention agencies, so we can help tackle fraud

  • Companies approved by you, such as social media sites

  • In some countries, the law requires passport details to be lodged with the local police. In some instances, we will share them directly with the police, in others we may be required to transmit them to the property owner or their appointed representative to pass on to the police

  • If you have raised a complaint, we may share your data with ABTA or legal bodies where we are legally required to do so

Is your personal data transferred outside the EEA?

If you are travelling outside the European Economic Area (EEA), we do transfer your personal data outside the EEA in order to satisfy our contract with you. If you are not travelling outside the European Economic Area (EEA), data may still be transferred outside the EEA by our service providers however whenever this is the case, we will ensure a similar degree of protection is attached to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.

  • Where we use certain service providers, we may use specific countries approved by the European Commission which give personal data the same protection it has in Europe.

  • Where we use service providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

How long will your personal data be kept?

We will hold on to your information as long is needed to be able to provide our service to you and to maintain our company transactional records. Where you have given consent to contact you with offers and other marketing purposes, we will retain your personal data until you notify us otherwise.

If reasonably necessary or required to meet legal or regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions, we may also keep hold of some of your information as required, even after it is no longer needed to provide the service to you.

At the end of the retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for business planning.

Your rights in relation to your personal data

You have the following rights in relation to our processing of your personal data:

1. Right to be informed

2. You have the right to be informed about how your personal data is being used - hopefully this Privacy Notice explains it all.

3. Right to access. You have the right to access the personal data we hold on you which allows you to be aware of and verify the lawfulness of the processing.

4. Right to rectification. You have the right to have personal data rectified if inaccurate, out of date or incomplete.

5. Right to erasure. You have the right in certain circumstances to have personal data erased, also known as ‘the right to be forgotten’.

6. Right to restrict processing. You have the right to request the restriction of your personal data in certain circumstances. When processing is restricted, we are permitted to store the personal data, but not use it.

7. Right to object. You have the right to object to any personal data processing which is based on legitimate interests of the controller or public interest unless there are compelling legitimate grounds for the processing which are sufficient to override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.

8. Right to data portability. You have the right to request that, in the case of automated data only, where possible we transfer elements of your personal data to another data controller.

9. Right to automated decision making and profiling. You have the right not to be subjected to decisions based solely on automated processing.

For further information on each of these rights, including circumstances in which they apply, please refer to the Information Commissioner’s Office (ICO) website www.ico.org.uk

If you wish to exercise any of the above rights, you can make a request to us verbally, by email or in writing. You will be asked for information to identify yourself with your name and address. The information will be provided by us within one month of request. We may extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of receipt of request and explain why the extension is necessary.

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you feel any part of the processing of your personal data has not been handled in accordance with the GDPR.

Keeping your personal data secure

We take your privacy very seriously and comply with our obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate security measures are in place to protect personal data.

We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach where we are legally required to do so.

Updating this privacy notice

We will regularly review and, where necessary, update the privacy information in this Privacy Notice. Last reviewed 01/04/2020.