When you share your personal, or business, information with Travel Vogue Ltd (trading as Anex Tour), you trust us with your information. We are committed to protecting and respecting your privacy and take this trust very seriously.
- WHO WE ARE
- WHAT INFORMATION DO WE COLLECT FROM YOU?
- WHY DO WE COLLECT THIS INFORMATION?
- HOW WE USE YOUR PERSONAL INFORMATION
- POLICY FOR CHILDREN
- THE OPTIONS YOU HAVE REGARDING YOUR INFORMATION
- UNSUBSCRIBE FROM COMMUNICATIONS
- HOW WE PROTECT YOUR INFORMATION
- COMPLIANCE AND COOPERATION WITH REGULATORY AUTHORITIES
- CONTACT US
- YOUR RIGHT TO COMPLAIN TO THE ICO
- DOLPHIN DYNAMICS & DOLPHINANYWHERE HOSTING
1. WHO WE ARE
We are Travel Vogue Ltd (trading as Anex Tour), 1st Floor, Brunswick House, Regent Park, 297 Kingston Road, Leatherhead, Surrey. KT22 7LU. Our registered office is: 1st Floor, Brunswick House, Regent Park, 297 Kingston Road, Leatherhead, Surrey. KT22 7LU and our company number is 02857123.
2. WHAT INFORMATION DO WE COLLECT FROM YOU?
We may collect information about you in a variety of ways including on our website, when you make a travel enquiry or a travel booking, through our social media channels, at our events, through competitions or prize draws we run, and via other forms of communication including email and direct mail.
The information we collect may include:
If you subscribe to join our mailing list we will ask for information that may include your name, postal address, email address, telephone number, age, gender, occupation, details of holiday habits and details you are interested in receiving further information on.
In addition, when you make a travel enquiry or booking, information gathered may include credit/debit card details or bank details, passport numbers of people travelling, visa information, health information and other personal data.
Occasionally, we may offer visitors to our websites an opportunity to participate in a survey or competition. We may also run competitions and surveys in magazines, newspapers, radio, television, by direct mail, with third parties including on their websites and on other similar media. Information collected by Travel Vogue Ltd when you participate may include your full name, age, postal address, email address and telephone number.
By accessing our website and social media channels, our servers may also collect derivative data about you, such as your IP address, your browser type, your operating system, your access times, the device you are using to view our sites on, and the pages you have viewed directly before and after accessing our sites.
3. WHY DO WE COLLECT THIS INFORMATION?
Having accurate information about you permits us to provide you with a smooth, efficient, and customised experience. Specifically, we may use the information collected about you to:
Facilitate, fulfil and manage your travel booking, including liaising with third party suppliers such as airlines, tour operators and ancillary travel product providers.
Notify you about updates and changes regarding your travel arrangements.
Provide you with a tailored travel quotation.
Compile anonymous statistical data and analysis for use internally.
Deliver targeted advertising, newsletters, promotions and other information regarding our website, and business practices to you.
Email you regarding your ongoing and future travel requirements.
Send you relevant newsletters.
Send you relevant communications by post to your given address.
Contact you by SMS about relevant information.
Generate a personal profile about you to make future visits to our website more personalised.
Increase the efficiency and operation of our website.
Monitor and analyse usage and trends to improve your experience of our website.
Notify you of updates to our website and booking conditions.
Offer information on relevant new products, services, and/or recommendations to you.
Perform other business activities as needed.
Request feedback and contact you about your use of our website, and the service we provide you.
Respond to customer service requests.
4. HOW WE USE YOUR PERSONAL INFORMATION
We may process, use or share information we have collected about you in certain situations as explained above.
In general, the data we hold on you will be used for the purpose of processing your travel booking, in accordance with your booking terms and conditions. We only share your information with preferred suppliers when fulfilling your travel bookings, and with HM Revenue & Customs where necessary. In addition, we may process your data for use in our marketing activities, either with your explicit consent to do so or when we have highlighted a Legitimate Interest; this may include engaging with third party agencies to perform our own marketing activities only. We do not sell, rent or trade your personal information to third parties for marketing purposes without your express consent. In the event that we need to transfer your data outside of the European Union, to fulfil the contract we have with you to process your travel booking, we will ensure the organisation receiving the data has adequate safeguards in place that comply with the most up to date UK privacy laws, that individuals’ rights are enforceable and effective legal remedies for individuals are available following the transfer. Furthermore, your information may be processed and disclosed as follows:
With your consent
Where possible we will explicitly seek your consent to use your information for any purpose other than what it was collected for. By becoming a customer, we may also rely on another legal basis to process your personal information, such as having a Legitimate Interest. Before we do this, we will carry out a suitable test to ensure it is the appropriate lawful basis for processing your personal information, and it does not infringe your rights and freedoms. We will inform you if we intend to process your information in this way, and provide a simple method for you to opt-out of the communication if you wish to do so.
For Contractual Purposes
We may disclose only relevant information about you to uphold our contractual obligations to you as a customer in fulfilling your travel arrangements. This may include disclosing relevant personal information with third party businesses and organisations, including airlines, tour operators, travel ancillary providers, banking organisations, and public authorities such as customs/immigration. This may include transferring your data outside of the European Union.
By Law or to Protect Rights
If we believe the release of information about you or your business is necessary to respond to legal process, to investigate or remedy potential violations of our policies, or to protect the rights, property, and safety of others, we may share your information as permitted or required by any applicable law, rule or regulation. This includes exchanging information with other entities for fraud protection and credit risk reduction.
For training purposes
If you telephone us, calls may be recorded for training and quality purposes. We will only share your personal information with our authorised travel service providers, and only as necessary to complete a transaction that you have specifically requested.
On our website
A cookie is a small file that a website transfers to the cookie file of the browser on your computer’s hard disk so that the website can remember who you are. Cookies identify the computer you are using, not you personally.
On www.anextour.co.uk we use Google Analytics to understand which website pages you are visiting and to help improve the customer journey through the website and site effectiveness. This data allows us to improve the quality of your visit and develop programs, navigation and content that will be of interest to you. Google Analytics leaves cookies on your browser but this does not identify you personally.
We currently do not use third party cookies or web beacons. The website www.anextour.co.uk system is protected by firewalls. We collect information about your computer (not your name, address, email address or telephone number) through your permanent cookie file for the purpose of assessing the effectiveness of site content and traffic. This data allows us to improve the quality of your visit.
You should be aware that getting a new computer, installing a new browser, upgrading an existing browser, or erasing or otherwise altering your browser’s cookies files may also clear certain opt-in/opt-out cookies, plug-ins, or settings.
The below highlights the specific legal bases we intend to use to process personal data:
Type of Data
Lawful basis for processing
To respond to your travel enquiry
To respond to your travel enquiry
Performance of a contract with you
Communicating special offers to you
General accounting purposes
Performance of a contract
Contacting you in an emergency in relation to your booking
To communicate general information about our business and our services
Surveys and feedback questionnaires
Partaking in prize draws, promotions, offers and incentives
Reporting and analysis
Performance of a contract with you
To administer and protect our business (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
We may also pass your details to any successor to our business (or any relevant part of it). Information you provide may also be used for statistical purposes.
6. POLICY FOR CHILDREN
We do not knowingly solicit information from or market to children under the age of 13. If you become aware of any data we have collected from children under the age of 13, please contact us using the contact information provided below.
7. THE OPTIONS YOU HAVE REGARDING YOUR INFORMATION
You may at any time review, change, request to see, or request deletion of the information that we hold on you. We will deal with your request in accordance with the statutory UK law relating to Data Protection, whichever is enforced in the United Kingdom and its territories at the time of your request.
We are committed to upholding your full rights contained in the GDPR, which include:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
To make a request regarding your personal data, or for more information, please contact us using the information provided below.
8. UNSUBSCRIBE FROM COMMUNICATIONS
If you no longer wish to receive correspondence, emails or other communications from us, you may opt-out by:
Clicking and following the unsubscribe link found in the footer of all email communications we send to you
Contacting us using the contact information provided below
9. HOW WE PROTECT YOUR INFORMATION
Transferring your data outside of the UK
If we need to transfer your data outside of the United Kingdom (e.g. if your holiday is outside of the UK) we will ensure the organisation receiving the data has adequate safeguards in place that comply with the most up to date UK privacy laws, that individuals’ rights are enforceable and effective legal remedies for individuals are available following the transfer.
10. COMPLIANCE AND COOPERATION WITH REGULATORY AUTHORITIES
When we receive formal written complaints, we will contact the person who made the complaint to follow up. We work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personal data that we cannot resolve with our users directly.
11. CONTACT US
The Data Protection Team Travel Vogue Ltd 1st Floor, Brunswick House, Regent Park, 297 Kingston Road, Leatherhead, Surrey. KT22 7LU
Phone: 01372 855522 Email: email@example.com
12. YOUR RIGHT TO COMPLAIN TO THE ICO
If you are not satisfied with our use of your personal data, or our response to any request you send to us to exercise any of your rights, then you have the right to complain to the Information Commissioner's Office:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113 Email: firstname.lastname@example.org
13. DOLPHIN DYNAMICS & DOLPHINANYWHERE HOSTING
Under the General Data Protection Regulation (“GDPR”), a “controller” determines why and how personal data is processed. A “processor” processes personal data on behalf of the controller. Dolphin Dynamics has limited knowledge of the personal data (“Customer Data”) that each DolphinAnywhere User (“Dolphin User”) processes via the DolphinAnywhere hosting infrastructure. Also, Dolphin Dynamics only processes Customer Data in accordance with the Dolphin User’s instructions. Therefore, Dolphin Dynamics is a processor of Customer Data hosted on DolphinAnywhere servers; Dolphin Users are controllers.
Dolphin Dynamics treats Customer Data as sensitive and confidential. This section describes the infrastructure and processes that are in place to protect this data. The DolphinAnywhere primary hosting service and associated disaster recovery hosting service operate within secure private cloud hosting facilities accessed via secure websites accepting TLS 1.2 connections. Client applications are accessed via Remote Desktop, which utilises RSA Security's RC4 cipher, encrypted using a 56 or 128-bit key, based on the maximum level allowable by your local client.
Dolphin Dynamics uses ICE ICT, one of the Travel Industry's leading hosting service providers, as its sub processor. ICE ICT provides an additional layer of security to prevent intrusion and protect against DDoS attacks. A secure multi-layered firewalled architecture restricts access to data solely to business layer APO’s. Rigid separation of internal and production systems to protect Customer Data is enforced by design. Sensitive data including passwords, account details and lodge card details are encrypted using AES encryption when written to the database. Dolphin Dynamics will continue to invest in the security behind the DolphinAnywhere hosting service to ensure it remains compliant with applicable legislation.
Dolphin Dynamics uses Customer Data only to provide the services agreed upon with the Dolphin User. Dolphin Dynamics never mines such data for marketing, advertising or related purposes. Dolphin Dynamics restricts the storage of Customer Data to the primary and disaster recovery datacentres as well as optionally making the Customer Data available to the Dolphin User for downloading. Should a copy of a Dolphin User’s database need to be transported elsewhere for any reason, such as error fixing or customer support, all Customer Data will be permanently removed from that copy before it is transported. Where the Dolphin User makes travel bookings with 3rd party travel suppliers through the Dolphin system, Customer Data will be transferred to those suppliers as required by those suppliers.
Dolphin Dynamics takes stringent measures to protect Customer Data from inappropriate access, including limits for Dolphin personnel and subcontractors, while Dolphin Users can access their own Customer Data at any time and for any reason. If a Dolphin User ceases to use the DolphinAnywhere hosting service, Dolphin Dynamics follows strict standards and specific processes for removing that Dolphin User’s database from the DolphinAnywhere hosting environment.
Dolphin Dynamics uses 3rd party disposal companies for obsolete hardware; hard drives are wiped and physically destroyed.
Dolphin User Data
Dolphin Dynamics will, from time to time, monitor and capture Dolphin User’s activity within the Dolphin products to identify usage trends, common issues, errors and system performance to proactively improve the end user experience of the product. Dolphin Dynamics uses Microsoft Azure’s Insights platform to conduct such activity. Information captured includes end user workflows through various dialogs in the system and time spent within them. The following end user data is captured to allow for proactively identifying and resolving issues, errors and performance.
IP Address: This allows Dolphin Dynamics to identify where the traffic originates.
City: This is identified by the IP address by Microsoft Azure to indicate the city from which the access originates.
User ID: This is the computer login that is used by the end user.
Operating System: This identifies and helps Dolphin Dynamics to understand the operating system that the Dolphin product is being used on.
Device Type: This is the type of computer the Dolphin product is running on.
Session ID: This is the identifier of the current end user’s session.
BMM Version: This identifies the BMM version the end user is using.
DB Name: This is the name of the database that has been used.
Additionally, data regarding the name of dialogs opened, time spent on a dialog, errors, exceptions and other key pieces of information required for troubleshooting will also be recorded. Any Customer Data entered by the end user regarding customers, bookings, payments etc, will not be captured by Microsoft Azure.
Physical access to the sites containing the DolphinAnywhere hosting infrastructure is restricted and controlled 24 x 7 by security guards. Physical access requests for hardware vendor engineers and any other visitors must be raised by an authorised ICE ICT employee. The site requires vehicle registration, government issued photo ID and multiple security gate controls. Network level access is granted only to Dolphin Dynamics staff who require access and to the 3rd party datacentre management company that Dolphin Dynamics engages for this purpose. Passwords are secure and expire at regular intervals and users are locked down to specific security groups. Access is reviewed on a regular basis. Employees’ accounts are disabled immediately when they cease employment at Dolphin Dynamics.
Vulnerability & Penetration testing is carried out regularly using vulnerability scanning tools and 3rd party penetration testing providers. Vulnerabilities are addressed at the earliest opportunity. Routine patching of the DolphinAnywhere hosting environment hardware and operating systems is undertaken at regular intervals by Dolphin Dynamics’ 3rd party datacentre management company and verified by Dolphin Dynamics IT.
Full nightly backups of Dolphin User databases are sent to the physically separate and secure disaster recovery facility and retained for 8 days. All data is mirrored in real-time in our Disaster Recovery facility.
A log is maintained for reporting any suspected security incidents which are investigated and addressed according to Dolphin’s incident response plan. Should a personal data breach of Customer Data be identified, Dolphin will inform the Dolphin User as stipulated under the GDPR.
Questions regarding Dolphin Dynamics' role as a Data Processor
Address any questions directly to the Information Security Officer by email via ISO@dolphind.com, by post at Dolphin Dynamics Limited, 3rd Floor, 162-164 Upper Richmond Road, London, SW15 2SL, or by telephone on 020 8394 6000.