Privacy Policy

1. Data Controller & Contact Information

Sky Travel Services Ltd ("we," "us," "our") is the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Company Name: Sky Travel Services Ltd
Email Address: info@skytravelservices.co.uk
Phone: As displayed on our website
Website: https://skytravelservices.co.uk
Data Protection Officer: Designated Company Director

For all data protection enquiries, please contact us at: info@skytravelservices.co.uk

2. Scope & Application

This Privacy Policy applies to:

Personal data collected through our website (skytravelservices.co.uk)
Data collected during telephone consultations and enquiries
Information obtained through email correspondence
Data from third-party travel suppliers related to your bookings
Marketing communications and newsletter subscriptions
Information collected through online booking forms and enquiry forms
Call recordings for quality and training purposes

3. Categories of Personal Data We Collect

A. Identity & Contact Data

Full name, title, gender, date of birth
Residential address, email address, telephone numbers
Passport details (number, expiry date, nationality, place of birth)
Driving licence details (for car hire arrangements)
Emergency contact information

B. Financial & Transaction Data

Bank account and payment card details (processed securely via PCI-DSS compliant providers)
Billing address and payment history
Booking history, preferences, and special requirements
Transaction records and invoice details

C. Special Category Data (Sensitive Data)

Health information relevant to travel (mobility requirements, dietary restrictions, medical conditions affecting travel)
Religious beliefs (for pilgrimage tours or dietary preferences)
Racial or ethnic origin (from passport details for border control compliance)
Any disabilities requiring special assistance

D. Technical & Usage Data

IP address, browser type and version, time zone setting
Operating system and platform, device information
Website navigation paths, page interaction information
Cookies and similar tracking technologies data
Login data and website preferences

E. Marketing & Communications Data

Preferences in receiving marketing from us
Communication preferences and history
Survey responses and feedback
Service reviews and testimonials

4. Lawful Bases for Processing

We process your personal data under the following lawful bases defined by UK GDPR:

Processing Activity	Lawful Basis	Explanation
Booking processing & itinerary management	Contractual Necessity	Necessary to fulfil our contract with you
Sending booking confirmations & travel documents	Contractual Necessity	Essential service delivery
Collecting & sharing API/PNR data with authorities	Legal Obligation	Required under Immigration & border control laws
Processing special category health data	Explicit Consent	Required for sensitive information about disabilities/health
Fraud prevention & security	Legitimate Interests	Protecting our business and customers
Direct marketing about similar services	Legitimate Interests	Business development (with opt-out rights)
Newsletter subscriptions	Consent	Voluntary marketing communications
Customer service improvements	Legitimate Interests	Enhancing service quality
Financial record keeping	Legal Obligation	Required under UK tax laws (7 years)
Complaint handling and dispute resolution	Legitimate Interests	Resolving issues and maintaining service standards

5. Data Collection Methods

A. Direct Interactions

Completion of enquiry forms on our website
Telephone conversations with our travel consultants
Email correspondence regarding travel services
Booking forms and preference questionnaires
Contract signing and agreement to terms
In-person meetings and consultations
Feedback forms and review submissions

B. Automated Technologies

Cookies that enhance website functionality
Analytics tools (Google Analytics) with anonymisation
Server logs recording website access
Website performance monitoring tools
Security and fraud detection systems

C. Third-Party Sources

Travel suppliers (airlines, hotels, tour operators)
Payment service providers (transaction confirmation)
Publicly available sources (sanctions lists, fraud databases)
Social media platforms (if you interact with our profiles)
Business partners and referral sources
Credit reference agencies (for fraud prevention)

6. Purpose-Specific Processing Details

A. Travel Booking Processing

We process your personal data to:

Arrange transportation, accommodation, and other travel services
Secure visas and travel authorisations where required
Communicate with travel suppliers on your behalf
Prepare detailed itineraries and travel documentation
Process payments and issue invoices/receipts
Manage changes, cancellations, and refunds
Provide customer support during travel

B. Legal & Regulatory Compliance

We are legally required to:

Provide Advance Passenger Information (API) to border authorities
Retain financial records for 7 years under UK tax law
Screen against sanctions and anti-money laundering lists
Report suspicious activities to relevant authorities
Comply with Package Travel Regulations 2018
Meet ABTA/ATOL reporting requirements if applicable

C. Customer Relationship Management

We maintain records to:

Provide personalised travel recommendations
Respond efficiently to enquiries and complaints
Monitor customer satisfaction and service quality
Manage loyalty programs or repeat customer benefits
Send service updates and important travel information
Conduct market research and service improvement

7. Data Sharing & Third-Party Disclosures

Essential Service Providers (Data Processors)

Payment processing companies (Stripe, PayPal, Worldpay)
Cloud hosting and IT service providers
Email marketing platforms (Mailchimp, Sendinblue)
Customer relationship management (CRM) software
Accounting and bookkeeping software
Document storage and management systems

Travel Suppliers (Independent Controllers)

Airlines, rail operators, ferry companies
Hotel chains and accommodation providers
Car hire companies and transfer services
Tour operators and excursion providers
Travel insurance providers
Visa processing agencies

Regulatory & Legal Authorities

UK Border Force and Immigration officials
HM Revenue & Customs for tax purposes
Law enforcement agencies with valid requests
Courts and tribunals as required by law
ABTA/ATOL if we are members
Information Commissioner's Office (ICO)

International Data Transfers

When transferring data outside the UK:

We use Standard Contractual Clauses approved by UK authorities
We ensure adequate safeguards for countries without adequacy decisions
We minimise data transferred to only what's necessary for your booking
We conduct risk assessments for international transfers
We notify you of international transfers in advance where required

8. Data Retention Schedule

We retain personal data only as long as necessary for the purposes collected:

Data Category	Retention Period	Legal Basis for Retention
Booking records & financial data	7 years from transaction	Legal obligation (tax laws)
Passport/ID copies	5 years from travel completion	Legitimate interests (rebooking)
Special category data (health)	2 years from travel completion	Consent withdrawal option
Marketing consent records	3 years from last interaction	Consent management
Enquiry data (no booking)	3 years from enquiry	Legitimate interests (follow-up)
Call recordings	90 days	Legitimate interests (training)
Website analytics	26 months	Legitimate interests (improvements)
Complaint records	6 years from resolution	Legal obligation (contract disputes)
Email correspondence	5 years from last contact	Legitimate interests (relationship)

9. Your Data Protection Rights Under UK GDPR

A. Right of Access

Request confirmation of whether we process your data
Obtain a copy of your personal data in a structured format
Receive supplementary information about our processing

B. Right to Rectification

Correct inaccurate personal data we hold
Complete incomplete data with supplementary statements

C. Right to Erasure ("Right to be Forgotten")

Request deletion of personal data when:

It's no longer necessary for original purposes
You withdraw consent (where processing was based on consent)
You object to processing under legitimate interests
Data was unlawfully processed
Legal obligation requires erasure

D. Right to Restriction of Processing

Request temporary processing restriction when:

You contest data accuracy
Processing is unlawful but you oppose erasure
We no longer need the data but you require it for legal claims
You've objected to processing pending verification

E. Right to Data Portability

Receive your data in a structured, commonly used, machine-readable format
Transmit that data to another controller without hindrance
Applicable to automated processing based on consent or contract

F. Right to Object

Object to processing based on legitimate interests
Object to direct marketing at any time (absolute right)
Object to processing for statistical/research purposes

G. Rights Related to Automated Decision-Making

Not be subject to decisions based solely on automated processing
Obtain human intervention in automated decisions
Express your point of view and contest automated decisions

How to Exercise Your Rights:

Submit written requests to: info@skytravelservices.co.uk

We respond within one calendar month (extendable by two months for complex requests)
No fee usually required unless requests are manifestly unfounded or excessive
We may require identity verification before processing requests
You can use third parties to exercise rights on your behalf with written authorization

10. Cookies & Tracking Technologies

A. Essential Cookies

Session management and security cookies
Shopping cart functionality cookies
Load balancing and performance cookies
Authentication and login cookies

B. Analytical/Performance Cookies

Google Analytics (anonymised data collection)
Heat mapping and user behaviour analysis
A/B testing and website optimisation tools
Performance monitoring cookies

C. Functionality Cookies

Language preference and regional settings
Previously viewed items and search history
Personalised content recommendations
Font size and display preferences

D. Targeting/Advertising Cookies

Retargeting and remarketing campaigns
Social media integration and sharing buttons
Advertising network participation (with opt-out mechanisms)
Affiliate marketing tracking

Cookie Management:

We obtain consent via cookie banner upon first visit
Browser settings allow cookie control and deletion
Third-party opt-out mechanisms available for advertising networks
Separate Cookie Policy available on request

11. Children's Data Protection

We do not knowingly collect data from children under 13 without parental consent
For family bookings, we collect child data only as provided by parents/guardians
We protect children's data with enhanced security measures
Parents/guardians may exercise data rights on behalf of their children
We verify parental consent for children under 16 where required
Special protections apply to marketing directed at children

12. Data Security Measures

Technical Measures

Encryption of data in transit (TLS 1.2+ protocols)
Encryption of data at rest (AES-256 standard)
Regular security patching and vulnerability scanning
Multi-factor authentication for system access
Secure backup systems with encryption
Firewall protection and intrusion detection
Secure password policies and management

Organisational Measures

Staff training on data protection and security
Confidentiality agreements with all employees
Access controls based on role and necessity
Incident response plan and breach notification procedures
Regular privacy impact assessments for high-risk processing
Clear desk and clear screen policies
Secure disposal of physical documents

Third-Party Security

Due diligence on all data processors and suppliers
Contractual data protection clauses in all agreements
Regular audits of processor security practices
Immediate termination rights for security breaches
Supplier security assessment questionnaires
Monitoring of third-party security certifications

13. Data Breach Procedures

Internal Detection & Assessment

Immediate investigation of suspected breaches
Risk assessment regarding potential harm to individuals
Determination of notification requirements
Containment and recovery actions
Root cause analysis and prevention measures

Regulatory Notification

Report to ICO within 72 hours if risk to rights and freedoms
Document all breaches regardless of notification requirement
Cooperate fully with regulatory investigations
Maintain breach register as required by law

Individual Notification

Inform affected individuals without undue delay if high risk
Provide clear description of breach and potential consequences
Recommend protective measures individuals can take
Maintain communication channels for breach-related enquiries
Provide credit monitoring if financial data compromised

14. Complaints & Supervisory Authority

Internal Complaint Resolution

Submit complaints to: info@skytravelservices.co.uk
We acknowledge complaints within 5 working days
We investigate and respond substantively within 30 days
We provide escalation paths for unresolved complaints
We maintain complaint records for 6 years
We use complaints for service improvement

Supervisory Authority

You have the right to lodge complaints with:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk/concerns

15. Policy Review & Updates

We review this policy annually or when:

Changes in data processing activities occur
New legal or regulatory requirements emerge
Technological changes affect data protection
Business operations significantly change
Customer feedback indicates need for clarification
Security incidents reveal improvement opportunities

Update Notification

We will notify you of material changes via email
Continued use of services constitutes acceptance of changes
Previous policy versions archived for reference
Significant changes highlighted in update notices
Archive available upon request