This statement explains what personal data we collect when you visit our site, how and why it is used, whether it is shared, how long it is retained, your rights, and how we protect your privacy.
This Policy does not form part of any contract that you may have with the Travel Innovation Group’s companies. It is provided for information purposes only. It is aligned with UK GDPR requirements and additional guidance for the travel/aviation sector:
Who we are
Travel Innovation Group (“we”, “us”, “our”) is the data controller for the personal data you provide on this website, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
The data we collect and why
- Website visitors
- Cookies and usage data: to improve site functionality.
- Customers and travel agents
- Contact and booking data: for flight bookings, itineraries, billing, and communications.
- PNR/API data (e.g., name, DOB, passport number, contact details, travel itinerary): to fulfill contracts, meet immigration/security obligations, and support legitimate interests like customer service.
Lawful basis for processing
- Contractual necessity: necessary to fulfill your booking or service.
- Legal obligation: meeting statutory requirements such as PNR/API under the Immigration Act 1971 and related Orders.
- Legitimate business interests: like billing management and customer support, these interests are balanced with your rights.
- Consent: Customers may receive marketing information from us relating only to our products, service and promotions for the purposes of our legitimate business interests. Customers wishing to opt out of such communications will be given an opportunity to do so on each occasion that such a contact is made.
Data sharing and international transfers
- Data may be shared with:
- Border control, law enforcement, airlines, ground handlers, hotels and if required sharing is always under secure protocols and only as legally permitted or necessary.
- IT service providers and booking platforms under contractual terms and with appropriate protections.
- PNR/API data may be shared with UK authorities (e.g. Home Office), EU and third-country PIUs, Europol, Eurojust, and other competent agencies for counter-terrorism, serious crime prevention, or to protect vital interests.
- Transfers are governed by UK data adequacy provisions and, where needed, standard data-sharing and PNR/API message formats.
Data retention periods
- Booking-related contact details are kept until no longer needed for service delivery or as required by law.
- Passenger names: deleted 400 days after the last flight.
- DOB, addresses, passport details: deleted 90 days after the last flight
- PNR/API data is retained and depersonalised in line with the 2018 Regulations, being anonymised after 6 months and deleted after a maximum of 5 years.
Security of your data
We implement appropriate technical and organisational measures, in line with Privacy by Design principles, to protect data against unauthorised access, loss, or destruction. We may need to request specific information from you to help us confirm your identity and ensure your rights or to change the information. This is an appropriate security measure to ensure that personal information is not disclosed to any person who does not have the right to receive it.