a) interact or use our websites; or
b) if you use any of our products, services or applications (collectively the “services”) in any manner.
As a company with a global presence, we are subject to the varying requirements of data protection legislation in jurisdictions where we operate. Our aim is to be as consistent as possible and obey all applicable laws and apply the highest standard of privacy laws to our approach. For example, if you are a resident of the EU, we are bound by EU local laws including the General Data Protection Regulation (“GDPR”) or if you are a resident of California, we also respect the local laws of California, The Californian Consumer Privacy Act (“CCPA”).
We collect and process the personal data that you provide when interacting with us, either online or via email, mobile, phone or post. Such personal data may include the following:
a) First name and surname;
b) Postal address;
c) Email address;
d) Telephone number;
e) Gender, date of birth;
f) Country of residence, nationality, language preference;
g) Unique identifier information (e.g. your customer username or number and password);
h) Financial information (e.g. payment card or bank account information);
i) Some details provided by your device such as IP address, device ID, device type, and location data.
Source and categories of personal data
The source of the above information is received from either, yourself for instance if you buy the Service direct, or where TWDI Limited is a benefit of your payment card issuer (such as a bank), we may receive the information from them. The category of information is Personal data. The information is only used for business purposes to supply the Service.What we use your personal data for, and our legal basis for doing so
We must have a legal basis to process your personal data. In most cases, that will be for us to provide the contracted service. The table below sets out the purposes for which we use your personal data and our legal basis for doing so:
|What we use your information for||Our legal basis for doing so|
|Provide you with access to our website and or our mobile app||To provide the contracted service|
|Provide access to travel experiences within the service program||To provide the contracted service|
|Process any payment required for the products and services you have requested||To provide the contracted service|
|Store your payment card details, in order to be able to take agreed payments, as explained in the Conditions of Use||To provide the contracted service|
|Provide you with information you have requested, including without limitation, quotations, service documentation, brochures, and responses to applications||Where we have your consent|
|Provide you with newsletters, and other communications about the services you have purchased or chosen to opt into.||Where we have your consent|
|Offer customer surveys to improve our products and services||For our legitimate interests to improve our services|
|Analyse your usage of our services in order to be able to personalise your service and improve our products||For our legitimate interests to improve usage of our services|
|Respond to any enquiries from you regarding our products and services||To provide the contracted service|
|Where you have agreed, provide you with information about certain other goods and services which we believe may be of interest to you||Where we have your consent|
|Meet our legal and regulatory obligations to investigate and prevent fraudulent activities||To comply with our legal obligations|
Personal data sharing and transferring
We will not share rent or sell your personal data to anyone unless you agree to this, or such sharing is necessary to fulfil our contract with you, or we are legally allowed or required to do so. Moreover, your personal data will only be shared with selected organisations which comply with our security procedures and policies.
Organisations we may share your personal data with include:
a) Another member of our group of companies where they help provide or improve our services to you;
b) Third party service providers and subcontractors: We employ other companies and individuals to perform other functions on our behalf. Examples include processing credit card payment, customer services, and analysing data. They help us provide our services to you. This is provided under written contract where the personal data is only processed for the specific business purpose of providing the service to you. Service providers are prohibited from selling the personal data that we supply to them in the terms of the contract;
c) The lounges or merchants which you visit, as part of your programme benefits, so they can record and account for your visit;
d) A regulating body or other authority where we need to comply with a regulatory or legal obligation;
e) Fraud prevention or debt collection organisations when required to protect our legitimate interests;
f) Partners or clients with which we offer or engage in joint marketing activities;
g) With your consent: Other than as set out above, you will receive notice when information about you might go to third parties, and you will have the opportunity to choose not to share the information.
Where service is a benefit of your payment card issuer (such as your bank), we may share your personal data with that card issuer and the payment card brand associated with that card.
Some of those organisations may be based in a country outside the European Economic Area or where different data privacy laws apply. We will only transfer your personal data to that country if they ensure an adequate level of protection of your rights and freedoms, or that organisation is contractually bound to meet European Economic Area data protection law using EU approved model contract clauses.
Personal data protection and storage
We handle your personal data in accordance with adequate and reasonable procedures and technologies in order to maintain and protect its security, availability, confidentiality and integrity, and prevent its unlawful or unauthorised processing, accidental loss or damage, from its collection until its destruction.
Where personal data is transmitted across the internet, it will be encrypted
Where we have given you (or where you have chosen) a password which enables you to access certain parts of your personal data, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Personal data disposal and retention
We will only keep your personal data for as long as it is needed for the purposes for which it was collected and we will remove from our systems all personal data which is no longer required.
We will only retain your personal data for only as long as it is necessary and for a specified and limited purpose, where we are required to do so and in line with our retention policies, in order to meet a regulatory or legal obligation.
Cookies and Do Not Track Disclosure (“DNT”)
Currently, various browsers (including internet explorer, Firefox and Safari) offer a DNT option that relies on a technology known as a DNT header, that sends a signal to a website visited by the browser user about the user’s DNT preference. You can usually access your browser’s DNT option in your browser preferences.
A “Do Not Track” (DNT) standard is not available today therefore our website does not respond to DNT signals from browsers.
You can block or opt-out of non-essential cookies either using our cookie management tool or using your browser.
If you would like to access, review, update, rectify, and delete any personal data we hold about you, or exercise any other data subject right you can email us at data.protection@TWDIGROUP.com. Our privacy team will examine your request and respond to you as quickly as possible.
Please note that we may still use any aggregated and de-identified personal data that does not identify any individual. We may also retain and use your information as necessary, for example, to comply with our legal obligations, resolve disputes, and enforce our agreements.
We respect all applicable local laws for data subject rights. For example, under the California Consumer Privacy Act, California residents have certain rights regarding the personal data that businesses have about them. This includes the rights to request access or deletion of your personal data, as well as the right to direct a business to stop selling your personal data. We also offer data subject rights as defined under the GDPR as an additional arrangement.
|The right to object to the processing||To provide the contracted service.|
|The right to information
||You have the right to object to the processing of your personal data in certain situations.|
|The right of access||Subject to certain exceptions you have the right to obtain a confirmation as to whether or not we process your personal data, and if we do, request access to your data.|
|The right to rectification||If the personal data that we process is incomplete or incorrect, you have the right to request their completion or correction at any time.|
|The right to deletion||Subject to certain exceptions, if you consider that we should stop processing some or all of your personal data, you have the right to request its deletion. However, there may well be reasons why an immediate deletion may not be possible (for example where retention is required to meet legal or regulatory obligations).|
|The right to restrict the processing||You have the right to request that we restrict the processing of your personal data in certain situations:
a) If you contest the accuracy of your personal data, you may request that its processing is restricted while we verify its accuracy
b) If the processing of your personal data is considered unlawful, but you do not require the deletion of your personal data
c) If we no longer need the data for the purposes of its processing, but you need it for the establishment, exercise or defence of legal claims
d) If you object to our processing of your data based on our legitimate interests
|The right to data portability||Where the processing takes place on the basis of your consent or contract, and is carried out by automated means, you have the right to request that we provide your personal data to you in a machine-readable format.|
|Your rights in relation to automated decision making and profiling||You have the right to object to decisions based exclusively on the automated processing of your personal data.|
|The right to withdraw your consent||If your personal data is processed on basis of your consent, you have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.|
If you wish to exercise your rights, you can get in touch with us by contacting the Data Protection Officers from the information on the “Contact Information” section of this privacy notice.
Once we receive your request, members of our Data Protection Team will endeavour to get back to as soon as possible to confirm receipt. Where we use service providers to hold your personal data, a process exists to process the data subject right request also.
Our website may contain links to other sites
We may have links to other sites promoting our partners and clients. These links may take you to other companies who have their own privacy notice and our privacy notice will not cover their use of data. They may collect additional information therefore we encourage you to look at these linked site privacy notice.
We may choose to buy or sell assets and may share or transfer customer information in connection with the evaluation of these transactions. Also, if we, or our assets, are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, personal data could be one of the assets transferred to or acquired by a third party.
We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited, and the audits are reviewed at senior level.
To exercise any of your rights, or if you have any questions about our privacy notice, or if you wish to make a complaint about the use of your personal data, or want to report a security issue, please contact our Data Protection Officer via Data.Protection@TWDIGROUP.com
For the purposes of data protection legislation, TWDI LIMITED, is a company registered in England and Wales and offices at Chessel Street, Bristol, United Kingdom.
If you are unsatisfied with our response, you can contact the Information Commissioner’s Office (ICO). Further information can be found at https://ico.org.uk/.
Information pertaining to children
We do not knowingly collect or solicit personal data from anyone under the age of 18. If you are under 18, please do not attempt to register for our services or send any personal data about yourself to us. If we learn that we have collected personal data from a child under age 18, we will delete that information as quickly as possible. If you believe that a child under 18 may have provided us personal data, please contact us a soon as possible.
Automated decision making or profiling
We do not engage in profiling or any processing related to automated decision-making activity.
Changes to our policy
We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on our website. This privacy notice was last updated on 15 May 2020.