ALIGHT TRAVEL
11 Old Bond Street, Mayfair, London, W1S 4PN
Registered in England and Wales — Company No. 17094672
rafi@alighttravel.com  |  alighttravel.com

PRIVACY POLICY

Effective Date: March 2026  |  Last Updated: March 2026

Alight Travel Ltd ("Alight Travel", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information about you when you interact with us — whether as a client, enquirer, website visitor, or otherwise.

We are registered as a data controller with the Information Commissioner’s Office (ICO). This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Data Controller: Alight Travel Ltd

Registered Address: 11 Old Bond Street, Mayfair, London, W1S 4PN

Company Number: 17094672

Contact: rafi@alighttravel.com

For all data protection enquiries, please contact us at the above address or email.

2. What Personal Data We Collect

We may collect and process the following categories of personal data:

  • Identity data: full name, title, date of birth, passport or government-issued ID details (where required for aviation or security services).
  • Contact data: email address, telephone number, postal address, WhatsApp contact details.
  • Booking data: travel itinerary, flight or vehicle preferences, dietary requirements, accessibility needs, and other service-specific information.
  • Financial data: bank account details (for refund purposes only), payment confirmation references. Card data is processed by Stripe and is not stored by Alight Travel.
  • Communication data: records of correspondence via email, WhatsApp, telephone, or any other channel.
  • Technical data: IP address, browser type, device information, and usage data collected when you visit alighttravel.com via cookies and analytics tools.
  • Special category data: health or medical information provided voluntarily in connection with a Booking (e.g., accessibility requirements). This is processed only with your explicit consent and solely to fulfil your request.

3. How We Collect Your Data

We collect personal data through:

  • Direct interactions — when you make an enquiry, submit a booking request, contact us via WhatsApp or email, or complete a form on our website.
  • Our website — via contact forms, cookies, and analytics (see Section 9).
  • Third parties — where a booking is made on your behalf by an assistant, PA, or corporate client.

4. How We Use Your Data

We process your personal data for the following purposes and on the following lawful bases:

  • To fulfil and manage your Booking — lawful basis: performance of a contract.
  • To communicate with you about your Booking, including confirmations, updates, and service changes — lawful basis: performance of a contract.
  • To process payments and manage invoicing — lawful basis: performance of a contract.
  • To comply with legal and regulatory obligations (e.g., aviation passenger manifests, anti-money laundering checks) — lawful basis: legal obligation.
  • To protect the safety and security of our clients and staff — lawful basis: legitimate interests.
  • To improve our services and website experience — lawful basis: legitimate interests.
  • To send service-related communications (not marketing) — lawful basis: legitimate interests.
  • To contact you with information about our services where you have provided explicit consent — lawful basis: consent (which may be withdrawn at any time by contacting rafi@alighttravel.com).

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

5. Marketing

We will only send you marketing communications — including information about our services, new offerings, or relevant updates — where you have given your explicit consent to receive them. Consent is collected via a tick-box on our website contact form or through direct written confirmation.

You may withdraw your consent to receive marketing at any time by contacting us at rafi@alighttravel.com. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal.

6. Who We Share Your Data With

We share personal data only where necessary and with appropriate safeguards in place:

  • Operators and service providers: airlines, charter operators, ground transportation providers, hotels, security contractors, and other third-party service providers engaged to fulfil your Booking. These parties receive only the data necessary to deliver the service.
  • Payment processors: Stripe (card payments) and Wise Business (international bank transfers). These providers process data under their own privacy policies and comply with applicable data protection law.
  • Communication platforms: WhatsApp Business (Meta), for client communications. Messages may be stored in accordance with Meta's data retention policies.
  • IT and infrastructure providers: email hosting via Fasthosts; website hosted on Squarespace. Both providers operate under applicable data protection frameworks.
  • Legal and regulatory authorities: where required by law, court order, or regulatory requirement (e.g., HMRC, law enforcement).

Where personal data is shared with Operators or third-party providers, we take reasonable steps to ensure they process data lawfully and securely.

7. International Transfers

Some of our third-party providers (including Stripe and Meta/WhatsApp) may process data outside the UK. Where this occurs, we ensure that appropriate safeguards are in place — such as standard contractual clauses approved by the ICO — to protect your personal data to a standard equivalent to that required under UK GDPR.

8. Data Retention

We retain personal data for as long as necessary to fulfil the purposes set out in this policy, or as required by law. In general:

  • Booking and financial records: retained for 7 years in accordance with HMRC requirements.
  • Client correspondence: retained for 3 years following the last interaction.
  • Enquiry data (where no Booking resulted): retained for 2 years from the end of our last communication, in case you return to us at a later date. After this period, data is securely deleted.
  • Marketing consent records: retained for 2 years from the date consent is given, or until consent is withdrawn, whichever is earlier.
  • Website analytics data: retained in accordance with the policies of the relevant analytics provider.

Once data is no longer required, it is securely deleted or anonymised.

9. Cookies and Website Analytics

Our website at alighttravel.com uses cookies and similar tracking technologies to:

  • Ensure the website functions correctly (essential cookies).
  • Analyse website traffic and user behaviour (analytics cookies, via Squarespace Analytics).
  • Support third-party integrations such as our WhatsApp chat widget.

Non-essential cookies are only placed with your consent, which you may provide or withdraw via the cookie consent banner on our website. You may also manage cookies through your browser settings. Note that disabling certain cookies may affect website functionality.

Our website may contain links to third-party websites, plug-ins, and applications (including social media platforms). Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Alight Travel does not control these third-party websites and is not responsible for their privacy policies. We encourage you to read the privacy policy of every website you visit when you leave alighttravel.com.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include secure email communications, encrypted payment processing via Stripe, and restricted internal access to client data on a need-to-know basis.

While we take reasonable steps to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.

11. Children

Our services are not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will promptly delete it.

12. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — to request a copy of the personal data we hold about you.
  • Right to rectification — to request correction of inaccurate or incomplete data.
  • Right to erasure — to request deletion of your personal data where there is no lawful basis for continued processing.
  • Right to restriction — to request that we limit the processing of your data in certain circumstances.
  • Right to data portability — to receive your data in a structured, commonly used format.
  • Right to object — to object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at rafi@alighttravel.com. We will respond within one calendar month. If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The current version will always be available at alighttravel.com. Where changes are material, we will notify affected clients directly where reasonably practicable. Your continued engagement with Alight Travel following any update constitutes acceptance of the revised policy.

14. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact:

Alight Travel Ltd

11 Old Bond Street, Mayfair, London, W1S 4PN

Email: rafi@alighttravel.com

Website: alighttravel.com