Terms and Conditions continued

International Data Transfers

To deliver our services, we may need to share your personal information with relevant overseas travel service providers. These providers will typically receive your information either in the country where they will perform the services or where their business operations or management are located.

Your personal data may be processed within the UK, the European Economic Area (EEA), or outside these regions. When transferring data outside the EEA, we ensure adequate protection through:

1. Transfers to countries deemed to have adequate data protection by the European Commission.
2. Implementation of standard contractual clauses to ensure data is handled securely.

Note: We may also transfer personal data to countries that do not have an adequacy decision from the European Commission. In such cases, we ensure that the recipient company is contractually obligated to handle your data strictly according to our instructions and to maintain robust security measures to protect it.

Data Security and Protection

We implement robust administrative, technical, and physical measures to safeguard your personal data against unauthorised access, accidental loss, or unlawful processing. Our security protocols include restricting access to your data to only those who need it for business purposes and ensuring that any third-party service providers are contractually bound to maintain data confidentiality and security. Additionally, we have procedures in place to address and report any data breaches in accordance with legal requirements.

Data Retention and Storage Period

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, and reporting requirements. Typically, we keep basic information for a minimum of six years following the end of our relationship with you, in compliance with tax regulations.

For data related to bookings, we store personal information for up to eight years from the date of departure. Marketing-related data is kept for eight years from the last interaction. After these periods, we may either delete your data or anonymize it for research or statistical purposes, depending on the context.

We review our data retention policies regularly to ensure compliance with legal requirements and adjust as necessary. For details on how to request data deletion or further information on our retention policies, please refer to the relevant sections in this policy.

Recruitment Privacy Policy

At Oliver’s Travels, we take your privacy seriously. This notice explains how we handle your personal data during our recruitment process, in line with UK GDPR.

Who We Are

Oliver’s Travels Ltd is the data controller responsible for the information you provide during the recruitment process.

What Data We Collect

We collect and process the information you provide in your application (such as your CV, covering letter, and contact details). We may also take notes during interviews or assessments.

How We Use Your Data

We use your information only to:

• Assess your skills and experience against the role applied for.
• Communicate with you about the recruitment process.
• Keep records required for legal or compliance purposes.

How Long We Keep Your Data

• Unsuccessful applications: We keep your details for up to 6 months after the role closes, to allow us to respond to any queries or legal claims. After this, your data will be securely deleted.
• Talent pool: With your consent, we may keep your CV for up to 12 months for future opportunities. You can withdraw your consent at any time.

Who Has Access

Your information will only be shared internally with staff directly involved in the recruitment process. We do not share your data with third parties for marketing purposes.

Your Rights

Under UK GDPR, you have the right to access, correct or delete your data, and withdraw consent (if you previously agreed to us keeping your CV for future roles). If you would like to exercise any of these rights, please contact us at jobs@oliverstravels.com or our DPO at DPO@oliverstravels.com.

Contact & Complaints

If you have questions about how we handle your data, please contact our DPO at DPO@oliverstravels.com. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO).

Call Tracking & Attribution (Call360)

Purpose: To better understand how our online marketing activities lead to phone enquiries and sales, we use a call tracking and attribution service provided by Call360 (or a similar provider). This service helps us identify which digital marketing channels, such as paid search, organic traffic, or social media, are most effective in generating calls to our business.

Dynamic phone numbers may be shown on our website depending on the source of your visit. This allows us to match website visits and phone calls to specific marketing campaigns, search keywords, or referring websites. In some cases, calls may also be recorded for training, analysis, and operational insights (with clear notice provided at the start of the call).

What Data Is Collected and Why

1. Essential Data (Strictly Necessary – No Consent Required)

Pages visited on our website and time spent; Session ID or temporary cookie to maintain session state; Referring website; Landing page URL; Timestamps; Duration and call status; Technical error logs or spam/bot detection signals. This information helps operate the site, route enquiries, and protect against abuse.

2. Consent-Based Data (Requires Your Agreement)

Marketing attribution data via cookies or URL tracking (e.g., UTM parameters, tracking cookies, cookie ID/persistent browser ID) and call recording (with a pre-call notice). Recordings are transcribed automatically, personally identifiable information (PII) is redacted, and audio recordings are deleted after redaction is complete. You can opt out via cookie settings or by telling us during the call.

3. Personal Data Collected Under Legitimate Interests

Caller phone number (where available), time/date of the call, and call metadata linked with a marketing source (e.g., campaign, keyword). We use this to measure campaign effectiveness and improve responses. Opt-out options are available.

Data Redaction and Minimisation

All call recordings are transcribed and redacted of PII before use; original audio files are deleted once redaction is complete; website tracking is session-based unless cookie consent is given.

Cross-Session Linking (Cookies)

Where cookies are accepted, we may use a persistent identifier to associate multiple website visits and calls with the same browser. You can disable this by rejecting non-essential cookies.

Automated Decision Making

We may use interaction data to help prioritise responses to enquiries or tailor communications. This is not used to make legal or similarly significant decisions about you, and you can object at any time.

Approximate Location

We may infer your approximate location (e.g., city or region) using your IP address to understand which locations generate the most enquiries. This is processed under our legitimate interests and is not used to personally identify you.

Lawful Basis for Processing

Legitimate interests (to evaluate marketing performance and respond effectively), and consent where legally required (e.g., for cookies or recording calls). When relying on legitimate interests, we conduct a balancing test to ensure our interests do not override your rights and freedoms.

Data Sharing

Your data may be shared with Call360 (or another appointed provider) as a data processor, sub-processors for transcription/redaction, cloud infrastructure providers, and internal marketing/analytics teams. All service providers are contractually bound to UK GDPR standards; no personal data is sold to third parties.

Data Retention

Attribution metadata and call metadata: up to 12 months. Call recordings: automatically deleted after transcription and redaction are complete (typically within 12 hours). Only redacted text transcripts may be retained without personally identifiable information.

Your Rights and How to Opt Out

You can opt out of marketing attribution cookies by rejecting non-essential cookies via our cookie banner or your browser settings. If you would prefer not to have your call recorded (where applicable), please tell us at the start of the call and we will provide an alternative communication method.

Contact Information

Oliver’s Travels Ltd | Data Protection Officer (DPO): Rory Lowe | Email: DPO@oliverstravels.com | Phone: 0333 888 0205 | Address: Unit 1.01, Chester House, Kennington Park, 1 -3 Brixton Road, Oval, SW9 6DE

Use of Artificial Intelligence Tools

We may use artificial intelligence (AI) tools, including ChatGPT by OpenAI, to assist with tasks such as customer support, internal content creation, and process automation. These tools may process limited personal data strictly for the purposes of providing and improving our services.

OpenAI acts as a data processor on our behalf. Data processed through ChatGPT is governed by OpenAI’s Data Processing Addendum, which incorporates Standard Contractual Clauses (SCCs) to safeguard any international data transfers.

We do not use AI tools to make automated decisions that produce legal or similarly significant effects without human involvement.

Our lawful basis for this processing is legitimate interests in enhancing the efficiency and quality of our services. We ensure that only the minimum necessary data is shared, and no special category data is processed through AI systems.

Your Data Rights

You have several rights regarding your personal data, subject to applicable laws. These include:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request corrections to any inaccurate or incomplete personal data.
• Erasure: Ask us to delete your personal data where there is no valid reason for us to keep it, or if you have successfully objected to processing.
• Restriction: Request to limit the processing of your personal data in certain circumstances.
• Portability: Request your personal data in a structured, machine-readable format for transfer to another organization.
• Withdraw Consent: Withdraw consent for processing where applicable.

To exercise these rights or make a complaint, please contact our DPO using contact details above. We may need to verify your identity before processing your request.

We aim to respond to all valid requests within one month. If your request is complex or if you’ve made multiple requests, it may take longer. In such cases, we will notify and update you.

Updates to our Privacy Policy

Our Privacy Policy may be updated periodically to reflect changes in data protection laws, regulatory guidance, or our internal procedures. We encourage you to review the Policy from time to time to stay informed about how we collect, use, and protect your personal information. Updates to the Policy will be posted on our website, in brochures, and made available upon request.