Privacy Policy – Crystal Sky Travels Ltd

Crystal Sky Travels Ltd (company no. 16513173)

Registered office: 8 Mrigold Close, Edwalton, Nottingham, NG12 4JD

Contact: res@crystalskytravels.co.uk · 020 4630 7513

Effective date: 09-15-2025

Crystal Sky Travels Ltd (“we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights under UK GDPR and the Data Protection Act 2018.

We are the Data Controller for the personal data we collect and process in connection with enquiries and bookings made through us (acting solely as agent for third-party travel suppliers).

1. What data we collect

We collect and process the minimum data necessary to arrange your travel:

Identity & contact data

• Name, title, date of birth, gender, nationality, passport/ID details, visa information
• Address, email, phone numbers, emergency contact details

Travel booking data

• Itineraries, flights, accommodation, transfers, excursions, frequent-flyer numbers, special requests
• Party composition (including children’s details where relevant)

Payment & transactional data

• Booking values, invoices, payment confirmations, refund records
• Note: Customer card payments are taken by the Supplier or their merchant. We do not process or store your card details.

Special category data (only if strictly necessary and with consent)

Health/medical information, mobility needs, dietary or religious requirements (so suppliers can accommodate you)

Technical & usage data

IP address, device/browser type, pages visited, cookies (see Cookies section)

Communications

Emails, messages, call notes (for customer service and compliance)

Children’s data

We only collect children’s data when needed to arrange travel (e.g., name, DOB, passport). We require the booking lead/parent or legal guardian to provide/approve this information.

2. How we collect data

• Directly from you (enquiry forms, phone/email, during booking, aftersales)
• From other travellers on your booking (the lead passenger may provide details for the party)
• From suppliers (e.g., schedule changes, confirmations)
• Automatically via our website (cookies/analytics)

Where you provide information about others, you confirm you have their permission and will share this Privacy Policy with them.

3. Why we use your data (lawful bases)

We process data under the following lawful bases:

• Contract (UK GDPR Art. 6(1)(b)) – to provide quotes, take bookings, issue confirmations, and manage changes/cancellations.
• Legal obligation (Art. 6(1)(c)) – accounting/record-keeping, fraud checks, regulatory or border requirements.
• Legitimate interests (Art. 6(1)(f)) – business administration, service improvement, customer support, safeguarding our legal rights, and network/IT security (balanced against your rights).
• Consent (Art. 6(1)(a)) – marketing communications; processing any special category data; cookies requiring consent.
• Vital interests (Art. 6(1)(d)) – in rare emergencies where we or a supplier must share data to protect life.
• Special category data is processed only with your explicit consent (Art. 9(2)(a)) or where strictly necessary for travel arrangements you request (e.g., accessibility) and permitted under UK law.

You may withdraw consent at any time (see Section 10).

4. How we use your data

• Provide quotes, manage enquiries, and build itineraries
• Make bookings with suppliers; issue documentation; notify you of changes
• Handle amendments, cancellations, and (supplier) refunds
• Provide customer service and resolve complaints
• Verify identity where necessary; protect against fraud/abuse
• Maintain business records and comply with accounting/tax rules
• Send marketing only if you have opted in (you can unsubscribe anytime)
• Improve our website and services (aggregated analytics)

We do not sell your data.

5. Who we share your data with

To fulfil your booking and run our business, we share data with:

• Travel suppliers/principals (e.g., ATOL/ABTA tour operators, airlines, accommodation, ground handlers, cruise lines, car hire, excursion providers) so they can deliver your services
• Payment/merchant providers appointed by suppliers (we don’t process card data ourselves)
• Technology providers (website/CRM/email/IT hosting and support) under data-processing contracts
• Insurers/assistance providers if you ask us to liaise in an emergency or claim context
• Public authorities where required by law (e.g., border control, law enforcement)
• Professional advisers (accountants, legal counsel) under confidentiality

6. International transfers

• Crystal Sky Travels Ltd does not directly transfer your personal data outside the UK/EEA.
• However, the suppliers/principals with whom you contract may need to transfer data internationally (e.g., to an overseas hotel or airline) to deliver your booking. Those suppliers are independent controllers and are responsible for ensuring appropriate safeguards for any international transfers. We will provide supplier details on request.

7. Data retention

We keep your data only as long as necessary:

• Bookings & financial records: typically 6 years from the end of the financial year of your last transaction (legal/accounting purposes)
• General enquiries (no booking): up to 24 months
• Marketing data: until you unsubscribe or your consent is otherwise withdrawn
• Special category data: only for as long as required to fulfil your request, then securely deleted

We securely erase or anonymise data when no longer needed.

8. Security

We implement appropriate technical and organisational measures to protect your data, including: role-based access controls, strong passwords/MFA, encryption in transit, secure hosting, staff training, and vendor due diligence. While we work hard to protect your information, no transmission or storage can be guaranteed 100% secure.

9. Marketing preferences

We will contact you for marketing only with your consent (or as otherwise permitted by law). You can opt out at any time by:

• clicking unsubscribe in our emails, or
• emailing res@crystalskytravels.co.uk, or
• calling 020 4630 7513.

Unsubscribing from marketing won’t affect service emails about active or upcoming bookings.

10. Your rights (UK GDPR)

You have the right to:

• Access your data (Subject Access Request)
• Rectify inaccurate/incomplete data
• Erase your data (where legally permissible)
• Restrict or object to processing in certain circumstances
• Data portability (receive data you provided to us in a structured, commonly used format)
• Withdraw consent (for marketing or special category data) at any time

To exercise your rights, contact res@crystalskytravels.co.uk. We aim to respond within one month. We may need to verify your identity and, where appropriate, may lawfully refuse or charge for manifestly unfounded or excessive requests.

You also have the right to complain to the Information Commissioner’s Office (ICO): ico.org.uk · 0303 123 1113.

11. Cookies & similar technologies

We use cookies to operate and improve our website. Categories may include:

• Strictly necessary (site security, session management) – always active
• Functional (remember preferences) – consent-based where required
• Analytics (website performance and usage) – consent-based
• Advertising/retargeting (where used) – consent-based

On your first visit, we present a cookie banner so you can accept/refuse non-essential cookies. You can also manage cookies via your browser settings. Blocking certain cookies may affect site functionality. See our Cookie Notice for details (if separate).

12. Automated decision-making & profiling

We do not make decisions that have legal or similarly significant effects solely by automated means. We may use limited profiling (e.g., destination interest segments) to send more relevant marketing content only if you consent to marketing.

13. Third-party links

Our website may contain links to third-party sites (e.g., airline check-in, visa portals). We are not responsible for their privacy practices. Please review those sites’ policies.

14. Children’s privacy

We do not market to children. We process children’s data only to arrange travel at the request of the lead passenger/parent/guardian and only what is necessary (e.g., name, DOB, passport). Parents/guardians should supervise children’s online activities and communications with us.

15. If you don’t provide data

Where data is necessary to enter into or perform a contract (e.g., legal names for tickets, passport details for API), we cannot provide the services if you do not provide the required information.

16. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will be posted on our website with the effective date at the top. Material changes will be notified where appropriate.

17. Contact us (Data Protection)

Crystal Sky Travels Ltd

8 Mrigold Close, Edwalton, Nottingham, NG12 4JD

Email: res@crystalskytravels.co.uk

Tel: 020 4630 7513