The Quick Version:
In a nutshell, we will never sell your data. We provide controls that allow visitors and customers to have control over the privacy of all personal data that is captured by our service. We are committed to being transparent about what data we collect, how we use it and the measures we take to protect it. When you choose to provide us with information about yourself, you trust us to use it in a responsible manner. We respect that.
Want more? Here goes with the detail.
The Full Version:
Sustainable Rural Development International Limited (‘Us’, ‘We’) is the social enterprise overseeing the Black Sea Sustainable Rural Tourism Program.
We as a data controller collect, process, use and disclose the information you provide by using the Website (www.travelbsst.com). We will use your personal data only for the purposes and in the manner set forth below, which describes the steps we take to ensure our processing of your personal data is in compliance with the General Data Protection Regulation ((EU) 2016/679) (GDPR) and any implementing legislation (Data Protection Legislation).
- What data do we collect?
When you visit or use our Website in any way, we collect and process different types of information about you in different ways.
- Information you give us:
- Identity Data, including first name, last name, username or similar identifier, and title.
- Contact Data, including your address, email address and telephone numbers.
- Profile and Traveller Data, including history of enquiries and bookings made by you, your preferences, important information required for the delivery of bookings, such as travel plans, dietary and medical requirements and other information as required dependent on the booking and your feedback and review responses.
- Marketing and Communications Data, including your preferences in receiving marketing from us and your communication preferences.
- Information we collect:
In addition to the information you provide to us, we collect certain information when you visit our Website, as explained below and in our Cookies policy. The following additional information may be collected:
- Technical Data, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, and the type of device used to access the Platform; information about your visit, including the clickstream to, through and from our Platform (including date and time), products you viewed or searched for, page response times, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and any phone number used to call our customer service number. This can be stored in both video and word form and may allow us to access session videos designed to better illustrate how users interact with the platform.
- Usage Data, including information about how you use our website, products and services.
- Information from other sources:
We work with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers) and may receive some information that is not personal information because it does not identify you or anyone else. For example, we may collect anonymous aggregated information about how users use our services.
- How do we use the data?
We will only use your personal data for the purposes and legal bases set out below.
- Essential (contractual) uses:
The following is essential in order for us to carry out the service you request from us:
- To create and maintain a customer account
- To process and manage your enquiries and bookings
- To provide you with information and updates related to bookings you have requested
- To provide customer service and support.
- As part of our contract with you, we also need to pass essential information about you and your booking to the end provider(s) (Suppliers) of the service(s) you have booked.
- Uses we’d like your consent for:
With your consent we’d also like to do the following. You may provide or withdraw this at any time.
- To provide you with information, ideas and special offers about trips that we think may interest you.
- To provide you with information about relevant additional products or services we feel may interest you.
- To carry out market research and collect feedback.
- To help us identify new potential audiences of like-minded people on the Facebook platform.
- We will also ask your consent to publish any reviews or photos you provide about trips you have been on. You can revoke this consent at a later date and have the review removed from the platform by submitting a data request.
- Legitimate uses:
Data protection regulation allows for personal data to be processed in certain circumstances that are defined as 'legitimate interests'. We believe the following uses are necessary to support our legitimate interest in providing a service to you, provided such interests are not overridden by your interests and rights.
- To manage, operate and continually improve our website and service to you;
- To ensure that content is presented in the most effective and safe manner for you and for your computer;
- To administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- To allow you to participate in interactive features of our services when you choose to do so;
- To measure or understand the effectiveness of our marketing activity;
- To record and support your participation in the features and services you select;
- To assist in providing the highest level of customer care.
- We will also give you the chance to opt-out from receiving non-personalised marketing and update emails from us with trip ideas and special offers. We believe it is reasonable to consider that you might be interested in these having booked an experience with us, but will always give you the chance to opt-out.
- Legal uses:
The following processing is necessary to comply with legal and regulatory obligations:
- For the prevention and detection of fraud, money laundering or other crimes;
- For the purpose of responding to a binding request from a public authority or court.
- Unless you are making a booking, the provision of your personal data is not a statutory or contractual requirement. You can choose not to provide this information; however, you might not be able to gain access to our information, services or products.
- What about children?
This Website is not intended for children and we do not accept requests from children under the age of 18, except where they are an accompanying passenger on a booking made by an adult.
Where children are on a booking, we will ask for the child’s identity, profile and traveller data as detailed in the ‘information you give us section’, for the purpose of fulfilling our contracted services, as detailed in ‘how do we use the information’ section.
We will not use this data for any other means, including marketing.
If you are a child under the age of 18, please do not attempt to use this Website or provide any personal information about yourself to us. If we learn that we have collected personal information from a child under the age of 18, we will promptly delete that information. If you believe we have unnecessarily collected personal information from a child under the age of 18, please contact us.
- Do we share personal information with third parties?
We will never sell or rent your personal data and only share it with third parties in certain limited circumstances, which we will explain below. As well as sharing your data with Suppliers when you have made a booking with us (see ‘How do we use your data?' above), there are certain circumstances where we need to share your data with third parties to operate and manage our Website, process bookings, and fulfil and deliver our service to you.
We use a select number of trusted external service providers for certain technical data analysis, processing and/or storage offerings. These service providers are carefully selected and meet high data. protection and security standards. We only share information with them that is required for the services offered and we contractually bind them to keep any information we share with them as confidential and to process Personal Data only according to our instructions.
Third-Party Service Providers we may share data with include: providers of payment processing services including Stripe; providers of analytics and technology services to help us better understand our users’ needs and to optimize this service and experience, including Google Analytics; providers of cloud-based CRM software to provide customer account maintenance and customer support, such as AWS; providers who collect information on our behalf, including as necessary to operate features of the Website, such as customer satisfaction surveys; providers of cloud-based accounting software in relation to management of accounting.
We may also disclose your personal data to the following recipients:
- If we or substantially all of our assets are acquired by a third party, in which case your personal data held by us may be included in the transferred assets (for example, in the form of a database of users of the Website). Similarly, personal data may be transferred as part of a corporate reorganisation, insolvency proceeding, or other similar events, if permitted by and done in accordance with applicable law;
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation or court order, or in order to enforce, establish, exercise or defend legal rights, the rights, property, or safety of you, us, our group, or employees;
- To detect, prevent, or otherwise address fraud, security, or technical issues;
- To protect against harm to the rights, property or safety of Us, our employees, our users, customers, or the public as required or permitted by law.
- We may also seek your express consent in other circumstances where we would like to share specific items of data with a particular party. We will always be transparent about who we are sharing with and why in these circumstances, and you have full control over whether we may share that data or not.
- Where is your data stored and is it secure?
The data that we collect from you will be transferred to, and stored in the cloud. It may also be processed by staff operating outside the EEA who work for us, or for one of our hosts. This includes staff and partners engaged in, among other things, the fulfilment of your booking and the provision of support services.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
- How long do we store your data?
We store your personal data during the time that you are a customer, for purposes of providing you the services, and for up to seven years after you cease to be a customer. If you have never been a customer, but have consented to receive information or marketing updates from us, we may store your data for up to three years after the last time you used the platform. We reserve the right to store or delete your personal data earlier or later than set forth herein if required to do so by an applicable law or regulation, including the GDPR and for the exercise or defense of legal claims.
- Links to other websites
Our Website may, from time to time, contain links to third party websites. If you follow a link to any of those third-party websites, please note that those websites have their own privacy policies and we do not accept any responsibility or liability for those practices. Please check those policies before you submit any personal data to those websites.
- Your rights
We are committed to ensuring that you have control and visibility of your personal data. Below is a summary of your rights and additional commitments. You may exercise your rights by contacting us the data request form.
If you wish, you can request a copy of all the personal data we hold about you, and you have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete. It is your responsibility to ensure that any information you have provided to us is accurate and up-to-date.
- Right to Erasure (‘Right to be Forgotten’)
You are able to request to delete your account, within the profile area of your account. In doing so, your details will be removed from our systems. Please note that we must legally hold data related to previously booked trips for 7 years.
If you wish to delete your account and you have booked onto a trip with us that has yet to take place, then you’ll need to delete your account upon your return. You have the right to request that your personal data be deleted in certain circumstances including:
- The personal data are no longer needed for the purpose for which they were collected;
- You withdraw a consent (where the processing was based on consent);
- You object to the processing and there are no overriding legitimate grounds justifying us processing the personal data (see Right to Object below);
- The personal data have been unlawfully processed; or
- To comply with a legal obligation.
- However, this right does not apply where, for example, the processing is necessary:
- To comply with a legal obligation; or
- For the establishment, exercise or defense of legal claims.
- Right to Restriction of Processing
You can ask that we restrict your personal data (i.e., keep but not use) where:
- The accuracy of the personal data is contested;
- The processing is unlawful but you do not want it erased;
- We no longer need the personal data but you require it for the establishment, exercise or defense of legal claims; or
- You have objected to the processing and verification as to our overriding legitimate grounds is pending.
- We can continue to use your personal data:
- Where we have your consent to do so;
- For the establishment, exercise or defense of legal claims;
- To protect the rights of another; or
- For reasons of important public interest.
- Right to Data Portability
Where you have provided personal data to us, you have a right to receive such personal data back in a structured, commonly used and machine-readable format, and to have those data transmitted to a third-party data controller without hindrance but in each case only where:
- The processing is carried out by automated means; and
- The processing is based on your consent or on the performance of a contract with you.
- Right to Object
You have a right to object to the processing of your personal data in those cases where we are processing your personal data in reliance on our legitimate interests. In such a case we will stop processing your personal data unless we can demonstrate compelling legitimate interests that override your interests and you have a right to request information on the balancing test we have carried out. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Automated Decision-Making
You have a right not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affects you other than where the decision is:
- Necessary for entering into a contract, or for performing a contract with you;
- Based on your explicit consent – which you may withdraw at any time; or
- Is authorized by European Union or Member State law.
- Where we base a decision solely on automated decision-making, you will always be entitled to have a person review the decision so that you can contest it and put your point of view and circumstances forward.
- Right to Complain
You have the right to lodge a complaint with the Data Protection Authority, in particular in your place of residence, place of work or place of an alleged infringement, if you are unhappy with how we are processing your personal data.
We will respond to your request in writing, or orally if requested, as soon as practicable and in any event not more than one month after receipt of your request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of your request. We may request proof of identification to verify your request. All requests should be submitted through our data request form.
- Changes to Our Privacy and Cookies Policies
We reserve the right to change our Privacy and Cookies Policies from time to time at our sole discretion. If we make any changes, we will post those changes here and update the “Last revised” date at the top. Where you have previously consented to our use of your personal data, your continued use of the Website after we make changes is deemed to be acceptance of those changes, so please check the Privacy and Cookies Policies periodically for updates. If we consider the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of privacy and cookies policy changes). We will also keep prior versions of the Privacy and Cookies Policies in an archive for your review.
- Contact Us
If you have any questions, comments, requests and complaints regarding our Privacy and Cookies Policies and the information we hold, please contact us through the data request form or by mail. Our UK postal mail address is:
Sustainable Rural Development International Limited
5 St Johns Lane
London EC1M 4BH England