This document contains information regarding the basis on which we will collect, use, share, transfer and store your personal data. Please read this document carefully, and show it to all parties involved in your arrangements with The Luminaire. If you have provided us with information concerning another person, you are deemed to have received their permission to do so.
If you have any questions regarding this document or require further information, please contact our Data Protection Officer by email at firstname.lastname@example.org.
USE OF INFORMATION
The Luminaire, LLC (“we”, the “Company” or “The Luminaire”) shall at all times treat all personally identifiable information strictly in accordance with the UK General Data Protection Regulation (“UK GDPR”).
DATA CONTROLLER AND DATA PROCESSOR
We shall process your personal identifiable information in a lawful, fair, open, and transparent manner and shall apply appropriate security measures to protect against unauthorised or unlawful processing or accidental loss, destruction, or damage (including, without limitation, restricting access to such information to those people within our organisation who are required to use it and periodically reviewing our security procedures).
Our arrangements with our suppliers are governed by and operate strictly in accordance with the terms of the contractual arrangements we have entered into with such suppliers. These contractual arrangements determine how data, including your personally identifiable information, will be processed as between us and the relevant supplier, including the circumstances in which we act as a processor (e.g., when making visa applications) or as a controller (in accordance with the requirements of the UK GDPR). When acting as a controller of your data, we may, in certain circumstances, determine the purposes and means of processing your data, including the processing of your data by suppliers required to meet your specific travel requirements.
OUR BASIS FOR COLLECTING YOUR INFORMATION
We may collect certain personal data when we collect information about you, including your name, address, contact details, and other personal information such as a date of birth. Where relevant to do so, we may also collect information which relates indirectly to an individual by reference to a specific identifier, such as an IP address.
Further, where required and appropriate to do so, we may also collect sensitive personal information, such as information concerning an individual’s health details, credit worthiness, or criminal convictions.
In certain circumstances (such as designing a bespoke itinerary to suit your specific requirements), we may collect information from a range of sources, such as social media and networks, third-party databases generally available to the wealth advisory sector, or other suppliers involved in the delivery of a travel products. Such information may include information regarding your past experience of a travel sector.
Our aim is to hold all our data in an electronic format.
The devices on which our data is stored are password-protected, and subject to multi-factor authentication. Further, where reasonable to do so, we endeavour to store our data on secure cloud-based platforms.
Data within our electronic storage platforms is stored in a partitioned format so that only employees or other authorised agents who have an appropriate need to view the required data may do so.
On occasion, we may have to store your data in hard format (e.g., on a printed page). Accountable employee data handing policies govern the strict carriage, use and subsequent destruction of hard format documents. Details of this policy may be requested from the Data Protection Officer.
USING INFORMATION ABOUT YOU
We will use data about individuals, including sensitive information, because it is principally necessary:
for an individual to use a bespoke travel (e.g., personal preferences);
for compliance with a legal obligation (e.g., passport details);
to protect the interests of a data subject or another person; or
for our own legitimate interests or those of other controllers or third parties (e.g., to search at anti-money laundering agencies, conduct market research, develop statistics) except where such interests are overridden by the interests, rights or freedoms of the data subject.
When we process data about individuals, we will ensure that appropriate safeguards are in place so that:
processing is fair and transparent, and we are able to provide meaningful information about the rationale behind the processing, including the envisaged consequences and their significance;
appropriate procedures are in place for individual profiling;
appropriate technical and organisational measures are in place to enable inaccuracies to be corrected and to minimise the risk of errors in recorded data; and
we are able to secure your data in a way that is proportionate to the risk to your interest and rights and prevents discriminatory effects.
For audit purposes, we may record any communication by any means.
SHARING YOUR INFORMATION
We will share data about individuals, including sensitive information, because it is necessary:
for the creation of or to take steps for you to undertake a travel itinerary or other service provided by The Luminaire;
for the compliance with a legal obligation;
to protect such individuals’ vital interests;
for our own legitimate interests or those of other controllers or third parties; and
necessary for a task carried out in the public interest or for an exercise of an official authority (e.g., a regulatory body).
This includes sharing your data within The Luminaire as necessary and carefully selected third parties providing a service to us or on our behalf, including, without limitation, our insurers, and bankers (who may require certain data or the purposes of fraud detection or anti-money laundering obligations).
WHAT WE WILL NOT DO WITH YOUR INFORMATION
We will not share your data unless required to do so by law or for the reasons outlined above or unless we have your consent to share such information and have explained the rationale for doing so.
DURATION OF INFORMATION STORAGE
We will only keep data about an individual for as long as is necessary for the provision of our products and services or for compliance with a legal or regulatory obligation.
As such, we will typically keep information for a minimum retention period of seven years, and for a maximum retention period of 40 years, after we have ceased to provide a particular product or service.
Where we have collected data in respect of a quotation which did not result in a trip being arranged, we will typically keep such data for a shorter period of a minimum of one year and a maximum of seven years.
We will regularly:
review the length of time for which we keep data about individuals;
consider the purposes for which such information is held in determining the length of time for which we shall keep it;
securely delete data about individuals that is no longer needed;
endeavour to update, archive or securely delete data about individuals if it becomes out-of-date.
In carrying out our duties as a data controller or data processor, we may collect sensitive data about you, and other parties related to our products and services. In each case, the collection of such sensitive data will be necessary:
for the creation or undertaking by you of a bespoke travel product or other service offered by The Luminaire;
for compliance with a legal obligation;
for the protection of your vital interests;
for our own legitimate interests or those of other controllers or third parties; and
for a task carried out in the public interest or in connection with the exercise of an official authority (e.g., a regulatory body).
Sensitive data includes an individual’s:
health information (including medical conditions);
criminal convictions; and
racial or ethnic origin or religious beliefs.
We will apply additional organisational and technical measures for this category of data, including restrictions on access to this data.
USE AND STORAGE OF YOUR INFORMATION OVERSEAS
The Luminaire operates a global business, taking its guests to many destinations outside of the United Kingdom and European Economic Area. As a result, we may transfer, store, or process data about individuals outside of the United Kingdom or European Economic Area for the reasons stated above in the section entitled “Sharing Your Information”.
Where we transfer such individual data outside the United Kingdom or European Economic Area, we shall do so in compliance with the conditions of transfer set out under the UK GDPR. In any event, all reasonable steps shall have been undertaken to ensure the entity to which such data is being transferred has suitable measures in place to protect such information.
USING OUR WEBSITE AND COOKIES
When using our website you will be asked to accept a “cookie”, i.e., a small file that is downloaded to your computer when you visit our website. You will typically have to accept the cookie in order to benefit from the services of the website.
You have certain rights with respect to the personal information which we hold with respect to you, including the right to:
see a copy of the personal information we hold with respect to you (within one month from such request being made in writing to us);
require information to be corrected if it is inaccurate or incomplete;
require the deletion of such personal information in part or in its entirety where there is no compelling reason for its continued processing;
permit us to store, but not to process, such personal information;
require the processing of such personal information in a restricted manner (e.g., for marketing purposes only);
opt out of automated processing;
withdraw any permission you may have previously provided; and
complain to the Information Commissioner’s Office at any time if you or an individual is not satisfied with our use of such information.
You may request a copy of the personally identifiable information we hold by contacting us, and you may require such information to be provided to you in an easily portable format (such as electronically).
If you would like further information or wish make a Subject Access Request, you may send an e-mail to email@example.com.
When marketing to you as an individual, we will either rely on the permission we have (if we are able to do so) or ask you for your permission to contact you, including with respect to the means by which we will contact you (such as telephone, e-mail, push notifications, or otherwise). We may contact you regarding (i) new products or services we have or are developing, (ii) trial products and services which we think may improve our service to you or our business processes, or (iii) offer you rewards or incentives.
We will typically ask for this permission when you first contact us (generally but not exclusively through our website), although you maintain the right to withdraw such permission whenever you wish. We will review any such permission to check that your relationship with us and any rationale for data processing has not changed.
RESEARCH AND ANALYSIS
We may convert personal information we hold on you into statistical or aggregated data (i.e., such that this data cannot be traced back to an individual) with the purpose of undertaking producing or undertaking statistical or analytical research and development work. This is undertaken to optimise our marketing approach and customer experience.