Privacy Policy
1.1 Purpose of this Privacy Policy
This Privacy Policy will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you. Please also use the Glossary (Section 7) to understand the meaning of some of the terms used in this Privacy Policy.
It is important that you read this Privacy Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data. This Privacy Policy supplements the other notices and is not intended to override them. This privacy policy does not form part of any contract with you unless the contract expressly states otherwise.
When we say ‘we’ or ‘us’ or ‘our’ or ‘IBT’ we are generally referring to IBT which is the trading name of IBT Travel Ltd. IBT Travel Ltd is a company registered in Scotland. Company No SC299214. Our Registered Office is: IBT Travel Ltd, Cairn House, 15 Skye Road, Prestwick, KA9 2TA.
For over 35 years IBT has been specialising in the provision of educational trips, school ski trips and golfing tours in the UK, Europe and further afield. Trust and respect sit at the heart of the relationships we have with schools, pupils, tour organisers and golfers. Applying highstandards of privacy and security to the personal data shared with us, helps us to maintain these principles and deliver the outstanding service ourclients expect of us.
When we collect and use your personal data in the ways set out in this Privacy Policy, we are the controller for the purpose of the EU & UK Data Protection Legislation.
If you wish to speak to us or question anything in this privacy policy relating to how we collect, store or process your personal data, please email us at privacy@ibt-travel.com or write to our Data Protection Co-ordinator, Jim Connor at: IBT Travel Ltd, Cairn House, 15 Skye Road, Prestwick, KA9 2TA.
The General Section (Section 2) of the Privacy Policy applies to the use of all personal data processed by us in our capacity as a controller. There are then specific section(s) (Sections 3 to 6) that will or will not apply to you depending on how you interact with us. Please read the relevant sections that apply to you:
- Section 3: Customer Section: If you are a customer of IBT (e.g. you have a contract with us or you are enquiring about entering into a contract with us) please read this section. Please note that information related to corporate customers is generally not personal data.
- Section 4: Participant Section: If you are a participant for a trip or excursion booked with us then please read this section.
- Section 5: Website Section: If you visit one or more of our websites and/or contact us through one or more of our websites then please read this section. IBT currently operates the following websites: IBT Travel and IBT Golf
- Section 6: Marketing Section: If you receive marketing communications or updates from us then please read this section.
- If you are applying for employment with IBT, please access our Recruitment Privacy Notice 202301_Recruitment-Privacy-Notice.pdf (ibt-travel.com)
We may update this Privacy Policy from time to time. It was last updated on 1st March 2023. We may revise this Privacy Policy at any time by amending this page. You are expected to visit this page from time to time to note any changes we make, as they affect you.
This section of the Privacy Policy applies to the use of all personal data processed by us in our capacity as a controller.
Under certain circumstances, you have rights in relation to your personal data under the EU & UK Data Protection Legislation. You have the right to:
- Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of Personal Data we hold about you and to check that we are lawfully processing it.
- Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us.
You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive or if you ask for multiple copies of your personal data. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You have the right to make a complaint at any time to your relevant supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance.
We may require to use any or all types of your personal data for complaints, grievance or litigation purposes depending on the specific nature of the complaint, grievance or litigation. We rely on the lawful basis of our Legitimate Interests for this purpose, and the additional condition of Legal Claims.
We employ appropriate technical and organizational measures to help protect your personal data. Although we take all necessary steps to provide the best security available and do our best to protect your personal data, the transmission of data on the internet can never be completely secure. We cannot guarantee the security of data collected electronically and transmitted to our site and need to make you aware that any transmission is at your own risk. Where a password may be needed to access areas of our site, it is your responsibility to keep these passwords secure and confidential.
We share your personal data with others in certain circumstances as detailed below:
- We contract with third party service providers and suppliers to deliver certain services to us to manage and operate our business, for example our agents and marketing representatives, consultants, auditors and accountants, banking services, administration or HR services, I.T systems maintenance, third party payment processors, hosting providers, digital marketing providers, etc. We only permit them to process your personal data for specified purposes and in accordance with our instructions. Our service providers change from time to time. If you require any further information on our service providers, you may request this by contacting us, subject to our obligations of confidentiality.
- We may use third party service providers and suppliers to provide certain services to you, for example: specialist instructors, ski representatives, tour guides, coach operators, ferry operators, airlines, hoteliers, activity providers. Our service providers change from time to time. If you require any further information on our service providers, you may request this by contacting us, subject to our obligations of confidentiality.
- We will also provide your personal data to third parties where there is a legal obligation to do so, for example to regulators, government departments, law enforcement authorities, tax authorities and any relevant dispute resolution body or the courts.
- We may also provide your personal data to third parties to whom we may consider or choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them.
- We will provide information about you to any other person who is authorised to act on your behalf.
- We do not share your information with third parties for the purpose of marketing products and services offered by them unless you have consented to this.
Some of our external third parties are based outside the UK or the EEA so their processing of your personal data will involve a transfer of data outside the UK. If we transfer your personal data to a third country (outwith the UK or EEA) or share with an international organisation we will take reasonable steps to (a) transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data or (b) use specific contracts approved for use which give personal data the same protection it has in the UK or the EEA.
We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In some circumstances we may anonymise personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Where we process personal data in relation to travel insurance we have provided, we will normally retain this for 7 years. Where we process personal data relating to minors, we will typically retain this information at least until they reach the age of 21. We may keep data for longer in order to establish, exercise or defend our legal rights.
When we assess the appropriate retention period for your personal data, we will consider the following:
- The requirements of our business, the services we provide to you and the products and services you provide to us
- Any legal or statutory obligations
- The purposes for which we originally collected the personal data
- The lawful grounds on which we based our processing
- The types of personal data we have collected
- The amount and categories of your personal data
- If the purpose of processing your personal data could be reasonably fulfilled by any other means
- The sensitivity of the personal data
- The potential risk of harm from unauthorised use or disclosure of the personal data
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the lawful basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us or if you are the group representative or group leader then please ensure that you are providing us with updated information in relation to all participants as is required.
Where we need to collect personal data by law, or under the terms of a contract with you and you fail to provide that personal data when requested, we may not be able to perform the contract we have or are trying to enter into with you and/or you may not be able to participate in all or part of a trip.
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
If you are a customer of IBT (e.g. you have a contract with us or you are enquiring about entering into a contract with us) please read this Section 3. Please note that information related to corporate or business customers is generally not deemed personal data.
- Direct interactions. You may give us your personal data yourself by for example, filling in our forms or by corresponding with us or by speaking with us in person.
- Indirect sources. We will also receive personal data about you indirectly from automated technologies, publicly available sources or from third parties. For example:
- When group representatives or group leaders share your personal data with us in order to book travel, accommodation and any other facilities on your behalf.
- From our third party agents and representatives who market our services to customers and potential customers on our behalf.
- From tour organisers and/or activity or excursion providers.
- From third parties who provide some of the services within a trip package e.g. travel insurance, flights, accommodation, etc,
- Local authority information, specialist directories, and Google searches.
- As you interact with our website, we may automatically collect Usage Data and Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
Where a third party has shared your personal data with us, we trust that they have informed you about the processing and sharing of yourdata.
In general terms, we use your personal data to allow us to perform services and to comply with the contract that we have with you. We have set out in the table below further detail of all the ways we plan to use your personal data, and which of the legal basis and, if applicable, additional condition we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Purpose/activity | Types of personal data | Lawful basis for processing including basis of legitimate interest | Additional condition for processing |
To sign you up as a new customer | Identity Data Contact Data | Contract | N/A |
To understand your needs and how we can meet them | Communications Data Profile Data Feedback Data Trip and Bookings Data | Contract Legitimate Interests of meeting your requirements | N/A |
To provide you with information about the tours and services you have requested from us | Identity Data | Contract | N/A |
To provide you with information about tours, trips and services we feel may be of interest to you now or in the future | Identity Data | Contract | N/A |
To fulfil our booking or contractual obligations and to meet agreements we have put in place with you | Identity Data | Contract | N/A |
To manage our relationship with you | Identity Data | Contract | N/A |
To maintain administration records for you | Identity Data | Contract | N/A |
To respond to your feedback and ideas | Identity Data | Legitimate Interests to improve our business and services | N/A |
To verify identification where required | Contact Data | Contract | Consent |
To plan and manage third party travel, hotel and activity relationships we have with you | Identity Data | Contract | Consent |
To investigate and respond to any complaints you may make | Contact Data | Contract | N/A |
To process financial transactions, invoicing and maintain group arrangements | Identity Data | Contract | N/A |
To prevent and detect crime, fraud or corruption | All personal data | Legal Obligation | Legal Claims |
To meet legal, regulatory, statutory and ethical responsibilities | All personal data | Legal Obligation | Legal Claims |
If you are a participant of a trip or excursion booked with us please read this Section 4.
- Direct interactions. You may give us your personal data yourself by for example, filling in our forms or by corresponding with us or by speaking with us in person.
- Indirect sources. We will also receive personal data about you indirectly from automated technologies, publicly available sources or from third parties. For example:
- When group representatives or group leaders share your personal data with us in order to book travel, accommodation and any other facilities on your behalf.
- From our third party agents and representatives who market our services to customers and potential customers on our behalf.
- From tour organisers and/or activity or excursion providers.
- From third parties who provide some of the services within a trip package e.g. travel insurance, flights, accommodation, etc,
- Local authority information, specialist directories, and Google searches.
- As you interact with our website, we may automatically collect Usage Data and Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
Where a third party has shared your personal data with us, we trust that they have informed you about the processing and sharing of your data.
Purpose/activity | Types of personal data | Lawful basis for processing including basis of legitimate interest | Additional condition for processing |
To arrange appropriate clothing on your behalf for trips or excursions | Contact Data | Legitimate Interest of providing all relevant services | N/A |
To arrange travel insurance on your behalf | Contact Data | Legitimate Interest of providing all relevant services | Consent |
To ensure that appropriate measures are taken to meet your health condition or disability | Contact Data | Legitimate Interest of providing all relevant services | Consent |
To ensure that your dietary requirements are made known to all relevant parties | Contact Data | Legitimate Interest of providing all relevant services | Consent Manifestly Public |
In the event of an emergency, to contact your next of kin | Contact Data | Legitimate Interest of providing all relevant services | Consent Manifestly Public |
To make travel, accommodation or other arrangements on your behalf | Contact Data | Legitimate Interest of providing all relevant services | Consent Manifestly Public |
If you are a user of one or more of our websites then please read this Section 5. IBT operates: ibt-travel.com and ibt-golf.com
- Direct interactions. You may give us your personal data yourself by for example, filling in our forms or by corresponding with us or by speaking with us in person.
- Indirect sources. As you interact with our website, we may automatically collect Usage Data and Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
Purpose/activity | Types of personal data | Lawful basis for processing including basis of legitimate interest | Additional condition for processing |
To respond to an enquiry made by you or your organisation | Contact Data | Legitimate Interest of responding to your enquiry | N/A |
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical Data | Legitimate Interest of using data analytics to improve our website, products/services, marketing, customer relationships and experiences | N/A |
In common with many other website operators, we may use standard technology called ‘cookies’ on our websites. Cookies are small text files that are placed on your devices. They are widely used to make websites and platforms work, or work more efficiently, as well as to provide information to the owner of platform.
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy
If our advertisers use cookies it will result from a click on their advertisement, and we do not have control over their cookies if used.
Our websites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our websites, we encourage you to read the privacy notice of every website you visit.
If you receive marketing communications or updates from us then please read this Section 6.
Our lawful basis differs depending on whether you are an individual consumer contact or a business contact. If you are an individual consumer contact:
- For e-mail and texts we will ask for your prior consent to send this form of marketing materials, unless we are relying on the “soft opt-in” exemption. This exemption applies when you already receive services/goods from us and we send you information on similar goods/ services. This is because it is necessary for our legitimate interests (to develop our products/ services and grow our business).
- For telephone and postal marketing it is necessary for our legitimate interests (to develop our products/services and grow our business).
If you are a business contact, for all methods of contact it is necessary for our legitimate interests (to develop our products/services and grow our business).
You can ask us to stop sending you marketing messages at any time by following any opt-out links on any marketing message sent to you or by contacting us at any time. Where you opt-out of receiving these marketing messages, this will not apply to personal data provided to us for other purposes.
- personal data means any information relating to you from which you can be identified. It does not include data where your identity has been removed (anonymous data).
- processing means taking any action with your personal data e.g. collection, destruction, organising and structuring, sharing, etc.
- controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of your personal data.
- supervisory authority
- appropriate technical and organisational measures have the meanings given to them in the EU & UK Data Protection Legislation.
- EU & UK Data Protection Legislation means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (EU GDPR) and (ii) the United Kingdom’s Data Protection Act 2018 and the GDPR as it forms part of the law of the United Kingdom (UK GDPR), including by virtue of Section 3 of the European Union (withdrawal) Act 2018, as any of the forgoing may be amended from time to time.
- Special Category Personal Data means personal data revealing your racial or ethnic origin; political opinions; religious or philosophical beliefs; or trade union membership; genetic data; biometric data; data related to your health or data concerning your sex life or sexual orientation.
We will only use your personal data when the law allows us to – this is referred to as a ‘lawful basis’. Most commonly, we will use your personal data in the following circumstances:
- Consent: you have given your consent for us to process your personal data for that purpose.
- Contract: the use of your personal data is necessary for the performance of a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
- Legal Obligation: the use of your personal data is necessary for us to comply with law.
- Vital Interests: the use of your personal data is necessary to protect your or someone else’s vital interests e.g. your or someone else’s life.
- Legitimate Interests: the use of your personal data is necessary for legitimate interests pursued by us or a third party. Before we rely on this legal basis we will balance your interests against the legitimate interests pursued by us. In particular, if you would not reasonably expect your personal data to be used in a certain way, or it would cause unwarranted harm, your interests are likely to override the legitimate interests. However, your interests do not always have to align with the legitimate interests.
In the specific sections we have provide more information about the types of lawful basis that we will rely on to process your personal data.
To process your Special Category Personal Data, as well as having a lawful basis, we need to be able to apply an ‘additional condition’ (which is almost like a second type of lawful basis). Most commonly, we will use your personal data in the following circumstances:
- Consent: you have given your explicit consent for us to process your personal data for that purpose.
- Vital Interests: the use of your personal data is necessary to protect your or someone else’s vital interests e.g. your or someone else’s life.
- Manifestly Public: relates to personal data which are manifestly made public by you.
- Legal Claims: necessary for the establishment, exercise or defence of legal claims.
- Substantial Public Interest: necessary for reasons of substantial public interest, on the basis of law.
In the specific sections we have provide more information about the types of additional condition that we will rely on to process your Special Category Personal Data.
We may collect, use, store and transfer different types of personal data about you which we have grouped together as outlined below. In the specific sections we have provided more information about the personal data that we collect about you depending on how you interact with us.
- Contact Data: personal, school or business contact details, such as address, email address, telephone number.
- Communications Data: records of correspondence and communications with you.
- Dietary Data: data related to any dietary requirements you have. This may disclose Special Category Personal Data about you e.g. health data (allergies or health requirements), religious or philosophical beliefs, ethnic origin data.
- Emergency Contact Data: the name, contact details of, and relationship with a next-of-kin contact who we will notify of emergency situations involving you (which may disclose Special Category Personal Data as this may reveal your sexual orientation depending on who your emergency contact is).
- Feedback Data: records and detail regarding any feedback or complaints you make.
- Financial Data: bank account and payment card details; and includes details about payments to and from you.
- Health Data: information about your health, for example details of disabilities or health conditions. This is Special Category Personal Data.
- Identity Data: first name, last name, maiden name, or similar identifier (such as your date of birth or photograph), title, date of birth, gender. This may disclose Special Category Personal Data.
- Measurement Data: your height, your weight and the size of clothing and footwear that you wear from time to time.
- Marketing and Communications Data: your preferences in receiving marketing from us and our third parties and your communication preferences.
- Official Data: copies of your official documents or any ID documents, such as your driving licence, passport, birth certificate, marriage certificate and any visa. This may disclose Special Category Personal Data.
- Organisation Data: data on the organisation that you work for or otherwise represent, for example: if relevant, the name of your school and your position within the school, or if relevant, your company or organisation name and nature of your business or organisation.
- Profile Data: we may build profiles on the types of trips and excursions that you may be interested in.
- Technical Data: internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our websites.
- Trip and Bookings Data: details of the trips, excursions and any additional services you may have enquired about; details of any previous, current and future booking(s) you may have made with us; details of the excursions and any additional activities you took part in during your trip; and records of any special requirements you have informed us of.
- Usage Data: details of your visits to any of our websites including, but not limited to, traffic data and other communication data whether this is required for our own billing purposes or otherwise and the resources that you access.