PRIVACY AND COOKIES POLICY

1. Who We Are

Alight Travel Ltd (“Alight Travel”, “we”, “us”, “our”) is a private travel management company registered in England and Wales (Company No. 17094672), with its registered office at 11 Old Bond Street, Mayfair, London, W1S 4PN.

Alight Travel is the data controller for the personal data described in this policy. Any questions about this policy or the personal data we hold about you should be directed to info@alighttravel.com.

2. Scope of This Policy

This policy explains how we collect, use, store, and protect personal data when you engage with us as a client, prospective client, supplier, or visitor to our website at alighttravel.com or any associated sub-domains. It also describes our use of cookies and similar tracking technologies.

By engaging with Alight Travel, you confirm that you have read and understood this policy and the practices described within it.

3. Personal Data We Collect

Depending on the nature of your engagement with Alight Travel, we may collect the following categories of personal data:

• Identity data, including full name, title, date of birth, nationality, and passport details where required for travel.
• Contact data, including postal address, email address, and telephone numbers.
• Booking data, including travel preferences, itineraries, dietary requirements, accessibility needs, and any guest details provided by the client.
• Financial data, including billing details and bank transfer references. Card data, where card payment is offered, is processed by a regulated third-party payment processor and is not stored by Alight Travel.
• Communications data, including emails, messages, and call notes relating to your engagement with us.
• Technical data, including IP address, browser type, and pages visited on our website.

We may also process special category data, such as health information, where it is necessary for the safe delivery of a service. We process such data only with your explicit consent or where another lawful basis applies.

4. How We Collect Personal Data

We collect personal data directly from you when you contact us, request a quotation, confirm a booking, or otherwise engage with our services. We may also receive personal data from operators and third-party suppliers in connection with delivering services on your behalf, and from publicly available sources where relevant to a client engagement.

5. Lawful Basis for Processing

We process personal data on the following lawful bases under UK GDPR:

• Contract: where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract.
• Legitimate interests: where processing is necessary for our legitimate business interests, such as managing client relationships, providing high-quality service, and protecting the security of our operations, balanced against your rights and freedoms.
• Legal obligation: where processing is necessary to comply with a legal or regulatory obligation.
• Consent: where you have given clear consent to a specific processing activity, such as receiving marketing communications or processing of special category data.

6. Third-Party Processors

We share personal data with third parties only where necessary to deliver services or to operate our business. The categories of third party we may share data with include:

• Operators and suppliers, including aircraft operators, chauffeur companies, hotels, venues, security providers, and other service partners.
• Regulated third-party payment processors, where card payment is offered. The specific processor in use will be confirmed at the time of invoice.
• Our accredited host agency partner, where required to fulfil a booking under a regulated travel arrangement (including but not limited to ATOL-protected, Travel Trust Association protected, and IATA-ticketed bookings). The partner acts as a separate data controller in respect of the data we share for the purposes of issuing the relevant protection certificates and operating the applicable bonding. The partner applies its own privacy policy.
• Professional advisors, including accountants, legal counsel, and IT service providers, where engaged in the course of operating our business.
• Hosting and communications platforms, including our website hosting provider and messaging platforms used to communicate with clients.

All third parties are required to handle personal data securely and in accordance with applicable data protection law.

7. International Transfers

Some of our operators and suppliers operate outside the United Kingdom. Where personal data is transferred to a country that has not been the subject of a UK adequacy decision, we put in place appropriate safeguards in line with UK GDPR requirements, including the use of the International Data Transfer Agreement or equivalent contractual mechanisms.

8. Your Rights

Subject to the conditions set out in UK GDPR, you have the following rights in relation to your personal data:

• The right to be informed about how we use your personal data.
• The right of access to a copy of the personal data we hold about you.
• The right to rectification of inaccurate or incomplete personal data.
• The right to erasure of personal data in certain circumstances.
• The right to restrict processing in certain circumstances.
• The right to data portability in certain circumstances.
• The right to object to processing based on legitimate interests.
• The right to withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, please contact info@alighttravel.com. We will respond within one month of receipt of a valid request, save where the request is complex or numerous, in which case we may extend the response period by up to two further months.

9. Retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including any legal, accounting, or reporting requirements. Booking and financial records are typically retained for a minimum of seven years to comply with UK tax and accounting law. Other categories of data are retained only for as long as the relevant purpose requires.

10. Security

We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure. Measures include access controls, secure communications, and the use of reputable hosting and platform providers. While no system can be guaranteed completely secure, we work to ensure that personal data is protected to a standard appropriate to the sensitivity of the information.

11. Cookies and Similar Technologies

Our website uses cookies and similar technologies to operate, secure, and improve the user experience. This section sets out what cookies are, the categories we use, the specific cookies in operation, and how you can manage them.

11.1 What Are Cookies

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work, improve performance, remember preferences, and provide information to website owners about how their site is used. Similar technologies include pixels, local storage, and session storage, all of which are covered by this policy.

11.2 Categories of Cookies We Use

We use the following categories of cookies on alighttravel.com:

• Strictly necessary cookies: required for the website to function, including loading pages, securing forms, and managing session state. These cannot be disabled.
• Performance and analytics cookies: used to understand how visitors interact with our website, including pages visited, time on page, and referral source. We use these to improve the site over time.
• Functionality cookies: used to remember preferences such as language or region so that returning visits feel consistent.
• Third-party cookies: set by services embedded on our website. Currently, our site uses Squarespace, our hosting platform, and a WhatsApp messaging widget. If we integrate further third-party services such as social media, video, or analytics providers, we will update this policy accordingly.

We do not use advertising or marketing cookies on alighttravel.com. We do not sell or share cookie data with third-party advertisers.

11.3 Specific Cookies in Use

Our website is built on Squarespace, which sets a small number of cookies necessary for the platform to operate, including session cookies, security cookies, and a tracking cookie used by Squarespace’s own analytics. Full details are published by Squarespace at squarespace.com/cookie-policy and are incorporated by reference into this policy.

Where we add further integrations, such as embedded video, contact forms, or analytics tools, the cookies set by those providers will be governed by their own privacy and cookie policies.

11.4 Managing Cookies

Strictly necessary cookies are used by default. Non-essential cookies are set only where you allow them through your browser settings or, where applicable, through the consent options presented on the site.

Most browsers allow you to control cookies through their settings. You can typically choose to block all cookies, accept only first-party cookies, or be notified when a cookie is set. Disabling cookies may affect the functionality of our website, including form submission and session continuity.

Guidance on managing cookies in major browsers is available at:

• Safari: apple.com/legal/privacy
• Google Chrome: support.google.com/chrome
• Mozilla Firefox: support.mozilla.org
• Microsoft Edge: support.microsoft.com

You may also opt out of certain analytics tracking by visiting the relevant provider’s opt-out page.

11.5 Do Not Track

Some browsers offer a “Do Not Track” signal. There is no universally accepted standard for how websites should respond to such signals, and our website does not currently respond differently when this signal is present. We will update this policy if our approach changes.

12. Children

Our services are not directed at children, and we do not knowingly collect personal data directly from children. Where children are included as guests on a booking arranged by an adult client, the relevant data is provided to us by the adult client and processed only for the purposes of delivering the booking. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy and Cookies Policy from time to time to reflect changes in our practices, technology, or applicable law. The current version will always be available at alighttravel.com. Where changes are material, we will notify affected clients directly where reasonably practicable. Your continued engagement with Alight Travel following any update constitutes acceptance of the revised policy.

14. Complaints

If you have any concerns about how we handle your personal data, please contact us in the first instance at info@alighttravel.com. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection, at ico.org.uk.