Orion Holidays Ltd understands that your privacy is important to you and that you care about how your personal data is used and shared online. We respect and value the privacy of everyone who visits this website, www.orionholidays.com (“Our Site”) and will only collect and use personal data in ways that are described here, and in a manner that is consistent with Our obligations and your rights under the law.
This Policy explains how your personal information will be treated; please read it carefully. By continuing to use Our Site you are agreeing to the terms detailed in this Policy.
- Information About Us and Contact Details
Our Site is owned and operated by Orion Holidays Ltd, a limited company registered in England under company number 03824156, whose registered address is The Gateway Centre Spine Road East, South Cerney, Cirencester, England, GL7 5TL.
Our VAT number is 685878261.
Our Data Protection Officer can be contacted by email at firstname.lastname@example.org, by telephone on 01285 861839, or by post at The Gateway Centre Spine Road East, South Cerney, Cirencester, England, GL7 5TL.
- What Does This Policy Cover?
- What are Your Rights?
As a data subject, you have the following rights under the GDPR, which this Policy and Our use of personal data have been designed to uphold:
The right to be informed about Our collection and use of personal data;
The right of access to the personal data We hold about you (see section 10);
The right to rectification of any personal data We hold about you if inaccurate or incomplete (please contact Us using the details in section 1);
The right to be forgotten – i.e. the right to ask Us to delete any personal data We hold about you;
The right to restrict (i.e. prevent) the processing of your personal data;
The right to data portability (obtaining a copy of your personal data to re-use with another service or organisation);
The right to object to Us using your personal data for particular purposes; and
Rights with respect to automated decision making and profiling.
For further information on each of those rights, including the circumstances in which they apply, please contact Our Data Protection Officer on email@example.com, by telephone on 01285 861839, or by post at The Gateway Centre Spine Road East, South Cerney, Cirencester, England, GL7 5TL or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights.
If you have any cause for complaint about Our use of your personal data, please contact Us using the details provided in section 1 and We will do Our best to solve the problem for you. If We are unable to help, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office. The Information Commissioner may be contacted at https://ico.org.uk/make-a-complaint or telephone: 0303 123 1113.
For further information about your rights, please contact the Information Commissioner’s Office or your local Citizens Advice Bureau.
- What Personal Data Do We Collect?
- contact information such as email addresses and telephone numbers;
- demographic information such as preferences and interests;
- IP address;
- web browser type and version;
- operating system;
- a list of URLs starting with a referring site, your activity on Our Site, and the site you exit to;
- services of interest;
- Device screen resolution;
- Geographic location (country only);
- Mouse events (movements, location, and clicks);
- Site engagement (pages viewed, time spent on a page, click through, search history)
- How Do We Use Your Data?
Under data protection law, We can only use your personal data if We have a proper reason, e.g.:
- where you have given consent;
- to comply with Our legal and regulatory obligations;
- to allow you to stay in one of our properties; or
- for Our legitimate interests or those of a third party.
A legitimate interest is when We have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance Our interests against your own.
All personal data is processed and stored securely, for no longer than is necessary in light of the reason(s) for which it was first collected.
Our use of your personal data will always be for a proper reason, such as when it is necessary for Our performance of a contract with you or to take steps at your request before entering into a contract with you, because you have consented to Our use of your personal data (e.g. by subscribing to emails), or because it is in Our legitimate interests or those of a third party such as to minimise fraud that could be damaging to you or Us. Specifically, We may use your personal data for the following purposes:
- Providing and managing your booking;
- Personalising and tailoring your experience on Our Site;
- Supplying Our services to you;
- Personalising and tailoring Our services for you;
- Replying to emails from you;
- Supplying you with emails that you have opted into (you may unsubscribe or opt out at any time by using the unsubscribe link provided at the bottom of Our subscribed-to email communications, or by contacting the Data Protection Officer whose details are provided in section 1);
- In conducting checks to identify Our customers and verify their identities;
- In ensuring that Our business policies are adhered to, such as to those concerning security and the internet, for Our legitimate interests or those of a third party, so that We can deliver an efficient service to you at the best price;
- In ensuring confidentiality of commercially sensitive information to protect trade secrets in Our legitimate interest or those of a third party;
- For operational reasons such as quality control or training, in Our legitimate interest or that of a third party, so that the service and price we offer to you are continually optimised;
- In order to comply with any legal or regulatory obligations that We may have, such as making statutory returns;
- For Our legitimate interest of keeping in touch with you to make you aware of existing orders or new products or services;
- In order to allow external audits in Our legitimate interests or those of a third party so that We operate at the highest standards and comply with any legal and regulatory obligations;
- In the analysis used to manage Our business in furtherance of Our legitimate interests or those of a third party, in order to gather your feedback to deliver the best service to you at the best price, continually improving Our Site and your user experience;
- For marketing purposes in Our legitimate interests and those of third parties who have previously expressed an interest in Our service, in order to promote Our business to existing and former customers;
With your permission and/or where permitted by law, We may also use your personal data for marketing purposes which may include contacting you by email and/or telephone and/or post with information, news and offers on Our services. We will not, however, send you any unsolicited marketing or spam.
You have the right to withdraw your consent to Us using your personal data at any time, and to request that We delete it.
- Who we share your personal data with
We routinely share personal data with:
- SharpSpring Incorporated (SharpSpring) who provide a suite of marketing automation services related to various forms of marketing and customer interaction, email marketing, storage capabilities and lead analytics. All sensitive data shared between Orion Holidays Ltd and SharpSpring is transferred using Transport Layer Security (TLS) protocols with up-to-date ciphers utilising 256-bit RSA encryption keys. Credentials are stored in an encrypted on-disk format to prevent the data from being compromised in the event that a data theft or breach incident occurs.
- SharpSpring works with other third parties (subprocessors) to provide specific functions or features of their service. SharpSpring performs due diligence on the information security practices and data protection processes of all subprocessors and requires each to commit to written obligations regarding their security controls and safekeeping of personal data.
- third parties We use to help deliver Our products and/or services to you, e.g. payment service providers, warehouses and delivery companies;
- other third parties We use to help Us run Our business;
- third parties approved by you; and
- Our insurers and brokers.
We only allow Our service providers to handle your personal data if We are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on service providers to ensure they can only use your personal data to provide services to Us and to you.
- How long do we retain your personal data?
We do not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Personal Data will therefore be retained for the following periods (or its retention will be determined on the following bases):
For the period We provide services to you and manage your booking unless required for other legal obligations;
For the period analytics is tracked on Our Site;
SharpSpring retains personal data for as long as they have a justifiable business need to fulfil their contractual obligations to Orion Holidays Ltd. When they have no such justifiable reason to retain personal data they will either delete or anonymise it. SharpSpring takes full backups of customer data daily; these are retained for 7 days. SharpSpring replicates these backups to an off-site location in compliance with its own disaster recovery policy.
- Keeping your personal data secure
We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
- How and where do we store your personal data?
We only keep your personal data for as long as We need to in order to use it as described above in section 6, and/or for as long as We have your permission to keep it.
Your personal data will be stored in the UK and in the United States of America with SharpSpring.
Data security is very important to Us, and to protect your personal data We have taken suitable measures to safeguard and secure personal data collected through Our Site.
Steps We take to secure and protect your personal data include:
Personal Data is stored on a secured CRM system which can only be accessed by Our Team (please see definition of Team at the end of this policy);
Personal Data used to facilitate the use of Our marketing automation software is stored on SharpSpring which can only be accessed by Our Team. How SharpSpring handles the data We share with them is detailed in sections 6 and 7 of this policy.
Data collected by Analytics is stored directly on Analytics and anonymised. Our Analytics account can only be accessed by Our Team, and the login details for it are stored on LastPass.
- Transferring your personal data out of the UK and EEA
To deliver services to you, it may sometimes be necessary for Us to share your personal data outside the UK/EEA, e.g.:
with your and Our service providers, such as SharpSpring, located outside the UK/EEA;
if you are based outside the UK/EEA;
Under data protection law, We can only transfer your personal data to a country or international organisation outside the UK/EEA where:
the UK government or, where the EU GDPR applies, the European Commission has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);
there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or
a specific exception applies under data protection law;
These are explained below.
- Adequacy decision
We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include:
all European Union countries, plus Iceland, Liechtenstein and Norway (collectively known as the ‘EEA’);
Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.
Other countries or international organisations We are likely to transfer personal data to do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but We must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception, as explained below.
- Transfers with appropriate safeguards
Where there is no adequacy decision, We may transfer your personal data to another country or international organisation if We are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects.
The safeguards will usually include using legally-approved standard data protection contract clauses.
To obtain a copy of the standard data protection contract clauses and further information about relevant safeguards, please contact us (see ‘How to contact us’ below).
- Transfers under an exception
In the absence of an adequacy decision or appropriate safeguards, We may transfer personal data to a third country or international organisation where an exception applies under relevant data protection law, e.g.:
you have explicitly consented to the proposed transfer after having been informed of the possible risks;
the transfer is necessary for the performance of a contract between Us or to take pre-contract measures at your request;
the transfer is necessary for a contract in your interests, between Us and another person; or
the transfer is necessary to establish, exercise or defend legal claims.
We may also transfer information for the purpose of Our compelling legitimate interests, so long as those interests are not overridden by your interests, rights and freedoms. Specific conditions apply to such transfers and We will provide relevant information if and when We seek to transfer your personal data on this ground.
- Further information
If you would like further information about data transferred outside the UK/EEA, please contact Us or Our Data Protection Officer.
- Do We Share Your Personal Data?
We may share your personal data with other companies in Our group for the purposes of responding to emails, handling enquiries, and delivery of services.
- Where your personal data is held
Personal data may be held at Our offices and those of Our group companies, third party agencies, service providers, representatives and agents as described above (see above: ‘Who we share your personal data with’).
Some of these third parties may be based outside the UK/EEA. For more information, including on how We safeguard your personal data when this happens, see below: ‘Transferring your personal data out of the UK and EEA’.
We may sometimes contract with third parties to supply services to you on Our behalf. These may include payment processing, delivery of goods, search engine facilities, advertising, and marketing. In some cases, the third parties may require access to some or all of your personal data. Where any of your personal data is required for such a purpose, We will take all reasonable steps to ensure that your personal data will be handled safely, securely, and in accordance with your rights, Our obligations, and the obligations of the third party under the law.
We may compile statistics about the use of Our Site including data on traffic, usage patterns, user numbers, sales, and other information. All such data will be anonymised and will not include any personally identifying data, or any anonymised data that can be combined with other data and used to identify you.
In certain circumstances, We may be legally required to share certain data held by Us, which may include your personal data, for example, where We are involved in legal proceedings, where We are complying with legal requirements, a court order, or a governmental authority.
We will not share or sell your personal data with anyone other than in the circumstances detailed in the points above.
- How Can You Control Your Personal Data?
In addition to your rights under the GDPR, set out in section 3, when you submit personal data via Our Site, you may be given options to restrict Our use of your data. In particular, We aim to give you strong controls on Our use of your data for direct marketing purposes (including the ability to opt-out of receiving emails from Us which you may do by unsubscribing using the links provided in Our emails and at the point of providing your details).
You may also wish to sign up to one or more of the preference services operating in the UK: The Telephone Preference Service (“the TPS”), the Corporate Telephone Preference Service (“the CTPS”), and the Mailing Preference Service (“the MPS”). These may help to prevent you receiving unsolicited marketing. Please note, however, that these services will not prevent you from receiving marketing communications that you have consented to receive.
- Your Right to Withhold Information
You may access certain areas of Our Site without providing any data at all, with the exception of Analytics. However, to use all features and functions available on Our Site you may be required to submit or allow for the collection of certain data.
- How Can You Access Your Data?
You have the right to ask for a copy of any of your personal data held by Us (where such data is held). Under the Data Protection Act 1998, or under the GDPR, no fee is payable and We will provide any and all information in response to your request free of charge within 30 days. Please contact Us using the details in section 1.
- Definitions and Interpretation
In this Policy the following terms shall have the following meanings:
|“Team”||means anyone who is employed by Orion Holidays Ltd on a full-time, part-time, or contractual basis;|
|“Cookie”||means a small text file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site. Details of the Cookies used by Our Site are set out in section 12, below;|
|“Cookie Law”||means the relevant parts of the Privacy and Electronic Communications (EC Directive) Regulations 2003;|
|“personal data”||means any and all data that relates to an identifiable person who can be directly or indirectly identified from that data. In this case, it means personal data that you give to Us via Our Site. This definition shall, where applicable, incorporate the definitions provided in the Data Protection Act 1998 or EU Regulation 2016/679 – the General Data Protection Regulation (“GDPR”); and|
|“We/Us/Our”||means Orion Holidays Ltd.|