Privacy Policy.

Last updated: 25 October 2025

Controller: Hollyhock Travel Services Ltd., t/a HTS Travel - Company no.  09607905
. 
Registered office: 167 - 169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom. 

Data Protection Contact: privacy@htstravel.co.uk

1. Introduction and scope

HTS Travel provides luxury, tailor-made travel services worldwide. We respect your privacy and are committed to protecting your personal data. This Policy explains how we collect, use, disclose, transfer and retain personal data when you interact with us - for example, when you visit our website, contact us, request a quotation, or book travel services (including FIT and group bookings).
This Policy applies to data processed by HTS Travel as data controller. Where HTS acts as agent for a third party or processes data on behalf of another controller, different arrangements may apply and you will be notified.

2. Principles we follow

We process personal data lawfully, fairly and transparently. Data processing is limited to what is necessary, accurate, securely stored and retained only for the period required. We apply heightened confidentiality and security appropriate to our clientele and the bespoke nature of our services.

3. What personal data we collect (categories)

We collect information you give us and information we gather automatically. Categories include:

Identity and contact data

  • Full name, title, preferred name, date of birth, nationality, gender, contact addresses, phone numbers, email addresses.

Booking and travel data

  • Travel dates, itineraries, accommodation choices, rooming arrangements, travel companions, passport and visa information (copies as required), special requests, dietary and accessibility requirements, flight and transport booking references, loyalty programme numbers.

Financial and transactional data

  • Payment card details (processed by our payment providers), billing and invoicing data, refunds, booking deposits and balances, transaction history.

Health and special categories (sensitive)

  • Medical conditions, mobility needs, allergies, medication requirements - collected only where essential to provide safe and lawful travel services and always with your explicit consent.

Technical and usage data

  • IP address, device/browser details, cookies and tracking data, pages visited, time spent on site, form submissions.

Communications and marketing

  • Preferences for contact, marketing consents, communications history, feedback.

Third-party data

  • Data provided by partners, agents, event organisers, or referral partners about you (e.g., group lead supplying participant names).

4. Lawful bases for processing

We rely on one or more lawful bases under UK GDPR to process personal data. Typical lawful bases we use include:
  • Contract performance - to perform pre-contractual measures and our contractual obligations (e.g., to make bookings, process payments, issue tickets, meet dietary/medical requirements).
  • Legal compliance - to comply with statutory duties (e.g., tax, anti-money-laundering checks, immigration or health regulations).
  • Legitimate interests - where processing is necessary for our business interests that are not overridden by your rights (e.g., fraud prevention, direct service improvements, complaints handling, confidentiality of bookings). We carry out legitimate interest assessments.
  • Consent - where required (e.g., marketing emails, processing special category data where explicit consent is required). You may withdraw consent at any time.
We will notify you of the applicable lawful basis for specific processing activities at or before the point we collect your personal data.

5. Purposes of processing - what we use data for

We process personal data to:
  • Create, confirm and manage bookings and itineraries (including issuing tickets, vouchers and travel documents).
  • Communicate service information, changes, disruptions and emergency contact responses.
  • Arrange supplier services (hotels, transfers, guides, excursions), including sharing necessary traveller data with suppliers to fulfil the booking.
  • Process payments, refunds and manage financial records and accounting.
  • Manage group bookings and participant coordination (rooming lists, passenger manifests, dietary/health requirements).
  • Conduct checks required by suppliers, authorities or insurance (e.g., passport validity, visas, vaccination checks).
  • Provide personalised, concierge and VIP services (where requested), including preferences management.
  • Manage marketing and customer relationship activities (with consent where applicable).
  • Conduct quality assurance, training, service improvement and internal analytics.
  • Handle complaints, claims, legal proceedings and enforce our Terms & Conditions.
  • Detect and prevent fraud, cyber incidents and other unlawful activity.

6. Special categories of data (sensitive data)

We process health / medical and special category data only when necessary to perform or facilitate travel services (safety, accessibility, medical support) — and only where you have provided explicit consent or where processing is necessary for reasons of substantial public interest or to protect your vital interests. We apply strict safeguards to such data: limited access, encryption, and defined retention.

7. Sharing personal data - who we disclose to

To deliver bespoke travel services we routinely share necessary personal data on a need-to-know basis with:
  •  Suppliers and service providers: hotels, carriers, local tour operators, guides, event organisers, ground transport, excursion providers.
  • Regulatory and public authorities: immigration, customs, public health authorities and law enforcement where required by law.
  • Financial and payment processors: banks, card processors, invoicing and accounting providers.
  • Partner organisations: ATOL/ABTA licensed partners, referral partners, corporate bookers - only where relevant and with appropriate safeguards.
  • Professional advisors: legal counsel, tax or compliance advisors, insurers in relation to claims.
  • Technology providers: CRM, booking platforms, cloud hosting and IT support, analytics and email platforms (processors acting under written agreements).
Where we share personal data, we limit data to what is necessary and require all recipients to meet data protection obligations and confidentiality standards. If a partner acts as independent controller (e.g., ATOL partner issuing flight tickets), you may receive separate privacy information from them.

8. International transfers

Our suppliers and processors may be located outside the UK/EEA. When we transfer personal data internationally we will ensure adequate protections, e.g.:
  • Transfers to countries with adequacy decisions, or
  • Standard Contractual Clauses (SCCs) adopted for transfers, or
  • Other appropriate safeguards (e.g., Binding Corporate Rules where applicable).
We will inform you if specific processing requires transfer to jurisdictions without adequacy and the safeguards in place.

9. Data processors and sub-processors

Where service providers process data on our behalf, they act as processors under contract. These contracts require processors to implement appropriate technical and organisational measures, restrict their scope of processing and limit onward transfers. A list of our principal processors is available on request.

10. Security measures

  • We implement proportionate technical and organisational measures, including:
  • Access controls and role-based permissions.
  • Encryption of data in transit and, where appropriate, at rest.
  • Secure hosting and regular security testing/patching.
  • Staff training and confidentiality obligations.
  • Incident response and breach notification procedures.
We review measures regularly to reflect changes in risk and technology.

11. Retention policy (principled schedule)

We retain personal data only for as long as necessary for the purpose collected, or to meet legal obligations. Indicative retention periods (please confirm with advisors and local rules):
  • Booking records, invoices and payments: 7 years (tax and accounting).
  • Bookings and itinerary records: 7 years after travel completion (to handle complaints/claims).
  • Passport copies and visa records: 1 year after travel completion unless longer retention is required by suppliers/authorities.
  • Medical / special category data: retained for as long as necessary to provide safe services; typically 1–3 years post travel, unless required longer for legal claims.
  • Marketing consent records: until consent withdrawn + 2 years for audit.
  • Website logs and analytics: 6–24 months depending on data type.
  • Job applications / recruitment records: 6–12 months unless longer retention is permitted/required.
Exact retention periods will be documented and reviewed; special categories are retained only as needed and with strict access control.

12. Your rights

Under UK GDPR you have rights subject to legal limitations and exemptions:
  • Right of access - obtain a copy of your personal data we hold.
  • Right to rectification - correction of inaccurate data.
  • Right to erasure (right to be forgotten) - where legal grounds permit.
  • Right to restriction - to limit processing in certain circumstances.
  • Right to data portability - receive certain data in structured, machine-readable format.
  • Right to object - object to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent - where processing is based on consent.
To exercise your rights, contact: privacy@htstravel.co.uk. We aim to respond within one month (extended if necessary for complex requests). We will verify identity before responding.

13. Marketing and direct communications

We will only send marketing emails where you have given consent or where we have a legitimate interest and you have not opted out. Marketing emails include offers, news and invitations. You can unsubscribe at any time via a link in every email or by contacting privacy@htstravel.co.uk

14. Cookies and online tracking

Our website uses cookies and trackers for essential functions, analytics and marketing. We provide a cookie banner and settings to manage preferences. For details of cookies used, see our Cookie Notice. You may disable non-essential cookies but some site features may be affected.

15. Children and vulnerable persons

Our services are intended for adults. We do not knowingly collect data from children under 16 without parental consent. If you are booking for minors, the booking lead must be an adult and provide necessary consents. If you believe we have unlawfully collected data about a child, contact us and we will take remedial steps.

16. Data breaches and notifications

We maintain an incident response plan. In the event of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, we will promptly notify the Information Commissioner’s Office - ICO and affected individuals as required by law and take steps to mitigate harm.

17. Data Protection Impact Assessments (DPIAs)

We carry out DPIAs for higher-risk processing activities (e.g., large group data handling, processing sensitive health data for complex itineraries). Our DPIA process identifies risks and mitigation before projects commence.

 18. Group bookings, corporate clients and referrals (specific practices)

Because a significant part of our business involves group bookings and partner referrals, we set out some specific practices:
  • Lead client responsibility: where a lead organiser provides participant data, the lead confirms they have authority to share personal data with us and have obtained required consents where necessary.
  • Participant notification: we will communicate directly with participants where appropriate (e.g., changes to itinerary, emergency contact), and participants have the rights set out in this Policy.
  • Partner referrals and commissions: partner introductions may result in commission arrangements. We share only necessary data with partners and notify you where sharing is for referral/commercial purposes.
  • Confidential / VIP clients: we provide enhanced discretion options (e.g., limited publishing of names, private invoicing instructions). Notify us at booking if confidentiality measures are required.

19. International travel and border requirements

Some jurisdictions require carriers and hotels to hold passenger/passport information. We will share such data with suppliers and authorities where required for legal compliance and safe travel. We will advise you of this at booking.

20. Third-party links and controllers

Our website may link to third-party sites (e.g., partner promotion pages). We are not responsible for their privacy practices. When another organisation acts as an independent controller for processing (e.g., ATOL partner issuing flight tickets), you should read their privacy terms.

21. Complaints

If you have concerns about our processing, please raise them with privacy@htstravel.co.uk

22. Changes to this Policy

We will update this Policy as required. The “Last updated” date will indicate the current version. Where changes are material, we will notify active clients directly.

23. Contact information

For questions, to exercise rights, or to request processors list or retention details, contact:
Data Privacy & Compliance - privacy@htstravel.co.uk.