Privacy Policy
This Privacy Policy explains how The Global Travel Organisation uses and discloses personal information about you when you visit our website or use our services. We are committed to protecting your privacy and complying with applicable data protection laws.
INFORMATION WE COLLECT
We collect personal information to make your experience as smooth and rewarding as possible. The information we may collect includes, but is not limited to, your name, email address, and mobile number.
USE OF PERSONAL INFORMATION
We use your personal information for the purposes you provided it, such as fulfilling bookings, answering inquiries, and improving our services.
Additionally, we may use your data to:
- Notify you of important updates or changes to our services or terms
- Provide you with marketing communications, where you have consented to receive such information.
If we intend to use your personal information for purposes other than those for which it was originally collected, we will seek your explicit consent before proceeding.
You have the right to withdraw your consent at any time, and you can do this by contacting us via the GTO Mobile App.
DISCLOSURE OF PERSONAL INFORMATION
- We use your personal information to be able to book on your behalf.
We will only disclose personal information when it is necessary for the performance of the service.
NO SALE OF PERSONAL INFORMATION
We do not sell, rent, or share your personal information for monetary gain.
SECURITY OF PERSONAL INFORMATION
We take the protection of your personal data seriously and implement appropriate technical and organisational measures to safeguard your information from unauthorised access, loss, or disclosure. Our website uses (such as SSL) to ensure secure transmission of sensitive data.
DATA RETENTION
We will only retain your personal data for as long as necessary to fulfil the purposes outlined in this Privacy Policy. If we no longer require your information, we will securely delete it.
CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time, and any changes will be posted on this page. Please check this Privacy Policy regularly to stay informed about how we are protecting your personal information.
Data Privacy Policy Standards & Guidelines
1. Introduction
- Global Travel Organisation is committed to protecting and respecting your privacy.
- This Data Privacy Policy outlines how we collect, use, store, and protect personal data.
- This policy applies to all personal data we collect, process, and store, and provides guidelines for handling and securing this information. It is designed to ensure that we handle personal data fairly, lawfully, and transparently.
2. Data Protection Principles
We are committed to ensuring that personal data is:
- Processed lawfully, fairly, and transparently.
- Collected for specified, legitimate purposes and not processed in ways that are incompatible with those purposes.
- Processed in a manner that ensures appropriate security of personal data.
3. What Personal Data We Collect
We may collect and process the following types of personal data:
- Contact details: Name, email address and mobile number.
- Marketing data: Preferences and feedback from interactions with our website, newsletters, or other communications.
4. Purpose of Data Processing
We process personal data for the following purposes:
• To fulfil bookings on our customers’ behalf.
• To communicate with customers about bookings, updates, and promotions.
5. Legal Basis for Processing
We are required to ensure that we have a legal basis for processing personal data.
The legal bases we rely on include:
• Consent: Obtained for specific purposes (e.g., marketing communications).
• Contractual necessity: To fulfil our contractual obligations (e.g., processing
bookings).
6. Data Sharing and Disclosure
We may share personal data with service providers in the following circumstances:
• Service Providers: entities that we book with, such as hotels, airlines, etc. Only the required information is shared, such as the name, last name and, in some cases, the nationality; no further information is shared.
7. Data Retention
We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including reservations, internal accounting, or internal reporting requirements. Personal data will be securely deleted once it is no longer needed.
8. Security of Personal Data
We employ a range of security measures to protect your personal data, including:
• Access controls and authentication procedures.
• Staff training on data privacy and security.
9. Data Protection Programme and Training
We have implemented a Data Protection Programme to ensure ongoing
compliance with the laws. This includes:
• Data mapping: Identifying what personal data we collect and how it is used.
• Privacy by design: Embedding data protection principles into our
operational processes and systems.
• Staff training: Providing regular training on data privacy and security best
practices for all employees.
12. Compliance and Monitoring
We conduct periodic audits and reviews of our data protection practices to ensure compliance with the laws.
Type of Information Collected & How We Process It
1. Purpose
This document outlines the types of information we collect from
you and how we process it.
2. Types of Information We Collect:
We may collect the following information:
- First Name
- Last Name
- Email Address
- Mobile Number
3. Purpose of Collecting This Data:
We collect and process this information for the following
purposes:
- To create and manage your membership.
- To activate and personalise your mobile app.
- To facilitate bookings on your behalf.
- To share promotions, updates, and new benefits added to your membership.
4. How we process the data:
| Processing Activity | Description of Data | Purpose of Processing | Retention Period |
| --- | --- | --- | --- |
| Customer Registration | Name, email address, mobile number | To create and manage customer accounts, provide services, and communicate with customers | Retained while the membership is valid; all information is deleted once the membership expires and/or all reservations are used and no further reservations are pending |
| Reservations Processing | Name, email address, nationality, reservation details and history | To process the reservations | Retained while the membership is valid; all information is deleted once the membership expires and/or all reservations are used and no further reservations are pending |
| Customer Support | Name, email address, mobile number, support query details | To respond to customer inquiries and help | Retained while the membership is valid; all information is deleted once the membership expires and/or all reservations are used and no further queries or bookings related to this query are pending |
| Marketing Communications | Name, email address, mobile number | To send promotional communication, newsletters, product updates, promotions and offers | Retained while the membership is valid; all information is deleted once the membership expires and/or all reservations are used and no further reservations are pending |
5. Secure Destruction of Data:
a. Once the membership expires and there are no further bookings pending, all personal and relevant data will be securely deleted from our system in accordance with our data retention and security policies.
Privacy Incident and Data Breach Response Program
1. Definitions
- Privacy Incident: Any occurrence or event that may potentially affect the privacy of personal data, including unauthorised access, loss, destruction, alteration, or disclosure of data.
- Data Breach: A data breach is a specific type of privacy incident that involves the unauthorised access to, disclosure, loss, or destruction of personal data. Data breaches typically involve a risk to the rights and freedoms of data subjects.
2. Incident Detection and Reporting
2.1. Detection of Privacy Incidents
Privacy incidents may be detected through various methods,
including:
- Regular monitoring and audits of systems, networks, and data.
- Reports from employees.
- Alerts from security systems or breach detection software.
- Monitoring of suspicious activity or access attempts.
2.2. Incident Reporting Process
Any employee who detects or suspects a privacy incident or data
breach must immediately report it to the designated Incident Response
Team. Reports should be submitted via:
- Phone
3. Problem Detection
Response Plan Activation
Once we detect any suspicious activity, it is reported to the designated team, which conducts an initial assessment of the incident immediately after detection. The response team then develops an action plan to contain and investigate the breach.
4. Incident Investigation and Containment
4.1. Initial Assessment
Upon notification of an incident, we will assess the nature and
scope of the breach, including:
- What data was involved?
- How did the breach occur?
- Who may be affected?
This assessment will determine whether the incident is classified as a data breach and requires further investigation.
4.2. Containment and Remediation Measures
To prevent further damage or spread of the breach, the team will
immediately implement containment measures, including:
- Isolating affected systems or networks.
- Changing passwords or access credentials for compromised accounts.
- Disconnecting devices or servers from the network.
- Applying additional security measures, such as firewalls, if necessary.
4.3. Mitigation
We will implement measures to mitigate the effects of the breach,
including restoring data from secure backups (if applicable) and
securing any exposed personal data.
5. Risk Assessment
5.1. Assessing the Impact of the Breach
Following containment, we will conduct a comprehensive risk
assessment to determine:
- The nature of the personal data involved (e.g., sensitive data such as financial information, health data, or personal identifiers).
- The potential harm or risks to affected individuals.
- Whether the breach is likely to result in a risk to the rights and freedoms of the affected individuals.
5.2. Severity Rating
Each incident will be assigned a severity rating (low, medium, or
high) based on the assessment of the potential risks involved. This
rating will guide the urgency and scale of the response actions,
including notifications to regulators and individuals.
6. Notification
6.1. Notification to Data Subjects
If a data breach results in high risk to individuals, we will
notify affected data subjects as soon as possible. The notification will
include:
- A description of the breach, including its nature and scope.
- The likely consequences of the breach for individuals.
- Measures taken to address the breach, including any mitigation steps.
7. Post-Incident Review
7.1. Incident Documentation
All details of the privacy incident, including the investigation,
response actions, communications, and final resolution, will be
documented thoroughly by our team.
7.2. Root Cause Analysis
Following the resolution of the incident, a root cause analysis
will be conducted to determine how the breach occurred and whether any
preventive measures or improvements to systems, processes, or security
controls are needed.
7.3. Corrective Actions
Based on the findings from the post-incident review, corrective
actions will be implemented to prevent future incidents, which may
include:
- Updating security protocols or software.
- Conducting additional employee training on data protection.
8.2. Policy and Process Updates
This Privacy Incident and Data Breach Response Program will be
reviewed and updated periodically to ensure it remains in compliance
with evolving standards and industry best practices.
Recording and destruction of data process
1. Information needed for processing bookings for customers:
- Personal Information: First & Last Name
- Contact Information: Email & Mobile Number
- Purpose of Processing: Customer relationship management, processing bookings and reservations, marketing communications, and customer support.
2. Description of the Processing Activities
| Processing Activity | Description of Data | Purpose of Processing | Retention Period |
| --- | --- | --- | --- |
| Customer Registration | Name, email address, mobile number | To create and manage customer accounts, provide services, and communicate with customers | Retained while the membership is valid; all information is deleted once the membership expires and/or all reservations are used and no further reservations are pending |
| Reservations Processing | Name, email address, nationality, reservation details and history | To process the reservations | Retained while the membership is valid; all information is deleted once the membership expires and/or all reservations are used and no further reservations are pending |
| Customer Support | Name, email address, mobile number, support query details | To respond to customer inquiries and help | Retained while the membership is valid; all information is deleted once the membership expires and/or all reservations are used and no further queries or bookings related to this query are pending |
| Marketing Communications | Name, email address, mobile number | To send promotional communication, newsletters, product updates, promotions and offers | Retained while the membership is valid; all information is deleted once the membership expires and/or all reservations are used and no further reservations are pending |
4. Data Subject Rights
Customers can exercise the following rights related to their personal data:
- Right of Access: Customers can request a copy of the personal data we hold about them.
- Right to Rectification: Customers can request corrections to any inaccurate or incomplete data.
Note that we do not keep any information; we ask for it only when processing bookings, and each time the customer books we ask for the data to be added to the booking.
5. Security Measures
We implement technical and organisational measures to ensure the security of personal data:
- Access Control: Only authorised personnel can access personal data.
8. Data Retention and Deletion
Personal data will be deleted after the applicable retention periods.
We are committed to regularly reviewing our data retention policies to ensure that personal data is not kept longer than necessary and is securely deleted once it is no longer required.
9. Updates to the Record of Processing Activities
This Record of Processing data will be reviewed periodically and updated as necessary to reflect any changes in data processing activities, legal requirements, or organisational practices.
Data Processing by Design and by Default Policy
1. Purpose
The purpose of this Data Processing by Design and by Default Policy is to establish the principles and practices of GTO in ensuring that data processing activities are aligned with the privacy principles of data protection by design and data protection by default. This policy is designed to ensure that personal data is processed with the highest level of privacy and security throughout its lifecycle, from collection to deletion.
2. Data Protection by Design
2.1. Integration of Privacy into System Design
We integrate data protection and privacy measures into the design
and development of all new products, services, and business processes.
This means that privacy and data security are considered at the earliest
stages of any project, initiative, or change to business operations. Our
approach includes:
- Data Minimisation: We will only collect personal data that is necessary for the specific purpose for which it is being processed. We avoid excessive or irrelevant data collection.
- Purpose Limitation: Personal data is collected for specified, legitimate purposes and is not further processed in a manner incompatible with those purposes.
- Secure System Design: Security controls, such as access control and auditing mechanisms, are integrated into systems from the design phase to prevent unauthorised access, loss, or alteration of personal data.
- Data Subject Rights: We ensure that systems are designed in a way that supports the effective exercise of data subject rights, such as rights to access and correction.
2.2. Anonymisation and Pseudonymisation
We employ techniques such as anonymisation or pseudonymisation
where possible to reduce the risk to individuals’ privacy. In
cases where full anonymisation is not possible, pseudonymisation ensures
that personal data is not easily traceable back to an individual without
additional information that is kept separate.
3. Data Protection by Default
3.1. Ensuring Data Protection as the Default Setting
We implement data protection measures that ensure privacy is
maintained by default, even in the absence of user intervention. This
includes:
- Default Privacy Settings: When designing our services, we set the highest level of privacy as the default setting. Personal data will not be collected or shared unless explicitly necessary for the service being provided.
- Access Control by Default: Personal data is only accessible to those employees or service providers (such as hotels, airlines, etc., so that they can fulfil the reservation on the customer’s behalf) who require it to perform their duties.
- Data Retention: We implement default retention periods for personal data based on its purpose. Data will only be retained for as long as it is necessary for the purpose for which it was collected, and then securely deleted or anonymised by default.
4. Technical and Organisational Measures
To support data processing by design and by default, GTO has implemented the following technical and organisational measures:
- Access Control Mechanisms: We implement role-based access control to ensure that personal data is only accessible to those who need it for their job responsibilities.
- Regular Audits: We regularly audit our data processing activities, systems, and policies to ensure compliance with this policy and data protection standards. These audits help identify potential risks and enable us to address any gaps in privacy and security.
- Incident Response Plan: We maintain a robust incident response plan to respond to potential data breaches, with measures to contain and reduce the impact of breaches, notify affected individuals,
- Employee Training: All employees are regularly trained on data protection principles, including privacy by design and by default, to ensure that they understand their obligations regarding data privacy and security.
5. Data Subject Rights
5.1. Transparency and Consent
As part of our commitment to privacy by default, we ensure that
individuals are informed about how their data will be used and give
their explicit consent before any data processing activities take place.
5.2. Rights to Access, Rectification, and Erasure
Our systems are designed to facilitate the rights of data
subjects under data protection laws, including:
- Access: Individuals can request access to the personal data we hold about them.
- Rectification: Individuals can request corrections to inaccurate or incomplete data.
6. Policy Review and Updates
This policy will be reviewed periodically or as needed, to ensure it remains in compliance with applicable data protection standards. Any significant changes will be communicated to employees.