We hope the following sections will answer any questions you have, but if not please get in touch with us.
1. Who are we?
City to Summit is a privately owned and funded adventure business.
For simplicity throughout this notice, ‘we’ and ‘us’ means City to Summit and its brands.
‘You’ and ‘your group’ means you and your party members or anyone for whom you are making a booking.
2. What personal data we collect
We collect some personal data, for example when you book a trip with us, use our website or contact us.
Your personal data may include for example your name, your contact details, information relating to your itinerary (such as your booking reference number) or information on how you use our website or how you interact with us.
Using the website
- To deliver the best possible web experience, we collect technical information about your internet connection and browser as well as the country and telephone code where your computer is located, the web pages viewed during your visit, the advertisements you clicked on, the site referring you and any search terms you entered.
Requesting information/a quote
- Your name, contact details and query will be recorded when you fill out a contact form
- We will use your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.
Making a booking
- If you have a booking or online account with us we may have records of your name, gender, date of birth, email and telephone number(s). For your security, we’ll also keep an encrypted record of your login password.
- We hold details of your interactions with us through conversations with our sales and support teams, on centre, or online. For example, we collect notes from our conversations with you, details of any complaints or comments you make, details of bookings you made, items added to your basket, voucher redemptions and how and when you contact us.
- We hold payment (credit or debit card) information
- We collect children’s names, gender and ages as part of our holidays online booking process
Organisation of your trip
- We hold copies of documents you provide to prove your age or identity where the law requires this. (including your passport and driver’s licence). This will include details of your full name, address, date of birth and facial image. If you provide a passport, the data will also include your place of birth, gender and nationality.
- Some of the personal data we hold for your party members may include for example party member’s name, gender, passport details, date of birth and dietary requirements. We presume you have gained the necessary consent from party members / parents / guardians to use their personal data.
- We collect child and adult height, weight, shoe size and head measurements for the provision of equipment
- We collect information within bursary applications for individual children, which may include sensitive data
- In the event of any accidents or incidents on any of our adventure courses – your data may be recorded and shared with third parties as part of our duty of care
Contact Post- Travel
- We retain your comments, feedback and product reviews.
- We hold your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.
Special Category Data
When we provide our services to you we may collect information that could reveal racial or ethnic origin, details of physical or mental health (including SEND), or religious beliefs.This information is considered “sensitive personal data” under GDPR and other data protection laws.
We only collect this information where it is necessary to deliver our services to you.
For example, if you inform us about specific dietary requirements, this could indicate specific religious beliefs.
If you provide us with passenger information details, your nationality may imply your racial or ethnic origin.
If you request special assistance, use of an adapted room or facilities; or provide medical information for you and/or your group, this could reveal information about health.
In addition, we may also share your personal data with our suppliers who provide services to you on our behalf. For example, if we need an adapted coach to accommodate wheelchair users.
3. Explaining the legal bases we rely on
The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:
In specific situations, we can collect and process your data with your consent. For example, when you tick a box to receive email newsletters. When collecting your personal data, we can always make clear to you which data is necessary in connection with a particular service.
In certain circumstances, we need your personal data to comply with our contractual obligations.For example, if you book a trip with us, we will collect your address details in order to send you booking information.
If the law requires us to, we may need to collect and process your data. For example, we can pass on details of people involved in fraud or other criminal activity to law enforcement. We may also have to pass data to regulatory or governing bodies.
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. For example, we will use your booking history to send you or make available personalised offers. We also combine the browsing history of many customers to identify trends and/or develop new products/services. We will also use your address details to send you direct marketing information by post, telling you about products and services that we think might interest you
4. How and why we use personal data
We want to give you a great customer experience.
One way to achieve that is to get a picture of who you are by combining the data we have about you. We then use this to offer you promotions, products and services that are most likely to interest you. The data privacy law allows this as part of our legitimate interest in understanding our customers and providing the highest levels of service.
Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you’ve asked for.
Here’s how we’ll use your personal data and why:
To manage your booking and make arrangements for you
When you book a trip with us, we use your information to provide services to you and fulfil our contractual obligations, for example to confirm your travel arrangements such as flights, coach travel and overseas crossings, your accommodation, and itinerary arrangements.
To communicate with you & manage our relationship
We will need to contact you by email for administrative or operational reasons, for example to send you confirmation of your booking and payments, to inform you about a specific aspect of the product you have enquired about or booked. Please be aware that these communications are not made for marketing purposes and as such, you will continue to receive them even if you have not opted into receiving marketing communications. We may also use your personal data after you have sent us a request, filled in a web-form through our website or contacted us on social media, where required to meet your request. In order to manage our relationship with you as our customer and to improve our services and experiences for customers we will use the communications you exchange with us and the feedback you may provide. We will also hold information about you so that we can respect your preferences for being contacted by us.
To personalise & improve customer experience
We may use personal data to tailor our services to your needs and preferences and to provide you with a personalised customer experience. For example, if you inform us about your preferred destination, trip type or curriculum area/role in school we will be able to send you communications relevant to your preferences. We’ll do this as part of our legitimate business interests. We may also collect information on how you use our website, which pages of our website you visit most, which destinations and products you search for and what products you book, in order to understand what you like. We may use this information to tailor the content and offers that you see on our website and, if you have agreed to accept the use of marketing cookies on our website.
To inform you about trips linked to your curriculum and destination preferences.
When you provide your personal data via our website(s) or it is available in the public domain (e.g. on a school’s website), we use this information for our legitimate business interests to provide information about and provision of residential trips. An example of when we might use this approach is for ensuring postal and digital marketing is relevant for you and tailored to your interests, determined by your booking history, your job role or known curriculum and/or destination preferences.
When we process your personal data for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
You can also choose to opt out from receiving marketing communications at any time, by clicking on the relevant unsubscribe link at the bottom of any marketing related email you may receive from us.
If you prefer, you can also call us and express your preference to not receive marketing communications 07557336551 or send an email to email@example.com with the header “Unsubscribe”.
Please note that we do not share your contact details and other personal data to organisations outside of City to Summit for them to market to you.
To improve our services, fulfil our administrative purposes and protect our business interests
We will use your information for the following business purposes which include accounting, billing and audit, credit or other payment card verification, safety, security and legal purposes, statistical and marketing analysis, customer feedback requests, systems testing, maintenance and development.
To comply with our legal obligations
To respond to your queries, refund requests and complaints
Handling the information you have sent to us enables us to respond. We may also keep a record of these communications to inform any other contact we have with you/your group and to demonstrate how we communicated throughout. We do this on the basis of our contractual obligations to you, our legal obligations and our legitimate interests in providing the best service and understanding how we can improve our service based on your experience.
To protect our business and your account from fraud and other illegal activities
This includes using your personal data to maintain, update and safeguard your account. We’ll also monitor your browsing activity with us to quickly identify and resolve any problems and protect the integrity of our websites. We’ll do all of this as part of our legitimate interest.
For example, by checking your password when you login and using automated monitoring of IP addresses to identify possible fraudulent log-ins from unexpected locations.
To develop, test and improve our systems
We’ll do this on the basis of our legitimate business interests. For example, we may record your browser’s Session ID to help us understand more when you leave us online feedback about any problems you’re having.
To send you survey and feedback requests to help improve our services
These messages will not include any promotional content and do not require prior consent when sent by email or text message. We have a legitimate interest to do so as this helps make our products or services more relevant to you.
To administer any prize draws or competitions
We will use your data to contact you about prize draws or competitions which you enter, based on your consent given at the time of entering.
To inform our business decisions
We may combine data captured within our systems with that from third parties and data from publicly-available lists. We’ll do this on the basis of our legitimate business interest. For example, by combining this data, this will help us personalise your experience and decide which content to share with you. We also use anonymised data from customer purchase histories to identify trends, create a better understanding of our customers and improve the quality of our marketing activities.
5. Requesting access to your personal data
We respect your right to control your data. Your rights include:
Right of access – you have the right to access and obtain a copy of the personal data that we hold about you. We will only charge you for making such an access request where we feel your request is unjustified or excessive.
Right to rectification – you have the right to request that we correct any inaccuracies in the personal data stored about you.
Right to erasure – in certain circumstances, you have the right to request that we erase your personal data. For example, you may exercise this right in the following circumstances:
- your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by us
- where you withdraw consent and no other legal ground permits the processing
- where you object to the processing and there are no overriding legitimate grounds for the processing
- your personal data have been unlawfully processed
- your personal data must be erased for compliance with a legal obligation
Where we store your personal data for statistical purposes, we may not be able to comply with such a request where it would likely impair such statistical purposes or where we require your personal data for compliance with a legal obligation or in connection with legal proceedings.
Right to restriction – you have the right to restrict our processing of your personal data where any of the following circumstances apply:
- where you feel that the personal data which we hold about you are not accurate. This restriction will be in place for a period to enable us to verify the accuracy of your personal data
- where the processing is unlawful and you do not want your personal data be erased and request the restriction of its use instead
- where we no longer need to process your personal data (e.g. any of the purposes outlined above have been completed or expire), but we require it in connection with legal proceedings
- where you have objected to our processing of your personal data pending the verification of whether or not our legitimate business interests override your interests, rights and freedoms.
Where you exercise your right to restrict our processing of your personal data, we will only continue to process it with your consent or in connection with legal proceedings or for the protection of the rights of other people or for reasons of important public interest.
Right to data portability – you have a right to receive and transfer the personal data that you provide to us in a structured, commonly used and machine-readable format where we process your personal data on the legal bases of: a) your consent; or b) where it is necessary to perform our contract with you. Where you make such a request, we will directly transfer your personal data on your behalf to another controller of your choice (where it is feasible for us to do so).
Right to withdraw consent – you have a right to withdraw your consent, at any time, to our processing of your personal data which is based on your consent. Where you exercise this right, our processing of your personal data prior to your withdrawal of consent will remain valid.
Right to object to processing – In certain circumstances, you have a right to object to our processing of your personal data where we process it on the legal bases of our legitimate business interest or your consent to marketing. We may not be able to comply with such a request where we can demonstrate that there are compelling legitimate grounds for us to process your personal data which override your interests, rights and freedoms or where the processing of your personal data is required for compliance with a legal obligation or in connection with legal proceedings.
If you would like to make a personal data access request, please email us at firstname.lastname@example.org with the subject title ‘My data request’ including the following required Information:
- your full name
- a description of your data access request
- all email addresses (past and present) used to book trips with us
- attach to the email a copy of your current and valid photo ID (for example, passport photo page)
From the date that we receive ALL the required Information, we have one month to process your request. If the request is complex or numerous we may require an additional two months and will contact to explain why the extension is necessary within the first month of your request.If you have questions in relation to your personal data, please contact us at: email@example.com
6. How we protect your personal data
We are committed to taking appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage to personal data. When you provide your personal data through our website(s), this information is transmitted across the internet securely using high-grade encryption.
Sensitive data such as payment card information is secured by SSL encryption via external sources.
7. How long will we keep your personal data?
Whenever we collect or process your personal data, we’ll only keep it for as long as necessary for the purpose which it was collected; or for as long as we reasonably require for our legitimate interests. At the end of that period your data will either be deleted or anonymised, for example by aggregation with other data – so it can be used in a non-identifiable way for statistical analysis or business planning.
How we retain types of data
|Type of data||Examples||Period retained|
|Analytics data||Anonymised web traffic data in Google analytics and Hotjar systems||50 months|
|Bursary request data||Name, school, free school meal eligibility, other info as provided by group leader||12 months after travel|
|Insurance claims||Notification of claim, details of hearings||Until claim is resolved or expires|
|CCTV footage||Images of party members||1 month|
|Car registration details||Driver name, Reg no.||1 week|
|Copies of ID||Passport information as provided to border agencies||Deleted after travel|
8. Cookies or other tracking technologies
9. Sharing your personal data
We may also share some of your personal data with, or obtain your personal data from, the following categories of third parties:
Suppliers providing services to us in order to help us run our business and improve our services and your customer experience. We may for example share your personal data with the companies who provide services e.g. insurers, coach companies, airline carriers, ferry operators, rail operators, Eurostar, accommodation providers, agents who may book these services on our behalf, guides and representatives who assist your group whilst on tour and visit providers.
We may also share your personal data with marketing agencies and mailing houses to improve our products and services and to communicate with you.
We may for example share your personal data with airports, government authorities, law enforcement bodies and regulators when this is necessary to get you to your destination or is required by law. We carefully select our suppliers who process your personal data on our behalf and require that they comply with high security standards for the protection of your personal data.
Authorities, including the Civil Aviation Authority – We may also disclose your personal data to the Civil Aviation Authority (“CAA”) and The International Air Transport Association (“IATA”) for the purposes of ensuring compliance with and the enforcement of ATOL regulations.
10. Contacting the Regulator
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1113.Or go online to www.ico.org.uk/concerns (opens in a new window; please note we can’t be responsible for the content of external websites)
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.
Last Updated: 10th June 2020