Data Protection Policy

Last Updated:

1. Introduction

Charmingplanetox is committed to protecting the privacy and security of your personal data. This Data Protection Policy explains how we comply with data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy applies to all personal data we process about individuals who interact with our business, including website visitors, customers, prospective customers, and other stakeholders. It should be read alongside our Privacy Policy, which provides additional details about how we collect and use personal data.

We are the data controller responsible for your personal data. This means we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with data protection laws.

2. Data Protection Principles

We are committed to processing personal data in accordance with the following principles:

2.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We provide clear information about how we use personal data and ensure that individuals understand how their data will be processed.

2.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner that is incompatible with those purposes. We clearly communicate the purposes for which we collect data at the point of collection.

2.3 Data Minimization

We only collect and process personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. We do not collect excessive data or retain data longer than necessary.

2.4 Accuracy

We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. We provide mechanisms for individuals to update their information and promptly correct or delete inaccurate data.

2.5 Storage Limitation

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. We have established retention periods for different categories of data.

2.6 Integrity and Confidentiality

We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.

2.7 Accountability

We are responsible for and can demonstrate compliance with the data protection principles. We maintain records of our processing activities and regularly review our data protection practices.

3. Legal Basis for Processing

We only process personal data where we have a legal basis to do so. The legal bases we rely on include:

3.1 Consent

In some cases, we process personal data based on the consent you have given us. When we rely on consent, we ensure that it is freely given, specific, informed, and unambiguous. You have the right to withdraw your consent at any time.

3.2 Contract Performance

We process personal data when it is necessary for the performance of a contract with you, such as when you book a tour with us. This includes taking steps at your request before entering into a contract.

3.3 Legal Obligation

We process personal data when we are required to do so by law, such as for tax reporting purposes or to comply with regulatory requirements.

3.4 Legitimate Interests

We process personal data when it is necessary for our legitimate interests or the legitimate interests of a third party, provided that your interests and fundamental rights do not override those interests. Our legitimate interests include operating our business, marketing our services, and improving our website.

4. Types of Personal Data We Process

We may collect and process the following categories of personal data:

4.1 Identity Data

This includes your name, title, date of birth, and other identifiers.

4.2 Contact Data

This includes your address, email address, telephone numbers, and other contact information.

4.3 Transaction Data

This includes details about bookings you have made with us, payments, and other transaction information.

4.4 Technical Data

This includes your IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.

4.5 Usage Data

This includes information about how you use our website and services.

4.6 Marketing and Communications Data

This includes your preferences in receiving marketing from us and your communication preferences.

4.7 Special Category Data

In limited circumstances, we may process special category data such as health information if you provide it to us for the purpose of ensuring your safety during tours. We only process such data with your explicit consent or where necessary for reasons of substantial public interest.

5. How We Collect Personal Data

We collect personal data through various means:

  • Direct interactions: You may provide personal data by filling in forms on our website, corresponding with us by phone, email, or otherwise, or by booking our services.
  • Automated technologies: As you interact with our website, we may automatically collect technical data about your equipment, browsing actions, and patterns using cookies and similar technologies.
  • Third parties: We may receive personal data from third parties such as analytics providers, advertising networks, and payment processors.

6. How We Use Personal Data

We use personal data for the following purposes:

  • To provide and manage our services, including processing bookings and coordinating tours
  • To communicate with you about your bookings and respond to your inquiries
  • To send you marketing communications where you have consented or where we have a legitimate interest
  • To improve our website and services based on your feedback and usage patterns
  • To ensure the security of our website and prevent fraud
  • To comply with legal obligations and enforce our terms and conditions
  • To analyze and understand our customer base and improve our business operations

7. Data Sharing and Disclosure

We may share your personal data with the following categories of recipients:

7.1 Service Providers

We engage third-party service providers to perform functions on our behalf, such as payment processing, email delivery, hosting services, and analytics. These service providers have access to personal data only to perform their functions and are obligated to maintain the confidentiality and security of that data.

7.2 Business Partners

We may share personal data with business partners who provide complementary services or with whom we have joint marketing arrangements, but only where you have consented to such sharing.

7.3 Legal and Regulatory Authorities

We may disclose personal data to law enforcement, regulatory authorities, courts, or other public authorities if we are required to do so by law or if such disclosure is necessary to protect our rights, property, or safety, or that of others.

7.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and the choices you may have regarding your personal data.

8. International Data Transfers

We are based in Great Britain and primarily process personal data within the UK. However, some of our service providers may be located in other countries, which may result in your personal data being transferred outside the UK.

When we transfer personal data outside the UK, we ensure that appropriate safeguards are in place to protect your data in accordance with data protection laws. These safeguards may include:

  • Transferring data to countries that have been deemed to provide an adequate level of protection
  • Using standard contractual clauses approved by the UK authorities
  • Implementing binding corporate rules
  • Relying on other appropriate transfer mechanisms recognized under data protection law

9. Data Security

We have implemented appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Employee training on data protection and security
  • Incident response and breach notification procedures
  • Regular backups and disaster recovery plans
  • Secure disposal of data when no longer needed

While we take all reasonable steps to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but will notify you promptly of any data breach that is likely to result in a risk to your rights and freedoms.

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, accounting, or reporting requirements.

The retention period varies depending on the type of data and the purpose for which it is processed:

  • Customer booking data: Retained for 7 years after the tour date for accounting and legal purposes
  • Marketing data: Retained until you withdraw consent or we determine it is no longer relevant
  • Website usage data: Typically retained for 2 years for analytics purposes
  • Inquiry data: Retained for 2 years or until the inquiry is resolved

When personal data is no longer needed, we securely delete or anonymize it in accordance with our data retention and disposal procedures.

11. Your Rights

Under data protection law, you have the following rights regarding your personal data:

11.1 Right of Access

You have the right to request a copy of the personal data we hold about you. This is known as a subject access request.

11.2 Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

11.3 Right to Erasure

You have the right to request that we delete your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.

11.4 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

11.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

11.6 Right to Object

You have the right to object to the processing of your personal data in certain circumstances, particularly where we are processing data based on legitimate interests or for direct marketing purposes.

11.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.

11.8 Right to Withdraw Consent

Where we process your personal data based on consent, you have the right to withdraw that consent at any time.

To exercise any of these rights, please contact us using the details provided at the end of this policy. We will respond to your request within one month, although this period may be extended in complex cases.

12. Complaints

If you have concerns about how we process your personal data, please contact us first so we can try to resolve the issue. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Telephone: 0303 123 1113
Website: www.ico.org.uk

13. Changes to This Policy

We may update this Data Protection Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by posting the updated policy on our website and updating the "Last Updated" date. We encourage you to review this policy periodically.

14. Children's Data

Our services are not directed at children under the age of 18, and we do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us so that we can delete the information.

15. Contact Information

If you have any questions about this Data Protection Policy or wish to exercise your data protection rights, please contact us:

Data Protection Officer
Charmingplanetox
63 St Mary Axe
London EC3A 8AA
Great Britain

Email: mailuse@charmingplanetox.world
Phone: +44 20 7183 6090