Key Travel Group understands Data Privacy and the Security of Personal Data is a sensitive area and has become even more important with the new General Data Protection Regulation (GDPR) legislation.

This Policy has been updated to cover how Key Travel Group collects, uses, discloses, transfers and stores personal information, informing our clients of their rights over their Personal Data. This policy applies when our clients use our online services, either by web or through our mobile applications, by telephone, SMS text or otherwise by using electronic means interacting with our websites, email, WhatsApp, Web chat or social media channels.

It is our aim to give effect to our commitment to protect your personal information through this Policy.


What data do we collect & process and why?

Personal Data

  • Personal Data we collect is limited to what is necessary to fulfil service requests to conduct travel bookings and includes name, date of birth, mailing address, contact telephone numbers, email address, contact preferences, passport details and login details to Key Travel Group systems such as your username and password.
  • When you make a booking, depending on the arrangements you ask us to make, we will ask if you have special requirements, such as dietary requirements or medical/health conditions, to ensure that your needs in relation to a booking are met.
  • For the provision of services agreed under the terms of the contracts signed between our clients, ourselves and 3rd party suppliers which provide services (such as travel, hotels, etc.).

Non-Personal Data

Key Travel Group additionally collects data that does not on its own make direct associations possible with users of our systems and services. This is considered ‘Non-Personal Data’; it is collected via our website cookies and includes the following:

  • Site activities such as length of stay on each page and areas visited on the page
  • Frequent search queries with the purpose of improving our website performance


Non-Personal Data is also used for internal purposes such as data analysis and research on improving our services.

How we use your Personal Data

We use and process the Personal Data we collect either because it is necessary for us to do so as part of the services we provide to you under the contract you have entered into with us, or because we have a legitimate business reason for doing so.

A) Activities carried out by Key Travel Group in order to provide the services you have entered into a contract with us for, are the following:

  • Managing your booking internally, communicating your booking with external suppliers such as airlines, so as to ensure that the services you requested are arranged, including the issuing of visas.
  • Communicating with you regarding your requested booking, including sending booking information and travel documents necessary for you to travel.
  • Assisting you or arranging for assistance to be provided to you by third parties in the event of an incident or health emergency which is in your vital interests.

B) Activities carried out by Key Travel Group on the basis of our legitimate interests as a business which you employ to provide your travel arrangement services, are the following:

  • The improvement of the customer experience using our online and offline services
  • The protection of our business against financial loss for payment card and booking verification
  • The promotion of our business, improving our products and services by:
    • Sending marketing correspondence, which you will only receive if you opt in and grant your permission for us to contact you about products and services similar to those that you have previously bought from us
    • Contacting you if you make any enquiries on our website
    • Inviting you to take part in customer surveys to improve our service offering to you
  • The resolution of complaints, dealing with disputes and legal proceedings which may include contacting you if we need to resolve any issues you may be experiencing or have experienced with a booking or other purchased service provided by Key Travel Group.

Which countries and who will your Personal Data be sent to?

Key Travel Group’s data centers operate within the European Economic Area (EEA). However, your Personal Data is held on a combination of Key Travel Group’s EEA-based data-centers, the systems of the suppliers we use to provide our services (e.g. airlines, border controls) and ultimately the providers of the services you select such as a hotel, a taxi transfer service, etc.

Some of these third parties which may be based outside the EEA may not be subject to the same level of controls in relation to data protection as we have in the UK and the EEA. Therefore as a first step, Key Travel Group ensures safeguards are set within the contractual clauses in an approved legal form or by having our suppliers sign up to an independent privacy scheme approved by regulators (like the US “Privacy Shield”).

How do we choose our service providers for you?

  • We carefully select and source third party suppliers that are required to receive your Personal Data in order to deliver the travel services offered to you.
  • Our terms of contract state our suppliers must comply from an Information Security and GDPR perspective given their function as Data Processors.
  • We ensure that Key Travel Group's vendors are reputable suppliers, in particular:
    • Without a known history of data protection breaches
    • With credible data protection policies/practices to ensure the integrity and safety of the data
    • With a policy of using the data only for the delivery of the contractually agreed Service.

At present only a single sub-processor is utilised by Key Travel:

  • Sub-Processor: CIBT Visas
  • Purpose: Provision of Visa services
  • Information Shared: Itinerary data including TSA/APIS information, contact details

Legal and Governmental Authorities

When Key Travel Group is requested to provide Personal Data by law, legal process, litigation and/or requests from governmental authorities within or outside the clients’ country of residence, it will be obliged to comply and proceed with providing your Personal Data.

Protection of Personal Information & Security

Key Travel Group acknowledges that Information Security and the protection of our clients’ Personal Data is an ongoing commitment and will continue to evolve in complexity, as do threats. As a result, Key Travel Group has taken technical steps to ensure we remain compliant with the DPA (Data Protection Act) and GDPR frameworks through an extensive GDPR-readiness program, continuous vigilance, and investment throughout the 3P’s (People, Platform, Process), in addition to being certified in PCI DSS v3.2.1 and Information Security Governance standards such as ISO 27001:2017. Our Information Security Management System (ISMS) is independently audited annually to ensure that we maintain a high level of commitment and quality across the 3P’s (People, Process, Platform).

Privacy Policy v1.6

Our Information Security framework mandates that data always remain secure, therefore, multi-level encryption of high strength is used across our Information Technology estate that delivers the service. This means that connection and transmission of data to our systems is secure, and the personal data entered is encoded before it is sent to us and our suppliers, protecting it as it is transferred over the Internet. However, it must be noted that the transmission of information via the Internet is not completely secure and while Key Travel Group will endeavour to ensure that any information entered in the Online Booking Services is secure, it does not guarantee the security of the data transmitted to or from such services.

Key Travel Group has a number of security measures in place and continuously invests and works to further safeguard the security of your Personal Data. Some examples include internal and external penetration tests of our information systems, mandatory Cyber Security awareness training, awareness of Information Security Policies, the enforcement of Access Control policies, and the utilisation of state-of-the-art network threat detection & prevention systems. This also extends to physical security measures, CCTV and door access control systems which include monitoring, logging, and audit trail functions.

How long do we keep your Personal Data?

Key Travel Group retains your Personal Data for the period necessary to fulfil your booked travel arrangements except in cases when a longer retention period is requested by the customer or required by law or other legal obligation. We will only hold the minimum necessary data to provide the services you have requested us to provide, and we will do so for no longer than 12 months after the last booking has been completed.

Should we be operating with you through a client contract and that contract is terminated, your data will not be kept for longer than 12 months. A period of up to 12 months post-contract termination is acceptable to cater for bookings which are made for up to 12 months in advance.

  • Internal Data Subjects: Personal Data will be kept for the duration dictated by HR legal off-boarding requirements. Details of unsuccessful applicants will be removed following the end of the recruitment process except where a candidate has given their explicit consent for Key Travel Group to hold onto it.

What are your rights as to your Personal Data?


Accessing it & requesting a copy

As entitled by the GDPR, as our clients, you have the right to request and receive a copy of your Personal Data in a user-friendly format.

Asking for it to be deleted - “Right to be forgotten”

You are also entitled to request the erasure of your personal data, exercising your “Right to be Forgotten”. It must be noted, however, that when travel is booked through an organisation (e.g. a University) with which Key Travel Group has a contract, all such requests can be actioned only when approved by the client organisation which acts as the Data Controller.

Note that Key Travel Group has the option to refuse such requests if they impact its ability to provide the contracted services to the organisation which the traveller belongs to or if there is a legal requirement to maintain the data. In the event that either of these scenarios is enacted, Key Travel Group will work with the Data Controller towards resolution.

Withdrawing your consent

At any given point in time, you have the right to withdraw your consent for us to use your Personal Data when providing our services to you. As before, when travel is booked through an organisation (e.g. a University) with which Key Travel Group has a contract, all such requests can be actioned only when approved by the client organisation which acts as the Data Controller.

How can you contact us?

Any communications relating to data access requests, or the withdrawal of your consent can be made in writing to:

Key Travel Limited,
9th Floor,
St James Building,
61-95 Oxford Street,
Manchester,
M1 6EJ, 
UK

Alternatively, you may contact us by e-mail to data.compliance@keytravel.com

Changes to this Policy

The Key Travel Group Privacy Policy is a live policy and adjusts to the changes in the ever-evolving frameworks governing privacy concerns. As such, our Privacy Policy will change from time to time. Client rights will not be affected without the client’s explicit consent. Where applicable, changes to the Privacy Policy will be communicated by email. You have the right to request a copy of a previous version of our Privacy Policy.