Data Protection, Privacy & Security Notice

1. INTRODUCTION

At the Business First Partnership we collect, process and store Personal Data for a range of business purposes, including when you use Our website or discuss business with Us about Business First providing travel, accommodation and other services to you, your business or your employees. We want you to be fully aware of how and why we use the data we collect, and this Policy tells you:

· how the Business First Partnership will use, guard and protect Personal Data it collects;

· your data protection rights; and

· how the law protects you.

This Policy applies to all data processing activities we undertake at Business First and includes activities or systems related to both internal business operations, as well as external relations and third-party agreements. We only use Personal Data as permitted under Data Protection Legislation.

2. DEFINITIONS

In this Policy We use specific terms about data processing and this is how We define those terms:

Aggregated Data: means collections of statistical or demographic data that do not directly or indirectly reveal your identity. If we combine or connect Aggregated Data with Personal Data, we will treat the combined data as Personal Data and this Policy will apply to it.

Anonymous Data: means personal data where your identity has been removed and you cannot be identified from it. It may have been combined with Aggregated Data.

Customers: means people we do business with or for and it includes You and Your business.

Data Protection Legislation: means the UK Data Protection Act 2018.

Lawful Purpose: means a Purpose of Processing that is permitted under Data Protection Legislation to undertake normal operational activity of our business and provide service to Customers.

Legitimate Interest: means a Lawful Purpose or one where we are conducting and managing our business to enable Us to give You the best service/product and the best and most secure experience.

Personal Data: means any type of information that relates to an identifiable living person and includes:

· Contact details

· Billing or delivery address

· Address, Email & telephone details

· Transaction Information about payments received from you and services used or products bought

· Passport details

· Financial information

· Educational background

· Certifications & skills

· Nationality

· Job title

· Marketing preferences and survey responses

Sensitive Personal Data: means specific types of information that relate to an identifiable person which is processed with enhanced care and security due to its sensitive nature. It includes:

· Racial or ethnic origin

· Political opinion and trade union membership

· Religious or philosophical beliefs

· Loyalty scheme memberships

· Genetic data

· Biometric data

· Health-related information

Purpose of Processing/Retention: means use by Business First for one of the following reasons or a reason like it.

· Business administration and operations

· Completion of contracts

· Financial and administrative processing

· Marketing

· Regulatory compliance

· Human resources

· Payroll

· Business development

NOTE: A company does not have Personal Data or Sensitive Data, and Data Protection Legislation does not apply to company information, only to the staff within it.

3. HOW IS YOUR PERSONAL DATA COLLECTED BY US?

We use different methods to collect Personal Data when You do business with us, make an enquiry, visit Our website, order products, subscribe to Our newsletters or social media, complete a survey or correspond with Us.

We consider and balance any potential impact on You (both positive and negative) and Your rights before We collect or process Your Personal Data. If the impact on You overrides Our interests, We do not use Your Personal Data unless We have Your consent, or if that processing is for a Lawful Purpose or is required or permitted by law. You can obtain further information about how We assess our Legitimate Interests against any potential impact on You by emailing help@bfp.travel.

Also if You interact with Our website, We will automatically collect information about Your equipment, browsing actions and patterns using cookies and other similar technologies. We may also receive technical information about You from other websites and third parties such as Google or other search engines. Please see our cookie policy for more details.

4. HOW & WHEN WE USE YOUR PERSONAL DATA?

We will only use your personal data as permitted under Data Protection Legislation, for a Lawful Purpose or Legitimate Interest or under a specific consent given by You.

When we have collected Personal Data we may create Aggregated Data and/or Anonymised Data from it. We may process Personal Data on more than one lawful ground. The purpose we collect Personal Data for, the type of data we collect and the Lawful Purpose for processing are shown below.

| Purpose/Activity | Type of data we collect | Lawful Purpose for processing |
| --- | --- | --- |
| Registering You as a customer | • Identity • Contact | - Performing Our contract with You |
| Processing/delivering Your order: - Managing payments - Collecting and recovering money | • Identity • Contact • Financial • Transaction • Marketing • Communications | - Performing Our contract with You - Necessary for our Legitimate Interests |
| Managing our relationship with You: - Notifying You about changes to Our terms or privacy policy - Asking You to leave a review or take a survey | • Identity • Contact • Marketing • Communications | - Performing Our contract with You - Necessary to comply with a legal obligation - Necessary for record keeping |
| To administer and protect Our business and its website | • Identity • Contact • Technical | - Necessary for Our Legitimate Interests; running Our business, its administration, IT, network security, fraud prevention, business structure - Compliance with a legal obligation |
| To deliver relevant content & advertisements to You and measure the effectiveness of Our advertising | • Identity • Contact • Usage • Marketing • Communications • Technical | - Necessary for our Legitimate Interests |
| To use data analytics to improve Our website, products/services, marketing, customer relationships and experiences | • Technical • Usage | - Necessary for our Legitimate Interests |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | • Identity • Contact • Financial • Transaction • Marketing • Communications | - Necessary for our Legitimate Interests |

5. MARKETING & COOKIES

We strive to provide you with choices regarding personal data uses, particularly around marketing and advertising. We may use your Personal Data to form a view on what We think You may want or need, or may be of interest to You. You can update your preferences and can withdraw consent to marketing at any time by contacting info@bfp.travel.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. Click here for information about the cookies we use.

6. THIRD-PARTY LINKS

This website includes links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about You. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage You to read the privacy policy of every website You visit.

7. CHANGE OF PURPOSE

We will only use your Personal Data for the purposes we collected it for, unless We reasonably consider that We need to use it for another reason and that reason is compatible with the original purpose it was collected for. You can ask us for more details about this by contacting us at info@bfp.travel.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain how we want to use it. We may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

8. SHARING PERSONAL DATA WITH THIRD-PARTIES

We will get Your express consent before We share Your Personal Data with any third party. This does not apply to Aggregated Data or Anonymised Data.

9. DISCLOSURE OF YOUR PERSONAL DATA

We may share Your Personal Data with third parties for a Lawful Purpose or Legitimate Interest. When we do that, We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow third-party service providers to use Your personal data for their own purposes and only permit them to process Your Personal Data for specified purposes and in accordance with Our instructions.

10. INTERNATIONAL TRANSFERS

We may share Your Personal Data with Customers or suppliers to fulfil Your order or Our contract with You. This may involve transferring Your data outside the European Economic Area (EEA). Whenever We transfer your personal data out of the EEA, we ensure the party receiving it treats it with a similar degree of protection as we do under Data Protection Legislation or equivalent local laws.

Unless You consent, We will only transfer Your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details of which countries that is see <<European Commission: Adequacy of the protection of personal data in non-EU countries>>. Where we use providers based in the US, We may transfer Personal Data to them only if they comply with the obligations of the Trans-Atlantic Data Privacy Framework.

11. DATA SECURITY

We have appropriate security measures to prevent Your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, We limit access to Your Personal Data only to contractors and staff who have a business need to know and are subject to a duty of confidentiality. Our staff are forbidden to retain confidential information or Personal Data not relating to themselves on their personal devices. Exceptions to this policy include information that is needed for a purpose that is work-related, temporary and approved by a relevant manager.

All Personal Data we collect is stored and protected in a secure location. We monitor processing and storage of Personal Data and undertake appropriate levels of research and due diligence into any third-party service that We ask to store or process data for Us.

We ensure that Our software, IT systems, equipment and services meet industry standard levels of data security and We undertake regular checks, audits and tests to ensure security hardware and software is fully functional and optimised to manage and mitigate data security risks.

We use encryption and anonymisation as a risk management tool alongside existing systems, to protect against accidental loss, damage, destruction or unauthorised access of Personal Data. We may also anonymise Personal Data if We believe it is prudent or necessary to do so for some other reason connected with ensuring or protecting the rights of a data subject.

We undertake periodic assessments to consider the purposes and context of the processing we undertake, and standard security practices to ensure that we continue to provide an adequate level of protection for Personal Data as required by applicable data and privacy laws.

We maintain at all times an appropriate disaster recovery, business continuity and contingency plan, and related policies and procedures, which provide for continued operation in the event of a catastrophic event affecting Our business operations. We will notify You as soon as possible after any such disaster occurs if we become aware that Your Personal Data has or may have been compromised.

12. HOW LONG WILL WE USE YOUR PERSONAL DATA FOR?

We will only retain Your Personal Data for as long as reasonably necessary to fulfil the purpose We collected it for. This includes holding it for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

When We decide how long to keep your data for, We consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of it, the purposes for which We process it and whether We can achieve those through other means, as well as the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances We may use Aggregated Data, Anonymised Data or anonymise parts of Your Personal Data for research or statistical purposes, in which case we may use and retain this anonymous information indefinitely.

We may retain Your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

13. YOUR DATA, YOUR RIGHTS

We are registered with the Information Commissioner’s Office (ICO) to process Personal Data.

Access Your Personal Data (commonly known as a “data access request”). You can ask Us to provide You with a copy of the Personal Data we hold about You at any time by writing to info@bfp.travel.

Correct Your Personal Data. You can ask us to correct or complete any incomplete or inaccurate data we hold about you, though we may need to verify the accuracy of the new data you provide to us.

Withdraw Your consent to processing. You can ask Us to stop processing or storing Your Personal Data at any time by following the opt-out links on any marketing message sent to you or by emailing info@bfp.travel. If You withdraw Your consent, we have to keep a record of that request. This will not affect the lawfulness of any processing carried out before You withdraw your consent.

Object to Our processing of Your Personal Data. Where we are relying on a Lawful Purpose or Legitimate Interest, You can still object to processing if You feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing Your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Erase Your Personal Data. You can ask us to delete or remove Personal Data where You no longer want Us to process it. You also have the right to ask us to delete or remove Your Personal Data. Note that we may not always be able to comply with your request of erasure for specific legal reasons. If those apply, they will be notified to You at the time of Your request.

Request restriction of processing Your Personal Data. You can ask Us to suspend processing Your Personal Data whilst You establish it is accurate, or Our use of the Personal Data is not lawful but You do not want us to erase it, or You need us to hold the Personal Data even though we no longer require it as you need it to establish, exercise or defend legal claims, or if You have objected to Our use of Your Personal Data but we need to verify whether we have overriding legitimate grounds to use it.

Request transfer of Your Personal Data. We will provide to You, or a third party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for Us to use or where we used the information to perform a contract with You.

You will not have to pay a fee to access your personal data or to exercise the rights above. We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive and we can refuse to comply in these circumstances.

If you want to request, object or withdraw your consent to our processing <<click here>>

When You make a request, We may need to request specific information from You to help Us confirm Your identity and ensure Your authority to access that data (or to exercise any other rights). This is a security measure to ensure that Personal Data is not disclosed to a person who has no right to receive it.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

14. MORE INFORMATION & COMPLAINTS

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us first and we will try to help.

This policy is subject to regular review and amendment.

For more information about this Policy please email help@bfp.travel.

15. PRECISE LOCATION IN BACKGROUND FOR BFP TRAVEL APPLICATION

The BFP Travel app collects location data to display the real-time risk alerts and personalized assistance notification features, even when the app is closed and not in use. This option can be changed later by going to the device settings.