Tourism Exchange USA LLC Privacy Policy

1. We respect your privacy
1.1. Tourism Exchange USA LLC (“we”, “us” or “our”) operates an online tourism marketplace which connects tourism providers, tourism website operators and national, regional and local tourism groups.
1.2.

We collect, or receive, your personal data:

  • When you make a booking via, or visit, a webpage operated by us;
  • When you make a booking through a webpage operated by another organization, which we support, for a product offered by one of our partners; or
  • When you otherwise contact us.

You will always know if we are collecting or receiving your personal data as we will provide you with a copy of our privacy notice at the point you make the booking or, in some cases, where you book via a third party webpage, we will send you a copy of our privacy notice when we confirm your booking, which we shall do upon receipt of your details from the third party webpage provider.
1.3. We respect your right to privacy and are committed to safeguarding your privacy. This privacy notice sets out how we collect and treat your personal data.
2. Important information and who we are
2.1. Purpose of this privacy policy
It is important that you read this privacy notice together with any other privacy notice or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.
Our platform is not intended for children and we do not knowingly collect data relating to children.
2.2. Who is the Controller
Tourism Exchange USA LLC (02-07614404) is the controller and responsible for the personal data we collect or receive as described in this privacy notice.
As well as the personal data we collect in accordance with this privacy notice we will also be processing any booking information you submit as part of making your booking, to enable your booking to be made with the tourism provider. When you make a booking via the tourism provider’s own website, we act as their processor, and you should see their privacy notice for how this information is processed. Where you make a booking via a tourism website operator’s website (whether operated by us, or directly by that organization) we will process your booking information as a processor for that organization, and you should see their privacy notice for how this information is processed.
2.3.

Contact details
If you have any questions about this privacy policy or our privacy practices, please
contact us in the following ways:
Full name of legal entity: Tourism Exchange USA LLC
Email address: [email protected]
Postal address: 6751 Professional Parkway, Sarasota, FL 34240

The details of our representative in the UK are:
[email protected]

The details of our representative in the EEA are:
[email protected]

You have the right to make a complaint at any time to the Information Commissioner’s Office, if you are based in the UK, or your applicable supervisory authority, if you are based in an EEA state (they can be identified here- Our Members | European Data Protection Board (europa.eu)). We would, however, appreciate the chance to deal with your concerns before you contact them, so please contact us in the first instance.
2.4. Changes to the privacy note
2.5. We keep our privacy policy under regular review. This version was last updated on January 19, 2023. Historic versions can be made available upon request.
3. Collection of personal information
3.1. When you make a booking, the information required to enable that booking will be sent to the organization providing the goods or services you have booked. As noted above, you should see the applicable organization’s privacy notice for how this personal data is processed.
3.2.

We will also collect the following categories of information, for our own purposes:

  • Identity data including first name and last name;
  • Contact data including your email address, address and phone number;
  • Marketing and Communications data including your consents to direct marketing and related preferences;
  • Transaction Data including details about payments to the provider of the goods and services and other details of products and services you have purchased (including number of people who have booked, location etc.);
  • Technical Data including internet protocol (IP) address, browser information and tracked websites; and
  • Feedback, enquiries and support requests.
3.3. Your credit card details are not saved during the booking process nor are they in any way viewable nor accessible by us. This information will only ever be processed by us on behalf of the tourism provider and you should see their privacy notice for more information on how this information is used.
3.4. In most cases Technical Data will not allow us to identify you. In some cases however the information may, when combined with other information we hold about you, allow us or our suppliers to identify you. In these instances it will be personal data and will be processed in accordance with this privacy notice.
3.5.

The information identified in this clause will be collected either:

  • directly by us, where you use a website we operate or otherwise communicate directly with us; or
  • where you make a booking through a webpage operated by another organization, which we support, for a product offered by one of our partners, by that website. They will then transfer the information to us. Please note, we will not receive Technical Data in these circumstances.
4. Use of your personal information
4.1. We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
4.2. Note that we may process your personal data on more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Purpose/Activity Type of Data Lawful basis for processing including basis of legitimate interest
To share your information with third party organizations for the purpose of enabling them to market to you and derive insights from your information. This will only be transferred where you have provided consent to third party direct marketing. Identity data
Contact data
Marketing and communications data
Transaction data		 Our legitimate interest in providing a service which enables organizations to obtain consent for direct marketing.
Where you do not provide consent to third party direct marketing we will anonymise your personal information and share it with the tourism website operator through whom you made your booking and with the national, regional or local tourism bodies for the area in which the tourism product you booked is located. Identity data
Contact data
Marketing and communications data
Transaction data		 Our legitimate interest in providing tourism website operators and national, regional and local tourism bodies with a more valuable service. The tourism website operators and national, regional and local tourism bodies’ legitimate interest in having better insights into who is booking via their website, or in their area.
To direct market our goods or services to you. Identity data
Contact data
Marketing and communications data
Transaction data		 Consent.
To analyze and derive insights from your personal data and share those insights with third parties. Identity data
Contact data
Marketing and communications data
Transaction data
Technical data
Feedback, enquiries and support requests		 Our legitimate interests in analyzing your personal data to enhance our products and services and provide any insights to third parties, increasing the value of our business.
To aggregate your personal data with the personal data of others, to analyze the aggregated information and to share any insights with third parties. Identity data
Contact data
Marketing and communications data
Transaction data
Technical data		 Our legitimate interests in creating and analyzing the aggregated data to enhance our products and services and in providing any insights to third parties, increasing the value of our business.
To respond to queries from you or a third party. Identity data
Contact data
Marketing and communications data
Transaction data
Technical data
Feedback, enquiries and support requests		 Our legitimate interest in dealing with enquiries to ensure our business provides a high quality service.
To make improvements to our services and products. Feedback, enquiries and support requests Our legitimate interest in improving our products and services.
To defend or make legal claims in respect of you or third parties. Identity data
Contact data
Marketing and communications data
Transaction data
Technical data
Feedback, enquiries and support requests		 Our legitimate interest in defending or bringing claims, where necessary.
To undertake certain limited corporate activities, such as making an insurance claim or managing a corporate restructure or sale. Identity data
Contact data
Marketing and communications data
Transaction data
Technical data
Feedback, enquiries and support requests		 Our legitimate interest in operating our business.
4.3. In addition to the above, we may use the personal data we collect about you for the purposes of complying with our legal obligations. This includes storing your personal data in compliance with our tax obligations.
4.4. Where we anonymize your personal data, we do so by deleting or removing any fields of data which could be used to identify you (such as your name and your address). We regularly review the anonymized data sets to ensure they cannot be identified, given the information available to third parties. We will never disclose this information generally to the public and you can submit any comments or concerns to us using the contact details set out in this privacy notice.
5. Disclosure of your personal information
5.1. We may disclose your personal data to our group companies, insofar as reasonably necessary for the purposes set out in this Policy.
5.2. We may disclose your personal data to our insurers, professional advisers, agents or suppliers (including our IT providers) insofar as reasonably necessary for the purposes set out in this Policy (our “Suppliers”).
5.3. We may from time to time disclose personal information to regulators, courts or other government or regulatory bodies, to comply with a legal requirement, such as a law, regulation, court order, subpoena, warrant, in the course of a legal proceeding or in response to a law enforcement agency request.
5.4. If there is a change of control in our business or a sale or transfer of business assets, we may transfer, to the extent permissible at law, our user databases, together with any personal information and non-personal information contained in those databases or as is otherwise required as part of the change of control, sale or transfer.
6. Marketing
6.1. As described in clause 4 above, we will, where you have provided consent to marketing from third party organizations, transfer your personal data to the website tourism operator, through whose website you have made your booking, and the applicable national, regional and local tourism groups, in whose area your tourism product is located. Each recipient can be identified here along with their applicable privacy notice- [https://tourismexchangeusa.com/partners-privacy/]
7. International transfers
7.1. We will transfer your personal data to our Suppliers, who are based in the USA and Australia. We are required to put in place suitable safeguards, as set out in the UK GDPR and EU GDPR, in respect of these transfers. We rely on the EU standard contractual clauses and UK international data transfer addendum (“Standard Clauses”), which we have put in place with each of our Suppliers, to provide these suitable safeguards. You can ask us for a copy of these by contacting us on the details set out in this privacy notice..
7.2. We will, where you have provided consent to direct marketing, transfer your personal data to the website operator, via whom you made your booking, and to local, regional and national US tourism groups. The tourism groups will always be based in the USA and we will put in place the Standard Clauses with them. The website operators may be located in a number of countries (please see https://tourismexchangeusa.com/partners-privacy/) for further details). We will put in place the Standard Clauses with each of these organizations before we transfer your personal data to them, unless they are based in the EEA, UK or a country deemed adequate (in accordance with the UK and EU GDPR’s), in which case these safeguards are not required. You can ask us for a copy of any Standard Clauses by contacting us on the details set out in this privacy notice.
8. Security of your personal information
8.1. We are committed to ensuring that the information you provide to us is secure. In order to prevent unauthorized access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information and protect it from misuse, interference, loss and unauthorized access, modification and disclosure.
8.2. The transmission and exchange of information is carried out at your own risk. We cannot guarantee the security of any information that you transmit to us or receive from us. Although we take measures to safeguard against unauthorized disclosures of information, we cannot assure you that personal information that we collect will not be disclosed in a manner that is inconsistent with this privacy notice.
9. Data retention
9.1. We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
9.2. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
9.3. Details of retention periods for different aspects of your personal data are available in our Retention Policy which you can request by contacting us on the details set out in this privacy notice.
9.4. In some circumstances you can ask us to delete your data: see Your Legal Rights below for further information.
9.5. In some circumstances we will anonymize your personal data (so that it can no longer be associated with you) as noted above, in which case we may use this information indefinitely without further notice to you.
10. Your Legal Rights
10.1. Under certain circumstances, you have rights under data protection laws in relation to your personal data:
Your right of access – You have the right to ask us for copies of your personal data.
Your right to rectification – You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal data in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal data in certain circumstances.
Your right to object to processing – You have the right to object to the processing of your personal data in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the personal data you gave us to another organization, or to you, in certain circumstances.
Where you have provided your consent to our processing of your personal data, you have the right to withdraw this consent at any time.
10.2. If you wish to exercise any of the rights set out above, please contact us on the contact details set out in this privacy notice.
10.3. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
10.4. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
10.5. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.