Sandlight Travels (“we”, “us”, “our”) takes your privacy seriously. This Privacy Policy explains what personal data we collect when you use our website or book travel services with us, how we use it, who we share it with, and the rights you have under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

1. Who we are

Sandlight Travels is the data controller responsible for the personal data we collect about you. You can contact us at info@sandlighttravels.co.uk or by writing to us at our Milton Keynes office.

2. Data we collect

We collect the following categories of personal data:

• Identity & contact data: name, email address, postal address, telephone number, date of birth.
• Booking data: traveller names, passport/ID details where required by the supplier, special requests, dietary requirements, accessibility needs.
• Payment data: billing address and the last four digits of your card. Full card details are processed directly by our PCI-DSS compliant payment provider and are never stored on our servers.
• Account data: login credentials, saved searches, booking history, preferences.
• Technical data: IP address, browser type, device identifiers, operating system, pages visited and timestamps (collected via cookies and similar technologies).
• Marketing data: your preferences for receiving marketing from us.

3. How we use your data & legal basis

We use your personal data for the following purposes:

• To process your booking — legal basis: performance of a contract.
• To pass details to suppliers (hotels, airlines, transfer providers) so they can deliver the travel service — legal basis: performance of a contract.
• To provide customer support and respond to enquiries — legal basis: legitimate interest.
• To comply with legal and regulatory obligations (e.g. tax, anti-money-laundering, Advanced Passenger Information rules) — legal basis: legal obligation.
• To send service messages about your booking — legal basis: performance of a contract.
• To send marketing emails (where you have opted in) — legal basis: consent.
• To improve and secure our website — legal basis: legitimate interest.

4. Who we share your data with

We share your personal data only with parties who need it to deliver your travel arrangements or to support our business, including:

• Hotels, airlines, cruise lines, transfer providers, tour operators, and insurers fulfilling your booking.
• Payment processors and fraud-prevention providers.
• IT, hosting, email, and analytics providers acting under contract on our behalf.
• Government and regulatory authorities where we are legally required to do so.

Where your travel involves a destination outside the United Kingdom, your booking data will be transferred to the supplier in that country. We rely on the appropriate safeguards required by the UK GDPR (such as adequacy decisions or Standard Contractual Clauses) for international transfers where applicable.

We do not sell your personal data to third parties.

5. How long we keep your data

We retain personal data only for as long as necessary for the purposes set out above. Booking records are typically held for seven years to comply with UK accounting and tax law. Marketing preferences are kept until you withdraw your consent. Account data is kept for as long as you maintain an account with us, plus a short retention period after closure.

6. Your rights

Under the UK GDPR you have the right to:

• Request access to the personal data we hold about you.
• Request correction of any inaccurate or incomplete data.
• Request erasure of your personal data (subject to legal retention obligations).
• Object to or restrict the processing of your data in certain circumstances.
• Request the transfer of your data to another provider (data portability).
• Withdraw consent at any time where we are processing on the basis of consent.
• Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, please contact us at info@sandlighttravels.co.uk. We will respond within one month.

7. Security

We use industry-standard technical and organisational measures to protect your data, including TLS encryption in transit, access controls, secure hosting, and regular security reviews. While we work hard to protect your information, no system is completely secure and we cannot guarantee the security of data transmitted over the internet.

8. Cookies

Our website uses cookies and similar technologies. Please see our Cookie Policy for full details and to manage your preferences.

9. Children

Our services are not directed at children under 16. We do not knowingly collect personal data from children. If a child needs to be added to a booking, the booking must be made by a parent or legal guardian.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you by email or via a notice on our website. The current version is always published on this page.