Privacy Notice

Last updated: 11th June 2024

At On the Beach & Sunshine.co.uk we are all about making your jollies jollier. However, with that comes a responsibility to provide you with a great holiday whilst ensuring that we keep your information safe and secure and use your personal data only for what we legitimately need. In other words, we have to abide by the law. You knew this already but you may not be aware of what we do with your personal data, how we store it and generally manage it, to ensure that we remain lawful. The following is an overview of how we manage your data with links for you to find more details if you wish.

The information we collect is the personal data, which you supply, concerning you and your fellow travellers and will be things like name, address, email address, phone, date of birth, passport number. We also collect some information automatically such as IP address (your computer’s address) which we collect with other information about your computer in order to understand how people use our website so that we can improve our services to you. Our cookie controls (see our Cookie Notice) allow you to select the information that we can collect and use in this way.

We will never sell your personal data and we will only share your personal data where there is a need to do so, to provide you with your holiday or where you have consented to have your personal data used. For example, we will share your personal details with airlines for your flights and other suppliers of your holiday. We may also share your personal details with finance organisations where they are providing tools to enable us to make payments on your behalf to book your holiday.

We will keep your personal data only for so long as we need it to provide your holiday, for audit or legal purposes.

You have rights under data protection law to know how your personal data is used. You may exercise these rights at any time. Requesting what personal information we hold about you is as easy as contacting our Data Protection Officer via [email protected]. If you are EU-based we also have a nominated representative whose contact details may be found below.

Please see below for more detail on how we use and manage your personal data. Changes may be made to this notice and changes will be published and dated on these pages.

MORE DETAIL ABOUT HOW WE USE YOUR PERSONAL DATA

Here at On the Beach, we are committed to doing everything we can to protect any personal data that you give to us. Please continue reading this Privacy Notice to understand how we use and protect your personal data. Please also read our separate Cookie Statement, which explains how we use cookies and other similar technologies when you use our websites and apps. If you have any questions about what we do with your personal data after reading this notice, feel free to contact us using the contact details provided below.

This Privacy Notice covers all platforms through which we offer travel-related services; this includes our Website, our app and where you interact with us on social media such as Facebook (in which case you should also refer to those social media sites' privacy notices).

The data controller of the personal data referred to in this Privacy Notice is On The Beach Limited, a limited liability company with registered company number 03162982.

Sunshine.co.uk is a trading name of On The Beach Limited.

All references in this Privacy Notice: to our "Website" refer to the websites at www.onthebeach.co.uk and www.sunshine.co.uk; to "we", "us" and "our" refer to On The Beach Limited; and to "you" and "your" are to you, the user.

What kind of personal data do we collect?

When you book a holiday with us, you will be required to provide us with certain information, including your name, address, e-mail address and phone number and payment information.

If you fill in a booking form but don’t actually complete the booking, we will use your information to check in with you as to whether you need any assistance and whether you would like to complete your booking. For more information about how we do this (and how to prevent this if you wish to do so), please see our Cookie Statement.

There are also other instances when you’ll provide us with information, for example if you sign up for alerts and/or updates, register to use our Website or App, enter one of our competitions or complete a survey.

The personal data we collect may include:

  • Your name

  • Your address

  • Your phone number(s)

  • Your email

  • Your date of birth

  • Your passport number

  • Your marketing preference

  • Payment details (we do not keep full card details)

  • Special assistance

  • Information about products such as travel insurance and transfers.

Personal data you give to us about others

If you are travelling with others or booking a holiday for someone else, you will need to give us personal data about them when making the booking, for example their name and age. It is your responsibility to ensure that anyone who you have provided personal data about is aware and happy that you have done so and is aware of how we use and process their information.

Personal Information we collect automatically

When you visit our Website, even if you don’t make a booking, we will automatically collect certain information such as your IP address, the date and time you accessed the Website, the hardware, software or internet browser you use and information about your visit, including pages you viewed and interaction information.

If you are using a mobile device, we may collect data that identifies your mobile device, location details and any specific settings.

For more information, please see our Cookie Statement.

What do we do with your personal data?

Once we have collected the information about you, it will be used for the following purposes:

  • Bookings:

    Put simply, we will use your personal data to provide to you the services that we sell, which may include flights, hotels, transport, insurance and other ancillary products. We need certain information about you, so we can fulfil our obligations contained in the contract that you enter into with us when you make a booking. In certain circumstances we may create temporary email addresses that will be used only to aid in our booking processes with the airlines or holiday suppliers. We create these so that we can provide a seamless service to you. We may also pay for flights on your behalf. We will not use your payment card in such circumstance but will ensure payment is made, risk free, by us to ensure that your booking payment is on time.

  • User Accounts:

    The information that you provide when you set up an account on our Website or app allows us to provide you with services including the ability to manage your bookings, personal settings and access to special offers.

  • To communicate with you in relation to your holiday:

    We will use the contact information you have previously shared with us to communicate with you in relation to your holiday and to provide you with information relevant to your holiday. For example, helpful information about the destination to which you are travelling, security alerts, administrative messages about your holiday and emails to remind you to fill in your Holiday Checklist.

  • Customer Services:

    You are free to contact us about our services at any time, whether this is a general query, a question about your booking or to report a problem on our Website. This can be done through the Manage Your Booking system on our Website or app, by telephone or via social media. We will use the information that you have provided to help us answer any questions and respond to your query (along with any future queries that you may have). If you contact us by telephone, your call may be recorded for quality control and training purposes but we will always ask for your consent before recording communications for these purposes.

  • Personalisation:

    We will use information we hold about you, such as the products and services you have purchased from us in the past, to enable us to show you the products and services we think you will like on our Website and app and communicate these with you, such as the recommended deals and special offers we put to you. For example, we will save your searches to tailor future searches you make to your needs. If you would like to turn off this functionality you can do so via your account. We may share some personal information, including your first name and past searches when you click on one of our interactive videos (provided by a partner). Your personal data in this case will only be shared when you click on a link, to provide you with a better experience. Your personal data will not be used for other purposes and because clicking on an interactive story video is optional, does not affect your marketing preferences.

  • Marketing:

    Where you place an order with us and you have not opted out (or in any other case, if you have opted in to receive marketing by e-mail or text message), we may contact you by e-mail or text message with information about other goods and services that we offer that are similar to those that you have already purchased or enquired about and we think may interest you based on the information we hold about you. We may also use your contact details to contact you by phone or post with details of products and services that we think may be of interest to you (unless you have told us you don't want to receive these communications or you are registered with the Telephone Preference Service).

  • Corporate transaction:

    We may use your data in connection with a corporate transaction such as the sale of a subsidiary or a division, merger, consolidation or asset sale.

  • Promotional Activities:

    If you participate in our promotions (such as surveys or competitions) we will use the information you provide to us to administer these activities.

  • Improving our services:  Sometimes we will use your data to help us improve the quality and functionality of the services that we offer. This includes:

    • analysing your recent visits to our Website and app and how you move around different sections of our Website and app for analytics purposes to understand how people use our Website so that we can make it more intuitive.

    • troubleshooting, data analysis, testing, research and for statistical and survey purposes by us, all of which helps us to provide the best service that we can.

    • in some circumstances we may send data about our Website and app users in aggregate or anonymised form, to third parties for them to provide these services to us – this is explained in more detail under "When do we share your data with third parties?" below.

Legal basis for processing personal data

Our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the specific context in which we collect it.

However, we will normally collect personal data from you under the following legal bases:

  • Performance of a contract:

    If we have obligations under a contract with you, we will use your information to perform our obligations to you. For example, if you make an online booking on our Website or app, we will use the information that you provide us with when making the booking to complete and administer the reservations with the relevant third-party suppliers.

  • Consent:

    You will be asked to consent to us providing you with marketing information and if you give us this consent, we will rely on this when contacting you with marketing information by e-mail and text message (although please note that in limited circumstances we are allowed to send marketing information to you without your consent). You can opt-out of receiving marketing communications from us at any time by contacting us using the details at the end of this policy, by using the link at the bottom of each email that we send to you or by logging in to your account and changing your contact preferences.

  • Legitimate interests:

    We will use your information for our own legitimate interests, for example, to provide you with the best suitable content on our Website or app, to improve and promote our services and for our own administrative purposes, including creating and maintaining business records of our relationship with you.

  • Legal requirements/vital interests: In some cases, we will have a legal obligation to collect personal data from you (for example, for us to comply with tax laws which require us to collect and retain records of products and services that we sell) or where we need the personal data to protect your vital interests or those of another person (for example, if you are involved in an emergency and we need to provide the details which we hold about you to the emergency services).

How and where will your data be processed?

Any information that we hold about you is stored on our secure servers and all payment transactions are encrypted. We do not keep your card details and we are PCI-DSS compliant, the standard required of businesses to enable them to take card payments. Only authorised personnel are permitted to access personal data in the course of their work. Whilst we do our best to protect your personal data, no information transferred over the internet can be guaranteed to be completely secure and you provide your information at your own risk.

When your credit card details are required as part of the booking process, we store the last 4 digits and an authorisation token.

The data that we collect from you may be transferred to, and stored at, a destination outside the UK, including where we may transfer your data to our suppliers so that they can assist us with providing our services to you. Where your information is transferred to another country, we will take steps to ensure that the information receives the same level of protection as if it remained within the UK, including by entering into data transfer agreements, using standard contractual clauses (which are data transfer agreements approved by the UK government or the European Commission), or by relying on certification schemes and supplementary measures. You have the right to request details of the mechanism under which your data is transferred outside of the UK – for this information, please contact us using the details set out under "How can you contact us?" below.

When do we share your data with third parties?

In certain circumstances we do share your personal data with parties outside of On the Beach. The third parties who we share your personal data with include:

  • Our suppliers: If you make a booking with us, it is necessary for us to share your reservation data with relevant third parties, such as hoteliers, airlines, insurers and ground-handling agents, to complete your booking. This may include your name, contact details, payment details, the names and ages of any guests travelling with you, along with any preferences or special circumstances you told us about when you made your booking. If you contact us with a query about your booking, we may pass this on to our suppliers if they are better placed to help you.

  • Our group companies: Your details may be shared with other companies in our corporate group who process information for purposes that are described in this Privacy Notice, for analytical purposes or to support the services that we provide to you. To find out more about our corporate group please visit https://www.onthebeachgroupplc.com/.

  • Third party service providers: This includes anyone who provides services or functions on our behalf, including credit card processing, business analytics, advertising, administration of competitions and promotions, collection of customer feedback and customer service. We use these service providers to process your data on our behalf; this may be to send our marketing material or to collate information that can be analysed to improve our service. They have access to and may collect information only as needed to perform their functions and are not permitted to share or use information for any other purpose. Where we provide data to third party service providers for them to provide data analysis or statistical services for us, we will only ever send them aggregated or anonymised data.

  • Payment Providers and other financial institutions: If you request a chargeback for your booking, it may be necessary for us to share certain reservation details with the payment service provider and the relevant financial institution so they can handle the chargeback. This may include a copy of your booking confirmation or the IP address that was used to make your reservation.

  • Any competent law enforcement body, regulator, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights (including to investigate any suspected fraudulent or other criminal activity), or (iii) to protect your vital interests or those of any other person.

  • Potential Buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided we inform the buyer it must use your personal data only for the purposes disclosed in this Privacy Notice.

  • Any other person (with your consent to the disclosure).

Any information that is collected from you directly by hotels or other suppliers or which you share through social media platforms such as Facebook is not covered under this Privacy Notice and we would urge you to check their own privacy notices before handing over any of your personal data.

Categories of business we share your personal data with

Your personal data is only shared where there is a lawful purpose to do so. Categories of organisations with which we share personal data include:

  • Hotel suppliers – hotels may be directly paid by us, on your behalf or via an agent dealing in beds. In such cases only basic details are provided so that suitable rooms may be allocated.

  • Airlines – Airlines need to know who is flying and we provide the minimum information they require to secure your chosen flights. Some airlines may require you to create an account with them to manage your flight directly and in this case, your personal details will be shared to enable this to happen in as seamless a way as possible and so that we may honour our contract with you, to provide the holiday of your choice.

    Other airlines, where we integrate with their systems will become a controller of your information in order that they can further manage your flight booking and ensure that you are informed of any flight changes.

  • Holiday Partners (additions) – We may share your personal details with companies that provide your holiday extras such as car hire and travel insurance. In most instances you will have selected to purchase these and provide your details directly to them but in some instances we may do this for you.

  • Payment providers – We use payment providers to manage payments we take from you for your holiday. Only very basic details are required for this. We also have payment providers who make payments to, for example, airlines on our behalf and your contact details may be used to facilitate this payment. We do this to remove any financial risk to you as your own payment information is not used and the processing may involve a check to verify your details in line with standard financial checks which do not affect your credit history.

  • Marketing - We do not share your personal information for marketing purposes and will send you marketing information only if you have consented to receive it.

Data protection and insolvency

In the event of our insolvency we, or any appointed insolvency practitioner, may disclose your personal information to the CAA so that they can assess the status of your booking and advise you on the appropriate course of action under any scheme of financial protection. The CAA’s General Privacy Notice is at https://www.caa.co.uk/Our-work/About-us/General-privacy-notice/.

Retention of your personal data

When we have no ongoing legitimate business need to process your personal data (for example, to provide products or services to you or to retain records to manage any claims which you or we may have in respect of the products and services we provide to you), we will either delete or anonymise it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

What rights do you have in relation to your personal data?

You have the following rights in relation to the personal data that we hold about you:

  • If you wish to access, correct, update or request deletion of your personal data, you can do so at any time.

  • You can object to processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data.

  • You have the right to opt out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt out of other forms of marketing (such as postal marketing or telemarketing), please contact us.

  • Similarly, if we have collected and processed your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.

  • You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority. The Information Commissioner's Office is the data protection authority for the UK.

If you would like to exercise any of your above rights please contact us using the contact details provided under the “How can you contact us?” heading, below. We respond to all requests received from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

What about data that is collected through a mobile device?

We offer a free app for a variety of mobile devices which can be used to access our services as well as versions of our regular Website that have been optimised for mobile and tablet browsing. These mobile sites work in a similar way to our Website. We use cross-device tracking, which allows us to track user behaviour across multiple devices. We use this to optimize marketing activities and the service that we provide to you, so advertisements shown to you on other websites may be offered based on your activities on linked devices. Please see our cookie notice for further information on this.

How do we treat personal data of children?

Our Website and app are not intended to be used by children under 18 years of age. We only process information about children with the consent of the parents or legal guardians.

Changes to our Privacy Notice

We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.

You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.

How can you contact us?

If you have any questions about this Privacy Notice or wish to exercise any of your data protection rights, please contact our Data Protection Officer at:

Email: [email protected]

Post: Should be sent for the attention of the Data Protection Officer to:

On the Beach,
Aeroworks,
5 Adair Street,
Manchester,
M1 2NQ

Nominated European Representative

In accordance with Article 27 of the EU General Data Protection Regulation (GDPR), our organisation has appointed a Nominated European Representative to act as a point of contact for data protection matters within the European Union. The representative is responsible for communicating with Supervisory Authorities and Data Subjects on all issues related to the processing of personal data and ensuring compliance with the GDPR. If you are a European citizen and have a request for your personal data, please use the contact email [email protected]. Otherwise you may use the email address below for any other matters.

Our Nominated European Representative's contact email is [email protected].