Privacy Policy

1. Who We Are

Blue Turtle Escapes is a personal travel concierge service based in Tavistock, Devon, operated by Rachael Waller. We design tailor-made holidays for individuals, couples, and families.

For the purposes of UK GDPR, Blue Turtle Escapes is the data controller: meaning we decide what personal data is collected and how it is used.

2. What Personal Data We Collect

Enquiry and contact data

When you contact us via our website enquiry form, email, or telephone, we may collect your name, email address, phone number, and the details of your travel enquiry.

Booking and travel data

To plan and book your holiday, we collect the information needed to make reservations with airlines, hotels, cruise lines, tour operators, and other travel suppliers. This includes:

• Full name, address, email address, and telephone number
• Travel preferences, cabin or room preferences, and dietary requirements
• Medical or accessibility requirements you choose to share with us
• Emergency contact details

Passport and identity data

For flight bookings, cruise reservations, and visa applications, we collect the following passport details for each traveller:

• Full name exactly as it appears on the passport
• Date of birth and gender (as stated on passport)
• Nationality and country of passport issue
• Passport number, issue date, and expiry date
• Place of birth (required for certain bookings and visa applications)

We collect this data via a secure, zero-knowledge encrypted form. We do not routinely collect or store scans or photographs of passports unless a specific visa application requires one.

Payment data

Payments are processed securely through Protected Trust Services Ltd (PTS no. 6090) via their secure payment link or by bank transfer to their client account. We do not collect or store your card details.

Communications data

We keep records of our correspondence with you: by email, telephone, or other means: for the purpose of managing your booking and providing our service.

3. How We Collect Your Data

• Directly from you: via our website enquiry form, telephone, email, or our secure passport data form
• Via our website: when you use the contact or enquiry form on blueturtleescapes.co.uk
• From travel suppliers: booking confirmations and itinerary details received from airlines, hotels, cruise lines, and tour operators in connection with your booking

4. Our Lawful Basis for Processing

We rely on the following lawful bases under UK GDPR Article 6:

• Contract performance (Article 6(1)(b)): The primary basis for processing booking data, passport details, and payment information. We need this data to fulfil our contract with you to arrange your holiday.
• Legitimate interests (Article 6(1)(f)): For follow-up communications with existing clients, keeping records of past bookings, and general business administration. We have assessed that our legitimate interests do not override your rights.
• Legal obligation (Article 6(1)(c)): For retaining financial records as required by HMRC.
• Consent (Article 6(1)(a)): Where we send you marketing communications about new destinations, offers, or travel inspiration. You can withdraw consent at any time.
• Consent (Article 6(1)(a)): We rely on your clear consent to use non-essential cookies, such as those used for Google Analytics. You provide this consent via our cookie banner when you first visit our site.

Where you share medical or health information with us (for example, mobility requirements or dietary needs related to a health condition), we process this as special category data under Article 9(2)(a): with your explicit consent: or under Article 9(2)(b) where it is necessary to protect your vital interests.

5. How We Use Your Data

• To respond to your enquiry and discuss your holiday requirements
• To plan, quote for, book, and manage your travel arrangements
• To pass the necessary details to airlines, hotels, cruise lines, tour operators, and visa agencies to complete your booking
• To process payments securely through Protected Trust Services
• To send you booking confirmations, itineraries, travel documentation, and pre-departure information
• To contact you about your booking or in the event of travel disruption
• To maintain our business records and meet our legal obligations
• With your consent, to send you travel inspiration, destination guides, and information about our services

6. Who We Share Your Data With

We share your personal data only where necessary to fulfil your booking or meet a legal obligation. We never sell your data.

Travel suppliers

We share the relevant booking details (including passport information where required) with the suppliers needed to complete your holiday: airlines, hotels, cruise lines, tour operators, transfer companies, excursion providers, and similar. Each supplier operates under their own privacy policy and data protection obligations.

Visa agencies

Where your itinerary requires a visa, we may share your passport details and supporting information with the relevant visa processing agency or embassy.

Protected Trust Services

Your payment and financial protection data is processed by Protected Trust Services Ltd (PTS no. 6090), our financial protection provider. PTS acts as a data processor on our behalf and holds client funds in a protected trust account.

Our data processors

We use the following third-party platforms to operate our business. Each acts as a data processor on our behalf:

• TopDog Travel Systems (UK): our client relationship management system, where your booking records and contact details are stored securely
• JotForm Inc.: used to collect passport details via an encrypted form. JotForm's Encrypted Forms use zero-knowledge AES-256 encryption; neither JotForm nor anyone other than us can access the data
• FormSubmit.co: processes website enquiry form submissions and forwards them to our email address
• Google Ireland Limited: provides website analytics via Google Analytics. Google collects data such as your IP address and how you interact with our site to help us improve our services. This data is transmitted to and stored by Google on servers in the United States. Google Analytics is only activated with your consent via our cookie banner.

We do not share your data with any third party for marketing or any purpose unconnected with your travel booking without your explicit consent.

7. International Data Transfers

Booking international travel inevitably involves sharing data with suppliers in countries outside the UK. Airlines, hotels, cruise lines, and tour operators around the world will receive the details necessary to complete your reservation. Where we share data with suppliers outside the UK or European Economic Area (EEA), we rely on the supplier's own compliance with applicable data protection law, the use of Standard Contractual Clauses, or adequacy decisions made by the UK government.

If you have questions about a specific transfer relating to your booking, please contact us.

8. How Long We Keep Your Data

Type of Data	Retention Period	Reason
Passport details (number, expiry, place of birth, etc.)	Deleted within 90 days of your return from travel	Data minimisation: no continuing operational need after travel
Booking records (confirmations, itineraries, correspondence)	6 years from the date of the booking contract	Limitation Act 1980: potential for contractual claims
Financial records (invoices, payments, receipts)	7 years from the end of the relevant tax year	HMRC legal requirement
Enquiry data (where no booking results)	12 months from the date of enquiry	Legitimate interest in following up; deleted thereafter
Marketing consent	Until you unsubscribe or withdraw consent	Consent-based; you may withdraw at any time
Passport expiry date only (retained after trip)	Until the passport expires or you request deletion	Legitimate interest in alerting you to renewal requirements before future travel

9. Your Rights Under UK GDPR

You have the following rights in relation to your personal data. To exercise any of these rights, please contact us at rachael@blueturtleescapes.co.uk. We will respond within one month.

Please note that some rights apply only in certain circumstances, and we may need to retain data to fulfil a legal obligation even where you request deletion. We will always explain clearly if this is the case.

Automated decision-making: We do not use your personal data for automated decision-making or profiling that would produce legal effects or similarly significantly affect you.

10. Data Security

We take the security of your personal data seriously and use appropriate technical and organisational measures to protect it against loss, misuse, and unauthorised access. These include:

• Storage of your booking records and contact details in TopDog, a UK-based, password-protected CRM system
• Collection of passport details via JotForm Encrypted Forms: zero-knowledge AES-256 encryption, meaning only we can access the submitted data
• Secure password management and two-factor authentication on all accounts holding personal data
• A policy of not transmitting passport details by unencrypted email
• Prompt deletion of sensitive data once it is no longer needed

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, inform you directly without undue delay.

11. Cookies

Our website uses cookies to distinguish you from other users and to help us improve our site. For full details see our Cookies Policy.

Strictly necessary cookies

These are essential for the website to function, for example for security and form submissions. These cookies are set without your consent as they are required for the site to operate.

Analytical cookies

We use Google Analytics to understand how visitors use our site, for example which pages are most popular and how long people spend on them. This helps us improve our service. These cookies collect information in a way that does not directly identify anyone.

When you first visit our site, we will ask for your consent before setting any analytical cookies. You can change your mind or withdraw consent at any time by clearing your browser cookies or clicking the Cookie Settings link in our website footer.

12. Children's Data

Our services are not directed at children under the age of 16. Where we hold data relating to a child traveller: for example, passport details for a minor included in a family booking: this is provided by the parent or guardian who has parental responsibility, and is processed solely for the purpose of that booking.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our business practices or in the law. The current version will always be available on this page, with the date it was last updated shown at the top. For significant changes, we will notify existing clients by email.

14. Contact Us & How to Complain

If you have any questions about this policy, want to exercise your rights, or have concerns about how we have handled your data, please contact us:

If you are not satisfied with our response, or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): the UK's supervisory authority for data protection.

• Website: ico.org.uk
• Helpline: 0303 123 1113
• Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would always prefer the opportunity to address your concern directly before you contact the ICO, so please do get in touch with us first.