Protecting and using your personal data responsibly is very important to us. This Privacy Policy lets you know what happens to any personal data that you provide to us, or any that may we collect about you.
This policy applies only to personal information processed by or on behalf of BookOTel LTD t/as arrangeMY and Integrated Business Travel LTD t/as arrangeMY travel.
We may collect information from you when you visit our website, make a booking, have a booking made on your behalf, contact us by telephone or email or receive a communication from us relating to your service.
If you are making a booking on behalf of another traveller, you should draw their attention to this policy which sets out how we will use their information.
What personal information do we collect, and why?
We use the data we collect about you for various purposes. European data protection legislation sets out specific “lawful basis” for processing personal data. The table below sets out under which basis we process different information about you, and explains the purpose of that processing. It also sets out the specific rights you have in respect of that processing, which may depend on the basis we process it for.
We respect the privacy of every individual who visits the Internet Website located at www.arrangemy.com (the “Site”).
Protecting and using your personal data responsibly is very important to us. This Privacy Policy lets you know what happens to any personal data that you provide to us, or any that may we collect about you.
This policy applies only to personal information processed by or on behalf of BookOTel LTD t/as arrangeMY and Integrated Business Travel LTD t/as arrangeMY travel.
We may collect information from you when you visit our website, make a booking, have a booking made on your behalf, contact us by telephone or email or receive a communication from us relating to your service.
If you are making a booking on behalf of another traveller, you should draw their attention to this policy which sets out how we will use their information.
What personal information do we collect, and why?
We use the data we collect about you for various purposes. European data protection legislation sets out specific “lawful basis” for processing personal data. The table below sets out under which basis we process different information about you, and explains the purpose of that processing. It also sets out the specific rights you have in respect of that processing, which may depend on the basis we process it for.
| Consent | To perform our contract with you, or for a travel provider to perform their contract with you | To comply with a legal obligation | Our legitimate interest | |
|---|---|---|---|---|
| Name | X | X | X | |
| Contact details | X | X | X | X |
| Address | X | X | ||
| Advance Passenger Information | X | X | ||
| Perferences | X | X | ||
| Payment Card Information | X | X | ||
| Information about the booking | X | X | X | |
| Communications with us | X | X | X | |
| Loyalty Scheme Information | X | X |
We may use any of your personal data in connection with any complaint made relating to our service to you, or in respect of reviewing any legal rights or obligations, either on the basis of performing our contract with you or in our legitimate interests to resolve any dispute. We may share any of your personal data with a prospective purchaser or purchaser of any part of our business, on the basis of our legitimate interests and the interests of our purchaser, so that they can appropriately value the business and assess any risks and continue doing business with you after the acquisition.The travel data that we store may include: name, address, email address, travel destinations, travel schedules, seating preferences, smoking or non-smoking accommodations, meal preferences and reservation information, as well as passport details.
The provision of APIS information is a requirement when booking certain travel including flights, and failure to do so will mean that you are unable to travel. Otherwise, providing your personal information is not a legal requirement, however, the information requested on our website or notified to you as being required when you speak to a Business Travel Consultant is required in order for us to provide the travel services, as we are unable to make bookings and appropriately manage the service without this information.
When servicing a given corporate client, we may create a “Traveller Profile” with travel data for each traveller, which is kept on file as a reference document and consulted each time a reservation is to be made. When a reservation is made, a “passenger name record” (PNR) is created, which contains all of the information, needed to fulfil the travel request of each traveller.
Details relating to any transactions will be encrypted to ensure their safety. Transmission of information online is not 100% secure and we cannot guarantee the security of data sent to us in this way. Transmission of data over the internet is at your own risk. You are responsible for keeping your password to access arrangeMY trip.
Who we share personal information with and international transfers
In addition to creating Traveller Profiles and PNRs, AM uses the travel data with the consent of the traveller for the following travel and other travel-related purposes.
Travel providers: When you book travel through our services, we provide your information to the suppliers of those travel services, which may be a third party intermediary such as an airline, hotel or car hire company directly. You will know when you are making the booking who the booking will be with and is often requested on your behalf.
They will use this information as a “data controller” – this means that how they process your travel information should be set out in their own privacy policies, and they have their own responsibilities to comply with data protection laws.
Your employer: If you are using arrangeMY trip to book employment related travel which is paid for by your employer, we may share information about the travel booked with your employer. They will use also this information as a “data controller” – this means that how they process your travel information should be set out in their own privacy policies, and they have their own responsibilities to comply with data protection laws.
Your team administrator/booker: If you have travel booked on your behalf by someone else (either an administrator appointed by your employer, or a team administrator who has booked personal travel for you), they will have access to the information that you have given them to input onto arrangeMY trip.
Service providers: We use third party service providers to support our provision of the service. These include travel intermediaries, and other, less direct business functions, including IT support or hosting our data on cloud platforms.
We will have in place an agreement with our service providers which will restrict how they are able to process your personal information.
If you request a booking which is made with a travel services provider outside the European Economic Area (for example a hotel in New York), we may transfer your personal data to that travel service provider in order to perform our contract with you and make your booking with them.
How long do we keep your information for?
We will retain your personal information within arrangeMY trip and our back office in-house systems whilst you are an active client, for a period of up to seven years after you have left the service. Information held on arrangeMY trip may be deleted one year after you have stopped being an active client.
In certain circumstances, we may be required to retain your personal information for longer. Such retention is required by law or record keeping requirements, including managing our relationship with you, defending any claims, or for tax purposes.
Requesting your rights
You may request any of the rights outlined above by emailing bookings@arrangemy.com
Please contact us if you have any concern about how your personal information is processed at bookings@arrangemy.com and we will try to resolve your concerns. However, if you consider that we are in breach of our obligations under data protection laws, you may lodge a complaint with the Information Commissioner’s Office.
ISO 27001
In the addition to the above we are also proud to announce arrangeMY are one of only a small selection of Travel Management companies to be certified ISO 27001 compliant, a widely-recognised international security standard.
We know how important it is for our customers to feel we are delivering security management best practices and comprehensive security controls. This accreditation demonstrates our commitment to deliver the best business travel services to our customers across the globe.
The ISO 27001 certification requires us to continually:
arrangeMY welcomes the ISO 27001 standard and best practices into our organisation. The certification confirms our longstanding commitment to the security of our services to our customers. Going through the certification process confirms that we are addressing each element of the ISO standard and that our management practices follow internationally-recognised best practices.
The key to the ongoing certification under this standard is the effective management of a rigorous security program. The Information Security Management System (ISMS) required under this standard defines how we perpetually manage security in a holistic, comprehensive way.
Certification means a third party accredited independent auditor has performed an assessment of our processes and controls and confirms they are operating in alignment with the comprehensive ISO 27001 certification standard.
What does this mean to me as a customer?
Our ISO 27001 certification demonstrates our commitment to information security at every level. Compliance with this internationally recognised standard, validated by an independent third-party audit, confirms that our security management program is comprehensive and follows leading practices. This certification provides more clarity and assurance for customers evaluating the scope of our security practices.
Which arrangeMY locations are covered?
arrangeMY ISO 27001 accreditation covers our Head Office address based in Worcester, Worcestershire and our Data Centre in Media City, Manchester and IT Tech Team in Ombersley, Worcestershire all located within the UK.
What arrangeMY services are in scope for the ISO 27001 certification?
The scope of arrangeMY’s Information Security Management System (“ISMS”) covers the business processes and information assets supporting the operational duties and services that arrangeMY conduct.
These include core systems and operations supporting customer-facing applications, related hardware, infrastructure, personnel, facilities and traveller data, under arrangeMY control or managed by arrangeMYTrip – SABScorp and arrangeMYData – Travelogix.
The objectives of the ISMS are to ensure the confidentiality, integrity, and availability of information assets through controls identified above.
Google Analytics
This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States .
Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.
You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.
External Websites
BookOTel Ltd T/as arrangeMY encourages you to review the privacy statements of Web sites you choose to link to from BookOTel Ltd T/as arrangeMY so that you can understand how those Web sites collect, use and share your information.
BookOTel Ltd T/as arrangeMY is not responsible for the privacy statements or other content on Web sites outside of the BookOTel Ltd T/as arrangeMY Web site.
Changes to our Internet Privacy Policy
Any changes to this Internet Privacy Policy will be posted here, so please check our Internet Privacy Policy each time you visit the Site.
Contact Information
BookOTel Ltd T/as arrangeMY welcomes your comments regarding this Statement of Privacy. If you believe that arrangeMY has not adhered to this Statement, please contact us using the below details:
BookOTel Ltd T/as Building 7, Berkeley Business Park, Wainwright Road, Worcester, WR4 9FA.
Tel 01905 610016, email bookings@arrangemy.com
We will use commercially reasonable efforts to promptly determine and remedy the problem
The travel data that we store may include: name, address, email address, travel destinations, travel schedules, seating preferences, smoking or non-smoking accommodations, meal preferences and reservation information, as well as passport details.
We may use any of your personal data in connection with any complaint made relating to our service to you, or in respect of reviewing any legal rights or obligations, either on the basis of performing our contract with you or in our legitimate interests to resolve any dispute. We may share any of your personal data with a prospective purchaser or purchaser of any part of our business, on the basis of our legitimate interests and the interests of our purchaser, so that they can appropriately value the business and assess any risks and continue doing business with you after the acquisition.
The provision of APIS information is a requirement when booking certain travel including flights, and failure to do so will mean that you are unable to travel. Otherwise, providing your personal information is not a legal requirement, however, the information requested on our website or notified to you as being required when you speak to a Business Travel Consultant is required in order for us to provide the travel services, as we are unable to make bookings and appropriately manage the service without this information.
When servicing a given corporate client, we may create a “Traveller Profile” with travel data for each traveller, which is kept on file as a reference document and consulted each time a reservation is to be made. When a reservation is made, a “passenger name record” (PNR) is created, which contains all of the information, needed to fulfil the travel request of each traveller.
Details relating to any transactions will be encrypted to ensure their safety. Transmission of information online is not 100% secure and we cannot guarantee the security of data sent to us in this way. Transmission of data over the internet is at your own risk. You are responsible for keeping your password to access arrangeMY trip.
Who we share personal information with and international transfers
In addition to creating Traveller Profiles and PNRs, AM uses the travel data with the consent of the traveller for the following travel and other travel-related purposes.
Travel providers: When you book travel through our services, we provide your information to the suppliers of those travel services, which may be a third party intermediary such as an airline, hotel or car hire company directly. You will know when you are making the booking who the booking will be with and is often requested on your behalf.
They will use this information as a “data controller” – this means that how they process your travel information should be set out in their own privacy policies, and they have their own responsibilities to comply with data protection laws.
Your employer: If you are using arrangeMY trip to book employment related travel which is paid for by your employer, we may share information about the travel booked with your employer. They will use also this information as a “data controller” – this means that how they process your travel information should be set out in their own privacy policies, and they have their own responsibilities to comply with data protection laws.
Your team administrator/booker: If you have travel booked on your behalf by someone else (either an administrator appointed by your employer, or a team administrator who has booked personal travel for you), they will have access to the information that you have given them to input onto arrangeMY trip.
Service providers: We use third party service providers to support our provision of the service. These include travel intermediaries, and other, less direct business functions, including IT support or hosting our data on cloud platforms.
We will have in place an agreement with our service providers which will restrict how they are able to process your personal information.
If you request a booking which is made with a travel services provider outside the European Economic Area (for example a hotel in New York), we may transfer your personal data to that travel service provider in order to perform our contract with you and make your booking with them.
How long do we keep your information for?
We will retain your personal information within arrangeMY trip and our back office in-house systems whilst you are an active client, for a period of up to seven years after you have left the service. Information held on arrangeMY trip may be deleted one year after you have stopped being an active client.
In certain circumstances, we may be required to retain your personal information for longer. Such retention is required by law or record keeping requirements, including managing our relationship with you, defending any claims, or for tax purposes.
Requesting your rights
You may request any of the rights outlined above by emailing bookings@arrangemy.com
Please contact us if you have any concern about how your personal information is processed at bookings@arrangemy.com and we will try to resolve your concerns. However, if you consider that we are in breach of our obligations under data protection laws, you may lodge a complaint with the Information Commissioner’s Office.
ISO 27001
In the addition to the above we are also proud to announce arrangeMY are one of only a small selection of Travel Management companies to be certified ISO 27001 compliant, a widely-recognised international security standard.
We know how important it is for our customers to feel we are delivering security management best practices and comprehensive security controls. This accreditation demonstrates our commitment to deliver the best business travel services to our customers across the globe.
The ISO 27001 certification requires us to continually:
• Systematically evaluate our information security risks, taking into account the impact of company threats and vulnerabilities
• Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks
• Adopt an overarching management process to ensure that the information security controls meet the our information security needs on an ongoing basis arrangeMY welcomes the ISO 27001 standard and best practices into our organisation. The certification confirms our longstanding commitment to the security of our services to our customers. Going through the certification process confirms that we are addressing each element of the ISO standard and that our management practices follow internationally-recognised best practices.
The key to the ongoing certification under this standard is the effective management of a rigorous security program. The Information Security Management System (ISMS) required under this standard defines how we perpetually manage security in a holistic, comprehensive way.
Certification means a third party accredited independent auditor has performed an assessment of our processes and controls and confirms they are operating in alignment with the comprehensive ISO 27001 certification standard.
What does this mean to me as a customer?
Our ISO 27001 certification demonstrates our commitment to information security at every level. Compliance with this internationally recognised standard, validated by an independent third-party audit, confirms that our security management program is comprehensive and follows leading practices. This certification provides more clarity and assurance for customers evaluating the scope of our security practices.
Which arrangeMY locations are covered?
arrangeMY ISO 27001 accreditation covers our Head Office address based in Worcester, Worcestershire and our Data Centre in Media City, Manchester and IT Tech Team in Ombersley, Worcestershire all located within the UK.
What arrangeMY services are in scope for the ISO 27001 certification?
The scope of arrangeMY’s Information Security Management System (“ISMS”) covers the business processes and information assets supporting the operational duties and services that arrangeMY conduct.
These include core systems and operations supporting customer-facing applications, related hardware, infrastructure, personnel, facilities and traveller data, under arrangeMY control or managed by arrangeMYTrip – SABScorp and arrangeMYData – Travelogix.
The objectives of the ISMS are to ensure the confidentiality, integrity, and availability of information assets through controls identified above.
Google Analytics
This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States .
Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.
You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.
External Websites
BookOTel Ltd T/as arrangeMY encourages you to review the privacy statements of Web sites you choose to link to from BookOTel Ltd T/as arrangeMY so that you can understand how those Web sites collect, use and share your information.
BookOTel Ltd T/as arrangeMY is not responsible for the privacy statements or other content on Web sites outside of the BookOTel Ltd T/as arrangeMY Web site.
Changes to our Internet Privacy Policy
Any changes to this Internet Privacy Policy will be posted here, so please check our Internet Privacy Policy each time you visit the Site.
Contact Information
BookOTel Ltd T/as arrangeMY welcomes your comments regarding this Statement of Privacy. If you believe that arrangeMY has not adhered to this Statement, please contact us using the below details:
BookOTel Ltd T/as Building 7, Berkeley Business Park, Wainwright Road, Worcester, WR4 9FA.
Tel 01905 610016, email bookings@arrangemy.com
We will use commercially reasonable efforts to promptly determine and remedy the problem
This policy will be reviewed every 12 months from April 2023
Signed:
Dated: 20/04/23
arrangeMY’s (AM) focus is to provide business travel services to the employees of businesses with whom they work alongside and for. In doing so, AM receives individual data from the employees.
Why the laws apply to us and why AM needs to obtain the consent of the traveller:
Data protection laws apply to the information received by AM because that data can be used to identify an individual person.
The purpose of data protection is to protect an individual’s rights by keeping personal data secure and by regulating its processing, so that it may be used only for the purpose for which it was given/collected.
Information that we store:
The travel data that we store may include: name, address, email address, travel destinations, travel schedules, seating preferences, smoking or non-smoking accommodations, meal preferences and reservation information, as well as passport details and next of kin information.
When servicing a given corporate client, AM may create a “Traveller Profile” with travel data for each traveller, which is kept on file as a reference document and consulted each time a reservation is to be made. When a reservation is made, AM creates a “passenger name record” (PNR), which contains all of the information, needed to fulfil the travel request of each traveller. Based on the travel expenses incurred by travellers of each corporate client, AM produces reports that summarise and analyse the travel trends of that client.
What we do with the information:
In addition to creating Traveller Profiles and PNRs, AM uses the travel data with the consent of the traveller for the following travel and other travel-related purposes.
Reservations: AM may need to transfer travel data to various third party travel suppliers and computer reservation systems for the purposes of making reservations within the traveller’s home country or to another country where the traveller may be travelling.
Consolidation of Travel Data: At the request of the corporate client (the traveller’s employer), AM or a third party prepares information reports that summarise and analyse the travel expenditures per destination, per travel supplier, etc.
Compliance with Travel Policy: Also at the request of the corporate client, AM may report on the compliance of the travellers with the travel policy of the client and identify any exceptions to the compliance.
Collecting Travel Payments: AM may transfer travel data to third parties in the traveller’s home country or in another country for the purpose of collecting payments related to travel reservations.
New products and Services: Also with the goal of improving service and based on the data given to AM, we may send additional information to the traveller if it applies to his/her trip. An example would be a list of restaurants near a specific hotel, in a specific city.
AM as a Data Controller or a Data Processor:
AM proposes two options:
1. AM is Data Controller: AM needs to collect the consent of each traveller
2. Client is Data Controller: AM is data processor while the Client manages the traveller consent process internally.
Measures we are taking:
AM is implementing, step-by-step, a process through which we will standardise the way our company and its affiliates handle travel data.
Transfer to Third Parties: Prior to a transfer, third parties (except for travel suppliers such as the airlines, computer reservation systems, hotels, etc.) may be required to sign a transfer agreement with AM, which requires them to follow the applicable data protection laws. This will ensure that even if the laws governing the third party are less strict than our standards, the level of protection that the traveller’s data receives will be consistent. For instance, data consolidators are required to sign an agreement.
Security: Pursuant to the various data protection laws, AM is implementing appropriate technical and organisational measures to protect the personal travel data, obtained from our clients’ travellers, against accidental or unlawful disclosure or destruction. The measures are being determined for each department, according to their handling of the travel data.
Destruction: Under many data protection laws, personal data must be destroyed after a certain period of time. AM keeps travel data only as long as required by law, a period of time which may vary according to the requirements for the various internal departments.
Our policy may be subject to additional requirements in compliance with local legislation in certain countries (please see below, under “Notes”).
Infrequent travellers: If the client provides personal data to us about a traveller, they must ensure that they are entitled to disclose that data to us and that without us taking any further steps required by privacy/data protection laws, we may collect, use and disclose such information for the purposes described above. For example, the client should take reasonable steps to ensure the individual traveller concerned is aware of the various matters detailed in this AM Privacy/Data Protection Policy as those matters relate to that individual, including our identity, how to contact us, our purposes of collection, our information disclosure practices, the individual’s right to obtain access to the data and the consequences for the individual if the data is not provided.
Travellers’ rights:
The traveller’s principal rights are to: amend his/her personal data, and upon written request and payment of a statutory fee or if none, a reasonable fee, to receive from AM, within a reasonable amount of time, a copy of his/her Traveller Profile (for data held by third parties, please contact the third party), Know how his/her data is being processed, for what purpose and who is doing the processing, Choose whether or not to receive unsolicited services/direct marketing/information on other travel products and services, Revoke consent to the DPS (upon written request) or refuse to provide information.
Please note that if a traveller chooses not to agree, or to revoke consent to, the details explained in the Data Protection Policy, AM cannot accept his/her travel data and cannot service the traveller. If this is the case, we encourage the traveller to contact his/her employer. In issuing this document to a client AM assumes all information provided to them is in agreement to its Data Protection Policy.
This policy will be reviewed every 12 months from April 2023
Signed:
Dated: 16/04/23
Statement under section section 54(1) of the Modern Slavery Act 2015
arrangeMY (BookOTel Ltd and Integrated Business Travel Ltd t/as arrangeMY) recognises that modern slavery and human trafficking are significant global issues presenting a challenge for businesses worldwide. Although arrangeMY doesn’t legally have to provide this statement, the ethical and moral responsibilities are seen as critical in the day-to-day operations and supply chain in arrangeMY, therefore the decision has been made to produce this statement to sit aside other processes and documentation regarding Modern Slavery. arrangeMY has a zero-tolerance approach to modern slavery and is committed to acting ethically in all aspects of business.
Our business and supply chains
arrangeMY is a Travel Management Company that employs 73 staff. All employees are directly employed and are not in any category which is generally seen to be vulnerable to modern slavery in this country. We encourage transparency in our supply chains; arrangeMY is committed to having an ongoing and open dialogue, with intent to obtain full validation of standards with its suppliers, and working with them to ensure robust preventative measures are in place and we will continue to seek confirmations over the course of all business commitments.
Supporting Policies
arrangeMY makes explicit the following policies reflecting its commitment to acting ethically and with integrity in all its business relationships:
Ethical Trading and Modern Slavery Policy
Equality and Diversity Policy
Due diligence processes for slavery and human trafficking
As part of our initiative to identify and mitigate slavery and human trafficking, we take measures to:
Mitigate the risk of slavery and human trafficking occurring in our supply chains.
Enhancing awareness and knowledge of our staff with training to assist them in identifying and understanding the risks of slavery and human trafficking.
We endeavour to continually review, monitor and assess any potential risks with suppliers.
Supplier adherence to our values
arrangeMY has a zero-tolerance approach to slavery and human trafficking and we expect our suppliers and contractors to uphold the same values. arrangeMY will not conduct business knowingly with anyone engaged in slavery and human trafficking practices or knowingly permit them to be carried out in any part of our business. Our standard supplier terms and conditions include applicable anti-slavery provisions with the expectation that suppliers meet the high standards we adhere to.
Annual Training
To ensure a high level of understanding of the risks of modern slavery and human trafficking in our supply chains and our business, we have implemented annual training to our staff to assist them in identifying and preventing exploitation. We continue to improve our processes, benchmark our standards, and audit our approach against regulatory requirements and available guidance.
