Privacy Policy
Last updated: 18 March 2026
1. Who we are
Travel Provider Check is operated by [OPERATOR NAME], a sole trader registered in Scotland, United Kingdom.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller.
Contact: [email protected]
2. What data we collect and why
We collect only the personal data necessary to provide our service. The table below sets out what we collect, why, and the legal basis under UK GDPR Article 6.
| Data | Purpose | Lawful basis |
|---|---|---|
| Email address | Account creation, magic-link authentication, sending verification reports | Performance of a contract (Art. 6(1)(b)) |
| Search queries (URLs, company names) | Performing provider checks and generating reports | Performance of a contract (Art. 6(1)(b)) |
| Emails you forward to us | Analysing your travel dispute or booking issue | Performance of a contract (Art. 6(1)(b)) |
| IP address, browser type, device information | Security, fraud prevention, service improvement | Legitimate interests (Art. 6(1)(f)) |
| Cookies (strictly necessary only) | Session management, authentication | Legitimate interests (Art. 6(1)(f)); exempt from consent under PECR Reg. 6 |
We do not collect special category data (health, religion, biometrics, etc.). We do not use advertising or tracking cookies. We do not sell your data to third parties.
3. How we use your data
We use your personal data to:
- Authenticate you via magic-link email
- Run provider verification checks and deliver reports
- Analyse forwarded emails for travel dispute resolution
- Send you copies of reports you request via email
- Maintain and improve the security and performance of our service
We will never send you unsolicited marketing emails. If we introduce optional marketing in future, we will seek your explicit consent first.
4. Third parties who process your data
We share personal data only with processors who act on our instructions and are bound by data processing agreements:
- Brevo (Sendinblue) — transactional email delivery (magic links, reports). Data processed in the EU.
- Cloudflare — CDN, DDoS protection, email routing. Data processed in the EU/UK.
We may also disclose data if required by law, regulation, or court order.
We query the following public data sources as part of our checks. These queries contain only the company name or website URL you provide — not your personal data:
- ABTA, ABTOT, and ATOL public registers
- Companies House public API
- Trustpilot, Google Safe Browsing, FCA register
- Publicly accessible website content
5. International data transfers
Your data is primarily stored on servers located in the United Kingdom (Scotland). Our email and CDN processors (Brevo and Cloudflare) may process data in the EU/UK. The EU has an adequacy decision from the UK, meaning data can flow freely between the two. Where any processor operates outside the UK/EU, we rely on UK Standard Contractual Clauses or the UK International Data Transfer Agreement to safeguard your data.
6. How long we keep your data
| Data | Retention period |
|---|---|
| Account and email address | Until you delete your account, or 2 years of inactivity |
| Saved checks and reports | Per your chosen retention period (1 or 3 years), then auto-deleted |
| Forwarded emails and analyses | Until you delete them, or when your account is deleted |
| Server logs (IP, user agent) | 90 days |
| Unactivated accounts | 2 days, then automatically deleted |
7. Cookies
We use only strictly necessary cookies for session management and authentication. These are exempt from consent requirements under the Privacy and Electronic Communications Regulations (PECR) 2003.
We do not use analytics cookies, advertising cookies, or any third-party tracking scripts (no Google Analytics, no Meta Pixel, no similar services).
8. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Access — request a copy of the personal data we hold about you (Subject Access Request)
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data ("right to be forgotten"). You can delete your account at any time from your account settings.
- Restriction — ask us to limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, email us at [email protected]. We will respond within one calendar month.
9. Automated decision-making
Our provider verification checks use automated processing (including AI-assisted analysis) to generate risk signals and reports. These outputs are informational only and do not produce legal effects or similarly significant effects on you. No automated decisions are made about your rights, access to services, or financial standing.
10. Children
Our service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Security
We take appropriate technical and organisational measures to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Encrypted database storage
- Passwordless authentication (magic links) to reduce credential theft risk
- Principle of least privilege for system access
- Regular security reviews
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via a notice on our website. The "Last updated" date at the top will always reflect the current version.
13. Complaints
If you are unhappy with how we handle your data, please contact us first at [email protected] so we can try to resolve the issue.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113