Highland Tour Privacy Policy


1. Introduction

Welcome to Highland Tour ("we," "our," or "us"). We are a private tour operator based in Scotland, committed to protecting your privacy and safeguarding your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you book a tour with us, use our website highlandtours.uk , or otherwise interact with our services.

We are the data controller and are responsible for your personal data.

By providing us with your personal data, you acknowledge you have read and understood this policy.

2. The Information We Collect

We collect various types of personal data to provide you with exceptional and safe touring experiences across Scotland.

A. Personal Data You Provide to Us:

· Identity & Contact Data: Name, title, email address, phone number, pick up location .
· Booking & Financial Data: Billing address, payment card details (processed securely by our payment provider), booking history, and tour preferences.
· Special Category Data: We may collect health information relevant to your tour participation, such as mobility issues, dietary restrictions (e.g., allergies), or other medical conditions. We only collect this with your explicit consent to ensure your safety and well-being during the tour.

B. Data Collected Automatically:

· Technical Data: Internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
· Usage Data: Information about how you use our website, products, and services.
· Cookies: Our website uses cookies to distinguish you from other users. This helps us to provide you with a good experience and allows us to improve our site. You can set your browser to refuse all or some browser cookies.

C. Data from Third Parties:
We may receive personal data about you from:

· Travel Agents & Booking Platforms: Such as Tripadvisor, Viator, or Airbnb Experiences.
· Accommodation Partners: Hotels or B&Bs that book a tour on your behalf.
· Publicly Available Sources: Including publicly available information on social media platforms, where relevant and proportionate.

3. How We Use Your Personal Data (Our Legal Basis)

We will only use your personal data when the law allows us to. Our primary legal bases under UK GDPR are:

Purpose / Activity Type of Data Lawful Basis for Processing
To register and manage your booking Identity, Contact, Financial Performance of a contract with you
To manage payments and fees Identity, Contact, Financial Performance of a contract, Legal Obligation (for accounting)
To respond to enquiries and provide customer service Identity, Contact Legitimate Interests (to grow and run our business)
To ensure your safety and provide a tailored experience Identity, Special Category (Health) Explicit Consent (for health data) / Vital Interests
To send marketing communications & special offers Identity, Contact, Marketing Consent (you can opt-out at any time) or Legitimate Interests (for existing customers - 'soft opt-in')
To comply with legal obligations (e.g., tax records) Identity, Contact, Financial Legal Obligation
To improve our website and services Technical, Usage Legitimate Interests (to develop our products and services)

4. How We Share Your Personal Data

We may share your personal data with the following parties, who are required to handle it confidentially and securely:

· Your Private Guide: Essential information (your name, contact details, and any critical health/dietary information) is shared with your guide to deliver your tour.
· Service Providers: Payment processors, email marketing platforms (e.g., Mailchimp), IT and system administration services, and booking management software.
· Third-Party Transport & Venues: Where necessary to book specific elements of your tour (e.g., ferry companies, private distillery tours, hotel lunches).
· Public Authorities: Where required by law, such as HMRC for tax purposes.
· Professional Advisers: Lawyers, bankers, auditors, and insurers.

We do not sell or trade your personal data.

5. International Transfers

We primarily store and process your data within the UK. If we ever need to transfer your data outside the UK (for example, if using a cloud service based in the US), we will ensure a similar degree of protection is afforded to it by using approved legal mechanisms.

6. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way. These include encryption, secure servers, and access controls. We limit access to your personal data to those employees, guides, and partners who have a business need to know.

7. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

· Financial and booking records are typically retained for 7 years for HMRC compliance.
· Marketing contact data is retained until you withdraw your consent or opt-out.
· Special Category Data (e.g., health information) is deleted immediately after your tour concludes, unless retaining it is vital for ongoing care or legal claims.

8. Your Legal Rights

Under UK data protection law, you have rights including:

· The right to access – You have the right to request copies of your personal data.
· The right to rectification – You have the right to request that we correct any information you believe is inaccurate.
· The right to erasure – You have the right to request that we erase your personal data, under certain conditions.
· The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.
· The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.
· The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.

You are not required to pay any charge for exercising your rights. Please contact us using the details below to make a request.

You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns first.

9. Contact Us

If you have any questions about this privacy policy or our privacy practices, please contact us:

Highland Tour
Email: office@highlandtour.uk
Phone: +447492274415
Address: 159 Miller Street Inverness

---

Why this is tailored for Scotland/UK:

· UK GDPR & Data Protection Act 2018: The template is framed around this specific legislation.
· ICO: It explicitly names the ICO as the relevant supervisory authority.
· Legal Bases: It clearly outlines the lawful bases for processing as required by UK GDPR, including the important distinction for "Special Category Data" (like health information) which requires explicit consent.
· 'Soft Opt-in' for Marketing: It acknowledges the PECR "soft opt-in" rule common in the UK, which allows for marketing to existing customers about similar services.
· HMRC Retention: It specifies the 7-year retention period for financial records, which is a key requirement for UK businesses.
· Scottish Context: It uses examples relevant to a Scottish tour operator (e.g., ferry companies, distilleries).