Data Protection White Paper
Last update
Introduction
Holibob is committed to opening a world of possibilities for travellers, tour operators and travel brands by pioneering solutions for discovering and booking things to do. We provide a range of technology solutions to our clients (or partners) to give them a better connection with their customers, so that those customers receive a tailored and personalised experience during their travels.
We value your trust and understand the importance of ensuring that personal data is properly protected and used responsibly. This white paper aims to provide a simple, easy-to-understand overview of how we handle our clients' personal data and what measures we have put in place to keep risk to a minimum.
Privacy by design
First and foremost, a key element of privacy and data protection compliance is a concept called privacy by design. This means implementing (or ‘baking in’) privacy-friendly measures from the outset into our technology and ensuring that processing of personal data is as minimally intrusive as possible (this is called data minimisation and is one of the 6 principles of the GDPR). Our technology does just that.
Our marketing platform services
When using our services, your organisation remains the data controller of the data you provide us. We act as data processor on our partners’ behalf with regard to certain services, in particular our marketing platform and customer communications services.
As part of our marketing services, with your agreement and approval, we can send communications on your behalf (via WhatsApp, SMS or email) directly to your opted-in customers. In particular, these communications can offer your customers tours and experiences relevant to them. Here’s how it works:
You provide us with the data for your customers who have upcoming bookings (e.g. a flight or hotel)
We store the data in a specific sub-account within our trusted CRM automation tool, so that it is kept separate from the data we hold for our other partners (each of which has its own sub-account)
We can use the CRM tool to send, on your behalf, an initial transactional message to your customers to enquire if everything went okay with the preliminary booking (the nature of the message would of course vary between each partner to meet their specific needs)
After this initial reach out, we can also enquire, on your behalf, about your customers’ trip preferences. These responses are passed back to our system, which allows us to optimise experiences considered to be most relevant to the customer
The customer can then be provided with a referral URL, which directs them to a white-labelled web app (with your business’s branding) that displays a customised selection of experiences offered to that customer.
White label
We also develop, operate and maintain partner-branded websites, through which tours and experiences can be promoted and sold to customers. We refer to this as our white label website service. Here, Holibob acts as a controller on the basis that, among other things, we host, operate and maintain the site, transact with the customer and collect customer details for our own record-keeping. Regardless of whether we act as controller or processor, though, security of customer data is always a priority for us. As part of the website package, we also enable cookie opt-in mechanisms and include a privacy policy.
How do we keep data secure?
We understand that security of customer data will be a key concern for our clients. In addition to the measures explained above, we implement appropriate technological and organisational measures to ensure your customers’ data is kept secure. Some examples are set out below.
When managing our partners’ data as part of providing the marketing platform, we:
provide a secure channel for partners to pass data to us (which will be partner-specific so we can tailor a solution that works for each of our partners)
will not store any personal data on internal Holibob data warehouses; this data will be passed to and stored directly on our marketing automation tool
ensure that customer data is masked to everyone within Holibob except those administrators who need access in order to provide the service
cleanse data no longer required in a timely manner and in accordance with our arrangements with you.
We keep and maintain appropriate IT, security and data protection policies internally. In addition, we have robust processes in place that review staff access to systems and respond promptly to any security threats.
In addition, all web-facing systems are securely served over HTTPS and will generally be configured, in collaboration with our partners’ own security teams, to operate at subdomains of their primary domain, as this has been shown to greatly increase customer trust and conversion.
Our agreements with our partners
Our partner agreements are subject to our general terms and conditions which contain the necessary provisions as required by applicable data privacy laws and which help ensure personal data is appropriately safeguarded. These set out your and our obligations in respect of compliance with those privacy laws, including appropriate clauses, where applicable, governing international data transfers.
Our servers
We recognise our partners’ concerns regarding the locations of our servers. All Holibob systems are hosted on Amazon AWS with primary systems located in the Republic of Ireland (EU) and backup systems in the United Kingdom.
Selecting providers
When selecting any potential provider involved in the processing of personal data, we undertake appropriate due diligence on that provider to ensure that, among other things, security of data is maintained at the highest level. We would also ensure that our agreements with any selected providers are compliant with applicable data privacy requirements.
Where it is necessary to transfer personal data to a provider based outside the UK and/or EU, and within a country with no EU or UK adequacy decision, we would carry out the necessary risk assessments and put in place the appropriate safeguards, such as standard and contractual clauses in our contract with that provider, to ensure protection of that personal data and adherence to data privacy laws.
Individual rights requests
We recognise that, under applicable data privacy laws, individuals have certain rights concerning their data, including the right to access data held about them, to have their data deleted, to object to certain types of processing, and to unsubscribe from receiving communications. Our technology is set up to comply with any such data requests made by individuals, making it simpler to meet your and our respective obligations under those laws. Where we act as the processor, we can easily retrieve and delete an individual customer’s personal data upon request from our partner.
Collaboration with our clients
We understand that transparency with customers regarding how their data is used is important for the customer experience and also for our partners. It is of course the partner’s responsibility to ensure that it meets all the necessary requirements of data protection and privacy laws applicable to it (including ensuring that it has obtained the necessary consents and provided the required notices in accordance with such laws). That being said, we always adopt a collaborative approach with our partners to help meet any concerns they may have in this area.
Further information
For further information regarding Holibob’s privacy practices, please email partnersuccess@holibob.tech.