This Privacy Policy explains how Serko Limited and its group companies (collectively, “Serko”, “us”, “we” or “our”) collect, use, disclose, transfer, protect, store, and otherwise process your personal information. You can find a list of our group companies in our latest financial statements, which are located on our investor centre website.
This Privacy Policy is effective from 1 December 2020 (previous versions can be obtained by contacting us). We will need to update this Privacy Policy from time to time so we encourage you to check it regularly because any changes we make will be posted on this page. We may also email you or indicate on our home page that our Privacy Policy has been updated if changes are significant.
This Privacy Policy applies to our use of your “personal information” (which means any information that relates to an identified or identifiable natural person, either on its own or in combination with other information) when you:
This Privacy Policy does not apply to:
If you are in the European Union or the United Kingdom, or you are a resident of California, and you use our Services, this Privacy Policy does not apply to your personal information that we process on behalf of your organisation (i.e. our corporate customer). In the case of Zeno Travel, it also doesn’t apply to your personal information that we process on behalf of your organisation’s travel management company (if any) and/or business partners (for example, travel providers who process your personal information to facilitate your bookings). These entities’ use of your personal information will be governed by their terms and privacy policies, and we will process it under their direction (as a "processor" under the General Data Protection Regulation (“GDPR”) or a "service provider" under the California Consumer Privacy Act (“CCPA”)). If you have any questions or requests relating to these entities’ processing of your personal information, you should contact them directly.
Our Sites and Services are not intended for children and we do not knowingly collect or use any personal information from children.
We will collect, receive, use, process, store and transfer different kinds of personal information depending on the Sites and/or Services that you use. This might include:
Depending on the Sites and/or Services that you use, we may need to collect limited amounts of special or sensitive categories of personal information about you for the purposes described in section 5 (‘How We Use Your Personal Information’) below.
We may also collect, use, and share aggregated data for any purpose. Aggregated data could be derived from your personal information, but it is not considered personal information because it will not identify you.
If you do not agree with the terms of this Privacy Policy, please do not provide any personal information to us. However, while providing some personal information is optional, failing to provide certain personal information may unfortunately mean you are unable to use some parts of our Sites and/or Services and/or that we are unable to respond to your queries. This may mean we have to cancel a service you have with us, in which case we will notify you at the time.
If you apply for a job with us, then we will collect recruitment data about you including your education history, work experience, references, and other information submitted in your CV and/or cover letter and/or job application.
We collect and receive personal information in different ways depending on the Sites and/or Services that you use. This might include:
In certain situations, you may provide personal information to us about other individuals (such as your colleagues, customers, suppliers, directors or shareholders). If so, you warrant that you have all necessary notices, permissions, and consents in place to lawfully disclose such personal information to us to use in accordance with this Privacy Policy.
We collect and use your personal information for different purposes depending on the Sites and/or Services that you use. The main purposes are:
There will be times when we need to share your personal information with third parties for the purposes set out in this Privacy Policy. This might include:
We are a global business and your personal information may therefore be transferred to, and processed in, countries other than the country you live in – for example to Australia, New Zealand, the Republic of Ireland, the Netherlands, and Canada, where some of our offices and data centres are located. Whenever we internationally transfer your personal information, we put safeguards in place so your personal information is protected.
We have put in place appropriate technical and organisational security measures and procedures to try and prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Although we will take such measures to protect your personal information, by virtue of the nature of the internet, we cannot absolutely guarantee the security of your information transmitted online, and so any transmission is at your own risk. We have also put in place procedures to deal with breaches of personal information, and we will notify you and any applicable regulator of a breach where we are legally required to do so.
Where we have given you (or you have chosen) a password that enables you to access certain parts of our Sites and Services, you are responsible for keeping this password confidential and you must not share it with anyone.
We retain personal information we collect from you where we have an ongoing legitimate business need to do so in accordance with our data retention policies and practices (for example, in connection with the purposes described in this Privacy Policy, legal purposes, and/or for the purposes of satisfying any regulatory, tax, accounting or reporting requirements). Following that period, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been temporarily stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
You have rights under privacy and data protection laws in relation to your personal information. For example, you may have rights to:
You can exercise your rights by logging into your account and/or making a request to us using the contact details set out in section 13 (‘Contact Details’) below. In which case, please describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. Please note that we may request specific information (such as proof of address in some circumstances) and/or photo identification from you to help us confirm your identity and rights.
You can also ask us not to send you marketing communications by following the unsubscribe instructions contained in the marketing communication, clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you.
You can also set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. However, if you disable or refuse cookies used, you may not be able to access or use parts of our Sites and Services.
If you are in the European Union or the United Kingdom, the following information also applies to you with respect to your personal information:
A. Data Controller
Serko Limited is the controller of your personal information (except in the circumstances described in section 2 (‘Scope of Privacy Policy’) above).
We have appointed a data protection officer (“DPO”). If you have any questions or complaints about this Privacy Policy, including with regard to any request to exercise your rights in relation to your personal information, please contact the DPO using the details set out in section 13 (‘Contact Details’) below.
We have also appointed a representative to act on our behalf in relation to our obligations under the GDPR in Europe, details of which are set out below. You can also click here for more information on how to contact our representative.
DataRep
www.datarep.com/serko
B. Legal bases for processing your personal information
We may collect, use, and share your personal information:
C. Your rights
You have rights under privacy and data protection laws in relation to your personal information. For example, you may have the following rights:
You can exercise your rights as described in section 10 (‘Your Rights’) above. If you would like to request erasure of your personal information from our Services, please email remove.me@serko.com and state the Service that you wish to have your personal information removed from.
If you are not happy with the way we process your personal information, please let us know. You also have the right to make a complaint to your local information protection supervisory authority. Your local data protection authority will be able to give you more information on how to submit a complaint.
D. International transfers
Your personal information may be transferred internationally, including outside the EEA. Whenever we transfer your personal information outside the EEA, we put safeguards in place so your personal information is protected, for example transferring it to countries that have been deemed to provide an adequate level of protection for personal information and/or having approved transfer mechanisms in place to protect your personal information – such as using specific contracts approved by the European Commission. For more information, please contact us using the details set out in section 14 (‘Contact Details’) below.
If you are a resident of California, the following information also applies to you with respect to your personal information:
A. The personal information we collect, receive, and disclose
We will collect, receive, and disclose different kinds of personal information depending on the Sites and/or Services that you use. With reference to the categories of personal information set out in the CCPA, in the past 12 months we have collected the following personal information from the sources set out in section 4 (‘How We Collect And Receive Personal Information’) above, and disclosed it to the categories of third parties set out below (and as described in further detail at section 6 (‘How We Disclose Personal Information’) above) for business purposes:
CCPA category |
Includes |
Disclosed to |
Identifiers | Name, address, telephone number, and email address, Internet Protocol address, passport details, drivers licence details, and other similar identifiers | Serko group companies, customer(s), travel management companies, travel agents, and GDS operators (if any), service providers; business partners and third parties you authorise |
Characteristics | Gender, age, and national origin | Serko group companies, customer(s), travel management companies, travel agents, and GDS operators (if any), service providers, business partners and third parties you authorise |
Internet or other electronic network activity information | Online identifiers including device and IP address, browser type, operating system, and other information regarding your interactions with our Sites and Services | Serko group companies, customer(s), service providers, business partners and third parties you authorise. |
Commercial information | Purchase history and transactions, financial details, and payment information | Serko group companies, customer(s), travel management companies, travel agents, and GDS operators (if any), service providers, business partners and third parties you authorise, our professional advisors |
Geo-location data | Zip code, and general geolocation information (based on your IP address and/or travel itinerary and/or expense claims) | Serko group companies, customer(s), travel management companies, travel agents, and GDS operators (if any), service providers, business partners and third parties you authorise |
Audio, visual and other electronic data | Audio, electronic, visual and similar information such as images, call recordings, chat, and other interactions that you may have with us (such as for customer service purposes), and feedback or testimonials you provide about our Sites and Services | Serko group companies, customer(s), travel management companies, travel agents, and GDS operators (if any), service providers, business partners and third parties you authorise |
Professional and employment-related | Job title, industry and company | Serko group companies, customer(s), travel management companies, travel agents, and GDS operators (if any), service providers, business partners and third parties you authorise |
Inferences | Inferences drawn from any of the above personal information to create a profile or summary about you such as reflecting preferences/characteristics | Serko group companies, service providers |
We do not "sell" your personal information for the purposes of the CCPA.
B. Your rights
You have rights under privacy and data protection laws in relation to your personal information. For example, you may have rights to:
You can exercise your rights as described in section 10 (‘Your Rights’) above. You may also designate an authorised agent to make a request on your behalf, subject to proof of identity and authorisation.
If you have any questions about this Privacy Policy, please contact us at legal@serko.com. Otherwise, our mailing address is:
Attention: Legal Department
Serko Limited
Unit 14d, 125 The Strand
Auckland
New Zealand