Privacy Policy

Your privacy is important to us. This privacy policy (“the Policy”), explains how we process the personal data that we collect or receive from use of our software and online services, including our website , app and online booking tools (services).

This policy is provided in a layered format so you can click through to the specific areas set out below. Alternatively you can download a pdf version of the policy here.

Please check the Glossary at the end of the document to understand the meaning of some of the terms used in this Policy.

1.     Who we are

1.1           Serko and subsidiaries: Serko Limited (Serko, we, us or our) has a number of subsidiaries in different global location. Details of each of those subsidiaries can be found here. Only Serko Australia Pty Limited, Serko Inc., Foshan Sige Information Technology Limited and Serko India Private Limited process personal data.

1.1          What we do: Serko provides corporate travel and expense management services and software either directly to our corporate customers (customers) or indirectly through our network of third-party travel management companies (TMCs).

1.2          How we interact with your personal data: Our customers use our services to plan, book and manage business travel and corporate expenses on behalf of end users, who are typically their staff. This policy applies to all personal data that we process, whether we have collected it directly from an end user or we have received it from someone else using our services to book travel or manage expenses on behalf of an end user (for example, whomever is responsible for booking travel and/or processing expenses for the end user’s employer). References to youthroughout this Policy will be to any end user whose personal data we process, regardless of how or by whom it was collected.

1.3          TMCs and GDS: We use a network of TMCs and other third parties like Global Distribution System (GDS) operators, travel providers, expense management suppliers and credit card service providers when providing our services around the world. This Policy only covers how Serko processes your personal data. We are not responsible for the privacy practices of any TMC or any other third party, including your employer when they are our customer. If you have any questions about how a TMC or your employer handles your personal data when booking or managing your travel or expenses on your behalf, please contact them directly.

1.4          Our role: Serko will be data controller in some circumstances and a data processor in others. We are the data controller for our Serko Expense product and the Serko.Travel product where it is sold directly to our customers.  Serko is the data processor for our Serko Online, Serko Mobile and Zeno travel products, as well as Serko.Travel when that product is re-sold by TMCs and “powered by Serko”. Please see for further details of our products.

2.     The data we collect and receive about you

2.1          Personal data covered: This policy applies to all of the personal data that we process, including personal data we receive from our customers about their employees, contractors and other points of contact, personal data that collect directly from individuals and personal data that we receive from third party service providers such as TMCs, airlines, hotels and travel agencies.

2.2          Types of data: We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:

  • Identity Data includes first name, last name, username, title, date of birth, age, gender, driver’s licence number, passport details, visa details and company name and number.
  • Contact Data includes billing, business, delivery and email addresses and telephone numbers.
  • Profile Data includes your username and password, your interests and travel preferences, including seating, food, airline, hotel and vehicle details.
  • Financial Data includes credit card number, cardholder name and expiration date and bank account number in relation to expense claims.
  • Transaction Data includes details of your previous bookings with us, payments to and from you and other details of products and services you have purchased from us.
  • Travel Data includes frequent flyer details, hotel loyalty details, rental car loyalty details, travel destinations and itineraries, flight and ticket numbers, travel components (air, car, hotel, transfers and rail), meal preferences and seats requested.
  • Technical Data includes internet protocol (IP) address, your login data, device type, unique device identification numbers, browser type and version, time zone setting and location, browser plug-in types and versions, your internet services provider, operating system and platform and other technology on the devices you use to access this website.
  • Location Data includes location information obtained from smartphones, tablets or other devices with the ability to monitor your current and previous geographic locations.  We do not collect location data unless you expressly agree to use location-based features within our mobile application (App) the first time you use the App. You can switch off location data collection at any time by accessing your phone settings.
  • Usage Data includes information about your use of our website, App and services, includingpersonal data obtained through our use of cookies and tracking technologies.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

2.3          Aggregated Data: We also collect, use and share aggregated data like statistical or demographic data. If it doesn’t directly or indirectly reveal your identity, that data is not personal data. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature and we may share it with advertisers and investors. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat that combined data as personal data which will be used in accordance with this Policy.

2.4          Sensitive Data: We may collect limited amounts of Sensitive Data about you where that information is volunteered or shared by you or on your behalf while using our services. For example, the need for wheelchair access or other information that suggests or implies religious beliefs or health issues, such as dietary requests.

2.5          Refusal to provide your personal data: You do not have to provide your personal data when we request it, but if you choose not to, we may not be able to respond to your queries and perform any contract we have or are trying to enter into with you (for example, to provide you access to our expense management tool). That may mean we have to cancel a product or service you have with us. We will notify you at the time if that is the case.

3.     How we collect and receive your personal data

3.1          When we collect personal data: We collect and receive your personal data in different ways, depending on what Serko service you or your employer is using and how and through whom it has been accessed. In addition to receiving personal data directly from our customers’ HR systems to enable us to provide our services to customers, typically we collect personal data when you, or someone acting on your behalf:

  • makes an inquiry or booking through us, or otherwise purchases or uses any of our services
  • creates or registers an account on our website or App
  • gives us feedback or speaks to us or our customer service teams on the telephone
  • updates frequent flyer or loyalty programme details
  • provides emergency contact details to us
  • provides your credit card details for expense reporting
  • ensures we enable a travel booking or a particular service.

3.2          How we collect personal data: We collect and receive your personal data in the following ways.

  • From suppliers and other third parties. We receive most of the personal data we process from third parties, including those in the list below. They provide us with your personal data, including Identity, Contact, Profile, Financial and Travel Data, to enable us to process your bookings and expense claims.
    • Our customers (who may include your employer) acting on your behalf, usually through a travel and/or expense administrator. Where our customers provide us with your personal data, they are responsible for obtaining your permission to share it with us
    • Our customers’ financial and/or human resources systems, including where those are outsourced to third parties and their financial
    • TMCs and travel agents that work with our customers
    • GDS and operators
    • Payment suppliers including card operators (e.g. VISA, Mastercard, American Express) and virtual payment suppliers
    • travel and accommodation service providers, including airlines, hotel chains, restaurant chains and ride-sharing services
    • customer suppliers that send us receipts for expense processing on behalf of our customers
  • Directly from you. You may give us your Identity, Profile, Contact and Financial Data when filling in forms on our websites and mobile applications or in paper form or by corresponding with us by post, phone, email or otherwise.
  • Automated technologies or interactions. If you interact with our software, website and mobile applications, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy here for further details. We also receive your Technical Data from analytics providers such as Google. We may combine Technical Data (some of which will be anonymous) with other personal data we have collected from you in order to understand and measure your online experiences and determine what products, promotions and services are likely to be of most interest to you.

If you use our App, we may also collect and use:

    • Location Data if you use features that enable you to identify nearby hotels or airports, which will suggest relevant content based on your location;
    • Technical Data including error-reports so we can investigate and improve the stability of the App for future releases;
    • Identity, Contact and Profile Data to send you push notifications about flight changes or to provide notifications from your TMC or employer in case of emergency.
  • Public sources. We may source personal data from publicly availably sources such as phone directories, membership lists, professional and trade associations, government, bankruptcy or court registry searches and electoral registers.

4.     How and why we use your personal data

4.1          Legal basis for processing: We will only use your personal data where the law allows us to and for the purposes set out in section 4.3 below. We use your personal data where that is necessary to for our legitimate interests (or those of a third party such as a TMC) and your interests and fundamental rights do not override those interests. We may also use your personal data where that is necessary to comply with the law, such as our financial and taxation obligations.

4.2          Legitimate interests: Where your employer is our customer, our services involve facilitating the booking of your travel and the management of your expense claims, to the extent you are making corporate travel and/or expense claims. We could not provide those services without processing personal data. The processing of your personal data is therefore necessary for our legitimate interests, including:

  • operating our business and providing our services to our customers, as well as end users like you that indirectly benefit from those services
  • meeting our contractual obligations to our customers
  • keeping our records updated
  • understanding how customers and end users use our services
  • fraud prevention and ensuring network and information security.

4.3          Consent: Generally we do not rely on consent as a legal basis for processing your personal data, although we will get your consent before sending marketing communications to you via email or text message. You have the right to withdraw your consent to marketing at any time by contacting us.

4.4          If you have any questions about the lawful basis upon which we collect and use your personal data, please contact us here.

4.5          Purpose of processing: We use and process your personal data to:

  • provide, host, maintain and improve our services
  • process and complete transactions made using our services, such as creating and submitting expense reports or booking corporate travel
  • provide customer service and support, including booking confirmations, technical notices, updates, security alerts and support and administrative messages
  • understand how our services are being configured and used by our customers and how our services and the user experience can be improved
  • develop new products and services
  • protect the security of our services and customers, including investigating and preventing fraudulent transactions, unauthorised access or other security incidents, and other illegal activities
  • perform internal business processes such as testing and quality assurance
  • provide user access to our services, include processing user registrations, creating new users in our systems and developing non-automated group and individual traveller profiles
  • analyse trends and statistics regarding visitors' use of our sites and App(s) and the transactions visitors conduct on our sites
  • comply with applicable legal requirements and industry standards.

5.     Cookies

5.1          You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see here.

6.     Change of purpose

6.1          We will only use your personal data for the purposes for which we collected it, unless we reasonably consider we need to use it for another reason compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

6.2          If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

7.     How we share your personal data

7.1          We may need to share your personal data with the following parties to enable us to provide our services and for the purposes set out in section 4 above. Where permitted by law, we may also share your personal data for other purposes directly related to the purpose for which the information was collected.

  • Serko subsidiaries: Subject to strict access controls, Serko subsidiaries have access to the Serko data centres in which we store and process the data that enables us to provide our services, including personal data. 
  • TMCs, GDS operators and travel agents:  We may share your personal data with our global TMCs and their agents and integrated service providers such as GDS operators that co-operate to enable the provision of our services throughout the world.
  • Customers: We need to share your personal data with our customers (including your employer) so we can provide our services, including processing your travel bookings and expense claims. Where they are one of our customers, your employer can access your personal data held in our systems. Your employer may also configure our software to make your personal data available to third parties through our APIs.
  • Service providers:
    • travel service providers who provide travel-related services to us such as travel wholesalers, tour operators, airlines, hotels, car rental companies
    • expense management and accounting service providers
    • contracted third parties who provide data processing services to us or who otherwise process personal data for purposes such as credit and virtual card processing, fraud prevention, IT and system administration, business analytics, online advertising delivery, marketing, market research and communication, mail, freight and courier and price comparison services
    • professional advisers acting as processors or joint controllers, including lawyers, bankers, auditors, consultants, insurers and recruiters.
  • Other third parties:
    • regulators and other law enforcement authorities and agencies who require reporting of processing activities in certain circumstances and/or where disclosure is required by law
    • business partners with whom Serko may jointly offer products or services, or whose products or services may be offered on Serko’s website
    • third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice
    • where the law requires or authorises us to do so

7.2          We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

8.     International transfers

8.1          Our data centres: We store personal and other data in data centres located in Australia, the Republic of Ireland, the Netherlands and Canada. We use private cloud arrangements on the Microsoft Azure cloud platform to provide our data centre services and Serko has management control of those data centres. Our customers (including your employer, where applicable) select the region in which they want us to store your data. Your personal data will only be moved to another location following notice to the relevant customer(s).

8.2          Safeguards for transfers outside the EU: So we can provide our global services, we may need to share your personal data with Serko subsidiaries and with TMCs and our customers (which may include your employer). That may involve transferring and processing your personal data outside the EEA. If that happens, we ensure at least one of the following safeguards is implemented.

8.2.1    Adequacy: We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.

8.2.2    Approved standard clauses: Where we have entered into EU-approved standard contractual clauses with the recipient to give personal data the same protection it has in Europe.

8.2.3    US Privacy Shield: Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.

8.3          Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

9.     Your rights

9.1          You have the following rights in relation to your personal data.

  • Access: you can request access to a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Correction: you can request that any incomplete or inaccurate data we hold about you is corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Erasure: you can ask us to delete or remove your personal data where there is no good reason for us continuing to process it, where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing: where we are relying on a legitimate interest (or those of a third party) and you believe our processing of your personal data impacts your fundamental rights and freedoms, you may object to such processing for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information that override your rights and freedoms.
  • Restrict processing: you can ask us to suspend the processing of your personal data: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Data portability: you can request that your personal data is transferred to you or a third party. We will provide you or a third party you have chosen with your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information that you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent: you may withdraw your consent to our processing of your personal data. If you do so, we may not be able to provide certain products or services to you. We will advise you if that is the case when you withdraw your consent.

9.2          If you wish to exercise any of the rights set out above, please contact us (see section 12 below).

9.3          No fee usually required: You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. If we choose to deny your request, we will inform you of the decision and your right to complain to the supervisory authority within the 1 month deadline.

9.4          What we may need from you: We may need to request specific information from you to verify your identity and ensure that personal data is not disclosed to the wrong person.

9.5          Time limit to respond: We respond to all legitimate requests without undue delay and at the latest within one month. Occasionally, if your request is particularly complex or you have made a number of requests, we may need to extend this by up to a period of two months, in which case we will notify you and keep you updated.

10.     Security of your personal data

10.1       We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. While no online service can guarantee absolute security, we have implemented technical and organisational measures such as encryption when transmitting your personal data and firewalls and intrusion detection systems to help prevent unauthorised access to your information.  In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

10.2       We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

11.     How long will you use my personal data for?

11.1       We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

11.2       To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of that data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements.

12.     Contact Details

12.1      Data Protection Authority: EU data subjects have the right to make a complaint at any time to the data protection authority of the EU country where you live. A list of the national data protection authorities can be found at  here . We would, however, appreciate the chance to deal with your concerns before you approach them, so please contact us in the first instance.

12.2      Data Protection Officer: We have appointed a data protection officer (DPO) who is responsible for overseeing privacy issues for the Serko group. If you have any questions or complaints about this Policy, including any requests to exercise your rights in relation to your personal data, please contact the DPO using the details set out below.

Email address:

Postal address: Attention: CISO, Serko Limited, PO Box 47638, Auckland 1144, New Zealand

12.3      EU Representative: We have appointed a representative to act on our behalf in relation to our obligations under the General Data Protection Regulation in Europe:

Name: DPR Group

Email address:


Click here for more information on how to contact DPR group.

Please note: this information should only be used when trying to contact us in relation to a GDPR data matter, otherwise you can contact us via

12.4    Removal of your personal data: if you no longer want your personal data in the Service, please email; stating the Service that you wish to have your data removed from.

13.     Changes to the privacy Policy and your duty to inform us of changes

13.1      This version was last updated on 2 July 2018.

13.2      We reserve the right to update and change this Policy at any time by posting changes on this webpage or applicable mobile apps. Changes will take effect from the time they are posted. We will use reasonable endeavours to communicate those changes to you on our website and mobile apps or via other channels that we think are suitable.

13.3      It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.


Customer means a corporate customer of Serko who is using our services to book travel and manage expenses on behalf of its employees or other individuals.

Data controller means the entity that decides the means and purpose of processing personal data.

Data processor means the entity that processes personal data on behalf of and in accordance with the instructions of the controller.

GDS means the Global Distribution System, a travel technology platform that enables travel agencies and their clients to access travel data, shop for and compare reservations options and book travel.

Legitimate Interest means our interests in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Personal data means any information about an individual that can be used to identify that person directly or indirectly by reference to a range of identifiers. It does not include anonymous data where the identity of the individual has been removed.

Processing means any operation or set of operations performed on personal data.

Sensitive Data means personal data that health, genetic data and biometric data or data that reveals an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation.

TMC means a Travel Management Company (commonly known as a business travel agency or corporate travel provider) that manages the business travel requirements of clients to save them time and money.


Serko Limited has the following subsidiaries:

  1. 1. Serko Australia Pty Limited: marketing and support of travel bookings software solutions supplied by Serko Limited.
  2. 2. Serko Inc.: subsidiary for the US‑based operations.
  3. 3. Serko India Private Limited: subsidiary for India‑based operations.
  4. 4. Foshan Sige Information Technology Limited: subsidiary for China‑based operations.
  5. 5. Serko Trustee Limited: management and staff trustee activity.
  6. 6. Serko Investments Limited: holding company.