Privacy Policy

1. Introduction

This Privacy Policy explains how Serko Limited and its group companies (collectively, “Serko”, “us”, “we” or “our”) collect, use, disclose, transfer, protect, store, and otherwise process your personal information. You can find a list of our group companies in our latest financial statements, which are located on our investor centre website.

This Privacy Policy is effective from 1 December 2020 (previous versions can be obtained by contacting us). We will need to update this Privacy Policy from time to time so we encourage you to check it regularly because any changes we make will be posted on this page. We may also email you or indicate on our home page that our Privacy Policy has been updated if changes are significant.

2. Scope of Privacy Policy

This Privacy Policy applies to our use of your “personal information” (which means any information that relates to an identified or identifiable natural person, either on its own or in combination with other information) when you:

- use our websites (“Sites”);
- use the services and applications we provide, including the travel and expense management services accessible through Zeno, Serko Online, Serko Mobile, Serko.Travel and Zeno Expense (“Services”);
- sign up to our newsletter and/or any other marketing and/or promotional activities; and/or
- respond or apply to a job advertisement.

This Privacy Policy does not apply to:

Third party websites that our Sites and Services may provide links to, and we are not responsible for such third party content, use of personal information, or security practices,
The collection, use, retention or disclosure of your personal information (which may include special or sensitive categories of personal information) by third parties (such as travel management companies) who use our Services to provide their own services to their end customers. In such circumstances, where we retain your personal information through our Services, we do so as ‘agent’ of, or ‘processor’ for, those third parties You should refer to the privacy policies of those third parties to understand how your personal information will be processed by them, and your rights of access and other rights in respect of such personal information.

If you are in the European Union or the United Kingdom, or you are a resident of California, and you use our Services, this Privacy Policy does not apply to your personal information that we process on behalf of your organisation (i.e. our corporate customer). In the case of Zeno Travel, it also doesn’t apply to your personal information that we process on behalf of your organisation’s travel management company (if any) and/or business partners (for example, travel providers who process your personal information to facilitate your bookings). These entities’ use of your personal information will be governed by their terms and privacy policies, and we will process it under their direction (as a "processor" under the General Data Protection Regulation (“GDPR”) or a "service provider" under the California Consumer Privacy Act (“CCPA”)). If you have any questions or requests relating to these entities’ processing of your personal information, you should contact them directly.

Our Sites and Services are not intended for children and we do not knowingly collect or use any personal information from children.

3. The Personal Information We Collect

We will collect, receive, use, process, store and transfer different kinds of personal information depending on the Sites and/or Services that you use. This might include:

- Identity data: including name, employee ID, network ID, title, date of birth, gender, passport details, visa details, company name, and company number;
- Contact data: including email address, address, and phone number;
- Financial data: including credit card details, costs, bank account number, bank state branch (BSB), credit card limit, and details of payments to and from you;
- Technical data: including internet protocol (IP) address, login data, browser type and version, time zone setting, operating system and platform, device type, unique device identification numbers, and other information your browser supplies;
- Profile data: including username, user ID, and password;
- Usage data: including details of products and services you have purchased from us, and information on how you are using the products, and services;
- Communications data: including preferences in receiving marketing from us and our third parties (if any), your communication preferences, and any feedback or survey responses;
- Travel data: including details of your bookings and travel itineraries, frequent flyer details, loyalty details, rental car details, meal preferences, seat preferences, travel dates/times, flight number, ticket number, confirmation number, booking locators (booking ID, passenger name record (PNR), airline locator), origin location, destination location, third party profile ID/code, and travel components (air, car, hotel, transfers, rail);
- Expense data: including details of expenses submitted (such as copies of receipts);
- Location data: including geolocation, and travel origin and destination; and
- Support data: including screenshots (of error messages, for example), support ID, and support communications.

Depending on the Sites and/or Services that you use, we may need to collect limited amounts of special or sensitive categories of personal information about you for the purposes described in section 5 (‘How We Use Your Personal Information’) below.

We may also collect, use, and share aggregated data for any purpose. Aggregated data could be derived from your personal information, but it is not considered personal information because it will not identify you.

If you do not agree with the terms of this Privacy Policy, please do not provide any personal information to us. However, while providing some personal information is optional, failing to provide certain personal information may unfortunately mean you are unable to use some parts of our Sites and/or Services and/or that we are unable to respond to your queries. This may mean we have to cancel a service you have with us, in which case we will notify you at the time.

If you apply for a job with us, then we will collect recruitment data about you including your education history, work experience, references, and other information submitted in your CV and/or cover letter and/or job application.

4. How We Collect And Receive Personal Information

We collect and receive personal information in different ways depending on the Sites and/or Services that you use. This might include:

- Direct interactions: For example, you may give us personal information when you contact us, use our Site and/or Services, respond to a job advertisement, or request our marketing and promotional materials.
- Customers, suppliers and other third parties: We may receive personal information from other sources such as: our customers (i.e. your organisation), our customers’ travel management companies and travel agents (if any), global distribution systems (“GDS”) operators; payment suppliers (including card operators and virtual payment suppliers), travel service providers (including accommodation providers, transport providers, and restaurants), and our customers’ suppliers (for example, who may send us receipts for expense processing).
- Automated interactions or technologies: We automatically collect some personal information when you visit, use, and interact with our Sites and Services by using cookies and other similar technologies. We may also receive personal information if you visit other sites employing our cookies and/or from analytics providers (such as Google). You can see our Cookie Policy for further details. For example, we might use these technologies to distinguish you from other users and remember your preferences, to improve our Sites and Services, and/or for web analytics.
- Public sources: For example, phone directories, membership lists, professional and trade associations, government, bankruptcy or court registry searches, and electoral registers.

In certain situations, you may provide personal information to us about other individuals (such as your colleagues, customers, suppliers, directors or shareholders). If so, you warrant that you have all necessary notices, permissions, and consents in place to lawfully disclose such personal information to us to use in accordance with this Privacy Policy.

5. How We Use Personal Information

We collect and use your personal information for different purposes depending on the Sites and/or Services that you use. The main purposes are:

- To provide, host, and maintain our Sites and Services – for example, to process purchases (along with our authorised payments processors), manage payments, collect monies owed, process user registrations, and to develop non-automated group and individual traveller profiles;
- To communicate and manage our relationship with you – for example, to provide you with the Services and information you have requested or that we are required to provide to you, inform you of technical notices, updates, security alerts, support and administrative messages, notify you of any changes to our Sites Services or policies, and ask you for feedback or to take part in any research we are conducting;
- To provide customer service and support – for example, to provide booking confirmations, assist with the resolution of technical support issues or other issues relating to the Sites or Services (whether by email, in-app support, or otherwise), and we may record customer calls for monitoring and training purposes;
- To measure and enhance our Sites and Services – for example, to understand how our Sites and Services are being configured and used, to understand how our Sites Services and user experience can be improved, to develop new services, and to perform internal business processes such as testing, maintenance, and quality assurance;
- For protection purposes – for example, to detect, investigate and prevent any fraudulent or malicious activity or transactions, unauthorised access, or other security incidents and other illegal activities, troubleshooting, and to ensure our Sites and Services are being used in accordance with our Terms of Use;
- For marketing and promotional purposes – for example, to send you marketing and promotional communications (about Serko or another product or service we think you might be interested in) in accordance with your marketing preferences, displaying targeted advertising online through our own Sites and Services or through third party websites and platforms, and administer referral programmes, rewards, surveys, and other promotional activities or events sponsored or managed by us or our partners;
- To analyse, aggregate and report – for example, to analyse trends and statistics regarding use of our Sites and Services and the transactions conducted, and to produce aggregated and anonymised analytics and reports;
- Recruitment – if you apply for a job with us, we will process your personal information in the application process; and
- Legal purposes and/or to comply with regulatory and/or industry requirements and standards.

6. How We Disclose Personal Information

There will be times when we need to share your personal information with third parties for the purposes set out in this Privacy Policy. This might include:

- Serko group companies – who help us provide, host, and maintain our Sites and Services. Some group companies (subject to access controls) may also have access to the Serko group data centres in which we store and process your personal information.
- Customers (i.e. your organisation) - for example, so we can provide our Sites and Services (including processing and/or approving your travel bookings and/or expense claims), for user management and licence administration purposes, and they may be able to access your personal information held in our systems.
- Travel management companies, travel agents, and GDS operators (if any) - who co-operate with us to provide our Services.
- Service providers – for example, travel service providers (such as travel wholesalers, tour operators, airlines, hotels, car rental companies), banks, expense management and accounting service providers, and other contracted third party service providers such as credit and virtual card processing, fraud prevention, IT and system administration, business analytics, online advertising delivery, marketing, market research and communication, mail, freight and courier and price comparison services.
- Business partners and third parties you authorise – with whom we may jointly offer products or services, or whose products or services may be offered on and/or integrated with our Sites or Services. You may also give third parties access to your personal information on the Sites and Services.
- Our professional advisers – including our lawyers, bankers, auditors, consultants, and insurers.
- An actual or potential buyer (and its agents and advisors) - in connection with an actual or proposed purchase, merger or acquisition of any part of our business. If a change happens to our business, then the new owner may use your personal information in the same way as set out in this Privacy Policy.
- Regulators, law enforcement bodies, government agencies, courts or other third parties - where we think it is necessary to comply with applicable laws or regulations, or to exercise, enforce, or defend our legal rights.

7. International Transfers

We are a global business and your personal information may therefore be transferred to, and processed in, countries other than the country you live in – for example to Australia, New Zealand, the Republic of Ireland, the Netherlands, and Canada, where some of our offices and data centres are located. Whenever we internationally transfer your personal information, we put safeguards in place so your personal information is protected.

8. Security

We have put in place appropriate technical and organisational security measures and procedures to try and prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Although we will take such measures to protect your personal information, by virtue of the nature of the internet, we cannot absolutely guarantee the security of your information transmitted online, and so any transmission is at your own risk. We have also put in place procedures to deal with breaches of personal information, and we will notify you and any applicable regulator of a breach where we are legally required to do so.

Where we have given you (or you have chosen) a password that enables you to access certain parts of our Sites and Services, you are responsible for keeping this password confidential and you must not share it with anyone.

9. Retention

We retain personal information we collect from you where we have an ongoing legitimate business need to do so in accordance with our data retention policies and practices (for example, in connection with the purposes described in this Privacy Policy, legal purposes, and/or for the purposes of satisfying any regulatory, tax, accounting or reporting requirements). Following that period, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been temporarily stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

10. Your Rights

You have rights under privacy and data protection laws in relation to your personal information. For example, you may have rights to:

- obtain confirmation of what personal information we hold about you;
- request access to your personal information; and
- request a correction to the personal information that we hold about you.

You can exercise your rights by logging into your account and/or making a request to us using the contact details set out in section 13 (‘Contact Details’) below. In which case, please describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. Please note that we may request specific information (such as proof of address in some circumstances) and/or photo identification from you to help us confirm your identity and rights.

You can also ask us not to send you marketing communications by following the unsubscribe instructions contained in the marketing communication, clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you.

You can also set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. However, if you disable or refuse cookies used, you may not be able to access or use parts of our Sites and Services.

11. Additional Information For Individuals In The European Union And United Kingdom

If you are in the European Union or the United Kingdom, the following information also applies to you with respect to your personal information:

A. Data Controller

Serko Limited is the controller of your personal information (except in the circumstances described in section 2 (‘Scope of Privacy Policy’) above).

We have appointed a data protection officer (“DPO”). If you have any questions or complaints about this Privacy Policy, including with regard to any request to exercise your rights in relation to your personal information, please contact the DPO using the details set out in section 13 (‘Contact Details’) below.

We have also appointed a representative to act on our behalf in relation to our obligations under the GDPR in Europe, details of which are set out below. You can also click here for more information on how to contact our representative.

DataRep

serko@datarep.com

www.datarep.com/serko

B. Legal bases for processing your personal information

We may collect, use, and share your personal information:

- - - - to perform a contract with you;
        
        where we (or a third party) have legitimate interests (and they are not overridden by your rights) – such as operating our business and providing our products and services to our customers and end users, meeting our contractual obligations to our customers, record keeping, and security and fraud prevention;
        
        where you have consented; and
        
        to comply with a legal or regulatory obligation – including financial and taxation obligations.

C. Your rights

You have rights under privacy and data protection laws in relation to your personal information. For example, you may have the following rights:

- - - - Access - you can ask us if we are processing your personal information and, if we are, you can request access to it.
        
        Erasure - you may ask us to delete your personal information in certain circumstances. However, we may not always be able to comply with your request for specific legal reasons which we will notify to you, if applicable.
        
        Objection – where we are processing your personal information based on legitimate interests (or those of a third party), you may challenge this if you believe it impacts your fundamental rights and freedoms. However, we may in some situations be entitled to continue processing your personal information. You also have the right to object where we are processing your personal information for direct marketing purposes.
        
        Restriction - you may be entitled to ask us to suspend processing some of your personal information, for example if you want us to establish its accuracy or the reason for processing it.
        
        Transfer – you may ask us to help you request the transfer of your personal information to another party.
        
        Automated decisions - you may contest any automated decision made about you where this has a legal or similar significant effect and ask for it to be reconsidered.
        
        Withdraw consent - where we are relying on consent to process your personal information, you may withdraw such consent. However this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you.

You can exercise your rights as described in section 10 (‘Your Rights’) above. If you would like to request erasure of your personal information from our Services, please email remove.me@serko.com and state the Service that you wish to have your personal information removed from.

If you are not happy with the way we process your personal information, please let us know. You also have the right to make a complaint to your local information protection supervisory authority. Your local data protection authority will be able to give you more information on how to submit a complaint.

D. International transfers

Your personal information may be transferred internationally, including outside the EEA. Whenever we transfer your personal information outside the EEA, we put safeguards in place so your personal information is protected, for example transferring it to countries that have been deemed to provide an adequate level of protection for personal information and/or having approved transfer mechanisms in place to protect your personal information – such as using specific contracts approved by the European Commission. For more information, please contact us using the details set out in section 14 (‘Contact Details’) below.

E. Privacy Shield

One of our group companies, InterplX, Inc (“InterplX”), complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States.

InterplX has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, purpose, data security and integrity, access and recourse, enforcement, liability, and accountability for onward transfer. If there is any conflict between this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

To learn more about the Privacy Shield program, and to view InterplX’s certification, please visit https://www.privacyshield.gov/. Note that the Federal Trade Commission has jurisdiction over InterplX’s compliance with the Privacy Shield.

If you have further enquiries or any complaints regarding our Privacy Shield policy, please contact InterplX at privacy@interplx.com.

InterplX has further committed to refer unresolved Privacy Shield complaints to an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint within 45 days, please contact or visit JAMS for more information or to file a complaint. If your complaint is not resolved after following the recourse mechanisms described above, you may have the ability to invoke binding arbitration. Additional information is available here.

12. Additional information for California Residents

If you are a resident of California, the following information also applies to you with respect to your personal information:

A. The personal information we collect, receive, and disclose

We will collect, receive, and disclose different kinds of personal information depending on the Sites and/or Services that you use. With reference to the categories of personal information set out in the CCPA, in the past 12 months we have collected the following personal information from the sources set out in section 4 (‘How We Collect And Receive Personal Information’) above, and disclosed it to the categories of third parties set out below (and as described in further detail at section 6 (‘How We Disclose Personal Information’) above) for business purposes:

CCPA category	Includes	Disclosed to
Identifiers	Name, address, telephone number, and email address, Internet Protocol address, passport details, drivers licence details, and other similar identifiers	Serko group companies, customer(s), travel management companies, travel agents, and GDS operators (if any), service providers; business partners and third parties you authorise
Characteristics	Gender, age, and national origin	Serko group companies, customer(s), travel management companies, travel agents, and GDS operators (if any), service providers, business partners and third parties you authorise
Internet or other electronic network activity information	Online identifiers including device and IP address, browser type, operating system, and other information regarding your interactions with our Sites and Services	Serko group companies, customer(s), service providers, business partners and third parties you authorise.
Commercial information	Purchase history and transactions, financial details, and payment information	Serko group companies, customer(s), travel management companies, travel agents, and GDS operators (if any), service providers, business partners and third parties you authorise, our professional advisors
Geo-location data	Zip code, and general geolocation information (based on your IP address and/or travel itinerary and/or expense claims)	Serko group companies, customer(s), travel management companies, travel agents, and GDS operators (if any), service providers, business partners and third parties you authorise
Audio, visual and other electronic data	Audio, electronic, visual and similar information such as images, call recordings, chat, and other interactions that you may have with us (such as for customer service purposes), and feedback or testimonials you provide about our Sites and Services	Serko group companies, customer(s), travel management companies, travel agents, and GDS operators (if any), service providers, business partners and third parties you authorise
Professional and employment-related	Job title, industry and company	Serko group companies, customer(s), travel management companies, travel agents, and GDS operators (if any), service providers, business partners and third parties you authorise
Inferences	Inferences drawn from any of the above personal information to create a profile or summary about you such as reflecting preferences/characteristics	Serko group companies, service providers

We do not "sell" your personal information for the purposes of the CCPA.

B. Your rights

You have rights under privacy and data protection laws in relation to your personal information. For example, you may have rights to:

- - - - know what personal information is collected about you, and if any of your personal information is sold or disclosed (and the categories of third parties that purchased or received it);
        
        access the personal information we process about you;
        
        request the deletion of your personal information, if applicable;
        
        opt-out from the sale of your personal information, if applicable; and
        
        not be discriminated against for exercising any of the rights above.

You can exercise your rights as described in section 10 (‘Your Rights’) above. You may also designate an authorised agent to make a request on your behalf, subject to proof of identity and authorisation.

13. Contact details

If you have any questions about this Privacy Policy, please contact us at legal@serko.com. Otherwise, our mailing address is:

Attention: Legal Department

Serko Limited

Unit 14d, 125 The Strand

Auckland

New Zealand