This policy is provided in a layered format so you can click through to the specific areas set out below. Alternatively you can download a pdf version of the policy here.
Please check the Glossary at the end of the document to understand the meaning of some of the terms used in this Policy.
1. Who we are
1.1 Serko and subsidiaries: Serko Limited (Serko, we, us or our) has a number of subsidiaries in different global location. Details of each of those subsidiaries can be found here. Only Serko Australia Pty Limited, Serko Inc., Foshan Sige Information Technology Limited and Serko India Private Limited process personal data.
1.1 What we do: Serko provides corporate travel and expense management services and software either directly to our corporate customers (customers) or indirectly through our network of third-party travel management companies (TMCs).
1.2 How we interact with your personal data: Our customers use our services to plan, book and manage business travel and corporate expenses on behalf of end users, who are typically their staff. This policy applies to all personal data that we process, whether we have collected it directly from an end user or we have received it from someone else using our services to book travel or manage expenses on behalf of an end user (for example, whomever is responsible for booking travel and/or processing expenses for the end user’s employer). References to you throughout this Policy will be to any end user whose personal data we process, regardless of how or by whom it was collected.
1.3 TMCs and GDS: We use a network of TMCs and other third parties like Global Distribution System (GDS) operators, travel providers, expense management suppliers and credit card service providers when providing our services around the world. This Policy only covers how Serko processes your personal data. We are not responsible for the privacy practices of any TMC or any other third party, including your employer when they are our customer. If you have any questions about how a TMC or your employer handles your personal data when booking or managing your travel or expenses on your behalf, please contact them directly.
1.4 Our role: Serko will be data controller in some circumstances and a data processor in others. We are the data controller for our Serko Expense product and the Serko.Travel product where it is sold directly to our customers. Serko is the data processor for our Serko Online, Serko Mobile and Zeno travel products, as well as Serko.Travel when that product is re-sold by TMCs and “powered by Serko”. Please see serko.com for further details of our products.
2. The data we collect and receive about you
2.1 Personal data covered: This policy applies to all of the personal data that we process, including personal data we receive from our customers about their employees, contractors and other points of contact, personal data that collect directly from individuals and personal data that we receive from third party service providers such as TMCs, airlines, hotels and travel agencies.
2.2 Types of data: We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:
2.3 Aggregated Data: We also collect, use and share aggregated data like statistical or demographic data. If it doesn’t directly or indirectly reveal your identity, that data is not personal data. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature and we may share it with advertisers and investors. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat that combined data as personal data which will be used in accordance with this Policy.
2.4 Sensitive Data: We may collect limited amounts of Sensitive Data about you where that information is volunteered or shared by you or on your behalf while using our services. For example, the need for wheelchair access or other information that suggests or implies religious beliefs or health issues, such as dietary requests.
2.5 Refusal to provide your personal data: You do not have to provide your personal data when we request it, but if you choose not to, we may not be able to respond to your queries and perform any contract we have or are trying to enter into with you (for example, to provide you access to our expense management tool). That may mean we have to cancel a product or service you have with us. We will notify you at the time if that is the case.
3. How we collect and receive your personal data
3.1 When we collect personal data: We collect and receive your personal data in different ways, depending on what Serko service you or your employer is using and how and through whom it has been accessed. In addition to receiving personal data directly from our customers’ HR systems to enable us to provide our services to customers, typically we collect personal data when you, or someone acting on your behalf:
3.2 How we collect personal data: We collect and receive your personal data in the following ways.
If you use our App, we may also collect and use:
4. How and why we use your personal data
4.1 Legal basis for processing: We will only use your personal data where the law allows us to and for the purposes set out in section 4.3 below. We use your personal data where that is necessary to for our legitimate interests (or those of a third party such as a TMC) and your interests and fundamental rights do not override those interests. We may also use your personal data where that is necessary to comply with the law, such as our financial and taxation obligations.
4.2 Legitimate interests: Where your employer is our customer, our services involve facilitating the booking of your travel and the management of your expense claims, to the extent you are making corporate travel and/or expense claims. We could not provide those services without processing personal data. The processing of your personal data is therefore necessary for our legitimate interests, including:
4.3 Consent: Generally we do not rely on consent as a legal basis for processing your personal data, although we will get your consent before sending marketing communications to you via email or text message. You have the right to withdraw your consent to marketing at any time by contacting us.
4.5 Purpose of processing: We use and process your personal data to:
6. Change of purpose
6.1 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider we need to use it for another reason compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
6.2 If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
7. How we share your personal data
7.1 We may need to share your personal data with the following parties to enable us to provide our services and for the purposes set out in section 4 above. Where permitted by law, we may also share your personal data for other purposes directly related to the purpose for which the information was collected.
7.2 We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
8. International transfers
8.1 Our data centres: We store personal and other data in data centres located in Australia, the Republic of Ireland, the Netherlands and Canada. We use private cloud arrangements on the Microsoft Azure cloud platform to provide our data centre services and Serko has management control of those data centres. Our customers (including your employer, where applicable) select the region in which they want us to store your data. Your personal data will only be moved to another location following notice to the relevant customer(s).
8.2 Safeguards for transfers outside the EU: So we can provide our global services, we may need to share your personal data with Serko subsidiaries and with TMCs and our customers (which may include your employer). That may involve transferring and processing your personal data outside the EEA. If that happens, we ensure at least one of the following safeguards is implemented.
8.2.1 Adequacy: We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
8.2.2 Approved standard clauses: Where we have entered into EU-approved standard contractual clauses with the recipient to give personal data the same protection it has in Europe.
8.2.3 US Privacy Shield: Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.
8.3 Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
9. Your rights
9.1 You have the following rights in relation to your personal data.
9.2 If you wish to exercise any of the rights set out above, please contact us (see section 12 below).
9.3 No fee usually required: You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. If we choose to deny your request, we will inform you of the decision and your right to complain to the supervisory authority within the 1 month deadline.
9.4 What we may need from you: We may need to request specific information from you to verify your identity and ensure that personal data is not disclosed to the wrong person.
9.5 Time limit to respond: We respond to all legitimate requests without undue delay and at the latest within one month. Occasionally, if your request is particularly complex or you have made a number of requests, we may need to extend this by up to a period of two months, in which case we will notify you and keep you updated.
10. Security of your personal data
10.1 We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. While no online service can guarantee absolute security, we have implemented technical and organisational measures such as encryption when transmitting your personal data and firewalls and intrusion detection systems to help prevent unauthorised access to your information. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
10.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
11. How long will you use my personal data for?
11.1 We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
11.2 To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of that data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements.
12. Contact Details
12.1 Data Protection Authority: EU data subjects have the right to make a complaint at any time to the data protection authority of the EU country where you live. A list of the national data protection authorities can be found at here . We would, however, appreciate the chance to deal with your concerns before you approach them, so please contact us in the first instance.
12.2 Data Protection Officer: We have appointed a data protection officer (DPO) who is responsible for overseeing privacy issues for the Serko group. If you have any questions or complaints about this Policy, including any requests to exercise your rights in relation to your personal data, please contact the DPO using the details set out below.
Email address: email@example.com
Postal address: Attention: CISO, Serko Limited, PO Box 47638, Auckland 1144, New Zealand
12.3 EU Representative: We have appointed a representative to act on our behalf in relation to our obligations under the General Data Protection Regulation in Europe:
Name: DPR Group
Email address: firstname.lastname@example.org
Click here for more information on how to contact DPR group.
Please note: this information should only be used when trying to contact us in relation to a GDPR data matter, otherwise you can contact us via email@example.com
13.1 This version was last updated on 2 July 2018.
13.2 We reserve the right to update and change this Policy at any time by posting changes on this webpage or applicable mobile apps. Changes will take effect from the time they are posted. We will use reasonable endeavours to communicate those changes to you on our website and mobile apps or via other channels that we think are suitable.
13.3 It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Customer means a corporate customer of Serko who is using our services to book travel and manage expenses on behalf of its employees or other individuals.
Data controller means the entity that decides the means and purpose of processing personal data.
Data processor means the entity that processes personal data on behalf of and in accordance with the instructions of the controller.
GDS means the Global Distribution System, a travel technology platform that enables travel agencies and their clients to access travel data, shop for and compare reservations options and book travel.
Legitimate Interest means our interests in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Personal data means any information about an individual that can be used to identify that person directly or indirectly by reference to a range of identifiers. It does not include anonymous data where the identity of the individual has been removed.
Processing means any operation or set of operations performed on personal data.
Sensitive Data means personal data that health, genetic data and biometric data or data that reveals an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation.
TMC means a Travel Management Company (commonly known as a business travel agency or corporate travel provider) that manages the business travel requirements of clients to save them time and money.
Serko Limited has the following subsidiaries: