UK GDPR & Privacy Statement


Sweet Chariot respects your privacy when you use our services and is committed to complying with privacy legislation. This privacy notice has been updated to comply with The UK’s General Data Protection Regulation (UK GDPR) regulation which changes how companies use and process the personal data of European users.

The information below is what is referred to as a ‘Privacy Notice’ which explains how we use and protect your personal data.

Sweet Chariot Leisure Ltd. has registered with the ICO (Information Commissioner’s Office).

1. Information Sweet Chariot holds

This is a list of personal information that we hold for some customers and suppliers. We do not hold all of this information for all of our customers and suppliers.

• Phone number (work, home or mobile)

• Date of birth

• Address

• Passport details

• Health details

• Photographs / Videos

• Parents’ contact details (for minors)

• Suppliers’ contact details

• Suppliers’ bank details

We hold this information on a

• Secure Remote Server (Cloud), accessed via desktops and mobile devices

We use this information to:

• Send data to HMRC

• Send data to pension provider

• Send emails about our products using Constant Contact

• Contact customers regarding their proposed or actual tour (or other purchase)

• Liaise with suppliers

• Contact next of kin if necessary

Where It Came From, Customer Data

Customer data has come from contact about our products. Customers have approached Sweet Chariot either by telephone or email and we have recorded their data as above. We continue to liaise with them in the context of our products. The customer was originally able to cease contact and is always able to decline further contact.

The Web

You can visit our site ( without telling us who you are or providing us with any personal information. However, we collect related information such as page requests, browser type, operating system and average time spent on our website through an analytics programme (Google Analytics) which we use to monitor and improve our website.

To make this website easier to use, we sometimes place small text files on your device (for example your iPad or laptop). These are known as ‘cookies’. Our cookies aren’t used to identify you personally. They’re just here to make the site work better for you. For a list of all the cookies on our site and their purpose please click here.

By using our website, you agree that we can place these types of cookies on your device. We do not use cookies on this website that collect information about which other websites you visit (often referred to as privacy intrusive cookies). You can manage and/or delete these files as you wish.

You can choose to refuse cookies or tell your browser to let you know each time that a website tries to set a cookie. However, refusing cookies will mean some sections of the site will not work properly. For more information about cookies (including how to turn them off) please visit

Where it Came From, Supplier Data

Supplier data has come from a) previous contact before Sweet Chariot was incorporated and b)

further research into suppliers. They have also approached us, through our website, by phone or

email. We liaise with them in the context of providing services to our customers.

This constitutes implied consent or ‘soft opt-in’ but future communications will require new

customers to opt in.

Sweet Chariot is not required to refresh existing consent* for the reasons above but please see the

end of document for full advice to companies on consent.

Who We Share It With

We protect access to our data through a log-in process to our remote server.

We do not sell databases or provide them as part of sponsorship deals. We use our data solely in the

context of business operations. We contact customers directly for managing their tour or product,

for example regarding payments, passport details for flights, names for hotels and so on. We also

liaise with customers on other future products they may be interested in.

Similarly, supplier data is used for conducting business. We need their bank records for payments

and contact details for operations.

How We Record Our Processes

Customer contact comes initially from email, web form or telephone. We take this information and

record it in Outlook and on Excel spread sheets. Financial information is stored in Sage, in our Lloyds

Bank and Travelex secure accounts.

Further information from customers about their tours (names, dates of birth, dietary information

and so on) is gathered by email and stored on spread sheets, which in turn is kept on our password

protected, remote server.

2. Communicating privacy information

Sweet Chariot’s Privacy Notice

1. The Information We Collect & Why

Sweet Chariot is a tour operator. All the information we collect is within the context of the products

we sell. You, the customer, provide us with the data we need to operate products you have bought

or to liaise about products you might be interested in. This data includes but is not limited to:

• Full name

• Phone number (work, home or mobile)

• Email address

• Address

• Date of birth

• Passport details

• Health details (such as dietary requirements)

• Parents’ contact details (for minors)

• Bank details

• ID proof

• Social Media handles

2. How We Use Your Information

You will provide some or all of this information when contacting the company and in the course of

operating your tour or product (corporate hospitality or ticket purchases for example). It is in this

context that Sweet Chariot gathers your data.

  • An opt-in box is available on Sweet Chariot’s web forms.
  • If Sweet Chariot would like to use any social media content, we will specifically ask you, either on a form (such as the Tour Manager Report Form, sent to you on return) or directly by email.
  • You can opt out of all communications at any time, whereupon all requested data will be deleted within one month of written instruction ( or company address).

Ongoing Contact

Where we use Constant Contact for bulk emails, you are entitled to see its Privacy Statement, which

you can access by clicking on this url.

3. How We Share Your Information

We do not sell data to third parties for marketing purposes. We may, with your consent, share

photos or videos as part of our social media or marketing effort.

We use personal information solely for the purposes of the business. This includes providing

information to airlines, ground handlers and suppliers.

4. Storage & Processing: How We Protect Your Information

All our data is securely held on a remote server and is password protected.

5. Complaints

If you would like Sweet Chariot to remove any data from its server, simply email or write to our Head Office, explaining what information you would like

deleted. This will take place within one month of Sweet Chariot receiving the request.

If you would like to opt out of emails, simply unsubscribe on line.

If you still believe your data is being mishandled, you are entitled to complain to the ICO.

This information is available on our website and in email communications.

3 Individual’s rights

You, the customer or supplier, have the following rights:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision-making including profiling

Once a written request has been received, Sweet Chariot will act or respond within one month. If

action is required, it will be taken by a company director, ensuring all requested data is removed

from Sweet Chariot’s server and bank account.

Sweet Chariot can refuse or charge for requests that are manifestly unfounded or excessive. If we

refuse a request, we will tell you why and explain that you have the right to complain to the

supervisory authority for a judicial remedy. This will take place without undue delay and, at the

latest, within one month.

4 Children

Sweet Chariot does not offer online services to children. It only collects limited personal data for the

purposes of a tour.

This means, for example, Sweet Chariot will ask for dietary requirements (to protect children against

allergenic foods), names as they appear on passports (for airlines and hotel rooming lists) and ages

(to match up sporting opponents, to avail of excursion discounts and to arrange potential host


Parents provide consent and information to teachers for the above purposes. We ask teachers to

ensure consent is verifiable.

5 Data breaches

Sweet Chariot is able to detect, report and investigate a personal data breach as it employs an IT and

digital marketing company to oversee its technology. Alerts are in place.

Sweet Chariot is only required to notify the ICO of a breach where it is likely to result in a risk to the

rights and freedoms of individuals – if, for example, it could result in discrimination, damage to

reputation, financial loss, loss of confidentiality or any other significant economic or social


Where a breach is likely to result in a high risk to the rights and freedoms of individuals, Sweet

Chariot will notify those concerned directly.

6 Data Protection by Design Protection Impact Assessments

A DPIA is required in situations where data processing is likely to result in a high risk to individuals,

for example:

  • where a new technology is being deployed
  • where a profiling operation is likely to significantly affect individuals
  • where there is processing on a large scale of the special categories of data

Consequently, Sweet Chariot has no current requirement to undertake a DPIA

7 Data Protection Officers

Sweet Chariot does not require a Data Protection Officer (DPO) because it is not:

  • a public authority
  • an organisation that carries out regular and systematic monitoring of individuals on a large scale
  • an organisation that carries out the large scale processing of special categories of data, such as health records or information about criminal convictions

8 Supervisory Authority

The supervisory authority for Sweet Chariot is the UK.


Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in.

Consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from

other terms and conditions, and you will need to have simple ways for people to withdraw consent.

Consent has to be verifiable and individuals generally have more rights where you rely on consent to

process their data.

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation

for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the

GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily

withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find

an alternative to consent.