Privacy Policy

Effective Date: January 1, 2024

At VisitBritainTours.com we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose and safeguard your information when you visit our website or book a tour with us, in full compliance with the General Data Protection Regulation (GDPR).

International Visa Service Sp. z o. o. sp. k. (Data Controller)

NIP: 9542766476

ul. Graniczna 29, 40-017 Katowice, Poland

Email: [email protected]

VisitBritainTours.com – Privacy & Data Protection

1. Introduction & Data Controller

VisitBritainTours.com is operated by International Visa Service Sp. z o. o. sp. k., a company registered in Poland (NIP: 9542766476), with its registered office at ul. Graniczna 29, 40-017 Katowice, Poland ("we", "us", "our"). We act as the data controller for all personal data collected through this Website. We are committed to processing your data in a lawful, fair and transparent manner in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation — GDPR) and the Polish Act on the Protection of Personal Data. This Privacy Policy applies to all individuals who visit our Website, make enquiries, or book travel services with us. If you have any questions about how we handle your personal data, please contact us using the details in Section 13 below.

2. What Data We Collect

We may collect and process the following categories of personal data:

  • Identity data: first name, last name, date of birth, nationality, gender
  • Contact data: email address, telephone number, postal address
  • Travel document data: passport number, passport expiry date, country of issue (required for booking visa-related services and certain tours)
  • Payment data: credit/debit card details (processed securely via our payment processor; we do not store raw card numbers), billing address, transaction history
  • Booking data: tour preferences, special dietary requirements, accessibility needs, travel companions' details
  • Technical data: IP address, browser type and version, device identifiers, time zone, operating system, pages visited, referral source, session duration
  • Marketing data: communication preferences, subscription status, response to marketing campaigns
  • Cookie data: as described in Section 9 of this Policy

3. How We Use Your Data

We use your personal data for the following purposes:

  • Booking processing: to process tour reservations, issue confirmation documents, coordinate with tour operators and accommodation providers, and manage your booking account
  • Customer communications: to respond to your enquiries, send booking confirmations, pre-departure information, and post-trip follow-up
  • Payment processing: to charge and refund payments securely and maintain financial records in accordance with legal obligations
  • Legal compliance: to fulfil obligations under Polish tax law, anti-money laundering regulations, and any applicable travel industry regulations
  • Marketing communications: to send promotional offers, newsletters and travel inspiration (only where you have provided explicit consent or we have a legitimate interest)
  • Website analytics: to analyse how visitors interact with our Website in order to improve user experience and content relevance
  • Security and fraud prevention: to protect our Website, clients and business from fraudulent activity and security threats

4. Legal Basis for Processing

We process your personal data on one or more of the following legal bases as defined in Article 6 of the GDPR:

  • Performance of a contract (Art. 6(1)(b)): Processing is necessary for the performance of a contract to which you are a party — primarily the processing of your tour booking and provision of travel services.
  • Compliance with a legal obligation (Art. 6(1)(c)): Processing is required to comply with our legal obligations, including tax record-keeping, anti-money laundering checks, and regulatory reporting.
  • Legitimate interests (Art. 6(1)(f)): We process certain data based on our legitimate business interests, such as preventing fraud, improving our services, and direct marketing to existing customers — provided such interests are not overridden by your rights.
  • Consent (Art. 6(1)(a)): Where we rely on your consent — for example, for marketing communications and non-essential cookies — you may withdraw your consent at any time without affecting the lawfulness of prior processing.

5. Data Sharing and Third Parties

We do not sell, rent or trade your personal data to third parties for their own marketing purposes. We may share your data with carefully selected third parties only where necessary for the delivery of our services or where required by law:

  • Tour operators and ground handlers: to fulfil your booking, we share relevant personal data (such as names, dietary requirements and passport details) with our trusted UK-based tour operating partners
  • Accommodation providers: hotels and other lodging partners receive guest information necessary for check-in and room allocation
  • Payment processors: we use PCI-DSS compliant payment gateways (e.g. Stripe, PayU) to process card transactions securely
  • Analytics and marketing tools: we use tools such as Google Analytics (with IP anonymisation enabled) and email marketing platforms; these providers act as data processors under binding data processing agreements
  • Legal authorities: we may disclose data to law enforcement or regulatory bodies where required by applicable law or court order
  • Professional advisors: our legal, accounting and IT service providers may access data on a strictly need-to-know basis, bound by confidentiality obligations

6. International Data Transfers

As a European company providing travel services in the United Kingdom, some of your personal data may be transferred to and processed in the United Kingdom (post-Brexit). The UK has been granted an adequacy decision by the European Commission under Article 45 GDPR, meaning that transfers to UK-based partners are deemed to provide an adequate level of data protection equivalent to the EU. Where we transfer data to countries or organisations outside the EU/EEA that do not benefit from an adequacy decision, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46(2)(c) GDPR), or we rely on other transfer mechanisms permitted under Chapter V of the GDPR. You may request a copy of the relevant safeguards by contacting us at the details in Section 13.

7. Data Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our standard retention periods are as follows:

  • Booking and transaction data (including payment records and correspondence): retained for 5 years from the end of the calendar year in which the tour took place, in accordance with Polish tax and accounting obligations
  • Passport and travel document data: deleted within 6 months of the tour completion date, unless a longer retention period is required by law
  • Marketing data and email preferences: retained until you withdraw your consent or unsubscribe, after which it is deleted within 30 days
  • Website analytics data: aggregated and anonymised data may be retained for up to 26 months; individual session data is retained for up to 14 months
  • Enquiry and support correspondence: retained for 2 years from the date of last contact

After the applicable retention period expires, data is securely and permanently deleted or anonymised in accordance with our data disposal procedures.

8. Your Rights under GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data. You may exercise any of these rights free of charge by contacting us as described in Section 13. We will respond to your request within one calendar month (extendable by a further two months for complex requests).

  • Right of Access: Obtain a copy of the personal data we hold about you (Art. 15 GDPR).
  • Right to Rectification: Correct inaccurate or incomplete personal data (Art. 16 GDPR).
  • Right to Erasure: Request deletion of your data ("right to be forgotten") where grounds apply (Art. 17 GDPR).
  • Right to Restriction: Request that we restrict processing of your data in certain circumstances (Art. 18 GDPR).
  • Right to Portability: Receive your data in a structured, machine-readable format (Art. 20 GDPR).
  • Right to Object: Object to processing based on legitimate interests or direct marketing (Art. 21 GDPR).
  • Automated Decisions: Not be subject to solely automated decision-making with significant effects (Art. 22 GDPR).
  • Right to Withdraw Consent: Withdraw consent at any time without affecting prior lawful processing (Art. 7(3) GDPR).

You also have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland — uodo.gov.pl. EU residents may also contact the data protection authority in their country of residence.

9. Cookies Policy

Our Website uses cookies and similar tracking technologies to enhance your experience, analyse site traffic, and support our marketing activities. A cookie is a small text file placed on your device by your web browser when you visit a website. Cookies do not harm your device and do not contain personally identifiable information on their own.

You can manage your cookie preferences at any time by clicking the "Cookie Settings" button in the website footer. You may also control or delete cookies through your browser settings — please refer to your browser's help documentation for guidance. Please be aware that disabling certain cookies may affect the functionality of the Website. For more information about cookies and how to manage them, visit allaboutcookies.org.

10. Children's Privacy

Our Website and services are not directed to children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent. If you are under the age of 16, please do not submit any personal data through our Website or booking forms. Where travel packages include minors as participants, all personal data relating to persons under 16 must be provided by a parent or legal guardian who accepts responsibility for the accuracy of that data and consents to its processing on the child's behalf. If we become aware that we have inadvertently collected personal data from a child under 16 without appropriate consent, we will take immediate steps to delete such data from our records. Parents or guardians who believe we may have collected data from a minor without consent should contact us immediately at [email protected].

11. Security Measures

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against accidental loss, unauthorised access, alteration, disclosure or destruction. Our security measures include:

  • SSL/TLS encryption: all data transmitted between your browser and our Website is encrypted using industry-standard SSL/TLS technology (HTTPS)
  • Payment security: card payment data is processed via PCI-DSS Level 1 compliant payment processors; we never store raw card numbers on our servers
  • Access controls: personal data is accessible only to authorised staff members and contractors who require access to perform their duties, subject to confidentiality obligations
  • System security: our servers are protected by firewalls, intrusion detection systems, and are regularly updated with security patches
  • Data minimisation: we collect only the minimum personal data necessary for the stated purpose
  • Staff training: all staff who handle personal data receive regular data protection training
  • Incident response: we maintain a data breach response procedure; in the event of a reportable breach, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by Art. 33–34 GDPR

Despite our best efforts, no method of electronic transmission or storage is 100% secure. We encourage you to use a strong, unique password for any account you create with us, and to notify us immediately if you suspect any unauthorised use of your account.

12. Changes to Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable legislation, or the services we provide. When we make material changes, we will update the "Effective Date" displayed at the top of this page. Where required by applicable law or where changes significantly affect your rights, we will notify you directly (for example, by email to registered clients) prior to the changes taking effect. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Website after publication of an updated Privacy Policy constitutes your acknowledgement of the changes. Previous versions of this Policy are available upon request by contacting us using the details in Section 13.

13. How to Exercise Your Rights / Contact DPO

To exercise any of your GDPR rights, submit a data subject access request, withdraw marketing consent, or raise a data protection concern, please contact us using the following details. Please provide sufficient information to allow us to verify your identity and locate your records. We will respond within one calendar month of receiving your request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Polish data protection supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw — uodo.gov.pl. EU residents may also contact the supervisory authority in their country of habitual residence.

Questions About Your Privacy?

Our team is happy to answer any questions about how we handle your personal data.
