2. The personal data we collect

Depending on how you interact with us, we may collect:

2.1 Booking & travel information

● Name, title, date of birth
● Contact details (email, phone, postal address)
● Booking details (tour/Day Card booked, dates, itinerary, group members)
● Payment-related details (amount paid, transaction references — actual card details
are usually held by your payment provider, not us)
● Special requests (e.g. accessibility, dietary needs, heritage interests)

2.2 Communications

● Emails, messages, and forms you send us (queries, feedback, complaints)
● Records of phone calls or notes taken when you contact us

2.3 Marketing & preferences

● Your newsletter subscription status
● Your communication and marketing preferences
● Historical interaction with campaigns (e.g. whether you opened/ clicked certain
emails)

2.4 Website and device data

When you visit our website, we may collect:

● IP address and general location (country/region)
● Device and browser type
● Pages visited, time spent, navigation paths
● Cookie and tracking information (see our separate Cookie Policy for details)

2.5 Photos and video (heritage tours)

● Photos or video taken by our tour guides or representatives where you may appear
as part of a group during Island Heritages tours and activities.
● We may use some of these images in our brochures, website, or social media to
promote our services, where appropriate and lawful (see Section 5 – purposes &
legal bases).

3. How we collect your data

We collect personal data in several ways:

● Directly from you – when you book a tour or Day Card, contact us, subscribe to our
newsletter, or fill in a form.
● From other travellers in your booking – for example, if a group leader provides
names and details of other participants.
● Automatically – through cookies and similar technologies when you browse our
website (see Cookie Policy).
● From partners – in some cases, from travel agents, booking platforms, or
accommodation providers, but only where this is necessary to fulfil your booking or
where you have consented.

4. Legal bases for processing (GDPR)

Under GDPR we must have a legal basis to process your data. Depending on the situation,
we rely on:

● Contract – to take steps at your request before entering into a contract and to
perform the contract (e.g. processing your booking, providing your tour).
● Legal obligation – to comply with applicable laws (e.g. accounting, tax, public-health
or safety rules).
● Legitimate interests – for example, to operate and improve our services, handle
basic customer service, and promote our business, where these interests are not
overridden by your rights.
● Consent – for certain marketing activities and non-essential cookies/analytics, and in
some cases for the use of photos where required.

You can withdraw your consent at any time (see Section 9).

5. What we use your personal data for

We use your personal data for the following purposes:

5.1 To manage bookings and provide our services (Contract)

● Processing enquiries, reservations, and payments
● Sending booking confirmations, travel documents, and important updates
● Providing your heritage-themed tours, Day Cards, and related services
● Handling changes, cancellations, and customer support

5.2 To communicate with you (Contract / Legitimate interests)

● Responding to your questions or requests
● Sending service-related messages (e.g. schedule changes, important tour
information)

5.3 To promote our services (Legitimate interests / Consent)

● Sending marketing emails or newsletters about Island Heritages, special offers, or
new tours, where permitted by law
● You can opt out at any time by using the “unsubscribe” link or contacting us directly.

5.4 Website operation and improvement (Legitimate interests / Consent)

● Running and maintaining our website
● Monitoring website performance and usage to understand how visitors interact with
our content
● Using analytics cookies (only with your consent where required by law)

5.5 Photos and media from tours (Legitimate interests / Consent)

● Our guides may take group photos or videos during tours to capture the experience.
● We may use some of these images in our brochures, website, or social media to
promote Island Heritages and heritage tourism.
● Where local law or circumstances require, we will seek consent or provide an easy
way for you to opt out (for example, by telling the guide you do not wish to be
included in promotional shots).

5.6 Legal, regulatory and safety purposes (Legal obligation / Legitimate interests)

● Keeping records for tax and accounting compliance
● Dealing with complaints, claims, or legal disputes
● Ensuring the safety and security of our guests and staff
● Meeting requirements of Irish or EU authorities where applicable

6. Who we share your data with

We may share your personal data with:

● Service providers and partners involved in delivering your trip, such as
accommodation providers, transport companies, local guides, and attraction
operators (only the data they need).
● Payment service providers and banks to process payments and prevent fraud.
● IT and hosting providers who support our website, booking systems, email, and
analytics tools.
● Professional advisers (lawyers, accountants, insurers) where necessary.
● Public authorities or regulators (e.g. the Irish Revenue Commissioners or the Data
Protection Commission) when we are legally required to do so.

We do not sell your personal data.

7. International data transfers

Some of our service providers or partners may be located outside the European Economic
Area (EEA). Where we transfer personal data outside the EEA, we will ensure appropriate
safeguards are in place, such as:

● Adequacy decisions by the European Commission, or
● Standard Contractual Clauses or equivalent measures,

to ensure your data remains protected to EU standards.

8. How long we keep your data

We keep your personal data only for as long as necessary for the purposes described in this
policy, including:

● For bookings: typically for the duration of your relationship with us plus a period
required for accounting, tax, or legal obligations.
● For marketing: until you unsubscribe or object, or after a period of inactivity, in line
with our internal retention rules.
● For photos and promotional material: while they remain relevant for marketing,
unless you request removal where applicable.

After these periods, personal data will be securely deleted or anonymised where feasible.

9. Your data protection rights

Under GDPR, you have various rights in relation to your personal data, including:

● Right of access – to obtain a copy of your personal data and certain information
about how we process it.
● Right to rectification – to correct inaccurate or incomplete data.
● Right to erasure (“right to be forgotten”) – to request deletion of your data in
certain circumstances.
● Right to restriction of processing – to limit how we use your data in certain
situations.
● Right to data portability – to receive your data in a structured, commonly used
format and have it transferred to another controller where technically feasible and
lawful.
● Right to object – to processing based on legitimate interests, including direct
marketing.
● Right to withdraw consent – where processing is based on your consent, you may
withdraw it at any time (this does not affect processing before withdrawal).

To exercise any of these rights, please contact us using the details in Section 1.

You also have the right to lodge a complaint with the Irish Data Protection Commission
(DPC) if you believe your data protection rights have been infringed:

• Data Protection Commission – see contact details on dataprotection.ie
  We would appreciate the chance to address your concerns before you contact the DPC, so
  please consider contacting us first.

10. Security

We take appropriate technical and organisational measures to protect your personal data
against unauthorised access, loss, misuse, or alteration. These may include:

● Secure systems and access controls
● Encryption and regular backups where appropriate
● Limiting access to personal data to staff and partners who need it

However, no system is completely secure, and you share information with us at your own
risk.

11. Children

Our services are primarily aimed at adults. We do not knowingly collect personal data from
children under 16 without appropriate consent. If you believe a child has provided us with
personal data without proper consent, please contact us and we will take appropriate steps.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this
page with an updated “Last updated” date.

We recommend that you review this Policy periodically to stay informed about how we use
your personal data.