(Last updated 1/8/22)
We process important, valuable and confidential data on behalf of our customers. We do this in a secure and appropriate way and have prepared this to demonstrate our security commitment in the context of travel procurement and privacy laws.
Data ownership and legal basis for data processing
We (Agiito) act as a data processor, in the majority of cases, when processing our customers’ personal data and will process it in accordance with UK data protection law and the contractual obligations in our contracts.
This means only processing customer data in accordance with the written instructions of our customers, who are the data controllers.
Where we have entered into standard contractual clauses (SCCs) for the purpose of transferring data outside of the EEA, we take the position of data controller to enable this.
For the purpose of providing travel, meeting and event services we collect, use and disclose personal data. Personal data is any information that can be used to identify you or that we can link to you.
Any user of our services may be asked to provide certain personal data such as: name and contact information (work and home/mobile phone, fax, email, address); emergency contact names and information; preferences and trip/meeting details, e.g. seat preferences, frequent flyer club membership, class of service, meal preferences, hotel/rail/car and other ground transportation membership, special accommodation requests, and other personal data supplied by you via your login profiles.
Dependent upon the type of service taken you may also be asked to supply additional documentation such as passport/visa/driver’s licence number, and date of birth.
Under UK GDPR, data subjects have the rights of data portability, access, objection, restriction, rectification and erasure in respect of data we may hold on them. In order to exercise any of these rights or for any issues with how we handle your data, please contact us at email@example.com.
Each of our customers can be assured that we are taking the necessary steps with its suppliers (who are sub-processors of the personal data) to require them to comply with the UK GDPR using both contractual clauses and annual due diligence reviews.
For the purpose of fulfilling the provision of travel, meeting and event services any personal data collected may be shared with or disclosed to our customer, as the data controller, for the purpose of management information, auditing, tracking and other purposes as necessary.
Our related companies, partners, subcontractors, and agents as necessary to fulfil and support the services, including facilitated bookings and assistance, responding to queries, ticket issue, responding to requests, and engagement in customer campaigns or supplier promotions.
Third-party travel service providers to fulfil contractual travel and events services (e.g. Global Distribution Systems (GDSs); trains, hotels, airlines, rental car and other ground transportation companies, car parking facilities and other travel suppliers for booking purposes).
Additionally, technology platform providers, including, without limitation, online booking tool providers, meeting registration software providers (including onsite and mobile event management solution providers), visa and passport providers, credit card companies and payment collection and processing companies.
When sharing with or disclosing personal data to other parties, as stated above, personal data may be transferred to countries with data protection laws providing a lower standard of protection for your personal data than your country.
We will transfer your personal data in compliance with applicable data protection laws, including having adequate mechanisms in place to protect your personal data when it is transferred internationally e.g. facilitating Model Clauses, data protection agreements.
We are governed by a comprehensive Information Security Policy set and regularly audited by Capita plc. Policies include data security, information technology, physical security, data protection and cybersecurity.
A formal breach notification plan is in place detailing reporting lines and time frames for reporting internally through our incident management tool. Should an incident occur that affects any customers materially, we will notify in accordance with contractual obligations.
We adhere to a data retention policy that ensures that data is only stored as long as necessary to comply with legal and regulatory requirements.
We are an ISO 27001 and Cyber Essentials Plus certified company with PCI DSS accreditation and as such are subject to regular internal and external audits against these standards.
We use appropriate technical and organisational security measures to protect the personal data of our customers.
Typically, data is stored within our UK based datacentre which houses our internal systems. These are held on our own equipment with no additional access available to any datacentre staff. Physical security controls include 24x7 monitoring, visitor logs and entry passes. Environmental controls include redundant communications and uninterruptible power supplies (UPS).
Whilst we employ security measures to provide data confidentiality, integrity and availability, it should be noted that no transmission over the internet can be guaranteed as secure from illegal or unauthorised activity and so any personal data supplied is done so at your own risk.
You have the right to make a complaint at any time to the UK supervisory authority for data protection issues, the Information Commissioner's Office (ICO) (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance – any questions can be directed to firstname.lastname@example.org
Collection of personal information
The information which we collect and store during normal use of the site is used to monitor and analyse how parts of the site are used. Such use does not result in any personally identifiable data being collected or stored. 'Personal information' means information from which someone else would be able to identify you as an individual.
You have the option on certain pages within this site to submit personal information to Agiito, part of Capita plc in order that we might send you further information or email alerts. In each case, we will only use the information about you for the purpose for which you provide it. Here is an overview of each scenario in which you can provide data, and what we do with it:
Sign-ups to our newsletters – If you submit your email address in order to sign up for our newsletter, we will add your email address to our distribution list in our email tool, MailChimp. Each time you receive one of the newsletters, you will have the option to unsubscribe, or manage your preferences.
Call back request – If you submit your details for a call back request, our business development team will receive a notification asking them to call you back. We will only use the information you submit for the purpose of calling you back.
Document downloads – If you submit your information to download any documents from this site, such as white papers, infographics, case studies, or ‘takeaway’ service overviews, our business development team will contact you to ask if any of our services are of interest to you or your business. We will only use the information you submit for the purpose of contacting you about our services.
Become a partner – If you submit information to become a partner, the information is sent to our partner management team. The team will contact you to discuss the opportunities available to you as a partner of Agiito and our customers. We will only use the information you submit for the purpose of contacting you about our services.
If you have submitted personal information through this website and wish to have your details removed, or stop receiving communications from Agiito, please contact email@example.com.
Personal information you submit on this website is stored on secure servers. Occasionally, in order to complete your request as outlined above, we may need to transfer personal information you submit to us to countries or jurisdictions outside the EEA. In each case, we ensure that our suppliers provide adequate protection for the rights of data individuals in connection with the transfer of their personal data.
Currently, we expect all suppliers to use the standard contractual clause approved by the European Union.
We will never sell or share your personal information with other organisations for their direct marketing purposes.
IP Addresses and log file data
The Agiito site does not automatically capture or store personal information, other than logging the user’s IP Address or the location of your computer or network on the Internet, for systems administration and troubleshooting purposes. (If you are connected to the Internet you have an IP address, for example, an IP address might read “184.108.40.206”). We also use IP addresses to track visitor pages in order to improve the quality of the site.
We use Google Analytics to collect information about visitor behaviour on our website. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on.
We have also implemented Google Analytics Demographics and Interest Reporting. This is used to gain an insight into the age, gender and interests of our users to help us make decisions on how to improve the website in the future. Users can opt out of this reporting by visiting Google Ads Settings.
You can find out more about Google’s position on privacy as regards its analytics service at https://support.google.com/analytics/answer/6004245?hl=en-GB
Visitors may choose to opt-out of Google Analytics tracking with the Google Analytics opt-out browser add-on.
Changes to our privacy policies
Agiito reserves the right to revise, amend, or modify these privacy policies at any time and in any manner. When we post changes to them, we will amend the ‘Last updated’ date, and we encourage you to regularly check for changes.
We use a minimal number of different cookies on our site. If you do not know what cookies are, or how to control or delete them, then we recommend you visit https://www.aboutcookies.org for detailed guidance.
The list below describes the cookies we use on this site and what we use them for. Currently, we operate an ‘implied consent’ policy which means that we assume you are happy with this usage. If you are not happy, then you should either not use this site, or you should delete the cookies having visited the site, or you should browse the site using your browser’s anonymous usage setting (called “Incognito” in Chrome, “InPrivate” for Internet Explorer, “Private Browsing” in Firefox and Safari etc.).
First Party Cookies
These are cookies that are set by this website directly.
Used for security reasons
Used for security reasons
Used in connection with user login
Used to indicate the system from which the site was rendered
Used for system monitoring/debugging
Used for system monitoring/debugging
Used for cookie banner parameters
Used to identify logged in site members
Used for security and anti-fraud reasons
Used for system effectiveness measurement
Used for stability/effectiveness measurements
Used on multilingual websites to save user language preference
Used to distinguish users.
Used to distinguish users.
Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.
30 seconds to 1 year
Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service.
Contains campaign-related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt out.
Third Party Cookies
These are cookies set on your machine by external websites whose services are used on this site. Cookies of this type are set by the sharing buttons across the site, which allow visitors to share content onto social networks. Cookies are currently set by LinkedIn, Twitter and YouTube. In order to implement these buttons, and connect them to the relevant social networks and external sites, there are scripts from domains outside of our website. You should be aware that these sites are likely to be collecting information about what you are doing all around the internet, including on this website.
You should check the respective policies of each of these sites to see how exactly they use your information and to find out how to opt out, or delete, such information.
Registered office and Data Protection Officer
65 Gresham Street
Registered in England no: 01094729
VAT no: 618184140
Data Protection Officer: Elvira English, who can be contacted on firstname.lastname@example.org