At The Luxury Holiday Company, a trading brand of Wexas Limited, we work hard to keep the information you give to us safe. We follow tight security procedures on how your personal information is used and stored, we limit who sees it and we have a number of processes in place to stop unauthorised access to it. This privacy policy explains how in more detail.


Under the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679, Wexas Limited has a legal duty to protect any personal information we collect from you. Wexas Limited of Runway East Borough Market, 20 St Thomas Street, London SE1 9RS is registered as a data controller with the Information Commissioners Office (ICO) under registration number ZA052466.

We are committed to safeguarding the privacy of our clients, be it through direct communication or via our websites, including, and (the “Websites”) or through our Leisure app, Vamoos (the “Digital Tools”). This privacy policy applies to personal information obtained through the Websites and Digital Tools, as well as to information provided to our consultants.

Personal information we collect and how we use it

Wexas does not capture or store any personal information provided to us, except as provided in this policy. Personal information may be given to Wexas in a variety of circumstances in order to manage your travel effectively. Such information may be provided to us in the following ways:

  • You make a booking, enquiry, purchase or subscribe to a membership through one of our Websites or one of our Digital Tools, or through our consultant teams by email, phone, letter, electronic form or in person;
  • You make amendments or changes to a booking, enquiry or purchase as above;
  • You consent and take part in a survey or provide us with feedback;
  • You subscribe to our newsletter and travel updates;
  • You enter one of our competitions;
  • You accept cookie usage on one of our Websites or Digital Tools allowing us to track information about your computer or device, and your visits to and use of our services
  • You send us any other information which is pertinent to the fulfilment of your travel booking, in particular this may extend to personal information about your family members or friends for holiday bookings
  • If you work for one of our Corporate clients, you or your company may provide personal information about you as part of a traveller profile form (which may be completed by you or someone who works with you);

All telephone calls are recorded and monitored for quality and training purposes and these may contain personal information and are backed-up and stored for up to one year. All email correspondence is stored locally and backed-up and can be accessed up to three years later for quality and regulatory purposes. Bookings and travel records are held for seven years after travel to comply with UK regulations. Travel profiles are held while you remain an active client/traveller and for Corporate clients we rely on your employer to notify us about leavers and joiners. We have a regular review process to keep Corporate traveller profiles up-to-date.

Any marketing materials we send you will be sent to you by post or in electronic format. Should you wish to remove your details from our email marketing list, then you will need to follow the unsubscribe link at the bottom of our emails. Should you wish to opt-out of postal mailings, then please contact Wexas via telephone, email or letter and we will change your preferences accordingly.

If you provide payment details to us to facilitate a travel booking, then this information is stored on secure, encrypted databases that comply with the Payment Card Industry (PCI-DSS) security standards and is only used for payment and accounting purposes.

Statistical data, Use of Cookies and Website Tracking

Wexas may use aggregate information and statistics for the purposes of monitoring Websites’ and Digital Tools’ usage, in order to help us develop our Websites and Digital Tools and our services and may provide such information in aggregate to third parties. These statistics and data will not include any information that can be used to identify any individual.

All of our Wexas Websites and some of our Digital Tools use cookies to improve our website experience and so we can provide a more personalised approach to our marketing. A cookie is a text file which identifies your computer to Wexas’ servers. Cookies in themselves do not identify the individual user, just the computer or device used. Cookies are not used to collect personal information. From 25th May 2018 all our Websites and (where used) our Digital Tools will ask you to accept cookie usage or decline it, the first time you use each service. You can also opt out of cookie usage at any time by clicking on the footer link on our Websites and selecting ‘Out of Cookies’.

Additionally some or all of our Websites and Digital Tools use:


We use Hotjar in order to better understand our website visitors’ needs. Hotjar technology measures website experience factors (e.g. time spent on which pages, which links are clicked and where visitors exit a webpage). This enables us to identify and improve underperforming webpages to improve your website experience.Hotjar uses cookies and other technologies to collect data on users’ behaviour and their devices (specifically anonymised IP address, device screen size, device type, browser information and country location). This information is stored in a pseudonymised user profile that we do not and cannot attribute to an identifiable individual. Neither Hotjar nor we will ever use this information to identify individual users.

Google Analytics

We use Google Analytics to understand our website visitors’, popular webpages and track ‘conversion’ (i.e. an enquiry, a brochure request, or newsletter sign-up) by webpage. Like Hotjar, Google Analytics measures the same website experience factors and uses cookies to collect data on our users’ behaviour and their devices as well as collecting information on the webpages the visitor has visited. Aggregated data is anonymised from the outset to recommend improvements to webpages. No data from Google Analytics is ever used to identify an individual.

Bing and Google AdWords

We use Bing and Google AdWords cookies to appropriate track whether our digital advertising campaigns are working (i.e. resulting in enquiries, brochure requests and newsletter sign-ups). Like Hotjar and Google Analytics, Bing and Google AdWords measure website experience factors. They use cookies to collect data on our users’ behaviour and their devices. No data from Bing or Google AdWords is ever used to identify an individual and anonymised data is only used to optimise our advertising campaigns.

Facebook and Instagram

We use a Facebook ‘pixel’ to collect aggregated, anonymised data about the behaviour of our website visitors, in order to promote relevant adverts to them on Facebook and Instagram. The ‘pixel’ is a cookie that collects data about what webpages a visitor has been on, aggregates demographic data (e.g. age range, gender) and whether somebody who has visited our website via Facebook has gone on to make a ‘conversion’ (e.g. make an enquiry, request a brochure, sign up to our newsletter). Typically we use this data to provide relevant adverts to our Leisure website visitors based on expressed holiday interests from browsing our website. At no point in time do we know the users’ identities when collecting the data and advertising to them.


Dotmailer is an email marketing platform that we use to send our databases’ emails. We also use Dotmailer to email travel agents with news or occasional relevant information. We use a Dotmailer cookie on our website that tracks whether an individual who has been sent an email has proceeded to order a brochure or make an enquiry. It is possible to identify somebody who has opened one of our emails, including what they have clicked on. We use aggregated data to identify what was popular in any given email so we can better understand clients’ preferences. We also aggregate the data to provide more personalised emails based on a theme of interest. We never use the data to identify individual users’ preferences, only a collated dataset that is impartial.


When a booking is made, as part of the booking process, your booking information is uploaded to Feefo, an independent review website. Feefo will then contact you via that email address to ask you to review the service you received with Wexas. You may choose to decline, review anonymously or review with your name associated with the review. Feefo do not use the data for any other purpose, and your data is held securely by Feefo.

All data is collected from Hotjar, Google Analytics, Google and Bing AdWords, Facebook pixels, Dotmailer and Feefo is stored securely in the cloud and is not shared with anybody outside the Wexas digital marketing team.


Wexas will only hold your information for as long as is necessary for the purpose for which it was collected. However in line with our Data Security Policy, some regulatory bodies do require us to hold records for up to seven years after travel. Our Data Security Policy is updated at least once per year and the owner of this policy is our Information Compliance Manager. A copy of this policy may be requested by emailing [email protected].

Save as stated below, your personal information is not disclosed to third parties unless this is indicated by our consultants, or is indicated on our Websites or Digital Tools and/or the relevant form at the point of collecting the information, or as required or allowed by law.

Your personal information may be passed to a third party in order to fulfil your travel requirements or certain processes necessary for the operation of our Website and marketing activities. This may necessarily include passing your details outside of the UK and European Economic Area (EEA). These countries may not have data protection laws equivalent to those in force in the EAA, and you expressly agree to this transfer, storing or processing by submitting your travel request to us. If we transfer data outside of the EEA we will take steps to ensure that your privacy rights continue to be protected as outline in this privacy policy.

We may disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 736 of the UK Companies Act 1985.

We may, from time to time, expand or reduce our business and this may involve the sale and/or transfer of control of all or part of Wexas Limited. Information provided by our clients will, where it is relevant to any part of our business being transferred, be transferred along with that business and the new owner or newly controlling party will, under the terms of this privacy policy, be permitted to use the information for the purposes for which it was originally supplied to us. We may also disclose information to prospective purchasers of our business or any part of it. In this instance we will take steps to ensure your privacy is protected.

How we protect your information

Any personal information collected is recorded in secure systems. Any payment transaction details are encrypted and comply with the Payment Card Industry (PCI-DSS) security standards.

All Wexas’ employees and data processors, who have access to or are associated with the processing of personal information, are obliged to respect the confidentiality of that information and employees receive annual training on this. Access to our systems is secured by password. Should Wexas receive any complaint, notice, request or communication which relates directly to the processing of your personal information by a third party supplier (whether travel principal or technology supplier) and the supplier’s compliance with Data Protection laws, we shall notify you as soon as possible (and in the case of our Corporate clients, your company, deemed to be acting on behalf of its employees and contractors) of any breach or suspected breach of personal information.

Wexas ensures that your personal information is not disclosed to government institutions and authorities, except if required or allowed by law.

Email security

All Wexas outbound emails are encrypted, but please note that unless encrypted an email sent from you to us via the internet may not be secure and could be intercepted and read by someone else. Please bear this in mind when deciding whether to include personal information in any email you intend to send us.


Our Websites and Digital Tools may contain links to and from other websites, including those of our suppliers. If you follow a link to any of these websites, please note that these websites will have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check external websites policies before you submit any personal information to these websites.

Your consent

Whenever you are required to submit personal information you will be given options to restrict our use of this information, which will include the use of this information for direct marketing purposes. By submitting your personal information you consent to the use of that information as set out in this policy. If Wexas changes this privacy policy it will post the changes on this page. Continued use of our service will signify that you agree to any such changes.

Data protection by design

Wexas is PCI-DSS certified and our Data Protection Policy covers all new processes, technology and procedures introduced at Wexas including Data Protection at the design stage.

Clients 16 and under

If you are aged 16 or under, please get your parent/guardian’s written permission sent to us before you provide personal information to Wexas’ Websites, Digital Tools or consultants. Clients/users aged 16 or under without this consent are not allowed to provide us with personal information.

Accessing your personal information and data Wexas holds on you

Wexas will process any personal information that it collects in accordance with the Data Protection Act 1998. If you wish to access personal information collected from you or you have an enquiry or concern regarding the processing of personal data by Wexas, please make an individual information request to:

[email protected] or write to our Information Compliance Manager at Wexas Limited, Runway East Borough Market, 20 St Thomas Street, London SE1 9RS.

Under the Data Protection Act 1998 you can request a copy of your personal information. Wexas will provide you with a legible copy of the personal information it holds and to which you are entitled. This will be sent to you within 30 days of your request. Please note Wexas requires proof of your identity before supplying the information and may ask you for further information to assist in locating your personal information. Individual traveller requests are free of charge, although Corporate or group/multiple requests may incur charges which are detailed in our Wexas Travel Management transaction fees.

Your right to rectify

You can ask Wexas to update your personal information if something is inaccurate or missing. You do not need to submit an information request to do this, simply send any changes by email or post to your Wexas consultant or account manager.

Your right to restrict processing

If you think there is something wrong with the data being held about you, or you are unsure Wexas is complying with the GDPR rules, you can restrict any further use of your personal information until the problem is resolved. However please note we will not be able to make any future travel bookings or provide tickets/documentation for imminent travels while such a restriction is in place.

Your right to erasure

From 25th May 2018 you have the right to erasure, which means post an individual or Corporate data request, you may instruct Wexas to erase the personal information we hold on you. Subject to there being no legal reasons to retain this information, Wexas will erase the information within one month (Corporate) and three months (Leisure and holidays) and provide you with a written confirmation of its erasure. In cases where we are required to keep travel records for legal or regulatory reasons or for the integrity of trend reporting for Corporate clients, we may anonymise your personal information rather than erase it, but your information will be anonymised in a non-redactable way.

Your right to data portability

You can request a copy of your information by writing to the Wexas Limited Information Compliance Manager at [email protected] or by post at Runway East Borough Market, 20 St Thomas Street, London SE1 9RS. Your information will be provided via electronic media in a commonly used format which is compatible with other IT systems.

For individual Leisure clients this information will be provided free of charge, although we reserve the right to charge for repeated or excessive requests.

For Corporate clients wishing to transfer their individual travellers’ personal information and/or travel records to a new travel management provider, written requests for these transfers may be made to your Wexas account manager. Please note there is a charge for the secure, encrypted transfer of Corporate client data by account and these charges are detailed in our Wexas Travel Management Transaction Fees. Typically Corporate client data transfers take between 14 to 28 days to complete. Where individual Corporate travellers have or continue to make personal holiday or travel arrangements with Wexas, this data will be retained.

Your right not to be subject to automated decision making

At the present time Wexas does not use automated decision making in any of its processes. Should this change, Wexas will always provide an opt-out capability and will always review any objections within the GDPR framework.


You may not transfer any of your rights under this privacy policy to any other person. We may transfer our rights under this privacy policy where we reasonably believe your rights will not be affected.

If any court of competent authority finds that any provision of this privacy policy (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this privacy policy will not be affected.

Unless otherwise agreed, no delay, act or omission by us or you in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.

This policy will be governed by and interpreted according to the laws of England and Wales. All disputes arising under this policy will be subject to the exclusive jurisdiction of the England and Wales courts.


This privacy policy may be updated from time to time, so you may wish to check it each time you submit personal information to our Websites or Digital Tools.

Wexas Limited | May 2018