Exodus Travels Limited, trading as Headwater Holidays, is part of the Travelopia group of companies (hereinafter called 'Headwater', 'we', ‘us’ or ‘our’). Here at Headwater we understand the concerns about how data may be stored, sent and used by companies. We are committed to complying with all data protection laws and want you to feel confident in the measures we are taking to uphold your data privacy rights.
This privacy policy explains how we collect and use your personal information. In it we explain the types of information we collect, how we collect it, what we use it for and who we may share your personal information with. We also let you know what rights you have over your information.
Privacy policies don’t need to be confusing and we don’t think you should have to read through lots of complicated paragraphs to understand how we handle your data. For this reason we have created our Privacy Policy Quick Guide (opens in new window).
We think this document highlights the most important points to be aware of. However, if you want more detail about a specific topic you can click the links below to be taken to the relevant section.
We do our best to keep the information we collect about you to the minimum necessary.
The information we collect depends upon how you are interacting with us. For example, if you’re booking a holiday or tour with us we are likely to ask for more information than if you’re only requesting a brochure or browsing our website. We may collect, use, store and transfer different kinds of personal information about you, which we have summarised in the box below.
Details about you: Your first and last name, marital status, title, gender, e-mail address, telephone number, date of birth, loyalty membership details, your reasons for travel, meal and other travel preferences or dietary requirements.
Payment details: Your bank details and payment card details when making a booking with us. Details about payments to and from you and other details of products and services you have purchased from us.
Identification documents: If you are travelling on a route requiring advance passenger information, your passport or identity card details including your passport number, the country in which your passport was issued and the expiry date.
Details about your booking with us: Details such as where you are flying from and to, your booking information (including anyone else on the booking), any onward travel details if relevant, details of experiences or excursions booked through us, baggage requirements, upgrade information, lounge visits, seat preferences, meal preferences or requirements, details of any special assistances required and any other relevant information so that we can provide you with the travel or other service you have arranged with us.
Details from your interactions with us: Information about interactions or conversations with us and our staff, including when you make enquiries, comments, complaints or submit feedback to us. This could also include username and password and your interests, marketing preferences and survey responses.
Your use of our systems and services: This includes how you use our site, app, retails stores, call centres and/or social media pages, IP addresses and information you may post on social media.
Job applications: If you apply for a job with us, your CV, work history, educational details and the role you are applying for.
Special types of data: In some circumstances we may need to collect information from you that is deemed sensitive. For example, we might collect:
- Data about your health. Knowing your dietary requirements and any medical conditions you have will ensure that the trip is suitable for you and any necessary adjustments are made.
- Information about your religion (for example if you specify a meal preference that indicates a particular religion, such as a kosher or halal meal).
We try to limit any sensitive personal data we collect to the minimum possible. Unless we have a specific lawful reason to use this information, we will ask for your consent to collect it.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
Depending upon your interactions with us, we might collect information in the following ways:
Direct Interactions: You may give us your identity, contact and financial data by filling in forms or by corresponding with us by post, phone and email or otherwise, This includes personal data you provided when you:
As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our Cookie Policy for further details.
We may receive personal data about you from various third parties as set out below:
a) airlines, hotel providers or other parties we work with if you make a complaint to them;
b) analytics providers
Under data protection laws we are allowed to use personal information only if we have a proper reason to do so such as:
Generally we do not rely upon consent as a legal basis for processing your personal data other than in relation to sending our own or third party direct marketing communications to you via e-mail or text message. You have the right to withdraw consent to marketing at any time by contacting us.
We have set out below a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
One of the other reasons we sometimes collect your information is so that we can form a view on what we think you may want or need, or what may be of interest to you. With this information we decide which products, services and offers may be relevant for you and what marketing you may be interested in.
We keep you up to date with our latest offers, partnerships, sales, promotions, competitions (or those of our partners such as other members of the Travelopia group) that we think might be of interest/relevance to you.
We will only contact you in this way if:
We never want to send our marketing to someone who isn’t interested in receiving this content. If you have decided that you no longer wish to hear from us, you can unsubscribe from marketing by clicking on the ‘unsubscribe’ link included in all of our e-mails or by contacting us.
We do not pass your information to other parties for marketing purposes unless you agree to us doing so. We will get your express opt-in consent before we share your personal data with any company outside the Travelopia group of companies for marketing purposes.
Sometimes we may use 3rd parties to send the communication to you on our behalf. However, these companies do not have the right to send marketing to you for their own purposes.
The marketing material we send to you we may occasionally also include information about selected business partners who provide services closely related to our own product.
In order to provide you with the services and on the lawful grounds described above, we may share your personal information with third parties such as:
We will only send your data outside the European Economic Area ("EEA") to:
Some of our external third parties are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA. If we do transfer information to parties outside of the EEA, we will make sure that it is given a similar degree of protection.
We want you to feel reassured that you have control of your personal information. With this in mind, we have explained below the rights you have in relation to the personal information we hold about you:
You can exercise these rights over your data by contacting us or by checking the applicable boxes on forms where we collect your information or to tell us that you don’t want to participate in marketing. You can also unsubscribe from any marketing circulation lists you are on by scrolling to the bottom of the e-mail and clicking the ‘unsubscribe’ link.
We will comply with your requests, unless we have a lawful reason not to do so. We may need you to provide additional details to confirm your identity in order to process your request.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only keep your personal data for as long as necessary to fulfil the purpose we collected it for, including for the purpose of satisfying any legal accounting or reporting requirements.
We operate a data retention policy and look to find ways to reduce the amount of information we hold and the length of time we hold it for.
By law we have to keep basic information about booking and our customers for six years for legal claims and tax purposes.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
This section is applicable to residents of California. If you are a resident of California, you have certain rights described below.
A California resident who has provided personal data to a business with whom he/she has established a business relationship for personal, family, or household purposes (a “California Customer”) may request information about whether the business has disclosed personal information to any third parties for the third parties’ direct marketing purposes. In general, if the business has made such disclosure of personal data, upon receipt of a request by a California Customer, the business is required to provide a list of all third parties to whom personal data was disclosed in the preceding calendar year, as well as a list of the categories of personal data that were disclosed. California Customers may request further information about our compliance with this law by mailing us at Headwater, Attn: Legal Department, D S T House, St Mark's Hill, Surbiton KT6 4BH, United Kingdom, or emailing us at datateam@exodus.co.uk. Please note that we are only required to respond to two requests per California Customer each year under Code Section 1798.83.
This section of our Privacy Policy provides California residents with a comprehensive description of our online and offline practices regarding the collection, use, disclosure, and sale of personal information and the rights of California consumers regarding their personal information under the California Consumer Privacy Act (“CCPA”). “Personal Information” under this section has the same meaning as defined in the CCPA. This section applies to all California residents (but not including legal entities, such as companies). The section will not apply, however, if we do not collect any Personal Information about you or if all of the information we collect is exempt from the statute (for example, the CCPA does not protect information that is already protected by certain other privacy laws, and it does not protect information that is already publicly available).
The above sections describe how we collect, use, and disclose your Personal Information.
We do not sell your Personal Information.
You have the right to request disclosure about what categories of Personal Information we have used or disclosed for a business purpose about you and the categories of third parties to whom the Personal Information was used or disclosed. Additionally, you have the right to request disclosure of specific pieces of information. Below is a full list of the information that you can include in your request.
The categories of Personal Information that we have collected about you:
When you make a request under your Right to Know, you can expect the following:
If you would like to exercise your right to request disclosure, please contact us using the information below under "How to contact us". Our privacy team will examine your request and respond to you as quickly as possible.
You have the right to request that we delete any Personal Information about you that we have collected from you. Please note that there are exceptions where we do not have to fulfil a request to delete information, such as when the information would create problems with the completion of a transaction or compliance with a legal obligation.
If you would like to exercise your right to request disclosure, please contact us using the information below under "How to contact us". Our privacy team will examine your request and respond to you as quickly as possible.
When you make a request for deletion, you can expect the following:
We will not discriminate against you (e.g., by denying you goods or services or providing a different level or quality of goods or services) for exercising any of the rights afforded to you.
We have appointed a Data Champion who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the Data Champion using the details set out below.
Exodus Travels Ltd
DST House
St Marks Hill,
Surbiton, Surrey
KT6 4BH
Please contact us in the first instance if you have any concerns. If we are unable to resolve your concern, you have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (ico.org.uk) or the relevant data protection authority where you live.
For data protection laws applicable in Member states of the European Union, please contact to the address or email below.
GDPR Officer
Sawadee Reizen
Sarphatistraat 650
1018 AV Amsterdam
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
In the event of our insolvency we, or any appointed insolvency practitioner, may disclose your personal information to the CAA, and/or ABTA so that they can assess the status of your booking and advise you on the appropriate course of action under any scheme of financial protection. The CAA’s General Privacy Notice is at https://www.caa.co.uk/Our-work/About-us/General-privacy-notice ABTA’s Privacy Notice is at https://www.abta.com/privacy-notice.
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Changes to this privacy policy and your duty to inform us of changes.
We keep our privacy policy under regular review. This version was last updated on 21st May 2018.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookies Policy.
Exodus Travels Limited, trading as Headwater Holidays, is a member of the Travelopia Group of Companies. Registered UK Office: Origin One, 108 High Street, Crawley, West Sussex, RH10 1BD. Registered in England and Wales No. 1150160. Vat no. 108216835.