Privacy Policy - BSL Tours

Privacy Policy

How we protect and manage your personal information with transparency and care.

Last updated: January 2025

Introduction

Welcome to the Privacy Policy of BSL Tours, a trading name of EPIC TRAILS TRAVEL GROUP LTD. We are a specialized Sri Lanka tour operator committed to protecting your personal information and respecting your privacy.

This policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and other applicable data protection laws.

Data Controller Information

We act as the data controller under GDPR as we collect your personal information for business purposes. We are responsible for deciding how your personal data is processed and for what purposes.

Company Details

Company Name: BSL Tours (trading name of EPIC TRAILS TRAVEL GROUP LTD)

Registration Number: 16225580

Registered Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

General Email: info@bestsrilankatours.com

Data Protection Email: dataprotection@bestsrilankatours.com

Telephone: +44 (0)330 043 4463

Website: www.bestsrilankatours.com

What Personal Information We Collect

Booking Information

When you make a booking with us, we collect:

  • Lead passenger details including full name, address, telephone number, and email address
  • Names and dates of birth of all traveling passengers
  • Passport details including passport numbers, expiry dates, nationality, and biometric data
  • Emergency contact information
  • Dietary requirements, medical conditions, or special assistance needs (special category data)
  • Travel preferences and interests
  • Information about disabilities or mobility limitations
  • Any other information you provide to help us fulfill your booking

Payment Information

  • Credit or debit card details (processed securely through our PCI-DSS compliant payment gateway and not stored on our servers)
  • Billing address
  • Payment history and transaction records
  • Financial information for refunds and reimbursements

Communication Data

  • Email correspondence
  • Phone call records and notes
  • Live chat conversations
  • WhatsApp communications
  • Feedback and survey responses
  • Marketing preferences and consent records
  • Complaint details and resolutions

Special Category Data

With your explicit consent, we may process:

  • Health and medical information (for tour suitability assessment)
  • Dietary requirements indicating religious beliefs
  • Disability or accessibility requirements
  • Information about minors under 18 years of age
  • Any other sensitive personal data necessary for your travel arrangements

Legal Basis for Processing Your Data

1. Contractual Necessity (Article 6(1)(b) GDPR)

Processing is necessary to fulfill our contract with you, including:

  • Processing and managing your booking
  • Arranging travel services and accommodations
  • Providing customer support
  • Managing payments and refunds

2. Legal Obligation (Article 6(1)(c) GDPR)

We must process certain data to comply with legal requirements, including:

  • Sharing passenger information with airlines and immigration authorities
  • Maintaining financial records for tax purposes
  • Complying with health and safety regulations
  • Meeting statutory reporting obligations

3. Legitimate Interest (Article 6(1)(f) GDPR)

We have a legitimate business interest in processing data for:

  • Fraud prevention and detection
  • Improving our services and website functionality
  • Analyzing customer preferences and trends
  • Training staff and quality assurance
  • Protecting against security threats

4. Consent (Article 6(1)(a) GDPR)

You have given us explicit consent for:

  • Marketing communications and promotional emails
  • Newsletter subscriptions
  • Using your photographs or testimonials for marketing
  • Processing special category data (health information, dietary requirements)
  • Optional data uses beyond our contractual obligations

Your Right to Withdraw Consent: You can withdraw your consent at any time by contacting us. This will not affect the lawfulness of processing based on consent before its withdrawal.

Data Security

Technical Security Measures

  • SSL/TLS Encryption: All data transmitted through our website is protected by Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption
  • Encrypted Storage: Sensitive information is encrypted both in transit and at rest
  • Secure Payment Processing: PCI-DSS compliant payment gateways with tokenization
  • Firewall Protection: Industry-standard firewalls protect our servers and networks
  • Multi-Factor Authentication: Required for staff access to sensitive systems

Payment Security

PCI-DSS Compliance

We process all financial transactions through secure, Payment Card Industry Data Security Standard (PCI-DSS) compliant payment gateways.

  • Your credit card details are never stored on our servers
  • Card information is removed immediately after processing
  • We use tokenization to securely reference transactions
  • 3D Secure authentication for card verification

Your Rights Under GDPR

Right to Access (Article 15 GDPR)

You can request a copy of the personal data we hold about you, including what data we process, why we process it, who we share it with, and how long we retain it.

Right to Rectification (Article 16 GDPR)

You can request correction of inaccurate or incomplete personal data. We will update records and notify relevant third parties where necessary.

Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

You can request deletion of your personal data when:

  • The data is no longer necessary for the purposes collected
  • You withdraw consent and there's no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed

Right to Object (Article 21 GDPR)

You can object to processing based on:

  • Legitimate interests: You can object unless we demonstrate compelling legitimate grounds
  • Direct marketing: You can object at any time and we will stop processing for marketing purposes
  • Profiling: You can object to automated decision-making

How Long We Keep Your Data

Data Type | Retention Period | Reason
Booking and Travel Records | 7 years | Legal, accounting, and tax compliance
Marketing Data | Until unsubscribed | Marketing consent
Payment Records | 7 years | Financial regulations
Medical and Health Data | 12 months | Tour safety and medical emergency purposes

Contact Us

BSL Tours Data Protection

General Inquiries

Email: info@bestsrilankatours.com

Phone: +44 (0)330 043 4463

Website: www.bestsrilankatours.com

Data Protection Officer

Email: dataprotection@bestsrilankatours.com

Response Time: 30 days (one month)

Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

Office Hours

Monday to Friday: 9:00 AM - 6:00 PM GMT
Saturday: 10:00 AM - 2:00 PM GMT
Sunday: Closed (except emergencies)

Complaints and Regulatory Authority

Information Commissioner's Office (ICO)

You have the right to lodge a complaint with the UK's supervisory authority:

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Website: www.ico.org.uk

Helpline: 0303 123 1113

Email: casework@ico.org.uk

Your Acceptance and Agreement

By using our website, making a booking, or providing us with your personal information through any means, you acknowledge that you have read and understood this Privacy Policy in its entirety and agreed to our collection, use, and disclosure of your personal information as described.

© 2025 BSL Tours Limited (trading name of EPIC TRAILS TRAVEL GROUP LTD). All rights reserved.
This Privacy Policy was last updated in January 2025. For information about our Terms and Conditions, please visit: www.bestsrilankatours.com/terms-conditions