Privacy Policy

We collect and process the following categories of personal data about you:

Information You Give Us

•       Full name, date of birth and passport details (for you and all travellers on your booking)

•       Contact details: email address, phone number, postal address

•       Payment information: card type and last four digits (full card details are processed securely by our payment provider and not stored by us)

•       Booking preferences, special requests and dietary requirements

•       Medical conditions or disabilities that may affect your travel arrangements

•       Communications you send us, including emails, chat messages and complaint correspondence

Information We Collect Automatically

•       IP address, browser type and version, operating system

•       Pages you visit on our website, time spent on each page and links you click

•       Referring website or search terms used to find us

•       Cookie identifiers and session data (see Part Two — Cookie Policy for full details)

Information From Third Parties

•       Travel suppliers such as airlines, hotels and transfer companies who may share booking-related information with us

•       Payment processors and fraud prevention agencies

•       Social media platforms if you interact with us through them (subject to your privacy settings on those platforms)

We use your personal data for the following purposes:

To Fulfil Your Booking

Lawful basis: Contract. We process your data to confirm and manage your holiday booking, pass your details to the relevant suppliers (airlines, hotels, transfer operators), issue travel documents, and provide pre-departure and in-resort support.

To Process Payments

Lawful basis: Contract. We process payment information to take deposits, balance payments and cancellation charges, and to manage refunds.

Legal & Regulatory Obligations

Lawful basis: Legal obligation. We are required by law to pass certain passenger data (Advanced Passenger Information) to government border control and security agencies. We also retain financial records in accordance with HMRC requirements.

Customer Service & Complaints

Lawful basis: Contract / Legitimate interests. We process your data to respond to enquiries, manage complaints and improve our service.

Marketing Communications

Lawful basis: Consent / Legitimate interests. With your consent, or where we have a legitimate interest as an existing customer, we may send you special offers, holiday inspiration and news. You can opt out at any time — see Section 8.

Website Improvement & Analytics

Lawful basis: Legitimate interests. We analyse how visitors use our website in order to improve the user experience. This is done using anonymised or aggregated data where possible.

Fraud Prevention & Security

Lawful basis: Legitimate interests / Legal obligation. We use your data to detect and prevent fraud, money laundering and other illegal activity.

We do not sell your personal data to third parties. We share your data only where necessary, with the following categories of recipient:

•       Travel suppliers — airlines, hotels, transfer companies, tour operators and other service providers required to fulfil your booking

•       Payment processors and banking partners — to process transactions securely

•       Government and regulatory bodies — including border control, HMRC and the Civil Aviation Authority (CAA) as required by law

•       Fraud prevention agencies — to protect against financial crime

•       IT and technology service providers — including cloud hosting, website analytics and customer service platforms, who process data on our behalf under strict data processing agreements

•       Professional advisers — including lawyers and accountants, where necessary

•       Insurance providers — where you purchase travel insurance through us

Where we share data with suppliers located outside the UK or European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO.

We retain your personal data only for as long as necessary for the purposes for which it was collected, in accordance with the following guidelines:

•       Booking records (including passenger details and correspondence): 7 years from the date of travel, to comply with HMRC financial record-keeping requirements

•       Payment records: 7 years

•       Complaint and dispute records: 6 years from resolution (in line with the Limitation Act 1980)

•       Marketing preferences: Until you withdraw consent or opt out

•       Website analytics data: Up to 26 months (anonymised)

•       Cookie consent records: 1 year

When data is no longer required, it is securely deleted.

Under the UK GDPR, you have the following rights in relation to your personal data:

•       Right of access — you can request a copy of the personal data we hold about you (a Subject Access Request).

•       Right to rectification — you can ask us to correct inaccurate or incomplete data.

•       Right to erasure — you can ask us to delete your data in certain circumstances (for example, where we no longer need it for the purpose for which it was collected and have no legal obligation to retain it).

•       Right to restrict processing — you can ask us to limit how we use your data in certain circumstances.

•       Right to data portability — you can request your data in a structured, machine-readable format where processing is based on consent or contract.

•       Right to object — you can object to processing based on legitimate interests, including direct marketing.

•       Rights related to automated decision-making — you have the right not to be subject to solely automated decisions that significantly affect you.

To exercise any of these rights, contact us at privacy@johnsonholidays.com. We will respond within one calendar month. We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data lawfully. The ICO can be contacted at www.ico.org.uk or by calling 0303 123 1113.

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, disclosure, alteration or destruction. These include:

•       Encryption of data in transit (SSL/TLS) and at rest

•       Secure payment processing via PCI-DSS compliant providers — we do not store full card details

•       Access controls limiting data access to authorised personnel only

•       Regular security reviews and staff data protection training

•       Data processing agreements with all third-party suppliers

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO in accordance with our legal obligations.

From time to time, we may send you information about our holidays, special offers and travel inspiration. We will only do this:

•       Where you have given us your explicit consent to receive marketing; or

•       Where you are an existing customer and we believe our offers are relevant to you (legitimate interests), unless you have opted out.

You can opt out of marketing at any time by:

•       Clicking the “unsubscribe” link in any marketing email we send you;

•       Emailing us at support@johnsonholidays.com; or

•       Calling us on 020 3997 7906.

?Opting out of marketing will not affect the service communications we send in relation to your booking (such as confirmation emails and pre-departure information), which are necessary for the performance of your contract.

Our website may contain links to third-party websites, including those of airlines, hotels and other suppliers. We are not responsible for the privacy practices of these websites. We encourage you to review the privacy policies of any external sites you visit.

Our website and services are not directed at children under the age of 18. We do not knowingly collect personal data from children without the consent of a parent or guardian. Where a booking includes children, we collect their personal data (such as name, date of birth and passport details) solely for the purpose of fulfilling the travel arrangements, with the lead passenger confirming consent on their behalf.

We may update this Privacy & Cookie Policy from time to time to reflect changes in our practices or applicable law. The date at the top of this document indicates when it was last revised. Where we make significant changes, we will notify you by email or via a prominent notice on our website.

We encourage you to review this policy periodically.