Policy version: [insert date of this policy] — for previous versions of this policy see www.rekke.com/policy-archive

www.rekke.com (our website), our mobile applications, and any other online or offline services operated under the Rekke brand are provided by Rekke Travel Company Ltd., trading as Rekke (“we”, “our”, or “us”). We are the controller of the personal data collected through our website, mobile applications, and other Rekke platforms and services, meaning we are the organisation legally responsible for deciding how and for what purposes your personal data is used.

www.rekke.com (the “Website”), our mobile applications, digital services, communication channels, and any other platforms operated under the Rekke brand (collectively referred to as the “Rekke Platform”) are provided by Rekke Travel Company Ltd., trading as Rekke (“we”, “our”, or “us”). We are the controller of the personal data collected through the Rekke Platform, meaning we are the organisation legally responsible for deciding how and for what purposes your personal data is used.

We take your privacy very seriously. Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share any information relating to you (your personal data) in connection with your use of the Rekke Platform. It also explains your rights in relation to your personal data and how to contact us or a relevant regulator in the event you have a complaint.

We collect, use and are responsible for certain personal data about you. When we do so we are subject to the Data Protection Act 2019 of the Laws of Barbados. 

Given the nature of the Rekke Platform, we do not expect to collect the personal data of anyone under 18 years old. If you are aware that any personal data of anyone under 18 years old has been shared with the Rekke Platform, please let us know so that we can delete that data, by emailing us at policy@rekke.com.

This privacy policy is divided into the following sections:

• What this policy applies to
• Personal data we collect about you
• How your personal data is collected
• How and why we use your personal data
• Marketing
• Who we share your personal data with
• How long your personal data will be kept
• Transferring your personal data out of Barbados
• Cookies and other tracking technologies
• Your rights
• Keeping your personal data secure
• How to complain
• Changes to this privacy policy
• How to contact us

What this policy applies to

This Privacy Policy applies to all interactions you have with Rekke, including your use of the Rekke Platform, communications, and any related online or offline services that link to or reference this Policy. Throughout our platforms, we may provide links to websites, applications, or services owned and operated by trusted third parties to offer you additional products or services. These third-party sites and services are governed by their own separate privacy policies, and Rekke is not responsible for the content, privacy practices, or data handling of those third parties. We encourage you to review the privacy policies of any external websites or services you access through our platforms to understand how they may collect and process your personal data.

Personal data we collect about you

The personal data we collect about you depends on the particular activities carried out throughout the Rekke Platform. Personal data shared with us will be optional unless required to achieve the service you are attempting to use. We will collect and use the following personal data about you:

• your name, address and contact information, including email address and telephone number and company details where applicable
• alternate use addresses provided
• information to check and verify your identity, eg date of birth
• your gender or gender identity
• location data
• your billing information, transaction and payment card or other payment method information
• bank account and payment details
• details of any information, feedback or other matters you give to us by phone, email, post or via social media
• your account details, such as username and login details
• your activities on, and use of, the Rekke Platform
• your personal or professional interests
• your professional online presence, eg LinkedIn profile
• information about the services we provide to you
• your contact history, purchase history and saved items
• information about how you use the Rekke Platform and technology systems
• your responses to surveys, competitions and promotions

You must provide this personal data to use the Rekke Platform and the services on it unless we tell you that you have a choice. 

You can choose whether to give us your personal data and let us use it. Where that is the case we will tell you and give you the choice before you give the personal data to us. We will also tell you whether declining to share that personal data will have any effect on your use of the Rekke Platform and features that rely on that information.

We collect and use this personal data for the purposes described in the section ‘How and why we use your personal data’ below.

How your personal data is collected

We collect personal data from you: 

• directly, when you enter or send us information, such as when register with us, contact us (including via email), send us feedback, purchase products or services via the Rekke Platform, post material to the Rekke Platform and complete customer surveys or participate in competitions via the Rekke Platform, and 
• indirectly, such as your browsing activity while on the Rekke Platform; we will usually collect information indirectly using the technologies explained in the section on ‘Cookies and other tracking technologies’ below

We also collect personal data about you from other sources as follows:

• from our payment processors and service providers, to process transactions and verify details;
• from analytics providers and advertising networks, to help us measure performance and improve user experience; and
• from publicly available sources or social media platforms, where you have made information available and where such collection is lawful.

How and why we use your personal data

Under data protection law, we can only use your personal data if we have a proper reason, eg:

• where you have given consent
• to comply with our legal and regulatory obligations
• for the performance of a contract with you or to take steps at your request before entering into a contract, or
• for our legitimate interests or those of a third party

A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. You can obtain details of this assessment by contacting us (see ‘How to contact us’ below).

The table below explains what we use your personal data for and why.

What we use your personal data for

Our reasons

Creating and managing your account with us

To perform our contract with you or to take steps at your request before entering into a contract

Providing products and services to you

To perform our contract with you or to take steps at your request before entering into a contract

Conducting checks to identify you and verify your identity or to help prevent and detect fraud against you or us

To comply with our legal and regulatory obligations

Enforcing legal rights or defend or undertake legal proceedings

Depending on the circumstances:

—to comply with our legal and regulatory obligations

—in other cases, for our legitimate interests, ie to protect our business, interests and rights

Customising the Rekke Platform and its content to your particular preferences based on a record of your selected preferences or on your use of the Rekke Platform

Depending on the circumstances:

—your consent as gathered [insert, eg by the separate cookies tool on the Rekke Platform]—see ‘Cookies[ and other tracking technologies]’ below

—where we are not required to obtain your consent and do not do so, for our legitimate interests, ie to be as efficient as we can so we can deliver the best service to you at the best price

If you have provided such a consent you may withdraw it at any time by [insert details, eg explain by changing the setting on the cookies tool and add appropriate links] (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)

Retaining and evaluating information on your recent visits to the Rekke Platform and how you move around different sections of the Rekke Platform for analytics purposes to understand how people use the Rekke Platform so that we can make it more intuitive or to check the Rekke Platform is working as intended

Depending on the circumstances:

—your consent as gathered [insert, eg by the separate cookies tool on the Rekke Platform]—see ‘Cookies[ and other tracking technologies]’ below

—where we are not required to obtain your consent and do not do so, for our legitimate interests, ie to be as efficient as we can so we can deliver the best service to you at the best price

If you have provided such a consent you may withdraw it at any time by [insert details as appropriate] (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)

[Insert details of any other purposes for which cookies are used on the basis of consent to clarify consent is the basis for that collection]

Your consent as gathered [insert, eg by the separate cookies tool on the Rekke Platform]—see ‘Cookies[ and other tracking technologies]’ below

If you have provided such a consent you may withdraw it at any time by [insert details, eg explain by changing the setting on the cookies tool and add appropriate links] (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)

Communications with you not related to marketing, including about changes to our terms or policies or changes to the products and services or other important notices

Depending on the circumstances:

—to comply with our legal and regulatory obligations

—in other cases, for our legitimate interests, ie to be as efficient as we can so we can deliver the best service to you at the best price

Protecting the security of systems and data used to provide the services

To comply with our legal and regulatory obligations

We may also use your personal data to ensure the security of systems and data to a standard that goes beyond our legal obligations, and in those cases our reasons are for our legitimate interests, ie to protect systems and data and to prevent and detect criminal activity that could be damaging for you and/or us

Statistical analysis to help us understand our customer base

For our legitimate interests, ie to be as efficient as we can so we can deliver the best service to you at the best price

Updating and enhancing customer records

Depending on the circumstances:

—to perform our contract with you or to take steps at your request before entering into a contract

—to comply with our legal and regulatory obligations

—where neither of the above apply, for our legitimate interests, eg making sure that we can keep in touch with our customers about existing orders and new products

Disclosures and other activities necessary to comply with legal and regulatory obligations that apply to our business, eg to record and demonstrate evidence of your consents where relevant and [insert]

To comply with our legal and regulatory obligations

Marketing our services to existing and former customers 

For our legitimate interests, ie to promote our business to existing and former customers

See ‘Marketing’ below for further information

The audit of our system security, privacy compliance and internal policy adherence may necessitate third party companies to review your data.

These auditors will only access your data when they have a legitimate business reason to do so, and only in furtherance of their role as Auditor. These auditors will be subject to confidentiality agreements

To share your personal data with members of our group and third parties that will or may take control or ownership of some or all of our business (and professional advisors acting on our or their behalf) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency

In such cases information will be anonymised where possible and only shared where necessary

Depending on the circumstances:

—to comply with our legal and regulatory obligations

—in other cases, for our legitimate interests, ie to protect, realise or grow the value in our business and assets

How and why we use your personal data—in more detail

More details about how we use your personal data and why are set out in the table below.

Purpose

Processing operation

Lawful basis relied on under the Data Protection Act

Relevant categories of personal data

Communications with you not related to marketing, including about changes to our terms or policies or changes to the products or other important notices 

Addressing and sending communications to you as required by data protection laws, ie:

—the Data Protection Act 

[—the EU GDPR]

Processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(b))

—your name, address and contact information, including email address and telephone number [and company details]

—your account details (username)

Addressing and sending communications to you as required by [Insert details of law]

Processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(b))

[Insert]

Addressing and sending communications to you about changes to our terms or policies or changes to the products or other important notices (other than those addressed above)

Our legitimate interests (Article 6(1)(f)), which is to be as efficient as we can so we can deliver the best service to you

—your name, address and contact information, including email address and telephone number [and company details]

—your account details (username)

[Insert next purpose]

[Insert processing operations relating to purpose]

[Insert for each processing operation]

[Insert for each processing operation]

How and why we use your personal data—Special/sensitive personal data

Some of the personal data we process may be of a sensitive nature (e.g. racial or ethnic origin, political opinions, religious beliefs, trade union membership, biometric data, health data, sexual orientation). In the event we process such data:

• We will rely on an explicit additional lawful condition (such as your explicit consent or another permitted ground under the Act)
• We will implement additional safeguards (e.g. encryption, restricted access, pseudonymisation) to protect that data
• In the detailed schedule (or linked webpage), we will specify exactly which categories of sensitive data we process, for which purposes, what lawful condition we rely on, and the safeguards in place

Additional commitments and disclosures

• We will supply to you, at or before the time of collection (or as soon as practicable), the required disclosures under the Act, including the purposes of processing, lawful bases, retention periods, data subject rights, and details of any data transfers
• If we obtain personal data from third-party sources, we will provide you with appropriate disclosures as required by law
• Your personal data will reside outside Barbados. We will ensure that the destination country provides adequate protection, or we will adopt appropriate safeguards (e.g. contractual clauses, binding rules)
• We maintain records of all processing activities, including the lawful basis and purposes, in compliance with the Act
• In the event of a personal data breach likely to pose a risk to individuals, we will notify the Barbados Data Protection Commissioner (within 72 hours if feasible) and, where required, affected data subjects
• We recognise and facilitate data subject rights under the Act, including access, correction, erasure, restriction, objection, portability, and the right to prevent processing likely to cause distress

How and why we use your personal data—sharing

See ‘Who we share your personal data with’ for further information on the steps we will take to protect your personal data where we need to share it with others.

Marketing

We will use your personal data to send you updates (by email, text message, telephone or post) about our products and services, including exclusive offers, promotions or new products and services.

We have a legitimate interest in using your personal data for marketing purposes (see above ‘How and why we use your personal data’). This means we do not need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.

You have the right to opt out of receiving marketing communications at any time by:

• updating your preferences through your user profile
• contacting us at policy@rekke.com

We may ask you to confirm or update your marketing preferences if you ask us to provide further products and services in the future, or if there are changes in the law, regulation, or the structure of our business.

We will always treat your personal data with the utmost respect and never sell it to other organisations for marketing purposes.

For more information on your right to object at any time to your personal data being used for marketing purposes, see ‘Your rights’ below.

Who we share your personal data with

We routinely share personal data with:

• third parties we use to help deliver our products and services to you, eg payment service providers, warehouses and delivery companies
• other third parties we use to help us run our business, eg, marketing agencies or website hosts and website analytics providers
• our banks.

We only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you.

We or the third parties mentioned above occasionally also share personal data with:

• our external auditors, eg in relation to the audit of our accounts, in which case the recipient of the information will be bound by confidentiality obligations
• our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations
• law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations
• other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations

Who we share your personal data with—in more detail

More details about who we share your personal data with and why are set out [in the table below OR here [insert link to another webpage]].

Recipient

Processing operation (use) by recipient

Relevant categories of personal data transferred to recipient

[Insert full legal name, eg Example Co 1 Ltd—a company incorporated in [Insert, eg England] with registered number [company number], whose registered office is at [Insert]]

[Insert, eg: Web and data hosting services, ie stores a copy of your personal data on computer equipment so it can be accessed by us and permitted third parties (see below) online.]

[Insert, eg for a hosting company: Any of the personal data we collect about you (see [add ‘here’ and insert link back to appropriate part of main policy]), except [insert as appropriate, eg location data]]

[Insert full legal name, eg Example Co 2 Ltd—a company incorporated in [Insert, eg England] with registered number [company number], whose registered office is at [Insert]] 

[Insert]

[Insert]

Who we share your personal data with—further information

If you would like more information about who we share our data with and why, please contact us (see ‘How to contact us’ below).

How long your personal data will be kept

We will retain your personal data as long as your account remains active. 

If your account remains dormant for a period of seven years we will delete or anonymise your account data.

Analytical data derived from your personal data will be retained indefinitely. This analytical data will not be associated with or identifiable to you.

Transferring your personal data out of Barbados

Countries outside of Barbados have differing data protection laws, some of which may provide lower levels of protection of privacy.

It is sometimes necessary for us to transfer your personal data to countries outside of Barbados. In those cases we will comply with applicable Barbadian laws designed to ensure the privacy of your personal data.

We will transfer your personal data to:

• our service providers located outside Barbados in the USA.

Under data protection laws, we can only transfer your personal data to a country outside of Barbados where one of the following applies:

• the Government of Barbados or the Data Protection Commissioner has determined (under sections 23 and 28 of the Act) that the destination provides an adequate level of protection for personal data. We currently rely on such adequacy determinations for transfers to the European Union (EU/EEA), the United Kingdom, Canada, New Zealand, and France.
• where no adequacy determination applies, we implement safeguards under section 24 of the Act (such as Commissioner-approved standard contractual clauses or binding corporate rules) that ensure enforceable rights and effective legal remedies for you.
• in limited cases provided by section 26 of the Act, for example where you have explicitly consented to the transfer, the transfer is necessary for contract performance, or it is required for legal or public-interest reasons

Where we transfer your personal data outside Barbados, we do so on the basis of either an adequacy determination or, where this is not available, appropriate safeguards approved by the Data Protection Commissioner under section 24 of the Act (such as standard contractual clauses or binding corporate rules).

If at any time we cannot, or choose not to, continue to rely on an adequacy determination or approved safeguard, we will not transfer your personal data outside Barbados unless we can do so on the basis of another lawful basis or exception permitted under the Data Protection Act 2019-29, and we will update this Policy accordingly. 

Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with the section on ‘Changes to this privacy policy’ below.

Transferring Your Personal Data Out Of Barbados—In More Detail

More details about the countries outside Barbados to which your personal data is transferred are set out in the table below.

Recipient country

Recipient

Processing operation (use) by recipient

Lawful safeguard

United States of America

[Insert full legal name (eg Example Co Ltd) and details of company registration number and registered address]

Vercel

Cloud-based hosting, CRM, payment processing

Transfer under section 24 — subject to appropriate safeguards (e.g. Commissioner-approved standard contractual clauses or binding corporate rules)

[Trip Advisor - integrated privacy / cookie policy

https://tripadvisor.mediaroom.com/us-privacy-policy]

https://vercel.com/legal/privacy-policy

NeonDB

https://neon.com/privacy-policy

PayPal

https://www.paypal.com/uk/legalhub/paypal/useragreement-full

Transferring your personal data out of Barbados

If you would like further information about data transferred outside Barbados, please contact us (see ‘How to contact us’ below).

Cookies and other tracking technologies

      A cookie is a small text file placed on your device (for example, a computer, smartphone, or tablet) when you visit or use the Rekke Platform. We use cookies and similar technologies such as web beacons, pixels, tags, and local storage to help us recognise you and your device, enable website functionality and security, store information about your preferences or past actions, improve site performance, analyse visitor behaviour, and support our marketing and analytics activities. We will always seek your consent before placing non-essential cookies or similar technologies on your device, and you can withdraw your consent or disable cookies at any time through your browser or device settings. 

For further information about the types of cookies we use, when consent is required, and how to manage or disable them, please refer to our Cookie Policy. All use of cookies and tracking technologies is carried out in compliance with the Barbados Data Protection Act.

Your rights

You generally have the following rights, which you can usually exercise free of charge, subject to certain exemptions under the Act:

Access to a copy of your personal data

The right to obtain from us confirmation as to whether or not we hold personal data about you, and if we do, to be provided with a copy of such data, together with certain supplementary information as required under section 20 of the DPA (including the purposes of processing, categories of data, recipients, and data retention period).

Correction (also known as rectification)

The right to require us to correct any inaccurate or incomplete personal data without undue delay, as provided under section 21 of the DPA.  

Erasure (also known as the right to be forgotten)

You may require us to delete your personal data in certain situations, such as where it is no longer needed for the purpose for which it was collected or where you withdraw consent (section 22 DPA). If you wish to delete you account, please contact us by email at policy@rekke.com.

Restriction of Processing

You may require us to restrict our use of your personal data in certain circumstances—for example, if you contest its accuracy or object to our processing (section 23 DPA).

Data portability

You have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format and to have that data transmitted to another controller, in certain situations (section 24 DPA).

Objection to Processing

You may object at any time to our processing of your personal data for direct marketing purposes, or in certain other circumstances where we process data based on our legitimate interests (section 25 DPA).

Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects concerning you (section 26 DPA). We do not engage in such automated decision-making.

Withdrawal of Consent

Where we rely on your consent to process your data, you may withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing carried out before the withdrawal (section 19(5) DPA).

Right to Complain

You have the right to lodge a complaint with the Data Protection Commissioner if you believe that your personal data has been processed in violation of the DPA (sections 63–66 DPA).

For further information on each of those rights, including the circumstances in which they do and do not apply, please contact us (see ‘How to contact us’ below). You may also find it helpful to refer to the guidance from the Barbados Data Protection Commissioner on your rights under the Data Protection Act. https://www.gov.bb/Departments/data-protection-commissioner

If you would like to exercise any of those rights, please email policy@rekke.com. 

When contacting us please:

• provide enough information to identify yourself and any additional identity information we may reasonably request from you, and
• let us know which right(s) you want to exercise and the information to which your request relates

Keeping your personal data secure

We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine need to access it.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

All Personal Data stored in our systems is stored encrypted. All data transmitted between our servers and your devices is also encrypted while in transit.

How to complain

Please contact us if you have any queries or concerns about our use of your personal data (see below ‘How to contact us’). We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with:

• the Data Protection Commissioner in Barbados

The Barbados Data Protection Commissioner may be contacted using the details at:

Ministry of Industry, Innovation, Science & Technology 

5th Floor, SSA Building

Vaucluse

St. Thomas

Tel:  1 (246) 536-1200/ (246) 536-1212

Changes to this privacy policy

We may change this privacy policy from time to time—when we make significant changes, we will take steps to inform you. The website will contain a banner each time there is a change of policy. You will be required to accept the revised policy. Further use of our systems will mean acceptance of those revised policies.

How to contact us

Individuals in Barbados

You can contact by post, email or telephone if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.

Our contact details are shown below:

Rekke Travel Company Ltd. 

Shenstone, Strathclyde Dr. Bridgetown BB11078 Barbados

Email: policy@rekke.com