- use our websites (“Sites”);
- use the services and applications we provide, including the travel and expense management services accessible through Zeno, Serko Online, Serko Mobile, Serko.Travel and Zeno Expense (“Services”);
- sign up to our newsletter and/or any other marketing and/or promotional activities; and/or
- respond or apply to a job advertisement.
- Third party websites that our Sites and Services may provide links to, and we are not responsible for such third party content, use of personal information, or security practices;
- The collection, use, retention or disclosure of your personal information (which may include special or sensitive categories of personal information) by third parties (such as travel management companies) who use our Services to provide their own services to their end customers. In such circumstances, where we retain your personal information through our Services, we do so as ‘agent’ of, or ‘processor’ for, those third parties. You should refer to the privacy policies of those third parties to understand how your personal information will be processed by them, and your rights of access and other rights in respect of such personal information.
Our Sites and Services are not intended for children and we do not knowingly collect or use any personal information from children.
3. The Personal Information we collect
We will collect, receive, use, process, store and transfer different kinds of personal information depending on the Sites and/or Services that you use. This might include:
- Identity data: including name, employee ID, network ID, title, date of birth, gender, passport details, visa details, company name, and company number;
- Contact data: including email address, address, and phone number;
- Financial data: including credit card details, costs, bank account number, bank state branch (BSB), credit card limit, and details of payments to and from you;
- Technical data: including internet protocol (IP) address, login data, browser type and version, time zone setting, operating system and platform, device type, unique device identification numbers, and other information your browser supplies;
- Profile data: including username, user ID, and password;
- Usage data: including details of products and services you have purchased from us, and information on how you are using the products and services;
- Communications data: including preferences in receiving marketing from us and our third parties (if any), your communication preferences, and any feedback or survey responses;
- Travel data: including details of your bookings and travel itineraries, frequent flier details, loyalty details, rental car details, meal preferences, seat preferences, travel dates/times, flight number, ticket number, confirmation number, booking locators (booking ID, passenger name record (PNR), airline locator), origin location, destination location, third party profile ID/code, and travel components (air, car, hotel, transfers, rail);
- Expense data: including details of expenses submitted (such as copies of receipts);
- Location data: including geolocation, and travel origin and destination; and
- Support data: including screenshots (of error messages, for example), support ID, and support communications.
Depending on the Sites and/or Services that you use, we may need to collect limited amounts of special or sensitive categories of personal information about you for the purposes described in section 5 (‘How We Use Your Personal Information’) below.
We may also collect, use, and share aggregated data for any purpose. Aggregated data could be derived from your personal information, but it is not considered personal information because it will not identify you.
If you apply for a job with us, then we will collect recruitment data about you including your education history, work experience, references, and other information submitted in your CV and/or cover letter and/or job application.
4. How we collect and receive Personal Information
We collect and receive personal information in different ways depending on the Sites and/or Services that you use. This might include:
- Direct interactions: For example, you may give us personal information when you contact us, use our Site and/or Services, respond to a job advertisement, or request our marketing and promotional materials.
- Customers, suppliers and other third parties: We may receive personal information from other sources such as: our customers (i.e. your organisation), our customers’ travel management companies and travel agents (if any), global distribution systems (“GDS”) operators, payment suppliers (including card operators and virtual payment suppliers), travel service providers (including accommodation providers, transport providers, and restaurants), and our customers’ suppliers (for example, who may send us receipts for expense processing).
- Public sources: For example, phone directories, membership lists, professional and trade associations, government, bankruptcy or court registry searches, and electoral registers.
5. How we use Personal Information
We collect and use your personal information for different purposes depending on the Sites and/or Services that you use. The main purposes are:
- To provide, host, and maintain our Sites and Services – for example, to process purchases (along with our authorized payments processors), manage payments, collect monies owed, process user registrations, and to develop non-automated group and individual traveler profiles;
- To communicate and manage our relationship with you – for example, to provide you with the Services and information you have requested or that we are required to provide to you, inform you of technical notices, updates, security alerts, support and administrative messages, notify you of any changes to our Sites, Services or policies, and ask you for feedback or to take part in any research we are conducting;
- To provide customer service and support – for example, to provide booking confirmations, assist with the resolution of technical support issues or other issues relating to the Sites or Services (whether by email, in-app support, or otherwise), and we may record customer calls for monitoring and training purposes;
- To measure and enhance our Sites and Services – for example, to understand how our Sites and Services are being configured and used, to understand how our Sites, Services and user experience can be improved, to develop new services, and to perform internal business processes such as testing, maintenance, and quality assurance;
- For marketing and promotional purposes – for example, to send you marketing and promotional communications (about Serko or another product or service we think you might be interested in) in accordance with your marketing preferences, to display targeted advertising online through our own Sites and Services or through third party websites and platforms, and to administer referral programmes, rewards, surveys, and other promotional activities or events sponsored or managed by us or our partners;
- To analyze, aggregate and report – for example, to analyze trends and statistics regarding use of our Sites and Services and the transactions conducted, and to produce aggregated and anonymised analytics and reports;
- Recruitment – if you apply for a job with us, we will process your personal information in the application process; and
- Legal purposes and/or to comply with regulatory and/or industry requirements and standards.
6. How we disclose Personal Information
- Serko group companies – who help us provide, host, and maintain our Sites and Services. Some group companies (subject to access controls) may also have access to the Serko group data centers in which we store and process your personal information.
- Customers (i.e. your organisation) – for example, so we can provide our Sites and Services (including processing and/or approving your travel bookings and/or expense claims), for user management and license administration purposes, and they may be able to access your personal information held in our systems.
- Travel management companies, travel agents, and GDS operators (if any) – who cooperate with us to provide our Services.
- Service providers – for example, travel service providers (such as travel wholesalers, tour operators, airlines, hotels, car rental companies), banks, expense management and accounting service providers, and other contracted third party service providers such as credit and virtual card processing, fraud prevention, IT and system administration, business analytics, online advertising delivery, marketing, market research and communication, mail, freight and courier and price comparison services.
- Business partners and third parties you authorize – with whom we may jointly offer products or services, or whose products or services may be offered on and/or integrated with our Sites or Services. You may also give third parties access to your personal information on the Sites and Services.
- Our professional advisers – including our lawyers, bankers, auditors, consultants, and insurers.
- Regulators, law enforcement bodies, government agencies, courts or other third parties – where we think it is necessary to comply with applicable laws or regulations, or to exercise, enforce, or defend our legal rights.
7. International transfers
We are a global business and your personal information may therefore be transferred to, and processed in, countries other than the country you live in – for example to Australia, New Zealand, the Republic of Ireland, the Netherlands, and Canada, where some of our offices and data centers are located. Whenever we internationally transfer your personal information, we put safeguards in place so your personal information is protected.
We have put in place appropriate technical and organizational security measures and procedures to try and prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. Although we will take such measures to protect your personal information, by virtue of the nature of the internet, we cannot absolutely guarantee the security of your information transmitted online, and so any transmission is at your own risk. We have also put in place procedures to deal with breaches of personal information, and we will notify you and any applicable regulator of a breach where we are legally required to do so.
Where we have given you (or you have chosen) a password that enables you to access certain parts of our Sites and Services, you are responsible for keeping this password confidential and you must not share it with anyone.
10. Your rights
You have rights under privacy and data protection laws in relation to your personal information. For example, you may have rights to:
- obtain confirmation of what personal information we hold about you;
- request access to your personal information; and
- request a correction to the personal information that we hold about you.
You can exercise your rights by logging into your account and/or making a request to us using the contact details set out in section 13 (‘Contact details’) below. In that case, please describe your request in sufficient detail to allow us to properly understand, evaluate, and respond to it. Please note that we may request specific information (such as proof of address in some circumstances) and/or photo identification from you to help us confirm your identity and rights.
You can also ask us not to send you marketing communications by following the unsubscribe instructions contained in the marketing communication, or by clicking on the “unsubscribe” or “opt-out” link in the marketing emails we send you.
11. Additional information for individuals in the European Union and United Kingdom
If you are in the European Union or the United Kingdom, the following information also applies to you with respect to your personal information:
A. Data controller
We have also appointed a representative to act on our behalf in relation to our obligations under the GDPR in Europe, details of which are set out below. You can also click here for more information on how to contact our representative.
B. Legal bases for processing your personal information
We may collect, use, and share your personal information:
- to perform a contract with you;
- where we (or a third party) have legitimate interests (and they are not overridden by your rights) – such as operating our business and providing our products and services to our customers and end users, meeting our contractual obligations to our customers, record keeping, and security and fraud prevention;
- where you have consented; and
- to comply with a legal or regulatory obligation – including financial and taxation obligations.
C. Your rights
You have rights under privacy and data protection laws in relation to your personal information. For example, you may have the following rights:
- Access – you can ask us if we are processing your personal information and, if we are, you can request access to it.
- Erasure – you may ask us to delete your personal information in certain circumstances. However, we may not always be able to comply with your request for specific legal reasons which we will notify to you, if applicable.
- Objection – where we are processing your personal information based on legitimate interests (or those of a third party), you may challenge this if you believe it impacts your fundamental rights and freedoms. However, we may in some situations be entitled to continue processing your personal information. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Restriction – you may be entitled to ask us to suspend processing some of your personal information, for example if you want us to establish its accuracy or the reason for processing it.
- Transfer – you may ask us to help you request the transfer of your personal information to another party.
- Automated decisions – you may contest any automated decision made about you where this has a legal or similar significant effect and ask for it to be reconsidered.
- Withdraw consent – where we are relying on consent to process your personal information, you may withdraw such consent. However this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you.
You can exercise your rights as described in section 10 (‘Your rights’) above. If you would like to request erasure of your personal information from our Services, please email firstname.lastname@example.org and state the Service that you wish to have your personal information removed from.
If you are not happy with the way we process your personal information, please let us know. You also have the right to make a complaint to your local information protection supervisory authority. Your local data protection authority will be able to give you more information on how to submit a complaint.
D. International transfers
Your personal information may be transferred internationally, including outside the EEA. Whenever we transfer your personal information outside the EEA, we put safeguards in place so your personal information is protected, for example transferring it to countries that have been deemed to provide an adequate level of protection for personal information and/or having approved transfer mechanisms in place to protect your personal information – such as using specific contracts approved by the European Commission. For more information, please contact us using the details set out in section 14 (‘Contact details’) below.
E. Privacy Shield
One of our group companies, InterplX, Inc (“InterplX”), complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States.
To learn more about the Privacy Shield program, and to view InterplX’s certification, please visit https://www.privacyshield.gov/. Note that the Federal Trade Commission has jurisdiction over InterplX’s compliance with the Privacy Shield.
If you have further enquiries or any complaints regarding our Privacy Shield policy, please contact InterplX at email@example.com.
InterplX has further committed to refer unresolved Privacy Shield complaints to an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint within 45 days, please contact or visit JAMS for more information or to file a complaint. If your complaint is not resolved after following the recourse mechanisms described above, you may have the ability to invoke binding arbitration. Additional information is available here.
12. Additional information for California residents
If you are a resident of California, the following information also applies to you with respect to your personal information:
A. The personal information we collect, receive, and disclose
We will collect, receive, and disclose different kinds of personal information depending on the Sites and/or Services that you use. With reference to the categories of personal information set out in the CCPA, in the past 12 months we have collected the following personal information from the sources set out in section 4 (‘How we collect and receive personal information’) above, and disclosed it to the categories of third parties set out below (and as described in further detail at section 6 (‘How we disclose personal information’) above) for business purposes: