Privacy Policy

Last updated: 29th April 2026

1. Who We Are

This privacy policy explains how wherewegoing? ("we", "our" or "us") collects and uses personal data when you use wherewegoing.co.uk, contact us, subscribe to updates, use the customer portal, receive an itinerary, message us, or make a payment.

For questions about this policy or to exercise your rights, contact us at hello@wherewegoing.co.uk.

2. Personal Data We Collect

The data we collect depends on how you use the website and services. It may include:

  • Identity and contact data: name, display name, email address, phone number, postal address, county, postcode, country and communication preferences.
  • Travel profile data: date of birth, nationality, passport number, passport expiry date, dietary requirements, special assistance information, notes and enquiry source.
  • Booking and itinerary data: itinerary references, PTS booking references, trip titles, dates, destinations, segments, passengers, pricing, currency, booking terms, attachments and travel documents uploaded or sent as part of your booking.
  • Payment data: payment schedule, amounts, due dates, payment status, payment reminder history, Protected Payment Services cross-reference and response codes. Card numbers and CVV values are handled by the payment gateway and are not stored by us.
  • Portal and security data: portal account status, password hash, magic link token hash, failed login counts, lockout information, session token hashes, IP address, user agent, passkey public-key credentials, authenticator metadata, TOTP settings and backup-code status.
  • Messages and enquiries: contact form messages, live chat messages, portal messages, email replies, subjects, departments, conversation status, transcript data and related itinerary context.
  • Newsletter data: email address, name, travel interest, verification status, unsubscribe status and subscription tokens stored as hashes.
  • Technical and analytics data: IP address, user agent, browser, device type, operating system, approximate location derived from IP address, page path, page title, referrer, UTM campaign fields, screen size, timestamps and aggregated usage statistics.
  • Administrative audit data: admin actions, affected records, old and new values for changes, IP address and user agent.

Some travel profile data, such as dietary requirements, accessibility needs or special assistance details, may reveal health, disability, religious or other special category information. We only ask for this where it is relevant to arranging or supporting your travel.

3. How We Use Personal Data

We use personal data to:

  • respond to enquiries and manage conversations with you;
  • create, send and manage quotes, itineraries, bookings, passengers and documents;
  • operate the customer portal, including authentication, sessions, passkeys and TOTP;
  • send transactional emails, itinerary emails, magic links and payment reminders;
  • process card payments and record payment outcomes;
  • send newsletters or travel updates where you have subscribed;
  • secure the website, detect misuse, rate-limit forms and maintain audit logs;
  • measure website performance and understand how visitors use the site; and
  • comply with legal, accounting, regulatory and dispute-resolution obligations.

We do not sell personal data. We do not use customer portal or booking data for third-party advertising profiling.

4. Lawful Bases

UK data protection law requires us to have a lawful basis for each use of personal data. Depending on the context, we rely on:

  • Contract: to prepare quotes, arrange travel, manage bookings, provide portal access and take payments.
  • Consent: for newsletter subscriptions and where you choose to provide optional special category information for travel support.
  • Legitimate interests: to respond to enquiries, secure services, prevent misuse, keep audit logs, improve the website and manage customer relationships.
  • Legal obligation: where we must keep records for tax, accounting, regulatory, fraud-prevention or travel compliance reasons.

Where we process special category data, we do so because you have provided it for travel arrangements or support, and because it is needed to deliver the services you request or to protect your vital interests during travel.

5. Payments

Card payment forms use hosted fields provided by Protected Payment Services. The card fields are tokenised before submission, so we receive a payment token rather than your full card number or CVV. We send the token, billing details, payment amount, currency, booking reference and device IP address to the payment gateway to process the payment.

If a payment is approved, we record that the itinerary payment is paid and store the payment date, PPS cross-reference and PPS response code for reconciliation, customer support, audit and dispute handling.

6. Cookies, Sessions and Local Storage

We use first-party cookies and browser storage to provide essential features:

  • wwg_portal_session: an HTTP-only customer portal session cookie used to keep you signed in.
  • wwg_admin_session: an HTTP-only admin session cookie used for secure staff access.
  • sidebar_state: a preference cookie used to remember the admin sidebar layout.
  • Session storage: used for temporary interface state such as live chat continuity and admin return navigation.

Our analytics implementation is first-party and does not set an advertising cookie. It records page-view data server-side using daily hashed visitor and session identifiers derived from IP address and user agent, with IP addresses shortened before hashing.

7. Analytics and Security Logs

We collect limited analytics to understand site usage, traffic sources, device types and approximate locations. We exclude admin, API, health-check and upload paths from normal page-view tracking, and we exclude known internal IP ranges and bots where possible.

We also keep administrative audit logs for security and accountability. These logs can include the action taken, affected record, old and new values, IP address, user agent and timestamp. Audit logs help us investigate errors, unauthorised activity, disputes and compliance questions.

8. Who We Share Data With

We share personal data only where needed to operate the website and deliver travel services. Recipients may include:

  • payment processors and payment gateway providers;
  • email and hosting infrastructure providers;
  • travel suppliers, accommodation providers, cruise lines, airlines, transfer providers, insurers or other travel partners needed for your trip;
  • professional advisers, regulators, law enforcement or dispute-resolution bodies where required; and
  • technology suppliers who help us provide authentication, analytics, storage, backups and security.

Where providers process personal data outside the UK, we use appropriate safeguards where required by law.

9. How We Protect Data

We use technical and organisational measures designed to protect personal data. These include encryption or hashing for selected sensitive fields and tokens, HTTP-only session cookies, role-based admin permissions, audit logging, rate limiting, access controls, token expiry and secure authentication options such as passkeys and TOTP.

No online service can guarantee absolute security, but we work to reduce risk and limit access to people and systems with a genuine need to process the data.

10. How Long We Keep Data

We keep personal data only for as long as needed for the purpose it was collected, including service delivery, customer support, legal, accounting, audit, fraud prevention and dispute handling.

  • Newsletter records are kept until you unsubscribe or ask us to delete them, subject to any suppression record needed to honour that request.
  • Customer, itinerary, payment and travel records are kept for as long as needed to manage your trip and meet legal, accounting or travel compliance requirements.
  • Portal sessions and authentication tokens expire or can be revoked; token values are stored as hashes where possible.
  • Audit logs and security records are kept for accountability, security investigation and compliance.
  • Analytics data is stored using hashed identifiers and aggregated statistics for reporting and service improvement.

11. Your Rights

Depending on the circumstances, you may have the right to request access to your personal data, its correction, deletion or restriction, and its portability, as well as the right to object to processing and to withdraw consent where processing is based on consent.

You can unsubscribe from marketing emails using the unsubscribe link in those emails. You can also contact us at hello@wherewegoing.co.uk.

You also have the right to complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.

12. Changes to This Policy

We may update this policy when our services, systems or legal obligations change. The latest version will always be published on this page.