La Clé Escapes LTD

Privacy Policy

Last updated: 29/05/2026

Welcome to lacleescapes.com (the "Website"). This Privacy Policy explains how La Clé Escapes LTD, a company incorporated in England and Wales under Company Number 16408765, with its registered office at 89-90 Paul Street, 3rd Floor, London, United Kingdom, including its subsidiaries and affiliates (the "Company", "We", "Us", or "Our"), collects, uses, stores, and protects the personal data of our clients, their representatives, job applicants, employees, contractors, suppliers and contacts ("User", "Users", "You", "Your") in compliance with:

The UK General Data Protection Regulation ("UK GDPR"), being Regulation (EU) 2016/679 as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018
The Data Protection Act 2018 ("DPA 2018")
The Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR")
Any other applicable laws and guidance issued by the Information Commissioner's Office ("ICO")
By engaging with Our Services or providing Us with Your personal data, You confirm that You have read and understood this Privacy Policy.

This Privacy Policy should be read in conjunction with Our Terms and Conditions and Cookie Policy, which together with this Privacy Policy form the entire agreement (the "Agreement"). If You do not agree with any part of the Agreement, We kindly ask You to stop using the Website. Continued use of the Website signifies Your understanding and acceptance of the Agreement.

1. DEFINITIONS

1.1. Data Controller — a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

1.2. La Clé Escapes LTD (a company duly registered under the laws of England and Wales, Company Number 16408765, with its registered office at 89-90 Paul Street, 3rd Floor, London, United Kingdom) is the Data Controller responsible for the personal data collected and processed under this Privacy Policy.

1.3. Personal Data — any information relating to an identified or identifiable natural person, as defined under Article 4(1) of the UK GDPR.

1.4. Processing — any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, restriction, erasure, or destruction.

1.5. Services — any luxury travel atelier, concierge, trip design, booking coordination, and related services provided by the Company through the Website or otherwise.

1.6. Supplier — any third-party provider of travel-related products or services, including but not limited to hotels, villas, destination management companies (DMCs), ground transport providers, experience providers, and airline ticketing agents, with whom the Company arranges bookings on behalf of the Client.

2. GENERAL INFORMATION

2.1. This Privacy Policy explains how We gather, use, store, transfer, and protect Your personal data.

2.2. It applies to all individuals who visit and use Our Website, become Our clients, contact Us via email or messaging platforms, apply for employment with Us, or otherwise share their personal data with Us.

2.3. If You wish to withdraw Your consent for the processing of Your personal data for marketing purposes, You may do so at any time by clicking the "Unsubscribe" link in any marketing email We send, or by emailing Us at info@lacleescapes.com. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal.

2.4. This Privacy Policy applies exclusively to this Website and the Services provided by the Company. The Company does not manage and bears no responsibility for any third-party websites that Users may visit through links provided on the Website, including Supplier websites.

2.5. Users are responsible for providing accurate and up-to-date personal data. We may rely on information provided by Users, but will take reasonable steps to ensure accuracy and will rectify or update personal data upon request.

3. CATEGORIES OF PERSONAL DATA

3.1. The Company collects, stores, processes, uses, and discloses the personal data provided by You when accessing or using the Website and/or Services, in accordance with this Privacy Policy. By using any part of the Website or Services, You authorise the Company to process Your personal data as outlined herein.

3.2. We collect and process only the data necessary to provide Our Services and conduct business activities, including:

3.2.1. Identity and contact data:

First name and last name
Date of birth (when required for travel bookings)
Nationality and passport details (when required for visa support, hotel registration, or travel bookings)
Email address
Phone number (including WhatsApp/Telegram where applicable)
Postal address
Emergency contact details

3.2.2. Travel preference and itinerary data:

Travel preferences, including preferred destinations, hotel categories, room types, dining preferences
Dietary requirements and allergies
Accessibility and mobility requirements
Information about travel companions, including family members and children (where provided by You)
Special occasion details (anniversaries, birthdays, honeymoons)
Previous travel history with the Company

3.2.3. Financial data:

Billing address
Information necessary for invoicing (company name, VAT number, registration details where applicable)
Transaction history

Note: We do not collect or store full credit or debit card details. All payments are processed by independent third-party payment providers, including Stripe (https://stripe.com/privacy) and bank transfer providers. We may receive partial card information (last four digits, card brand) for reference and reconciliation purposes only.

3.2.4. Communications and marketing data:

Records of correspondence with Us (emails, messaging app conversations, voice notes, call recordings where applicable and with consent)
Your responses to surveys, feedback, and testimonials
Marketing preferences and consents
Source data (how You found out about Us)

3.2.5. Technical and usage data:

IP address, browser type and version, time zone setting and location, operating system and platform
Information about Your visit to the Website, including pages viewed, navigation paths, time spent on pages
Cookie data (see Cookie Policy for details)

3.2.6. Sensitive (special category) data:

In certain limited cases, We may process special category data under Article 9 UK GDPR, including:

Health data (allergies, medical conditions relevant to travel arrangements such as dietary restrictions, mobility needs, required medical equipment
Information about religious or philosophical beliefs (where this affects dietary or accommodation arrangements).

Such data is processed only with Your explicit consent and only to the extent strictly necessary to provide the Services You have requested, in accordance with Article 9(2)(a) UK GDPR.

3.3. Personal data is obtained through forms on the Website, direct communications (email, messaging apps, phone calls, video calls), in-person meetings, completion of trip planning questionnaires, and Supplier communications conducted on Your behalf.

3.4. We may disclose Your personal data to third parties to fulfil the purpose for which You provided it. These include:

Suppliers and service providers: hotels, villas, DMCs, ground transport providers, experience providers, airline ticketing agents, restaurants, and other third parties necessary for the delivery of Your travel arrangements;
Payment processors: Stripe (https://stripe.com/privacy) and other regulated payment service providers;
Cloud storage and infrastructure providers: Google Workspace (https://policies.google.com/privacy), and similar providers for secure storage and hosting;
Communication and CRM platforms: ClickUp, Notion, Zoho CRM, WhatsApp Business, and similar platforms used to manage client relationships and trip planning;
Analytics platforms: Google Analytics and similar tools used to analyse Website usage;
Marketing platforms: email marketing providers used to send communications You have opted into;
Professional advisors: accountants, lawyers, auditors, insurers, and other consultants;
Regulatory authorities, law enforcement, courts: where required by law.

3.5. All third-party service providers and Suppliers are permitted to access and process Your personal data solely for the purposes of providing services to Us or to You, and are required to maintain at least the same level of protection as described in this Privacy Policy. They are contractually prohibited from using Your personal data for any other purpose.

4. LEGAL BASIS AND PURPOSE OF PROCESSING

4.1. The Company collects and processes Your personal data for the following purposes:

To verify Your identity and onboard You as a client;
To provide Our luxury travel atelier and concierge Services, including trip design, itinerary planning, booking coordination with Suppliers, and on-trip support;
To communicate with You regarding Your travel plans, including pre-trip briefings, in-trip support, and post-trip follow-up;
To process payments and manage invoicing;
To provide customer support and respond to Your inquiries;
To send marketing communications, special offers, and promotional materials (subject to Your consent where required);
To improve Our Services and personalise Your experience;
To prevent fraud and ensure the security of transactions and the Website;
To comply with legal, regulatory, accounting, and reporting obligations;
To establish, exercise or defend legal claims.

4.2. We process personal data in accordance with Article 6(1) of the UK GDPR. Processing is lawful only if at least one of the following applies: (a) consent; (b) performance of a contract; (c) legal obligation; (d) vital interests; (e) public task; (f) legitimate interests.

4.3. The table below summarises the purposes of processing, the categories of personal data, and the legal basis for each:

Purpose of processing

Type of personal data

Legal basis

Client onboarding and trip planning

Name, contact details, passport details, date of birth, travel preferences, dietary/health requirements

Performance of a contract (Art. 6(1)(b)); explicit consent for special category data (Art. 9(2)(a))

Booking coordination with Suppliers

Name, contact details, passport details, dates of travel, room/service preferences, dietary needs

Performance of a contract (Art. 6(1)(b))

Payments, accounting, invoicing

Name, billing address, transaction data, tax information, partial card data

Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c))

Client communication and support

Name, contact details, communication history, voice notes, messages

Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f))

Marketing communications

Name, email, phone number, travel preferences, engagement history

Consent (Art. 6(1)(a)); legitimate interests for existing clients under soft opt-in (PECR Reg. 22(3))

Website analytics

IP address, cookies, device type, browser, location, visit time, on-page behaviour

Consent for non-essential cookies (PECR); legitimate interests for essential analytics (Art. 6(1)(f))

Fraud prevention and security

IP address, login data, payment data, device fingerprint, behavioural data

Legitimate interests (Art. 6(1)(f))

Recruitment

Name, CV, contact details, references

Consent (Art. 6(1)(a)); legitimate interests (Art. 6(1)(f))

Legal compliance and dispute resolution

All categories as required

Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f))

Client feedback and testimonials

Name, photo, review content, social media handles (if provided)

4.4. You may withdraw Your consent at any time. Withdrawal will not affect the lawfulness of processing carried out prior to withdrawal.

4.5. Where We rely on legitimate interests, We have conducted (and document) Legitimate Interests Assessments ("LIAs") balancing Our interests against Your rights and freedoms, in line with ICO guidance.

5. YOUR CONSENT

5.1. By accepting this Privacy Policy, You confirm that You are at least 18 years of age (or the legal age of majority in Your jurisdiction), take full responsibility for Your actions, and understand the terms set out in this Privacy Policy.

5.2. The Website is not directed towards, and We do not knowingly collect personal data from, children under the age of 18. Where We process personal data of minors travelling with a parent or guardian Client, We do so only on the basis of the parent or guardian providing that data on the child's behalf. If You become aware that a child has provided personal data to Us without parental consent, please email Us at info@lacleescapes.com and We will investigate and, where appropriate, delete the data.

5.3. By submitting Your personal data to Us through the Website, by email, messaging app, or otherwise, You acknowledge that We will process Your personal data in accordance with this Privacy Policy and on the applicable legal bases set out above.

6. PRINCIPLES OF DATA PROCESSING

We handle and process personal data in full compliance with the principles set out in Article 5 of the UK GDPR:

Lawfulness, fairness, and transparency — data is processed lawfully, fairly, and in a transparent manner;
Purpose limitation — data is collected for specified, explicit, and legitimate purposes;
Data minimisation — only data necessary for the intended purposes is collected and processed;
Accuracy — reasonable steps are taken to ensure that personal data is accurate and kept up to date;
Storage limitation — personal data is retained only for as long as necessary;
Integrity and confidentiality — data is processed securely against unauthorised processing, accidental loss, destruction, or damage;
Accountability — the Company is responsible for, and must be able to demonstrate, compliance with these principles.

7. DATA RETENTION

7.1. We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. When retention is no longer necessary, data is securely deleted or anonymised.

7.2. Our standard retention periods are set out below:

8. YOUR RIGHTS UNDER THE UK GDPR

8.1. We recognise and uphold Your right to privacy. Under the UK GDPR and the DPA 2018, You have the following rights:

8.1.1. Right to be informed

You have the right to be informed about the collection and use of Your personal data. This Privacy Policy fulfils that right.

8.1.2. Right of access (Article 15 UK GDPR)

You have the right to obtain confirmation as to whether We are processing Your personal data and to receive a copy of that data. Subject Access Requests ("SARs") will be responded to within one month, free of charge, save where requests are manifestly unfounded or excessive.

8.1.3. Right to rectification (Article 16 UK GDPR)

You have the right to request that We correct any inaccurate or incomplete personal data We hold about You.

8.1.4. Right to erasure / "Right to be Forgotten" (Article 17 UK GDPR)

You have the right to request deletion of Your personal data where: (i) the data is no longer necessary for the purposes for which it was collected; (ii) You withdraw consent and there is no other legal basis; (iii) You object to processing under Article 21; (iv) the data has been unlawfully processed; or (v) erasure is required for compliance with a legal obligation. This right does not apply where processing is necessary for: legal claims, legal obligations, public interest, or freedom of expression.

8.1.5. Right to restriction of processing (Article 18 UK GDPR)

You have the right to restrict the processing of Your personal data in certain circumstances, including while We verify the accuracy of contested data or assess Your objection.

8.1.6. Right to data portability (Article 20 UK GDPR)

Where Our processing is based on consent or the performance of a contract and is carried out by automated means, You have the right to receive Your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

8.1.7. Right to object (Article 21 UK GDPR)

You have the right to object at any time to processing of Your personal data carried out on the basis of legitimate interests or for direct marketing. Where You object to direct marketing, We will cease such processing immediately.

8.1.8. Right to withdraw consent

Where Our processing is based on consent, You may withdraw it at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. Following withdrawal, We will cease processing within 30 days unless another legal basis applies.

8.1.9. Rights related to automated decision-making and profiling (Article 22 UK GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects You. We do not currently carry out such automated decision-making.

8.1.10. Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with the Information Commissioner's Office ("ICO"), the UK supervisory authority for data protection matters. You can contact the ICO at:

Website: https://ico.org.uk
Telephone: 0303 123 1113
Postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

We would, however, appreciate the opportunity to address Your concerns directly before You approach the ICO. Please contact Us at info@lacleescapes.com in the first instance.

8.2. How to exercise Your rights:

To exercise any of the above rights, please send a request to info@lacleescapes.com including: (a) Your full name; (b) email address and phone number associated with Our records; (c) a clear description of the right You wish to exercise; and (d) any documents reasonably necessary to verify Your identity. We aim to respond within one month, extendable by two further months for complex requests (with notification of the extension).

‍

9. INTERNATIONAL DATA TRANSFERS

9.1. By the nature of luxury travel arrangements, Your personal data may be transferred to, stored, and processed in countries outside the United Kingdom, including in jurisdictions where Suppliers (hotels, DMCs, ground operators) are located. This may include countries that the UK Government has not deemed to provide an "adequate" level of data protection.

9.2. Where We transfer personal data outside the United Kingdom, We ensure that one of the following safeguards is in place:

The destination country is the subject of an "adequacy decision" or "adequacy regulations" made by the UK Government;
The transfer is governed by the UK International Data Transfer Agreement ("IDTA") or the UK Addendum to the EU Standard Contractual Clauses ("SCCs");
Binding Corporate Rules apply;
The transfer falls within one of the derogations under Article 49 UK GDPR (e.g. necessary for the performance of a contract with You, including Your travel arrangements);
Where required, We carry out Transfer Impact Assessments ("TIAs") to evaluate the legal and practical risks of the transfer.

9.3. Specifically, where Your travel arrangements require Us to share Your personal data with Suppliers located outside the UK to enable Your booking (e.g. hotels, DMCs in destination countries), this transfer is necessary for the performance of Our contract with You (Article 49(1)(b) UK GDPR).

9.4. You may request a copy of the safeguards in place for transfers of Your personal data by contacting info@lacleescapes.com.

10. DATA SECURITY

10.1. We implement appropriate technical and organisational measures to protect Your personal data, including:

Encryption of data in transit using SSL/TLS technology;
Access controls and multi-factor authentication;
Regular security assessments and updates of Our systems;
Staff training on data protection and confidentiality;
Non-disclosure agreements with all employees, contractors, and partners with access to client data;
Data minimisation in Supplier communications (sharing only what is necessary).

10.2. Despite these measures, no system is 100% secure. In the event of a personal data breach that is likely to result in a risk to Your rights and freedoms, We will notify You and the ICO in accordance with Articles 33 and 34 UK GDPR (i.e. ICO notification within 72 hours of becoming aware where feasible).

11. LINKS TO OTHER WEBSITES

11.1. Our Website may contain links to third-party websites, including those of Our Suppliers. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We strongly advise You to review the privacy policy of every site You visit.

12. COOKIES

12.1. Our Website uses cookies and similar tracking technologies. For detailed information about the types of cookies We use, the purposes for which We use them, and Your options for managing cookie preferences, please refer to Our Cookie Policy, available at [link to Cookie Policy].

13. DATA PROTECTION CONTACT

13.1. Under the UK GDPR, We are not required to appoint a statutory Data Protection Officer. However, We have nominated a person responsible for data protection matters. You can contact Us regarding any data protection matter using the following details:

La Clé Escapes LTD
89-90 Paul Street, 3rd Floor, London, United Kingdom

Email: info@lacleescapes.com

Company Number: 16408765

14. GOVERNING LAW AND JURISDICTION

14.1. This Privacy Policy is governed by and shall be construed in accordance with the laws of England and Wales. Any dispute arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.