Tab | Privacy Policy

This privacy policy is effective from 24th May 2018.

About Tab

Tab provides an online platform that connects customers with tourism businesses. When you visit our website, download our apps, communicate with us, or use the Tab platform as a customer or tourism business, the data controller is Tab Labs Ltd.

Tab Labs Ltd is registered in England & Wales (company number 09339113) at 6th Floor, One London Wall, London, EC2Y 5EB.

Tourism businesses who use our platform may also act as data controllers for customer data, and you should contact them directly to understand how they manage your data.

Data we collect

Visitors

We collect personal data when you use our website or communicate with us.

Information about your use of our online content and emails, such as how you came to our website, which pages you visit, how long you remain on a page or view a video, and whether you opened an email or clicked a link. To collect this data, we use cookies and other tracking technologies.
Information provided when you communicate with us by phone, email, web inquiry forms or chat, including records of your contact, your country and language, your email address or other contact information, and other information about the reasons for the communication.
Information about tourism businesses and partners that we may consider working with from public sources and data enrichment services provided by third parties.
Marketing preferences, such as whether you have agreed to receive marketing information or newsletters about our services or whether you have opted out, and the types of services that may interest you.

Tourism Businesses

We collect personal data when you enquire about, set up, administer and use a Tab account. This may include information about your company’s employees, directors or beneficial owners.

Identification information, such as name, email address, phone number, birthdate, government-issued identification (for example, a passport or driver’s license), and account username and password.
Financial information, such as your bank account number, bank routing code, tax identification number, account holder name and address.
Transaction information, such as the names of transacting parties, detailed transaction descriptions, payment amounts, billing addresses; and the devices, payment methods and GPS locations used to complete the transactions.
Device and connection information, such as the type of device you use to access our services, operating system and version, device identifiers, network information, log-in records, IP address and location derived from it.
Merchant verification information, from agencies who provide identity verification or credit references, from financial institutions, from social media or from other public sources. We confirm your identity and businesses with which you are connected. Where applicable, we may access your presence on sanctions lists or in adverse media searches, and links to politically exposed persons.
Marketing preferences, such as whether you have agreed to receive marketing information or newsletters about our services or whether you have opted out, and the types of services that may interest you.

Customers

We collect personal data when you enquire about, set up, administer and use a Tab account, when you initiate or complete a transaction, and when you make or have a payment collected using our services.

Identification and contact information, such as your name, home address, and email address. Where required by law or financial institutions, we also collect a government identifier.
Financial information, such as your information about your payment card (though we do not store your full payment card number or CVV number).
Financial information, such as your bank account number, bank routing code, account holder name, tax identification number, and other information you provide to us or give us consent to access directly from your bank.
Transaction information, such as the names of transacting parties, detailed transaction descriptions, payment amounts, billing addresses; and the devices, payment methods and GPS locations used to complete the transactions.
Device and connection information, such as the type of device you use to access our services, operating system and version, device identifiers, network information, log-in records, IP address and location derived from it.
Payer verification information. If our banking partner or our own fraud alerts flag a potentially fraudulent payment or account, we will use identity verification and screening agencies and other publicly available data to confirm the payer’s identity and clear the alert or stop the payment or chargeback.
Marketing preferences, such as whether you have agreed to receive marketing information or newsletters about our services or whether you have opted out, and the types of services that may interest you.

Use of your personal data

Using personal data to provide our services

We use personal data where it is necessary to provide the services you request.

To provide our services, we use the identification, contact and financial information of customers and tourism businesses. We use transaction information to deliver key features of the services, such as displaying transaction history.
We use personal data to communicate with you, like sending transaction notifications, alerting you to changes in the service, customising our services for you based on your transaction history, or providing customer support.
We use personal data to prevent fraudulent or unauthorised use of our services. We verify the identity of tourism businesses and in some cases customers, evaluate the authenticity of transactions and payments, and may block transactions we believe to be fraudulent or violate our terms. To do this, we may rely on software that makes automatic decisions.

Using personal data for our legitimate interests

We use personal data for our legitimate business interests. When we do, we make sure we understand and work to minimise its privacy impact. For example, we limit the data to what is necessary, control access to the data, and where we can, aggregate or de-identify the data.

We use personal data to develop and improve our products and services. For example, we might use data to:
- create or refine models for detecting unauthorised transactions and improving the speed at which transactions are processed
- analyse how people engage with our website and services so that we can develop new products or features
We use personal data to promote our services, offer you products or services that may be of interest to you, communicate news and industry updates, and host or participate in events.
Where we believe it is necessary to protect our legal rights and interests and the interests of others, we use personal data in connection with legal claims, compliance, regulatory and audit functions, and in connection with the acquisition, merger or sale of a business.

Using personal data where required by law

We use personal data to comply with the requirements of law and as required in other exceptional circumstances.

We must conduct due diligence on tourism businesses using our platform and where necessary, customers, and prevent money laundering or other illegal activities. We verify the identities of prospective and current tourism businesses and their employees and beneficial owners, and screen them for sanctions, politically exposed persons, criminal activity and adverse media.
Under exceptional circumstances, we may be required by law to provide personal data to tax authorities, or to law enforcement agencies, courts or others in connection with claims and other litigation.

Sharing personal data

We share personal data with financial institutions and the tourism businesses and customers in a transaction to provide our services.
Tab works with partners who integrate our services into their applications and partners whose services we integrate into our application. When you transact through a partner integration, or when you set up a Tab account with one of our partners, your personal data will be shared with the partner to provide the integrated services.
We share data with Tab group companies in countries where we offer Tab services, who use it to provide and market our services in those countries, governed by this privacy notice.
If ownership or control of all or part of our business or assets changes, we may transfer personal data to the new owner. If the owner will use the data for purposes other than those disclosed here, they will take the steps required by law to ensure such purposes remain lawful.
We work with service providers who have access to personal data when they provide us with services, like technical infrastructure, web and app development, and marketing, analytics and survey tools. We impose strict restrictions on how service providers store, use and share data on our behalf. We also work with companies who provide identity verification, background screening, due diligence, consulting and other regulatory services for us.
In exceptional circumstances, we share personal data with government agencies and other third parties if we believe it is reasonably necessary to comply with law, regulation, legal process or governmental request; to enforce our agreements, policies and terms; to protect the security of our services; to protect Tab and our tourism businesses, customers or the public from harm or illegal activities; or to respond to an emergency.

Transferring personal data abroad

Tab’s services are offered from our headquarters in the United Kingdom. Personal data may also be stored and accessed by service providers located in other countries in the European Union. Some of our service providers are located in the United States or other countries that do not provide the same standard of data protection as the EU.

When we work with a service provider, we look for a legal mechanism that requires them to protect data to EU standards. For example, the service provider has signed on to the EU-US Privacy Shield, operates under EU-approved binding corporate rules, or is in a country the EU recognises as having adequate data protection laws. Where no other legal mechanism exists, we enact the EU-approved standard contractual data protection clauses in our contracts.

Our services are available in a number of countries around the world. If you use our services to transact with a tourism business in another country, personal data will be transferred as necessary to complete this transaction.

Your rights and choices

Most of the data we collect and the purposes we use it for are necessary for us to operate and improve our services or comply with our obligations as a service provider. We tell you in the service where you can make a choice or grant consent. When you grant consent, you may withdraw it at any time to stop any further processing. You can also ask us at any time not to send or to carry out profiling for direct marketing, or to stop using certain kinds of cookies.

You may have certain rights under data protection law. These include the right to ask Tab for a copy of your personal data, to correct, delete or restrict processing of it, and to obtain personal data in a format you can share with a new provider. You may have the right to object to processing. These rights may be limited in some situations – for example, where we can demonstrate that we have a legal requirement to process your data.

To exercise your data protection rights, please email us at: hello@tab.travel

If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live or work, or where you believe a breach may have occurred.

Retention periods for your personal data

Tab keeps personal data for as long as necessary to provide our services to tourism businesses using our platform. We also keep personal data for other legitimate business purposes, such as complying with our legal obligations, resolving disputes, preventing fraud, and enforcing our agreements. These needs can vary for different data types used for different purposes, so retention times will also vary. Here are some of the factors we have considered to set retention times:

How long do we need the personal data to develop, maintain and improve our services, keep our systems secure, execute chargebacks, prevent fraudulent transactions, and store appropriate business and financial records.
Have you asked us to stop using your data or withdrawn your consent? We will process the data for only a short period after this to implement your request. If needed, we will also keep a record of your request so that we can make sure it is respected in the future.
Are we subject to a legal, regulatory or contractual obligation to keep the data? For example, we’re required to keep transaction data and other information that helps us carry out required checks, for periods of time that vary according to the underlying payments scheme. We may also need to comply with government orders to preserve data relevant to an investigation or retain data for the purposes of litigation.