Privacy Policy

This Privacy Policy explains how ACL Travel S.r.l. Società Benefit (“we”, “us”, “our”), trading as HeyLocals through the website heylocals.co.uk and our UK correspondence office at WeWork, Aviation House, 125 Kingsway, London WC2B 6NH, processes personal data about you when you visit our website, enquire about a placement, make a booking, travel with us, communicate with us, or otherwise interact with us.

We are an Italian company. We are subject to the General Data Protection Regulation (Regulation (EU) 2016/679 — “EU GDPR”) and the Italian Codice Privacy (D.Lgs. 196/2003 as updated by D.Lgs. 101/2018) for our processing of personal data in our capacity as an Italian-established controller.

We are also subject to the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 for our processing of the personal data of individuals in the United Kingdom in the context of offering goods or services to them or monitoring their behaviour, in line with Article 3(2) UK GDPR.

We act as data controller of the personal data we process about you. The controller’s identity is ACL Travel S.r.l. Società Benefit, with the contacts set out in Section 14 below.

If you have any questions about this Privacy Policy or about how we process your personal data, please contact us using the details in Section 14.

We collect different categories of personal data depending on how you interact with us. The main categories are:

Identity and contact data

Full name, date of birth, gender, nationality, passport number and copy, postal address, email address, telephone number, emergency-contact details (with their consent — see Section 12).

Booking and financial data

Booking reference, dates and destination of placement, partner organisation, accommodation details, dietary requirements, payment-card masked details and transaction records (we do not store full card details — see “Payment processing” below), invoice records.

Health and special-category data

Information about disabilities, allergies, dietary requirements, medical conditions, medication, mental-health considerations, vaccination history, insurance details. Where you choose to share it with us, we treat this as special-category data under Article 9 UK GDPR / EU GDPR.

Safeguarding and criminal-records data

Safeguarding Self-Declaration responses, criminal-records certificates (DBS, ICPC, certificato penale, or national equivalents), Code of Conduct acknowledgements, references, identity verification documents, records of safeguarding concerns. This is criminal-offence data under Article 10 UK GDPR / EU GDPR and is subject to additional protections.

Communication and engagement data

Records of correspondence with us (emails, contact-form submissions, phone calls, messaging), enquiries and quote requests, feedback and reviews, social-media interactions where you have engaged with our official accounts.

Marketing preferences

Your preferences for receiving marketing communications, your subscription status, and your interaction with our marketing emails.

Website usage data

IP address (in truncated/pseudonymised form where possible), browser type and version, operating system, device type, referring URL, pages visited, time of visit, search terms, geolocation at country level, cookie identifiers. See our Cookie Policy for detail.

Photograph and audiovisual data

Photographs and videos taken during placements, in line with your separate consent and the rules in our Safeguarding Policy. Photographs and videos used in marketing are processed only with explicit consent (yours and, for any image of a child, the guardian’s).

We do not collect personal data from sources other than you, except where:

• A third party (for example, a parent or partner referrer) has provided your details with your consent;
• We obtain references from referees you have nominated;
• We receive criminal-record information through verification routes that you have authorised.

Under Article 6 UK GDPR / EU GDPR, every act of processing personal data must have a lawful basis. We rely on the following bases, depending on the purpose:

For each special-category processing operation, we maintain — where required by Schedule 1 Part 4 DPA 2018 — an Appropriate Policy Document explaining how we comply with data-protection principles and our retention policy for the data.

You have the right, where we rely on consent or legitimate interests, to withdraw consent at any time or to object to processing on legitimate-interests grounds. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. See Section 9 (Your Rights).

We use your personal data for the following purposes:

• To respond to your enquiries and provide you with information about our placements.
• To form and perform your booking contract, including communicating with you about your booking, organising your placement with the in-country partner, arranging accommodation, organising airport transfers and in-country support.
• To carry out safeguarding screening before any placement involving contact with children or adults at risk, in line with our DBS Check Policy.
• To deliver our duty of care to you and to the children, adults at risk and communities you will encounter, including emergency response, medical assistance referral, and consular liaison.
• To process payments and to manage refunds, charge-backs, accounting and tax compliance.
• To respond to and resolve complaints, including ADR processes where applicable.
• To meet legal obligations, including obligations under Italian travel-organiser law (Codice del Turismo), tax law, criminal-records law (D.Lgs. 39/2014) and statutory safeguarding cooperation.
• To send you service emails about your booking, pre-departure information, in-country updates, and post-trip follow-up.
• To send you marketing communications, where you have given consent or where the soft-opt-in rules apply, to tell you about other placements, news and updates that may interest you.
• To improve our website and services, including analysis of (consented) website usage, customer feedback, and operational learnings from placements.
• To defend and bring legal claims and to protect our legitimate business interests.
• To cooperate with statutory authorities (Italian, UK and host-country) where required, including in response to specific safeguarding or criminal investigations.

We do not use your personal data for any automated decision-making that produces legal or similarly significant effects on you. We do not engage in profiling for that purpose.

We share your personal data only in the circumstances and with the categories of recipient listed below. We do not sell your personal data to anyone, ever.

In-country partner organisations

We share with the partner hosting your placement the operational data they need (your name, dates, dietary requirements, allergies, emergency contact, relevant health/safeguarding-screening status). Partners are contractually required, through our Partner Safeguarding Agreement, to apply equivalent data-protection standards.

In-country coordinators, host families and accommodation providers

The minimum information they need to host you safely.

Payment processors

We use third-party payment service providers to process card payments. We do not see, store or process full card numbers. The payment processor acts as an independent controller for fraud-prevention purposes, and as our processor for payment-execution purposes.

Insurers

Where you ask us to provide a referral to an insurance provider, we share your contact details only with your express request. We do not share your data with insurers without your request.

Statutory and law-enforcement authorities

Where required by law or under our safeguarding obligations: Italian Procura della Repubblica, Telefono Azzurro / Emergenza infanzia / AGIA / Garante Privacy / Carabinieri / Polizia Postale; UK police, NSPCC, LADO, DBS, FCDO, ICO; host-country police and child-protection authorities.

Professional advisers

Lawyers, accountants, tax advisers, insurance brokers, auditors — bound by professional duties of confidentiality.

IT, hosting and operational service providers

Email and document services, website hosting, customer-relationship management software, analytics providers (where you have consented), all under data-processor agreements that require equivalent protection of your data.

Successors and acquirers

In the event of a corporate transaction (sale, merger, restructuring), personal data may be transferred to the acquiring or successor entity, subject to the same data-protection obligations.

Other recipients

Only with your specific consent, or where required by law.

Some of our data processing involves transferring personal data outside the United Kingdom and outside the European Economic Area (“EEA”). We deal with these transfers as follows.

Transfers from the UK to Italy

Italy is a member of the EEA. The UK has issued an adequacy decision recognising the EEA as providing an adequate level of data protection (the UK Data Protection (Adequacy) (European Union) Regulations 2021). Personal data of UK residents transferred from the UK to our headquarters in Italy therefore moves under that adequacy decision and no additional safeguard is required.

Transfers from the EEA to Italy

This is an intra-EEA transfer and requires no further safeguard.

Transfers to non-EEA host countries

(Kenya, Tanzania, Vietnam, Sri Lanka, Philippines, Nepal, Indonesia, Thailand, Cambodia, Costa Rica, Colombia, Japan, South Korea, India, Cape Verde) Where we share your data with in-country partners or coordinators in destinations outside the EEA, we put in place appropriate safeguards. The route varies by country:

• Adequacy decisions in force (recognised by the UK or EU Commission): for example, Japan and South Korea benefit from EU Commission and/or UK adequacy decisions for transfers in the relevant scope. Where applicable, transfers rely on the adequacy decision.
• Standard Contractual Clauses with the UK Addendum and/or the UK International Data Transfer Agreement (IDTA): for transfers to other destinations, we use the UK IDTA (or, where appropriate to our company-Italian context, EU Standard Contractual Clauses with the UK Addendum) entered into with each non-EEA partner. Transfers to non-EEA destinations from our Italian headquarters use EU Standard Contractual Clauses (Decision (EU) 2021/914) where required.

Specific derogations under Article 49 UK GDPR / EU GDPR apply only in tightly limited circumstances (for example, transfer necessary for the performance of a contract with you, or transfer necessary for important reasons of public interest, or transfer necessary to protect the vital interests of you or another person where you are physically or legally incapable of giving consent). We rely on these derogations only when a more permanent safeguard is not in place.

A copy of the relevant transfer mechanism for any specific transfer is available on request to [email protected].

We retain personal data only for as long as necessary for the purposes for which it was collected, in line with Article 5(1)(e) UK GDPR / EU GDPR and our Retention Schedule.

When the retention period ends, data is securely deleted or, where complete deletion is not possible (for example, in backup tapes), placed beyond use.

We take security seriously and apply appropriate technical and organisational measures to protect your personal data, including:

• Encryption in transit (TLS 1.2 or above) for all website traffic and email transit;
• Encryption at rest for stored personal data, where the storage technology supports it;
• Access controls — only personnel who need to see your data, see it;
• Multi-factor authentication on key administrative accounts;
• Regular review of user access rights;
• Staff training on data protection and information security;
• Data-processor agreements with all processors;
• A documented breach-response procedure, with notification to the supervisory authority within 72 hours where the criteria of Article 33 UK GDPR / EU GDPR are met, and to affected individuals where Article 34 applies.

No system is completely secure. If you have a concern about the security of your data, please contact us at [email protected].

Under UK GDPR and EU GDPR you have the following rights, which you can exercise free of charge in most cases:

• The right to be informed about how your personal data is processed (which is what this Privacy Policy is for).
• The right of access — to ask us for a copy of the personal data we hold about you.
• The right of rectification — to ask us to correct inaccurate or incomplete data.
• The right to erasure (“the right to be forgotten”) — to ask us to delete personal data, in the circumstances permitted by Article 17 UK GDPR / EU GDPR.
• The right to restriction of processing — to ask us to suspend processing while we investigate accuracy or settle an objection.
• The right to data portability — to receive personal data we process on the basis of consent or contract in a structured, commonly used and machine-readable format, and to transmit it to another controller.
• The right to object to processing based on legitimate interests, and to processing for direct marketing.
• The right to withdraw consent at any time, for processing based on consent.
• The right not to be subject to solely automated decisions producing legal or similarly significant effects (we do not currently make any such decisions).
• The right to lodge a complaint with a supervisory authority (Section 13).

Some rights are subject to conditions, exceptions and exemptions under data-protection law; we will explain in our response if any apply.

To exercise any right, please contact us at [email protected], or by post to either of our offices listed at the head of this Policy. We aim to respond within 30 days (extendable by up to 60 days for complex requests, in which case we will tell you within 30 days).

We may need to verify your identity before responding, to make sure we are not releasing data to the wrong person.

We send marketing communications (information about other placements, news, blog content) only:

• Where you have given explicit, opt-in consent (typically by ticking a clear box on a sign-up form, with no pre-ticked boxes); or
• Under the soft opt-in rule in Reg 22(3) PECR for similar products to existing customers — we offer an opt-out at every stage and you can unsubscribe at any time.

Every marketing email contains a clear, one-click unsubscribe link. You can also withdraw consent or object to marketing at any time by emailing [email protected]or by clicking “unsubscribe” in any email.

We do not engage in marketing by SMS, automated calling, fax, or push notification without your specific consent.

We do not share your data with third parties for their direct-marketing purposes.

We use cookies and similar technologies on heylocals.co.uk. Detail on what we use, why, for how long, and how you can control them is set out in our Cookie Policy (heylocals.co.uk/cookie-policy).

In summary:

• Strictly necessary cookies are set without consent. Without them, the website does not function.
• Functional, performance/analytics, and marketing cookies are set only with your prior, freely given, specific, informed and unambiguous consent, given through our cookie banner.
• You can withdraw consent at any time, as easily as you gave it, through the “Cookie preferences” link in our website footer.

We comply with the Privacy and Electronic Communications Regulations 2003 (“PECR”) and the ICO’s current guidance, including the requirement that the option to reject non-essential cookies must be as prominent and as easy to use as the option to accept them.

If you provide us with personal data of third parties (for example, an emergency contact, a parent’s contact, references), you confirm that:

• You have a lawful basis to share that data with us;
• You have informed the third party that their data has been shared with us;
• You have directed them to this Privacy Policy.

Our services are not directed at children, and we do not knowingly collect personal data from anyone under 18 except where:

• A parent or legal guardian has consented to our processing the data of an under-18 Participant on a placement specifically designated as suitable for under-18s;
• The data is collected as part of safeguarding work, in accordance with our Safeguarding & Child Protection Policy and the special-category lawful basis described in Section 3.

If you believe we hold personal data of a child without an appropriate basis, please contact us at [email protected].

• For all data-protection enquiries: [email protected]
• For safeguarding-related data matters: [email protected]
• By post (UK correspondence): WeWork, Aviation House, 125 Kingsway, London WC2B 6NH, United Kingdom
• By post (Italian registered office): ACL Travel S.r.l., Piazza Durante 24, 20131 Milano, Italy
• PEC (certified email, Italy): [email protected]

We have not appointed a Data Protection Officer (DPO), as our processing does not meet the threshold conditions under Article 37 UK GDPR / EU GDPR (we are not a public authority, our core activity does not consist of large-scale regular and systematic monitoring of data subjects, and our core activity does not consist of large-scale processing of special-category data, on a strict interpretation of the Article 29 / EDPB guidance). We will reassess this position annually and as our operations evolve.

We have not appointed an Article 27 UK GDPR / EU GDPR representative as our processing of UK or EU residents’ data is occasional, does not involve processing on a large scale of special-category or criminal-offence data, and is unlikely to result in a high risk to the rights and freedoms of data subjects, in line with the Article 27(2)(a) exception. We will keep this position under review and appoint a UK / EU representative if our operations expand to a level requiring it.

If you are unhappy with how we have handled your personal data, please tell us first — using the contacts in Section 14 — so that we have a chance to put it right.

You also have the right to complain at any time to a supervisory authority. The relevant supervisory authority depends on where you are habitually resident, your place of work, or the place of the alleged infringement:

• United Kingdom: Information Commissioner’s Office — www.ico.org.uk · 0303 123 1113
• Italy: Garante per la protezione dei dati personali — www.garanteprivacy.it
• Other EEA countries: the supervisory authority of your member state.

Complaining to a supervisory authority does not affect any other right or remedy you may have.

We may update this Privacy Policy from time to time to reflect changes in our practice, in the law, or in regulatory guidance. The version number and date of adoption at the head of the Policy will be updated when we make changes. We will tell you about material changes by email and/or by a notice on the website before they take effect.