Legal
Privacy Policy
Working draft — pending review by counsel · July 2026
This policy explains how VIRAM Advisors handles the personal data you give us when we arrange premium-cabin flights and luxury hotels on your behalf. It covers what we collect, why we collect it, the lawful bases we rely on, who sees your data, how long we keep it, where it travels, and the rights you hold. It applies to our clients, to prospective clients who enquire, and to visitors to our website. We review it regularly, and the version on this page is the current one.
Who We Are
VIRAM Advisors is a private travel advisory run by two Founders. We arrange first and business class flights and luxury hotels for a small list of clients. We are paid by the client and never by the airlines or hotels we book, which means we have no commercial reason to pass your data to anyone who does not need it.
For the purposes of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR), VIRAM Advisors is the data controller for the personal data described in this policy. That means we decide what data is collected and how it is used, and we are responsible for looking after it.
You can reach the Founders using the details in the final section. Correspondence about your data goes to one email address and is read by the partners themselves, not by an outside team.
What We Collect
Identity and travel-document data. Your full name, date of birth, nationality, passport number and expiry date, and, where a booking requires it, a scanned copy of the passport. Depending on the trip this may extend to visa details, known-traveller or redress numbers, and the names and passport details of others travelling with you, where you provide them.
Contact data. Your postal address, email address and telephone number, and a preferred way and time to be reached.
Travel preferences. Seat and cabin preferences, airline and hotel loyalty programme numbers, room and bedding preferences, and any dietary or accessibility requirements you ask us to arrange. Some of this, such as a dietary requirement or a mobility need, may reveal information about your health or religious beliefs. Data of that kind is treated as special category data and is described further under Lawful Bases below.
Booking and financial data. Itineraries, confirmations, invoices, and the payment details needed to settle a booking or our fee. Where card details pass through a payment provider, they are handled by that provider under its own security standards.
Correspondence. The emails, messages and notes that arise from arranging your travel and answering your enquiries.
Why We Collect It
To arrange, confirm and service the flights and hotels you ask us to book, including meeting the passenger and guest information that airlines, hotels and border authorities require.
To respond to your enquiries, give advice, and manage the working relationship between us.
To handle payment, keep accurate financial records, and meet our tax, accounting and other legal obligations.
To send you occasional communications about our service, where you have asked to receive them.
We collect only what a booking or the relationship reasonably needs. We do not gather data speculatively, and we do not build profiles for advertising.
Lawful Bases
Under UK GDPR and EU GDPR we must have a lawful basis for each use of your data. We rely on the following.
Performance of a contract (Article 6(1)(b)). Most of what we do, from taking your passport details to confirming a booking, is necessary to provide the service you have engaged us for.
Legitimate interests (Article 6(1)(f)). We rely on this to run the practice, to respond to enquiries from prospective clients, and to keep records of the advice we have given. Where we rely on legitimate interests, we have considered your rights and interests and are satisfied they are not overridden.
Legal obligation (Article 6(1)(c)). We keep certain financial and transaction records because tax and accounting law requires it, and we disclose data where a border or aviation authority lawfully requires it for a booking.
Consent (Article 6(1)(a)). We rely on your consent to send marketing communications, which you can withdraw at any time.
Explicit consent for special category data (Article 9(2)(a)). Where a dietary, health or accessibility requirement you give us reveals special category data, we process it only to arrange what you have asked for and only with your explicit consent.
Who Sees Your Data
We do not sell your personal data. We have never done so and we do not share it with advertisers, data brokers, or any third party for their own marketing.
We disclose your data only in two circumstances. The first is to the airline, hotel, ground transport provider or similar supplier needed to fulfil a booking you have specifically asked us to make. Only the information that booking requires is passed on, such as the passenger name and passport details an airline needs to issue a ticket. Once your data reaches an airline or hotel, that company handles it as its own controller under its own privacy policy, and we would encourage you to read those where a booking matters to you.
The second is a small number of service providers who support us under contract, such as our payment provider and our secure IT and email systems. These act as our processors, may use your data only on our written instructions, and may not use it for their own purposes.
We may also disclose data where the law requires it, for example to a tax authority or in response to a valid legal request. Beyond these narrow cases, your data stays with us.
International Transfers
Travel is international by nature, so fulfilling a booking often means sending your details to an airline or hotel outside the United Kingdom and the European Economic Area.
Where we transfer personal data outside the UK or the EEA, we do so on a lawful footing. That means the destination is covered by a UK adequacy regulation or an EU adequacy decision, or the transfer is protected by appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum, or the European Commission's Standard Contractual Clauses.
Some transfers to an airline or hotel are necessary to perform the contract you have asked us to arrange, and are made on that basis. In every case we limit the data sent to what the booking requires.
How Long We Keep It
We keep your data only as long as there is a reason to. The reason is either the working relationship between us, a legal obligation, or a right we may need to defend.
Booking and financial records are kept for six years after the relevant tax year, because tax and accounting law requires it. Correspondence and preference data are kept for the life of the relationship and for a reasonable period afterward, so that we can pick up where we left off if you return to us.
Passport copies and other travel-document data are deleted once the trip they relate to is complete, unless you ask us to retain them to save you resubmitting for future travel, in which case we hold them on that basis and delete them when you tell us to. Marketing consent and the data behind it are kept until you unsubscribe. When a retention period ends, we delete or securely destroy the data.
Your Rights
Under UK GDPR and EU GDPR you hold a set of rights over your personal data. You have the right to be told what data we hold and to be given a copy of it (access). You have the right to have inaccurate data corrected (rectification) and, in defined circumstances, to have data deleted (erasure). You have the right to restrict or object to certain processing, and the right to receive the data you gave us in a portable, machine-readable form so it can be moved elsewhere (portability). Where we rely on your consent, you have the right to withdraw it at any time, without affecting anything done before you did.
To exercise any of these rights, write to the email address in the final section. We do not charge for this in ordinary cases, and we respond within one calendar month, the period the law allows. We may ask you to confirm your identity first, so that we do not disclose your data to anyone else.
If you believe we have handled your data wrongly, you have the right to complain to a supervisory authority. In the United Kingdom that is the Information Commissioner's Office. In the European Union it is the data protection authority in the country where you live or work. We would welcome the chance to resolve the matter with you directly first.
Cookies
Our website uses a small number of cookies. The essential ones make the site work and keep it secure, and are set without asking because the site cannot function without them.
Any cookie that measures how the site is used is set only with your consent, which we ask for when you first visit and which you can change at any time. We do not use cookies to advertise to you or to track you across other websites.
You can control or delete cookies through your browser settings. Blocking the essential ones may stop parts of the site from working.
How to Contact Us
For any question about this policy, or to exercise a right over your data, contact the Founders of VIRAM Advisors by email at the address published on our contact page, or by post to our registered address.
If you are not satisfied with our response, you may contact the Information Commissioner's Office in the United Kingdom at ico.org.uk or on 0303 123 1113, or your local data protection authority in the European Union.
This policy is reviewed regularly and the version shown here is the current one. Where we make a material change, we update the date on this page and, where appropriate, tell you directly.
