Privacy notice

Welcome
About Us and Contact Details
Our Global Presence
Personal Information we collect about you
How we use your Personal Data
Marketing and your Personal Data
How we share your Personal Data
Transferring your Personal Data outside Europe
Retention of your Personal Data
Security of your Personal Data
Your rights under Applicable Data Protection Law
Updates to the Privacy Notice
Glossary

1. Welcome

Welcome to our privacy notice (“Privacy Notice”). At Lounge Pass("we, us, our,") we respect and commit to protecting your personal data. Our Privacy Notice, together with our Terms of Use, will explain how we collect, use, store, share and look after your data:

a) When you interact or use our website (together “Website”), or

b) If you use any of our products, services and or applications (together “services”).

For ease, we have divided our Privacy Notice into sections. At the end of our Privacy Notice, we have also included a Glossary to explain some of the terms mentioned.

2. About Us and Contact Details

Lounge Pass, a division of Priority Pass is a company registered in England and Wales, at 3 More London Riverside, London, SE1 2AQ with company number 02728518 and is a subsidiary of The Collinson Group Limited (the “Collinson Group”).

Under Applicable Data Protection Law, we are the Controller of your Personal Data we process. We may also act as a Processor if you obtained your Lounge Pass booking through our client, such as a travel agent.

The Collinson Group has appointed a Group Data Protection Officer (“DPO”). If you have any questions about this Privacy Notice or would like to know how we handle your Personal Data, please contact the DPO or the Data Protection Team by post at The Data Protection Officer, 3 More London Riverside, London, SE1 2AQor by email at Data.Protection@loungepass.com

3. Our Global Presence

We are a company with a global presence and must meet many data protection and privacy law requirements in the countries we operate. If you are a resident of California, we must comply with the Californian Consumer Privacy Act (“CCPA”). Please click here for the CCPA notice.

4. Personal Data we collect about you.

We will collect your Personal Data from:

You e.g. when you register your interest or sign up to use our services or provide us with your marketing preference.
our clients or prospective clients who send us your Personal Data to allow us to give you access to our services or communicate with you.
your devices e.g. when you connect to our Website, use our Website.
through cookies we use on our Websites to secure our Website, to offer you personalised experiences.
third parties such as social media platforms where you may interact with our social media pages, companies within the Collinson Group assisting us with services we offer you, service providers carrying out services on our behalf e.g. marketing and fulfilment partners, data enrichment service providers.

The table below outlines the categories of Personal Data we collect and examples of the type.

Categories of Personal Data	Type of Personal Data
Contact details	Name (previous names), email address, telephone number, mobile number, address
Booking Information	Information about your booking with us, booking reference number, payment detail, marketing preference, flight number
Transaction details and history	Services you access and purchase, such as lounges or merchants you visit, as part of your Lounge Pass booking; Boarding card information
Nationality data	Passport number, nationality, country of residence language preference
Payment details	Payment method used, credit and debit card, bank details
Device details	IP address, time of access, date of access, location, web pages visited, device identifiers.
Website use data	Please see our cookie policy.
Marketing and Advertising data	Your marketing preferences and responses to our direct marketing, e.g. when and if you have opened, read and deleted our marketing emails, links clicked in marketing emails.
Your communications with us	Any Personal Data you provide us when you contact us. We also record your calls with us. We collect and store all copies of emails sent.
Fraud data	Any suspicious activities and details.

We do not knowingly collect or solicit Personal Data from anyone under the age of 18. If you are under 18, please do not attempt to register for our services or send any Personal Data about yourself to us. If we learn that we have collected Personal Data from a child under age 18, we will delete that information as quickly as possible. If you believe that a child under 18 may have provided us personal data, please contact us Data.Protection@loungepass.com

5. How we use your Personal Data

We will use your Personal Data in the following circumstances:

to perform a contract we have with you or about to enter with you. for our Legitimate Interest (or those of a third party), but only when your rights and freedoms do not override our legitimate interest. Our legitimate interest is, to help us improve our services and products and to obtain feedback from you.

to comply with a legal and regulatory obligation.
where we have your consent. If we have relied on consent to process your personal data, you have the right to withdraw your consent at any time by contacting Data.Protection@loungepass.com

The table outlines the lawful basis we can rely on to process your Personal Data.

What we use your information for	Our legal basis for doing so
To provide you with access to our Website	To perform a contract, we have with you or are about to enter into with you
Provide access to travel experiences within the service programme	To perform a contract, we have with you or are about to enter into with you
To manage our relationship with you as a user of the Website which includes notifying you about changes to our Websites and the services we offer.	Legitimate Interest (to keep our records updated and to study how customer use our product and services).
To provide you with information you have requested, including without limitation, quotations, Service documentation, brochures, and responses to applications.	Where we have your consent.
To respond to any enquiries from you regarding our services.	To perform a contract, we have with you or are about to enter into with you.
Process any payment required for the products and services you have requested	To perform a contract, we have with you are about to enter into with you
Store your payment card details, in order to be able to take agreed payments, as explained in the Conditions of Use	To perform a contract, we have with you are about to enter into with you
Provide you with newsletters, and other communications about the services you have purchased or chosen to opt into.	Where we have your consent
Offer customer surveys to improve our products and services	For our legitimate interests to improve our services
Analyse your usage of our services in order to be able to personalise your service and improve our products	For our legitimate interests to improve usage of our services
To provide you with information about certain other goods and services which we believe may be of interest to you.	Where we have your consent.
To enrich your data	Legitimate Interest to better understand you as a customer to provide you with a better service.
To send you targeted electronic communications about our services for marketing purposes.	Where we have your consent
To send marketing communication by post about our services.	Legitimate Interest - where you have not opted out to receive communication via post. To help us communicate to you about our services that may be of interest.
To receive feedback from you on our services	Legitimate Interest to help understand how we can improve our services.
To provide a better customer experience and understand your advertising needs.	Legitimate Interest to help us understand how we can develop our marketing strategy.
To provide customer support services	To perform a contract, we have with you or are about to enter into with you.
To protect the company and you from fraud	Legitimate Interest (to prevent and detect fraud and other financial crime)

a) We may also keep and use your Personal Data to comply with our legal obligations, resolve disputes, and enforce our agreements.

b) We may access, use and preserve your Personal Data to comply with law, in anticipation of litigation, or to protect our rights or property or those of third parties, even if your Personal Data is subject to a deletion request from you. We may also provide information to law enforcement or authorities to protect the safety of you, other users of our services or others.

c) Sale, acquire, merger, or change of ownership. If we merge with another company, or our equity securities or all or a part of our assets are sold to a third party, your Personal Data may be transferred to the buyer or successor entity. We will notify you and other users of any transfer to a different legal entity.

6. Marketing and your Personal Data

Marketing communications to our clients or other companies

We send commercial e-mails to individuals at our clients’ or other companies where we want to develop or maintain a business relationship or if they have used or shown interest in our services previously and have not opted out of marketing.

Marketing within the Collinson Group

We are part of the Collinson Group. If you consent to receive marketing from other companies within the Collinson Group, we will share your Personal Data with these companies so they can send you information about their products and services and any news that may be of interest to you. Each entity will be a separate Controller for the marketing they send to you and will handle your Personal Data, and any opt outs as set out in their Privacy Notice on their Website.

Third Party Marketing

With your consent we may share your information with selected third parties and partners outside the Collinson Group for marketing purposes. If you consent, we will share your Personal Data with these partners and third parties. They will handle your Personal Data, and any opt outs as set out in their Privacy Notice on their Website.

Opting out of Marketing

Where you consent to receive communication for marketing purposes, you have the right to opt-out. You can opt-out of receiving marketing communication at any time by following the opt-out links or option in any marketing messages sent to you or by contacting us any time at loungepass.com

If you opt-out of marketing, you will stop receiving marketing from us within 30 days. Please note, this does not apply to service communication, market research or customer surveys or any other processing outside marketing.

If opting out of marketing by post, please expect 30 days for the marketing to stop.

Where you consent to receive marketing from our selected partners, third parties or companies within the Collinson Group, you should contact them directly to opt-out of receiving their marketing communications.

7. How we share your Personal Data

We may share your Personal Data with the following types of companies, (Controllers or Processors) for the reasons explained in section 6.

Companies (Processors) we will share your Personal Data with include:

IT service providers, data disposal service providers and data storage service providers.
Data enrichment service providers to enhance the data we already hold about you to help us make more informed decisions and better understand you as a customer.
Companies within the Collinson Group acting as our processor, to help us provide our services to you e.g. our customer service function to handle your enquiries.
Our providers, AWS, who host our Websites
Lounges or merchants’ providers which you visit, so they can record and account for your visit.
We also share your Personal Data with payment service providers and data analytics services

Where we share your Personal Data with our service providers, we enter into contracts to ensure they also protect your Personal Data in line with Applicable Data Protection Law and with this Privacy Notice.

Companies (Controllers) we will share your Personal Data with include:

Companies within the Collinson Group to offer you services or products, where we have your consent.
Other third parties outside the Collinson Group to offer you services or products, where we have your consent.
Where service is a benefit of your payment card and therefore, we act as processor for our clients, the clients as controllers may instruct us to share your personal data with them,our partners or clients which provide joint marketing services

Where we share your Personal Data with the Controllers mentioned above, we enter into contracts to ensure your data is protected, as Controller they will also have a legal obligation to protect your data.

To help protect you and us from fraud, to combat money laundering and protect our Website from illegal use, we will share your Personal Data with fraud prevention agencies, payment service providers, banks, financial institutions and similar third parties for checking your identity and monitoring your behaviour on our Website. These additional service providers are Controllers and will have their obligations to protect and secure your data under Applicable Data Protection Law.

We may also share your Personal Data with law enforcement and statutory authorities when required by the law in the following circumstances:

To comply with a request for information from a governmental body such as law enforcement (police) or other public authorities;
To comply with a court order to disclose your Personal Data;
To comply with a regulatory investigation; and
The establishment, exercise or defence of a legal claim (including in connection with an investigation or enquiry by a competent regulatory authority).

We may share your data with your Issuers:

Where we are controllers and have contractual obligations to share your data with Issuers.
Where we act as a processor for issuers, the Issuers as controllers may instruct us to share your data with them.

There are other circumstances where we share your Personal Data:

The Collinson Group may transfer all your Personal Data to a third party if the operator of the Website changes, or if there is a sale of all or any part of its business or its assets or if we go out of business, enter bankruptcy, or go through some other change of control. In the event of any of these transfers occurring, the party who acquires the data will assume the rights and obligations described in this Privacy Notice.
We may share your Personal Data with courts, law enforcement, and governmental authorities and other third parties if required by law, subpoena, a directive from a regulatory authority or as otherwise necessary to comply with legal requirements or to protect our rights or property or those of third parties.

We may have links to other sites promoting our partners and clients. Please read their Privacy Notices available on their Websites to find out how they process Personal Data. This Privacy Notice will not cover their use of Personal Data.

8. International Transfer of your Personal Data

We will send your data to countries outside the UK and the EEA (transfers outside the EEA include transfers to the UK), where different data protection laws may apply. These transfers will only happen when:

we use service provider companies outside the UK or EEA;
there is a legal or regulatory obligation;
to meet our contractual obligation with you or are about to enter with you; or
we have your consent.

Where we transfer your data to a service provider company outside the UK or the EEA, we will implement safeguards so that your data continues to be protected. We protect your data by making sure:

the country has been granted an adequacy decision by the European Commission or UK; or

we conduct a security and data protection transfer assessment and put an appropriate contract in place with approved UK or European Commission standard contractual clauses between the company and us.

9. Retention of your Personal Data

We will not keep your Personal Data for longer than is necessary. When defining the retention period, we take several factors into consideration, the type and sensitivity of the Personal Data in question, the reason why the data was collected and processed, our legal basis for processing the Personal Data, who the Personal Data relates to and their rights and freedom. We also consider any legal and regulatory requirements to keep the data. Where we are the Processor, we will retain and dispose of the information under instructions from the Controller.

When the retention period has expired, we dispose of your Personal Data securely.

If you opt-out of receiving marketing, some Personal Data will be retained and added to our suppression list to ensure we do not market to you again.

10. Security of your Personal Data

We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorised access, disclosure, alteration and destruction. We have written procedures and policies regularly audited, and the audits are reviewed at a senior level.

Where personal data is transmitted across the internet, it will be encrypted. Where we have given you (or where you have chosen) a password which enables you to access certain parts of your personal data, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

11. Your rights under Applicable Data Protection Law

Under Applicable Data Protection Law, you may have certain rights. The table below outlines your rights. If you would like to request to exercise your rights, please email loungepass.com Your request will be reviewed and responded to as quickly as possible.

Under the CCPA, California residents also have rights relating to disclosure and access and deletion of their personal information. Please see CCPA Notice.

Your rights:	Meaning:
The right to object to the processing	You have the right to object to the processing of your Personal Data in certain situations. You have an absolute right to stop your Personal Data being used for direct marketing.
The right to information	You have the right to be informed whether and to what extent we process your data. E.g. this Privacy Notice.
The right of access	You have the right to request access to your Personal Data we hold. You also have the right to request a copy, and we will provide you with this unless legal exceptions apply.
The right to rectification	If the Personal Data that we process is incomplete or incorrect, you have the right to request their completion or correction at any time.
The right to Erasure (also known as the “right to be forgotten”)	You have the right to request we delete your Personal Data. This is not an absolute right and only applies in certain circumstances, for example, we cannot delete information if there is a legal or regulatory obligation on us to keep it.
The right to restrict the processing	You have the right to request that we restrict the processing of your Personal Data in certain situations. a) If you contest the accuracy of your personal data, you may request that its processing is restricted while we verify its accuracy b) If the processing of your personal data is considered unlawful, but you do not require the deletion of your personal data c) If we no longer need the data for the purposes of its processing, but you need it for the establishment, exercise or defence of legal claims d) If you object to our processing of your data based on our legitimate interests
The right to data portability	You have the right to request that we provide your Personal Data to you in a machine-readable format. This right can only be used where the processing relies on your consent or contract and is carried out by automated means.
Your rights in relation to automated decision making and profiling	You have the right to object to decisions based exclusively on the automated processing of your Personal Data. We do not engage in profiling or any processing related to automated decision-making activity.
The right to withdraw your consent	If your Personal Data is processed based on your consent, you have the right to withdraw your consent at any time. If you withdraw your consent, this will not affect the lawfulness of how we used your personal data before you withdrew consent, and we will let you know if we can no longer provide you with your chosen service.

We will keep a copy of any request. Further, we may charge a reasonable fee or refuse to act on a request if such a request is excessive, repetitive or manifestly unfounded.

If you make a request, where required, we will confirm your identity and ask you to provide us with information to help us deal with your request. We have one month from receiving your request (provided we have verified your identity) to respond.

Please note that for a complex request, we may extend the one month by two months. To exercise your rights please contact loungepass.com

Making a complaint

If you have any questions, concerns or complaints about this Privacy Notice, please contact our Data Protection Team and or our Data Protection Officer at loungepass.com

If you are unsatisfied with our response, you can contact the UK’s Supervisory Authority, the Information Commissioner at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, United Kingdom
SK9 5AF

Phone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

If located within the EU, you can also make a complaint to our lead supervisory authority in Malta at:

Officer of the Information and Data Protection Commissioner

Floor 2, Airways House,
Triq Il-Kbira,
Tas-Sliema SLM 1549, Malta

12. Updates to the Privacy Notice

We keep our Privacy Notice under regular review, and we will make new versions available on our Privacy Notice page on our website. This Privacy Notice was last updated on 18th May 2021.

13. Glossary

Term	Definition
Applicable Data Protection Law	means all applicable worldwide legislation and regulation relating to data protection and privacy including without limitation UK and European Applicable Data Protection Law, the CCPA.
Controller	is a person(s) or company (either alone or jointly or in common with other persons) who decides how Personal Data will be processed.
Criminal Data	Data about criminal proceedings or convictions. Criminal Data should be treated in the same way as Special Category Data.
Legitimate Interest	Processing Personal Data for our activities and needs including providing you with the best service and experience we can offer. We will balance its interests against any possible impact on to you (both positive and negative), your rights or freedom. Where our interest and needs are overridden by your interests, rights or freedom, we will not process your Personal Data (unless you provide us with your consent or required by law).
Personal Data	Information relating to an identifiable person, who can be directly or indirectly identified by reference to an identifier.
Privacy Notice	Also referred to as a Fair Processing Notice) or a Privacy Policy)– Privacy Notice is a document explaining to data subject what Personal Data is processed and how a company will process it
Processor	is an external company or other third parties that collects and processes Personal Data on behalf of a Controller. We undertake activity as both a Controller, and a Processor
Special Category Data	Also referred to as sensitive data, is defined as Personal Data relating to the following, race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.