At The Mountain Company, we understand that privacy is really important, so we have prepared this policy to explain what personal information we collect, why we collect it, how we collect it and what we do with it.
The Mountain Company is a travel operator specialising in adventure holidays, organising treks and tours in Nepal, Pakistan, India, Bhutan and Myanmar (Burma), which we refer to as our “destination countries”. We are registered with Companies House in England and Wales and our registration number is 05309471. Our customers come from all around the world.
When you use our services (from browsing on our webpages to booking and going on a trip with us), you’ll share some information about yourself with us. This enables us to perform our function as a travel operator, from providing information and customised advice about trips that you may be interested in, to organising the finer details of your travels within the destination countries. If you decide to book a trip with us, we’ll need to share certain information that you provide to us with our service providers in the destination countries. This is for logistical purposes to arrange your trip (such as hotel bookings and trekking permits), as well as for personal safety purposes so that in the event of an emergency on your trip, our service providers in the destination countries have the information required to manage the situation appropriately.
For the purposes of data protection legislation, we are the data controller of your personal data. We are registered with the Information Commissioner’s Office in the UK with reference number ZA241051.
By providing personal information to us, you agree that this Policy will apply to how we handle your personal information and you consent to us collecting, using and disclosing your personal information as detailed in this Policy. If you do not agree with any part of this Policy, you must not provide your personal information to us. If you do not provide us with your personal information, or if you withdraw a consent that you have given under this Policy, this may affect our ability to provide services to you or negatively impact the services we can provide to you. For example, most travel bookings must be made under the traveller’s full name and must include contact details and appropriate identification (e.g. passport details). We cannot make bookings for you without that information.
In summary, we keep to a minimum the information that we hold about you. We use the personal information that you provide us with, to provide our services to you, respond to your enquiries, manage our relationship with you, meet our legal obligations, and improve our website and services. We delete your data when it is no longer needed for these purposes. We provide only the data required for logistical and personal safety/security purposes to our service provider in the destination country which you are planning on visiting. We remove access to your data from our service provider in the relevant destination country once your trip is completed. Furthermore, we have agreements in place with each of our service providers in our destination countries as to how they process your data, including to delete/ destroy all of the data which they hold about you once your trip is completed. Data which The Mountain Company retains after your trip, is archived for a period (as detailed below) and is only accessible to our TMC management team, as well as to yourself through your login to Adventure Engine.
We are firmly committed to protecting and respecting your privacy and to maintaining various physical, electronic and procedural safeguards to protect personal information in our care.2) What personal information do we collect, how do we collect it and how do we process it (an overview)?
This depends on our relationship with you and can broadly be divided into three categories:
1) You are just visiting our website
2) You are contacting us for information/ advice regarding a trip that you are considering doing with us
3) You are booking a trip with us and being registered on our booking portal
If you are visiting our website, you should be aware of our Cookies Policy, and understand our use of IP addresses, Social Media Integrations and Linked websites which are explained in detail in sections 3-6 below.
If you are contacting us using our Quick Enquiry tab on the website, in addition to the information above we’ll also need your name and email address so that we can respond to your questions. Rest assured that our website is SSL protected and we keep your information secure as detailed in section 7 below.
Similarly, if you are using the Apply Now tab on our website, the personal information that you are providing us with is kept secure as detailed in section 7 below. This high level of security is very important, as at this point, if you are applying for an adventure trip, we collect some sensitive data from you including medical information as well as information regarding your fitness and previous outdoor experience. As an adventure travel specialist, The Mountain Company takes your personal safety very seriously and uses the information that you provide us with to help inform you regarding your choice of trip, the risks involved, and whether or not it is an appropriate objective for you. This is in keeping with the British Standard for adventurous activities outside of the United Kingdom (BS8848: 2014) which you can read more about here
If you decide to go ahead and book a trip with us, we’ll register you on our online booking portal and you’ll have your own unique login and password. You’ll have access to all of the personal information that we hold on you through this system and you can update your information at any point. We use Adventure Engine as a third party data processor for this purpose and you can read more about how they secure your personal data in section 7 below.
Once we’ve received your information, we’ll use it as needed to organise your trip, such as arranging accommodation, transport and various permits (e.g. trekking permits). We’ll also use it for our accounting and administration processes including regulatory reporting to the Civil Aviation Authority. More details on the specific personal information collected and why it is collected is detailed in section 8 below.
As discussed in section 1 above, in order to organise your trip, we’ll need to share certain information that you provide to us with our service provider in the relevant destination country that you are travelling to, for logistical and personal safety purposes. Our service providers do not have access to your Adventure Engine portal. We provide them with the information they require using Google Drive, and we remove their access to all of this information once your trip is completed. We have agreements in place with each of our service providers in our destination countries as to how they process your data, including to delete/ destroy all of the data which they might still hold about you once your trip is completed. Please refer to section 9 below for more details on the processing of your data by our third party service providers located overseas.
Other than through the methods discussed above, you might also provide us with personal information in person, by telephone, letter, email or when you connect with us via social media. You might also share personal information with us through a post trip questionnaire with your feedback on your trip. We typically only send you one item of post, which includes your booking invoice and a copy of our terms and conditions, as well as some information on your trip.
Once your trip is completed, The Mountain Company will retain your data as required for our business purposes, or as required by law. We retain your data on Adventure Engine, which is accessible only to us and to you, and as an archive on Google Drive, which is only accessible by our management team.
We will only use your personal information to send electronic marketing materials to you in the form of our e-newsletter if you have opted-in to receive it. You can subscribe to receive e-newsletter.. You can unsubscribe from our e-newsletter at any time by following the unsubscribe prompt.
This Section 2 is an overview of how we usually process your data. There may be circumstances outside of this norm where we may be required to share your data with other third parties, or where we may collect data about you from other third parties. This is covered in more detail in Section 10.3) Cookies Policy
They enable us to estimate our audience size and usage pattern, store information about your preferences (and so allow us to customise our site according to your individual interests), speed up your searches and recognise you when you return to our site. Our website uses web analytics cookies provided by Google Analytics.
If you do not want to accept cookies, you can change your browser settings so that cookies are not accepted. If you do this, please be aware that you may lose some of the functionality of our website. For further information about cookies and how to disable them please go to: www.aboutcookies.org or www.allaboutcookies.org4) IP Addresses
When you access our website or open electronic correspondence or communications from us, our servers may record data regarding your device and the network you are using to connect with us, including your IP address. An IP address is a series of numbers which identify your computer, and which are generally assigned when you access the internet.
We may use IP addresses for system administration, investigation of security issues and compiling anonymised data regarding usage of our website.5) Social media integrations
Our websites may use social media features (“SM Features”) and widgets (such as “Like” and “Share” buttons/widgets). These are provided and operated by third party companies (e.g. Facebook and Twitter) and either hosted by a third party or hosted directly on our website. SM Features may collect information such as the page you are visiting on our website, your IP address, and may set cookies to enable the SM Feature to function properly.
If you are logged into your account with the third party company, then the third party may be able to link information about your visit to and use of our website to your social media account with them. Similarly, your interactions with the SM Features may be recorded by the third party. You can manage the sharing of information and opt out from targeted marketing via your privacy settings for the third party social media platform.
7) How we keep your information secure
We strive to protect the privacy and security of all personal information we hold through the use of encryption, security access, firewalls and computer security systems. We have physical, electronic and procedural safeguards in place to protect your data which is held by us. Access to your personal information is restricted to staff who require access in order for us to perform our function as your selected travel operator. We also use third party data processors and servers to store your personal information.
We use the very latest, industry standard Secure Socket Layer (SSL) technology. This technology encrypts the information about you that is entered on our website, prevents other computers impersonating your computer, and prevents third parties reading or changing your information as it travels over the internet.
We will destroy personal information on our systems once we no longer require it for our business purposes, or as required by law.
Adventure Engine is a third party data processor for us. Adventure Engine is PCI compliant and SSL certified. All user data is encrypted and regularly backed up. They take as a first priority potential security vulnerabilities, applying patches and changing their code to follow OWASP recommendations (Open Web Application Security Project). They use Canadian-based hosting at Digital Ocean. You can read Digital Ocean’s Customer GDPR Data Processing Agreement.8) Further details of personal information collected and what it is used for
The personal information we collect about you is the information that is needed to plan for and organise your trip with us. Some of the information is also used for personal safety purposes, both in ensuring that the trip is the right objective for you, and being able to provide you with adequate care in the event of an emergency on your trip. We therefore typically request the following personal information from you:
contact information including name, title, nickname, residential/mailing address, telephone number, email address (so that we can effectively communicate with you);
passport details (required for various permits, certain hotels and flights; also for safety and security purposes in the event that you require consular assistance during your trip) and sometimes a scanned copy of the details page of your passport (for some trekking permits and certain visas);
passport photo (required for trekking permits and certain visas);
date of birth (required for various permits and visas; we also need to know your age, as children and clients over the age of 65 require special consideration when planning for adventure holidays)
gender (relevant for group trips where you might be required to share a tent or a room with someone of the same gender)
next of kin details of someone not travelling with you, including their name, relationship to you, telephone number and email address (for use only as appropriate in an emergency situation)
information about your recent hiking and outdoor experience, previous high altitude treks and problems you might have had during them, current level of fitness and planned fitness training (this helps us to ensure that the trip you are planning to do is the right objective for you, or to make alterations to your itinerary to better suit your capabilities, or to advise on necessary training or skills development to be able to participate in certain adventure activities, etc)
medical or psychiatric conditions and treatments, previous and planned surgical procedures; allergies and other health information (this helps us to ensure that the trip you are planning to do is the right objective for you, or to make alterations to your itinerary to better suit your capabilities; furthermore, we need this information so that we can adequately look after you if you become unwell during your trip or in the event of an accident or emergency situation)
your travel insurance details (for use as appropriate in the case of illness, an accident or emergency, etc)
information about your dietary requirements (particularly relevant for camping trips where our cooks will be preparing food for you, or lodge treks where food choice may be limited)
your flight arrival and departure details (so that we can arrange transport to and from the airport for you) and sometimes a copy of your flight ticket (for certain permits and visas) and
other details relevant to your travel arrangements, such as whom you might be travelling with, whether or not you’d like to share a room, any equipment you might want to rent from us, etc (for logistical organisational purposes)
For trekking trips to Pakistan, you will also be required to complete a Curriculum Vitae form for the Gilgit-Baltistan trekking permit which requires further personal information including your marital status, number of children, profession, employment, education, training, sport, interests and travel history.9) The transfer of personal data overseas
As discussed above, The Mountain Company is a travel operator specialising in adventure holidays, organising treks and tours in Nepal, Pakistan, India, Bhutan and Myanmar (Burma). If you decide to book a trip with us, we’ll need to share certain information that you provide to us with our service providers in the destination countries. This is for logistical purposes to arrange your trip (such as hotel bookings and trekking permits), as well as for personal safety purposes so that in the event of an emergency on your trip, our service providers in the destination countries have the information required to manage the situation appropriately.
We provide only the data required for logistical and personal safety/security purposes to our service provider in the destination country which you are planning on visiting. We remove access to your data from our service provider in the relevant destination country once your trip is completed. Furthermore, we have agreements in place with each of our service providers in our destination countries as to how they process your data, including to delete/ destroy all of the data which they might still hold about you once your trip is completed.
Our service providers do not have access to your Adventure Engine portal. We provide them with the information they require using Google Drive, and we remove their access to all of this information once your trip is completed.
Our service providers will need to provide some of your personal information to third parties in order to book your accommodation, organise transport arrangements including certain flights, organise various permits, organise other activities that you’d like to participate in during your trip, etc.
These overseas recipients are located in a jurisdiction where you are unlikely to be able to seek redress under your local data protection laws and are unlikely to have an equivalent level of data protection as in your jurisdiction. To the extent permitted by the GDPR, we will not be liable for how these overseas recipients handle, store and process your personal information.
If you have any specific questions about where or to whom your personal information will be sent, please refer to the "Feedback / Complaints / Contact" section below (section 12). We will provide you with copies of the relevant safeguard documents on written request (see section 12 below).10) Other third party sharing of personal information
Other than the third parties discussed above in this Policy, some of your personal information may be disclosed if necessary to other third parties as below:
external business advisers (such as lawyers and accountants)
a person making your travel booking on your behalf, where you are travelling on a booking made on your behalf by another person (for example, a family member or friend);
a person who can verify to us that they have a relationship with you (e.g. a family member) where you are not contactable, the person correctly answers security questions and the request is, in our opinion, in your interest (for example, where the person is concerned for your welfare or needs to undertake action on your behalf due to unforeseen circumstances);
as required or authorised by applicable law, and to comply with our legal obligations;
customs and immigration to comply with our legal obligations and any applicable customs/immigration requirements relating to your travel;
government agencies and public authorities to comply with a valid and authorised request, including a court order or other valid legal process;
various regulatory bodies and law enforcement officials and agencies, including to protect against fraud and for related security purposes; and
enforcement agencies where we suspect that unlawful activity has been or may be engaged in and the personal information is a necessary part of our investigation or reporting of the matter.
Other than the above, we will not disclose your personal information without your consent unless we reasonably believe that disclosure is necessary to lessen or prevent a threat to life, health or safety of an individual or to public health or safety or for certain action to be undertaken by an enforcement body (e.g. prevention, detection, investigation, prosecution or punishment of criminal offences), or where such disclosure is authorised or required by law (including applicable privacy / data protection laws).
In some circumstances, it may be necessary for us to collect personal information about you from a third party. This includes where a person makes a travel booking on your behalf which includes travel arrangements to be used by you. Where this occurs, we will rely on the authority of the person making the travel booking to act on behalf of any other traveller on the booking.
Where you make a travel booking on behalf of another person (e.g. a family or group booking), you agree you have obtained the consent of the other person for The Mountain Company to collect, use and disclose the other person’s personal information in accordance with this Policy and that you have otherwise made the other person aware of this Policy.
You should let us know immediately if you become aware that your personal information has been provided to us by another person without your consent or if you did not obtain consent before providing another person’s personal information to us.
We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal information that you, or a person acting on your behalf, provide to us.11) Your rights in relation to the personal information we collect
Under the General Data Protection Regulation, you have a number of important rights available to you for free. In summary, these include:
the right of access: you have the right to know what data about you is being held/processed
the right of portability: you may request that personal data held by us be transported to another service provider
the right to rectification: you may request that incomplete data be completed or that incorrect data be corrected
the right to request the erasure of personal information concerning you in certain situations
the right to receive the personal information concerning you which you have provided to us, in a structured format
the right to stop any direct marketing which you can do through the unsubscribe links at the bottom of our e-newsletter
the right to object to certain data uses
For further information on each of these rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation
If you would like to exercise any of your rights listed above, please refer to the “Feedback / Complaints / Contact” section below (section 12). We may request that you prove your identity by providing us with a copy of a valid means of identification in order for us to comply with our security obligations and to prevent unauthorised disclosure of personal information.
Please note that, if you request that we restrict or stop using personal information we hold on you, or withdraw a consent you have previously given to the processing of such information, this may affect our ability to provide services to you or negatively impact the services we can provide to you.
We reserve the right to charge you a reasonable administrative fee for any manifestly unfounded or excessive requests concerning your access to your personal information, and for any additional copies of the personal information you request from us.12) Feedback/ complaints/ contact
If you have any enquiries, comments or complaints about this Policy or our handling of your personal information, or wish to inform us of a change or correction to your personal information, would like a copy of the information we collect on you or would like to raise a complaint or comment, please contact us using the details set out below:
The Mountain Trekking Company Limited
TQ13 8JF, United Kingdom
We will respond to any enquiries or complaints received as soon as practicable.
We hope that we can resolve any query or concern you raise about our use of your information. If you are not happy with how we manage your personal data, you have the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted here13) Changes to our Policy
We may amend this Policy from time to time. If we make a change to the Policy, the revised version will be posted on our website. We will post a prominent notice on our website to notify you of any significant changes to our Policy and indicate at the end of the Policy when it was most recently updated. It is your responsibility, and we encourage you, to check the website from time to time in order to determine whether there have been any changes. If we update our Policy, in certain circumstances, we may seek your consent.