Privacy Policy
Table of contents
- Who we are
- Personal data we collect
- How we collect it
- Lawful basis for processing
- How we use your data
- Apple Sign In / Google Sign In
- Apple Wallet / Google Wallet
- Apple Pay / Google Pay
- Stripe payments
- Booking fulfilment partners
- Push notifications & device tokens
- Passport OCR & ID documents
- Geolocation
- Avatar & uploads
- Marketing & analytics
- Catch-all email forwarding
- Live-viewer & recent-bookings rotator
- International transfers
- Retention periods
- Security measures
- Your UK GDPR rights
- Children
- Cookies
- Third-party links
- Updates to this policy
- Contact & complaints (ICO)
1Who we are
The data controller is Mando Systems Ltd (Company No. 17168657), trading as Bookora, registered in England and Wales. We comply with the UK GDPR (Retained Regulation (EU) 2016/679) and the Data Protection Act 2018. Privacy enquiries: privacy@bookora.co.uk.
2Personal data we collect
| Category | Examples |
|---|---|
| Identity | First name, last name, title, date of birth (optional, for birthday vouchers and flight bookings) |
| Contact | Email, phone number, postal address (for receipts and ID-verification only) |
| Account credentials | Hashed password (bcrypt), Apple ID identifier, Google ID identifier, 2FA phone, last login timestamp |
| Profile | Avatar image (if uploaded), preferences, language, theme |
| Travel documents | Passport number, expiry, issuing country, nationality — only when making flight bookings |
| Payment | Last 4 digits of card, card brand, Stripe payment-method ID, billing address. Never full card numbers. |
| Booking data | Booking references, dates, locations, prices paid, cancellation history, reviews |
| Loyalty | XP balance, voucher codes earned, referral relationships |
| Device & technical | IP address, user agent, OS version, app version, device model |
| Push device tokens | APNs tokens, FCM tokens (only if you grant push permission) |
| Geolocation | Approximate location (city-level) only when you actively use “Nearby” |
| Communications | Support tickets, chat messages, emails sent to/from us |
3How we collect it
- Directly from you — account creation, booking forms, support tickets, profile edits
- Automatically — cookies (see Cookies Policy), server logs, device characteristics during normal use
- From third parties — Apple/Google when you use Sign in with Apple/Google, Stripe (payment status), and the airlines/hotels/operators that confirm bookings on our behalf
4Lawful basis for processing
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Creating your account & processing bookings | Performance of a contract (Art. 6(1)(b)) |
| Sending booking confirmations & service emails | Performance of a contract (Art. 6(1)(b)) |
| Customer-support communications | Performance of a contract / legitimate interests |
| Fraud prevention, security, abuse detection | Legitimate interests (Art. 6(1)(f)) and legal obligation |
| Anti-money-laundering checks | Legal obligation (Art. 6(1)(c)) |
| Marketing emails & push (other than transactional) | Consent (Art. 6(1)(a)) — opt-in only, withdrawable any time |
| Analytics & product improvement | Legitimate interests, with anonymisation where possible |
| Storing financial records | Legal obligation (HMRC; 6 years) |
5How we use your data
- Confirm and deliver bookings to you and to the airline / hotel / operator fulfilling your purchase
- Process payments and refunds via Stripe
- Send booking confirmations, e-tickets, vouchers, calendar files, Apple/Google Wallet passes
- Notify you of supplier-initiated changes (delays, cancellations, gate changes)
- Provide customer support and chat with the business you booked
- Calculate XP, vouchers, referrals and tier progression
- Detect and prevent fraud (failed-payment patterns, repeated chargebacks, multi-account abuse, honeypot triggers)
- Comply with HMRC, ICO and law-enforcement obligations
- Improve the service (analyse aggregated usage, fix bugs, add features)
6Apple Sign In / Google Sign In
When you sign in with Apple, we receive: stable identifier, and on first sign-in only, your name and email. If you choose “Hide my email”, we receive a privaterelay forwarding address only.
When you sign in with Google, we receive: name, email, profile picture URL, stable Google identifier.
We store these credentials and use them only to identify you on subsequent logins. Apple and Google’s privacy policies govern any data they collect on their side.
7Apple Wallet / Google Wallet
Apple Wallet: we generate a signed .pkpass file containing your booking reference, route or address, name and a QR code. Apple does not see this content unless you choose to add the pass to your device. The pass-update protocol may transmit subsequent changes (gate change, delay) to Apple’s push relay, which forwards them to your device. We use a Pass Type ID registered under Apple’s Developer Program.
Google Wallet: when you save a pass to Google Wallet, the pass details (name, route/address, QR) are transmitted to Google to be stored in your Wallet account. Google’s privacy policy applies.
You can remove a pass at any time from the respective Wallet app.
8Apple Pay / Google Pay
When you pay with Apple Pay or Google Pay, the underlying card transaction is still processed by Stripe. Apple/Google return only a tokenised payment method to Stripe. Bookora never sees your real card number, only the last 4 digits and brand for display purposes.
9Stripe payments
We use Stripe Payments UK Ltd (registered with the FCA) for all payments. Stripe is PCI-DSS Level 1 certified.
- Card numbers, CVV and expiry never touch our servers; they are tokenised by Stripe at checkout
- We store: Stripe customer ID, payment-method ID, last 4 digits, brand, billing postcode
- For local services we use Stripe Connect with destination charges; the connected business sees the booking holder’s name and email but not card details
- Stripe’s privacy policy: stripe.com/privacy
10Booking fulfilment partners
To fulfil your bookings, we share necessary data with the airlines, hotels, transfer operators, activity operators and connectivity carriers that actually deliver the service:
| Booking type | Data shared with the operator |
|---|---|
| Flights | Passenger name, date of birth, gender, passport details, contact details, payment authorisation, special-assistance requests where given |
| Hotels | Lead-guest name, email, phone, check-in/out dates, room preferences, special requests |
| Activities | Lead-guest name, email, phone, party size, special requests, age confirmations where required |
| Transfers | Lead-passenger name, contact phone, flight number, pickup/dropoff addresses, party size and luggage count |
| eSIMs | Customer email and country selection only — the connectivity carrier needs this to provision the eSIM and email install codes |
Each operator processes the data under their own privacy policy and applicable consumer law (UK / EU GDPR or equivalent in their jurisdiction). We share only what is necessary for fulfilment. We do not share your password, payment-method tokens, or unrelated bookings.
11Push notifications & device tokens
If you grant push permission, we store your device token (APNs for iOS, FCM for Android) along with platform, app version, and OS version. We send pushes via Apple/Google’s relay services; the message body itself transits their infrastructure but is not stored long-term by them.
You can manage categories or revoke push permission at any time via iOS/Android settings.
12Passport OCR & ID documents
If you use our optional passport-OCR feature:
- The image is uploaded over HTTPS to our servers
- We extract MRZ fields (name, DOB, passport number, expiry, country) using server-side OCR
- The extracted text is returned to your form for verification
- The original image is deleted within 24 hours; the extracted text is retained only as part of your flight booking record
- Passport details may be transmitted to the airline as required for the booking; this is the same data you would otherwise type manually
13Geolocation
We request approximate location only when you actively use the “Nearby” feature. Coordinates are sent to our backend, used for the radius search, and not stored. We do not track your location in the background.
14Avatar & uploads
If you upload an avatar or photos to a support ticket, those files are stored in our private storage and are accessible only to authenticated users associated with the relevant account/ticket. Avatars are publicly readable via signed URLs because they appear in business chat threads after you book.
15Marketing & analytics
We send marketing emails only with explicit opt-in (unticked at signup; you can opt-in later in account settings). Every marketing email contains an unsubscribe link.
For analytics we use aggregate, anonymised data wherever possible. We do not currently use Meta Pixel, Google Analytics, or any third-party tracker that personally identifies you.
16Catch-all email forwarding
Bookora maintains a mail server that catches all @bookora.co.uk addresses. Emails sent to any address are forwarded to a secure inbox and triaged by Bookora staff. Replies come from the appropriate functional email so customers never see personal addresses.
17Live-viewer & recent-bookings rotator
The “X people viewing this now” counter on business profile pages tracks aggregate, anonymous viewer counts for the last 5 minutes — no individual profile is identified to other users.
The “Recent bookings” rotator at the top of pages displays first names and city names of recent bookings for social proof. This data is anonymised before display.
18International transfers
Where we transfer data outside the UK (e.g. to airlines headquartered abroad, hotels worldwide, connectivity carriers in Europe), we rely on:
- Adequacy decisions (e.g. EU/EEA member states, Switzerland, Israel, Japan)
- UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses where adequacy is not present
- Apple, Google and Stripe operate under their global compliance programs covering UK transfers
19Retention periods
| Data | Retention |
|---|---|
| Account profile (active accounts) | For the lifetime of the account |
| Account profile (deactivated) | 30 days, then anonymised (replaced with hash) |
| Booking records (financial) | 6 years from booking date (HMRC requirement) |
| Payment records | 6 years from payment date |
| Server logs (incl. IPs) | 30 days, then deleted |
| Support tickets | 3 years after last activity |
| Marketing opt-in records | Until you withdraw + 1 year audit period |
| Passport-OCR images | 24 hours; the extracted text is retained as part of the booking |
| Push device tokens | Until you log out or revoke permission |
| Avatar images | Until you remove or delete account |
20Security measures
- HTTPS (TLS 1.3) on all endpoints, HSTS enforced, no plain-HTTP traffic accepted
- Password storage uses bcrypt with cost factor 12
- API authentication via Laravel Sanctum bearer tokens
- Rate limiting on login (5 attempts/min/IP) and sensitive forms
- Web-server firewall (Cloudflare) with bot-protection rules
- Database backups encrypted at rest, off-site daily, 30-day retention
- Stripe handles all card data (PCI-DSS Level 1 segregation)
- Apple/Google identity tokens verified server-side via JWKS
- Honeypot fields on public forms, IP rate limits on contact submissions
- Regular security review and dependency-vulnerability scanning
We will notify affected users and the ICO within 72 hours of any breach affecting personal data, as required by UK GDPR Art. 33.
21Your UK GDPR rights
- Access — request a copy of your data
- Rectification — correct inaccurate data
- Erasure (“right to be forgotten”) — subject to financial-record-keeping obligations
- Restriction — pause processing while a query is investigated
- Portability — receive your data in a structured, machine-readable format (JSON/ZIP via Settings > Account > Export data)
- Objection — object to processing based on legitimate interests, including marketing
- Withdraw consent — for any processing based on consent
- Lodge a complaint with the Information Commissioner’s Office (ICO)
To exercise any right, email privacy@bookora.co.uk. We respond within 30 days.
22Children
Bookora is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided data, contact us and we will delete it.
23Cookies
Detailed in our separate Cookies Policy. We use essential cookies (session, CSRF, theme), and you can opt out of analytics via the cookie banner.
24Third-party links
Bookora pages may link to third-party sites (airlines for online check-in, hotels, partner help centres). Our Privacy Policy does not cover those sites; check theirs.
25Updates to this policy
Material changes will be notified by email and an in-app banner at least 14 days before taking effect.
26. Contact & complaints
Mando Systems Ltd, trading as Bookora
Company No. 17168657 — England & Wales
Registered office: 10 Pilgrims Walk, Worthing, BN13 1RJ
Privacy & data requests: privacy@bookora.co.uk
If you are not satisfied with our response, you may complain to the UK’s Information Commissioner’s Office:
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Web: ico.org.uk/make-a-complaint