1. Introduction

Pedal Ventures Holidays Ltd ("we," "us," "our") is committed to protecting the privacy and security of your personal information. This privacy policy describes how we collect, use, and share your personal data when you use our services, including when you book a cycling holiday with us or visit our website.

2. Data Controller

Pedal Ventures Holidays Ltd is the data controller responsible for your personal data. Our contact details are:

• Email: hello@pedalventures.com
• Website: pedalventures.com

3. Types of Personal Data Collected

We collect various types of personal data to provide our services and ensure you have the best possible experience. This includes:

• Name, address, and contact details
• Date of birth
• Payment information
• Height
• Booking history
• Cycling experience/fitness level
• Health information (if provided)
• Dietary requirements (if provided)
• Passport details
• Any other data collected through website forms, cookies, or other tracking technologies

4. Legal Basis for Processing Data

We process your personal data based on the following legal grounds:

• Contract: Processing is necessary for the performance of a contract with you (e.g., providing the cycling holiday you have booked).
• Legitimate Interests: Processing is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not overridden by your interests or fundamental rights. For example, we have a legitimate interest in marketing relevant products and services to our customers.

5. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected and to comply with applicable laws. Specifically:

• We will retain booking data, including name, address, contact details, and booking history, for seven years from the date of your last booking, to comply with our legal obligations and for customer service purposes.
• We will retain payment information for the duration required by our payment processor (PPS) and in accordance with applicable accounting regulations.
• We will retain health information (if provided) for the duration of your trip and will securely delete it within 30 days after your trip, unless we are required to retain it for longer due to legal obligations or with your explicit consent.
• We will retain data collected for marketing purposes for three years from the date of last interaction.

After the retention period, we will securely delete or anonymize your data to prevent further use.

6. Cookies and Tracking Technologies

We collect and use cookies in order to provide the best experience for our customers, to personalise our marketing, and optimise our business. Customers can manage their cookie preferences and delete them if they choose. Our website uses the following types of cookies:

• Essential Cookies: These cookies are necessary for the website to function properly. They enable core functionality such as security, network management, and accessibility.
• Analytics Cookies: These cookies allow us to analyze how visitors use our website so that we can improve its performance and design.
• Marketing Cookies: These cookies are used to track visitors across websites in order to display advertisements that are relevant and engaging to the individual user.

You can manage your cookie preferences through your browser settings. .

7. Data Security Measures

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

• Storing all customer personal data in GDPR-compliant software.
• Restricting access to personal data to members of staff who have undergone training and need access to the data to perform their job duties.
• Using encryption to protect sensitive data, such as health information, both in transit and at rest.
• Implementing regular security updates and vulnerability patching.
• Utilising Protected Trust Services (PTS) to protect your financial information.

8. International Data Transfers

Personal details may be shared with suppliers via email to facilitate your holiday arrangements. Your bank details are securely handled by our payment processor, PPS. We may transfer your data to the following countries outside the UK and the European Economic Area (EEA) in order to provide our services to countries where our suppliers are located.

We will ensure that appropriate safeguards are in place to protect your data when it is transferred outside the UK and EEA. This may include:

• Transferring data to countries that have been deemed to provide an adequate level of data protection by the UK government.
• Using Standard Contractual Clauses approved by the UK government. You can obtain a copy of these clauses by contacting us at hello@pedalventures.com.

In some cases, the transfer may be necessary for the performance of a contract with you (e.g., to provide your holiday), in which case the transfer is permitted under Article 49 of the GDPR.

9. Third-Party Service Providers

We use third-party service providers to assist us in providing our services. We share your personal data with these providers to the extent necessary for them to perform their services. These providers include:

• PPS (Payment Processor)
• Protected Trust Services (PTS)

10. Data Subject Rights

You have the following rights regarding your personal data:

• The right to access: You have the right to request a copy of the personal data we hold about you.
• The right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data.
• The right to erasure: You have the right to request that we delete your personal data in certain circumstances.
• The right to restrict processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
• The right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
• The right to object: You have the right to object to the processing of your personal data in certain circumstances, including the right to object to processing for direct marketing purposes.

To exercise any of these rights, please contact us at hello@pedalventures.com. We will respond to your request within one month of receipt. Please provide proof of identity when making your request.

11. Health Information

When you provide us with health information, such as details of any medical conditions or dietary requirements, you are giving your explicit consent for us to process that information for the purpose of providing you with your holiday and ensuring your safety and well-being. We will take extra care to protect this sensitive information. We will only share it with suppliers who need to know it to provide your holiday, and we will store it securely and delete it as described in Section 5 (Data Retention).

12. Children's Privacy

Our services are not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at hello@pedalventures.com, and we will take steps to delete that information.

13. Policy Updates

We may update this privacy policy from time to time. We will notify you of any material changes by posting the new privacy policy on our website and updating the "Last Updated" date. We encourage you to review this privacy policy periodically for any changes.

Last Updated: 20 March 2025