Privacy Policy
- Welcome
Welcome to our privacy notice (“Privacy Notice”). At LoungeKey ("we, us, our,") we respect and commit to protecting your personal data. Our Privacy Notice, together with our Terms of Use, will explain how we collect, use, store, share and look after your data:
- When you interact or use our website and App (together “Website”), or
- If you use any of our products, services and or applications (together “services”).
- About Us and Contact Details
LoungeKey is a company registered in England and Wales, at 3 More London Riverside, London, SE1 2AQ with company numbe 08792537and is a subsidiary of The Collinson Group Limited (the “Collinson Group”).
Under Applicable Data Protection Law, we are the Controller of your Personal Data we process. We may also act as a Processor if you obtained your LoungeKey benefit through your card issuer.
The Collinson Group has appointed a Group Data Protection Officer (“DPO”). If you have any questions about this Privacy Notice or would like to know how we handle your Personal Data, please contact the DPO or the Data Protection Team by post at The Data Protection Officer, 3 More London Riverside, London, SE1 2AQ or by email at Data.Protection@loungekey.com
- Our Global Presence
We are a company with a global presence and must meet many data protection and privacy law requirements in the countries we operate. If you are a resident of California, we must comply with the Californian Consumer Privacy Act (“CCPA”). Please click here for the CCPA notice.
- Personal Data we collect about you.
We will collect your Personal Data from:- You e.g. when you register your interest or sign up to use our services or provide us with your marketing preference.
- our clients or prospective clients who send us your Personal Data to allow us to give you access to our services or communicate with you.
- your devices e.g. when you connect to our Website, use our Website.
- through cookies we use on our Websites to secure our Website, to offer you personalised experiences.
- third parties such as social media platforms where you may interact with our social media pages, companies within the Collinson Group assisting us with services we offer you, service providers carrying out services on our behalf e.g. marketing and fulfilment partners, data enrichment service providers.
The table below outlines the categories of Personal Data we collect and examples of the type.
Categories of Personal Data Type of Personal Data Contact details Name, email address, telephone number, mobile number, address Benefit details Information about your benefit with us, login details, date of birth, gender, customer numbers, payment detail, marketing preference, security answer. Transaction details and history Services you access and purchase, such as lounges or merchants you visit, as part of your LoungeKey benefits; Boarding card information Nationality data Passport number, nationality, country of residence language preference Payment details Payment method used, credit and debit card, bank details Geolocation Data (if using our App) With your permission we will collect your precise location data through your internet-connected mobile device. We will use technologies such as GPS and other sensors to determine location. Device details Traffic information, IP address, time of access, date of access, location, web pages visited, device identifiers. Website use data Please see our LoungeKey cookie notice. Please see Shopify cookie policy.
Marketing and Advertising data Your marketing preferences and responses to our direct marketing, e.g. when and if you have opened, read and deleted our marketing emails, links clicked in marketing emails. Your communications with us Any Personal Data you provide us when you contact us. We also record your calls with us. We collect and store all copies of emails sent. Fraud data Any suspicious activities and details.
We do not knowingly collect or solicit Personal Data from anyone under the age of 18. If you are under 18, please do not attempt to register for our services or send any Personal Data about yourself to us. If we learn that we have collected Personal Data from a child under age 18, we will delete that information as quickly as possible. If you believe that a child under 18 may have provided us personal data, please contact us Data.Protection@loungekey.com
- How we use your Personal Data
We will use your Personal Data in the following circumstances:- to perform a contract, we have with you ( or about to enter with you.
- for our Legitimate Interest (or those of a third party), but only when your rights and freedoms do not override our legitimate interest. Our legitimate interest is, to help us improve our services and products and to obtain feedback from you.
- to comply with a legal and regulatory obligation.
- where we have your consent. If we have relied on consent to process your personal data, you have the right to withdraw your consent at any time by contacting info@loungekey.com
The table outlines the lawful basis we can rely on to process your Personal Data.
What we use your information for Our legal basis for doing so To provide you with access to our Website and or our mobile app. To perform a contract, we have with you or are about to enter into with you Provide access to travel experiences within the service programme To perform a contract, we have with you or are about to enter into with you Geolocation - To inform you of airport experiences near your current location. (App only)
Where we have your consent. To manage our relationship with you as a user of the Website which includes notifying you about changes to our Websites and the services we offer. Legitimate Interest (to keep our records updated and to study how customer use our product and services). To provide you with information you have requested, including without limitation, quotations, Service documentation, brochures, and responses to applications. Where we have your consent. To respond to any enquiries from you regarding our services. To perform a contract, we have with you or are about to enter into with you. Process any payment required for the products and services you have requested To perform a contract, we have with you or are about to enter into with you Store your payment card details, in order to be able to take agreed payments, as explained in the Conditions of Use To perform a contract, we have with you or are about to enter into with you. Provide you with newsletters, and other communications about the services you have purchased or chosen to opt into. Where we have your consent Offer customer surveys to improve our products and services For our legitimate interests to improve our services Analyse your usage of our services in order to be able to personalise your service and improve our products For our legitimate interests to improve usage of our services To provide you with information about certain other goods and services which we believe may be of interest to you. Where we have your consent. To send you targeted electronic communications about our services for marketing purposes. Where we have your consent To enrich your data Legitimate interest to better understand you as a customer to provide you with a better service. To send marketing communication by post about our services. Legitimate Interest - where you have not opted out to receive communication via post. To help us communicate to you about our services that may be of interest To receive feedback from you on our services Legitimate Interest to help understand how we can improve our services To provide a better customer experience and understand your advertising needs. Legitimate Interest to help us understand how we can develop our marketing strategy. To provide customer support services To perform a contract, we have with you or are about to enter into with you
To protect the company and you from fraud Legitimate Interest (to prevent and detect fraud and other financial crime)
- We may also keep and use your Personal Data to comply with our legal obligations, resolve disputes, and enforce our agreements.
- We may access, use and preserve your Personal Data to comply with law, in anticipation of litigation, or to protect our rights or property or those of third parties, even if your Personal Data is subject to a deletion request from you. We may also provide information to law enforcement or authorities to protect the safety of you, other users of our services or others.
- Sale, acquire, merger, or change of ownership. If we merge with another company, or our equity securities or all or a part of our assets are sold to a third party, your Personal Data may be transferred to the buyer or successor entity. We will notify you and other users of any transfer to a different legal entity.
- Marketing and your Personal Data
Marketing communications to our clients or other companies
We send commercial e-mails to individuals at our clients’ or other companies where we want to develop or maintain a business relationship or if they have used or shown interest in our services previously and have not opted out of marketing.
Marketing within the Collinson Group
We are part of the Collinson Group. If you consent to receive marketing from other companies within the Collinson Group, we will share your Personal Data with these companies so they can send you information about their products and services and any news that may be of interest to you. Each entity will be a separate Controller for the marketing they send to you and will handle your Personal Data, and any opt outs as set out in their Privacy Notice on their Website.
Third Party Marketing
With your consent we may share your information with selected third parties and partners outside the Collinson Group for marketing purposes. If you consent, we will share your Personal Data with these partners and third parties. They will handle your Personal Data, and any opt outs as set out in their Privacy Notice on their Website.
Opting out of Marketing
Where you consent to receive communication for marketing purposes, you have the right to opt-out. You can opt-out of receiving marketing communication at any time by following the opt-out links or option in any marketing messages sent to you or by contacting us any time at info@loungekey.com
If you opt-out of marketing, you will stop receiving marketing from us within 30 days. Please note, this does not apply to service communication, market research or customer surveys or any other processing outside marketing.
If opting out of marketing by post, please expect 30 days for the marketing to stop.
Where you consent to receive marketing from our selected partners, third parties or companies within the Collinson Group, you should contact them directly to opt-out of receiving their marketing communications.
- How we share your Personal Data
We may share your Personal Data with the following types of companies, (Controllers or Processors) for the reasons explained in section 6.
Companies (Processors) we will share your Personal Data with include:- IT service providers, data disposal service providers, data enrichment services and data storage service providers.
- Data enrichment service providers to enhance the data we already hold about you to help us make more informed decisions and better understand you as a customer.
- Companies within the Collinson Group acting as our processor, to help us provide our services to you e.g. our customer service function to handle your enquiries.
- Our providers, AWS, who host our Websites.
- Lounges or merchants’ providers which you visit, as part of your program benefit, so they can record and account for your visit.
- We also share your Personal Data with payment service providers and data analytics services.
Where we share your Personal Data with our service providers, we enter into contracts to ensure they also protect your Personal Data in line with Applicable Data Protection Law and to this Privacy Notice.
Companies (Controllers) we will share your Personal Data with include:
- Companies within the Collinson Group to offer you services or products, where we have your consent.
- Other third parties outside the Collinson Group to offer you services or products, where we have your consent.
- Where service is a benefit of your payment card and therefore we act as processor for issuers, the Issuers as controllers may instruct us to share your personal data with them our partners or clients which provide joint marketing services
Where we share your Personal Data with the Controllers mentioned above, we enter contracts to ensure your data is protected, as Controller they will also have a legal obligation to protect your data.
To help protect you and us from fraud, to combat money laundering and protect our Website from illegal use, we will share your Personal Data with fraud prevention agencies, payment service providers, banks, financial institutions and similar third parties for checking your identity, monitoring your behaviour on our Website. These additional service providers are Controllers and will have their obligations to protect and secure your data under Applicable Data Protection Law.
We may also share your Personal Data with law enforcement and statutory authorities when required by the law in the following circumstances:- To comply with a request for information from a governmental body such as law enforcement (police) or other public authorities;
- To comply with a court order to disclose your Personal Data;
- To comply with a regulatory investigation; and
- The establishment, exercise or defence of a legal claim (including in connection with an investigation or enquiry by a competent regulatory authority).
We may share your data with your Issuers:- Where we are controllers and have contractual obligations to share your data with Issuers.
- Where we act as a processor for issuers, the Issuers as controllers may instruct us to share your data with them.
There are other circumstances where we share your Personal Data:- The Collinson Group may transfer all your Personal Data to a third party if the operator of the Website changes, or if there is a sale of all or any part of its business or its assets or if we go out of business, enter bankruptcy, or go through some other change of control. In the event of any of these transfers occurring, the party who acquires the data will assume the rights and obligations described in this Privacy Notice.
- We may share your Personal Data with courts, law enforcement, and governmental authorities and other third parties if required by law, subpoena, a directive from a regulatory authority or as otherwise necessary to comply with legal requirements or to protect our rights or property or those of third parties.
Geolocation
If you open or use our App on your mobile device and we have your consent, we will use the location data from your mobile device (e.g. latitude and longitude), to show you a list of our nearby airport experiences.
If you choose not to give us access to your location data, you can still use the App, but you will not receive notifications detailing our nearby airport experiences.
We will also use your mobile device's background location’ to send you notifications about our nearby airport experiences, such as, our contactless ordering options, ready2order. If you have ‘background location’ turned on, our app will, from time to time, tell us about your device’s location even if you are not directly interacting with the App.
Your location data will only be used for the above purposes. Only pseudonymised consumer ID will be shared with Google analytics and Mixpanel. . For more information about location data please visit Apple’s Location Services & Privacy page for iOS and Google’s How it uses location information page for Androids.
We may have links to other sites promoting our partners and clients. Please read their Privacy Notices available on their Website to find out how they process Personal Data. This Privacy Notice will not cover their use of Personal Data.
- International Transfer of your Personal Data
We will send your data to countries outside the UK and the EEA (transfers outside the EEA include transfers to the UK), where different data protection laws may apply. These transfers will only happen when:- we use service provider companies outside the UK or EEA;
- there is a legal or regulatory obligation;
- to meet our contractual obligation with you or about to enter with you; or
- we have your consent.
Where we transfer your data to a service provider company outside the UK or the EEA, we will implement safeguards so that your data continues to be protected. We protect your data by making sure:- the country has adequacy protection approved by the European Commission or UK; or
- we conduct a security and data protection transfer assessment and put an appropriate contract in place with approved UK or European Commission standard contractual clauses between the company and us.
- Retention of your Personal Data
We will not keep your Personal Data for longer than is necessary. When defining the retention period, we take several factors into consideration, the type and sensitivity of the Personal Data in question, the reason why the data was collected and processed, our legal basis for processing the Personal Data, who the Personal Data relates to and their rights and freedom. We also consider any legal and regulatory requirements to keep the data. Where we are the Processor, we will retain and dispose of the information under instructions from the Controller.
When the retention period has expired, we dispose of your Personal Data securely.
If you opt-out of receiving marketing, some Personal Data will be retained and added to our suppression list to ensure we do not market to you again.
- Security of your Personal Data
We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorised access, disclosure, alteration and destruction. We have written procedures and policies regularly audited, and the audits are reviewed at a senior level.
Where personal data is transmitted across the internet, it will be encrypted. Where we have given you (or where you have chosen) a password which enables you to access certain parts of your personal data, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
- Your rights under Applicable Data Protection Law
Under Applicable Data Protection Law, you may have certain rights. The table below outlines your rights. If you would like to request to exercise your rights, please email info@loungekey.com. Your request will be reviewed and responded to as quickly as possible.
Under the CCPA, California residents also have rights relating to disclosure and access and deletion of their personal information. Please see CCPA Notice.
Your rights: Meaning: The right to object to the processing You have the right to object to the processing of your Personal Data in certain situations.
You have an absolute right to stop your Personal Data being used for direct marketing.The right to information You have the right to be informed whether and to what extent we process your data. E.g. this Privacy Notice. The right of access You have the right to request access to your Personal Data we hold. You also have the right to request a copy, and we will provide you with this unless legal exceptions apply. The right to rectification If the Personal Data that we process is incomplete or incorrect, you have the right to request their completion or correction at any time. The right to Erasure (also known as the “right to be forgotten”) You have the right to request we delete your Personal Data.
This is not an absolute right and only applies in certain circumstances, for example, we cannot delete information if there is a legal or regulatory obligation on us to keep it.The right to restrict the processing You have the right to request that we restrict the processing of your Personal Data in certain situations. - If you contest the accuracy of your personal data, you may request that its processing is restricted while we verify its accuracy
- If the processing of your personal data is considered unlawful, but you do not require the deletion of your personal data
- If we no longer need the data for the purposes of its processing, but you need it for the establishment, exercise or defence of legal claims
- If you object to our processing of your data based on our legitimate interests
The right to data portability You have the right to request that we provide your Personal Data to you in a machine-readable format.
This right can only be used where the processing relies on your consent or contract and is carried out by automated means.Your rights in relation to automated decision making and profiling You have the right to object to decisions based exclusively on the automated processing of your Personal Data.
We do not engage in profiling or any processing related to automated decision-making activity.The right to withdraw your consent If your Personal Data is processed based on your consent, you have the right to withdraw your consent at any time.
If you withdraw your consent, this will not affect the lawfulness of how we used your personal data before you withdrew consent, and we will let you know if we can no longer provide you with your chosen service.
We will keep a copy of any request. Further, we may charge a reasonable fee or refuse to act on a request if such a request is excessive, repetitive or manifestly unfounded. If you make a request, where required, we will confirm your identity and ask you to provide us with information to help us deal with your request. We have one month from receiving your request (provided we have verified your identity) to respond. Please note that for a complex request, we may extend the one month by two months. To exercise your rights please contact info@loungekey.com
Making a complaint
If you have any questions, concerns or complaints about this Privacy Notice, please contact our Data Protection Team and or our Data Protection Officer at Data.Protection@loungekey.com
If you are unsatisfied with our response, you can contact the UK’s Supervisory Authority, the Information Commissioner at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, United Kingdom
SK9 5AF
Phone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
If located within the EU, you can also make a complaint to our lead supervisory authority in Malta at:
Officer of the Information and Data Protection Commissioner
Floor 2, Airways House,
Triq Il-Kbira,
Tas-Sliema SLM 1549, Malta
- Updates to the Privacy Notice
We keep our Privacy Notice under regular review, and we will make new versions available on our Privacy Notice page on our website.
This Privacy Notice was last updated on 19th March 2021.
- Glossary
Term Definition Applicable Data Protection Law means all applicable worldwide legislation and regulation relating to data protection and privacy including without limitation UK and European Applicable Data Protection Law, the CCPA. Controller is a person(s) or company (either alone or jointly or in common with other persons) who decides how Personal Data will be processed. Criminal Data Data about criminal proceedings or convictions. Criminal Data should be treated in the same way as Special Category Data. Issuers The issuing bank of the payment card through which you receive your LoungeKey benefit Legitimate Interest Processing Personal Data for our activities and needs including providing you with the best service and experience we can offer. We will balance its interests against any possible impact on to you (both positive and negative), your rights or freedom. Where our interest and needs are overridden by your interests, rights or freedom, we will not process your Personal Data (unless you provide us with your consent or required by law). Personal Data Information relating to an identifiable person, who can be directly or indirectly identified by reference to an identifier. Privacy Notice Also referred to as a Fair Processing Notice) or a Privacy Policy)– Privacy Notice is a document explaining to data subject what Personal Data is processed and how a company will process it Processor is an external company or other third parties that collects and processes Personal Data on behalf of a Controller. We undertake activity as both a Controller, and a Processor Special Category Data Also referred to as sensitive data, is defined as Personal Data relating to the following, race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.