Carma Adventures’ Privacy Policy

Too busy to read the full policy? Here is the short version:

  • Our Role: Carma Adventures LLP is the "Data Controller" of your information.

  • Main Purpose: We use your data to deliver digital guides, build custom itineraries, and provide travel support.

  • Key Sharing: We use trusted partners like Stripe (payments) and Squarespace (hosting). We never sell your data to third parties.

  • Your Control: You can unsubscribe from marketing or request your data be deleted at any time by emailing contact@carmaadventures.com.

  • ICO Registered: We are registered with the Information Commissioner's Office (Registration No: C1886948).

Contact details

Email: contact@carmaadventures.com

Data Controller: Carma Adventures LLP

ICO Registration Number: C1886948

Company Number: OC458660

What information we collect, use, and why

We collect or use the following information to provide and improve products and services for clients:

  • Names and contact details

  • Addresses

  • Third party information (such as family members or other relevant parties)

  • Payment details (including card or bank information for transfers and direct debits)

  • Transaction data (including details about payments to and from you and details of products and services you have purchased)

  • Usage data (including information about how you interact with and use our website, products and services)

  • Health information (such as medical records or health conditions)

  • Information relating to compliments or complaints

  • Records of meetings and decisions

  • Website user information

We also collect or use the following special category information to provide and improve products and services for clients. This information is subject to additional protection due to its sensitive nature:

  • Health information

We collect or use the following personal information for the operation of client or customer accounts:

  • Names and contact details

  • Addresses

  • Purchase or service history

  • Marketing preferences

  • Technical data, including information about browser and operating systems

We collect or use the following personal information for information updates or marketing purposes:

  • Names and contact details

  • Addresses

  • Marketing preferences

  • Purchase or account history

  • IP addresses

We collect or use the following personal information for research or archiving purposes:

  • Names and contact details

  • Purchase or client account history

We also collect or use the following special category information for research or archiving purposes. This information is subject to additional protection due to its sensitive nature:

  • Health information

We collect or use the following personal information for dealing with queries, complaints or claims:

  • Names and contact details

  • Addresses

  • Payment details

  • Purchase or service history

  • Customer or client accounts and records

  • Financial transaction information

  • Correspondence

We also collect or use the following special category information for dealing with queries, complaints or claims. This information is subject to additional protection due to its sensitive nature:

  • Health information

We collect or use the following personal information to We use your data to create custom itineraries, provide 1-on-1 travel support, and deliver digital guides. This helps us personalise your travel recommendations, communicate regarding your trip, and meet legal, tax, and accounting requirements.:

  • Names and contact details

  • Third party information (such as family members or other relevant parties)

  • Health and wellbeing information (such as medical records or health conditions)

  • Other personal information required for insurance purposes (including travel, vehicle and pet ownership and home information)

  • Client accounts and records

  • Records of meetings and decisions

  • Travel preferences, lifestyle interests, and specific trip requirements (such as dietary choices and preferred travel styles) necessary for bespoke itinerary curation.

We also collect or use the following special category information to We use your data to create custom itineraries, provide 1-on-1 travel support, and deliver digital guides. This helps us personalise your travel recommendations, communicate regarding your trip, and meet legal, tax, and accounting requirements.. This information is subject to additional protection due to its sensitive nature:

  • Health information

Cookies & Tracking

We use cookies to enhance your experience on our website and to understand how you interact with our services.

  • Functionality: Some cookies are essential for the operation of our shop and customer accounts.

  • Control: You can choose to disable cookies through your browser settings, but please note this may affect the functionality of our services.

  • Analytics: We use website user information to improve our digital guides and website performance.

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information to provide and improve products and services for clients are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

    • Contract: (Primary) You need this info to fulfill the purchase of a guide or a custom itinerary. Legitimate interest: To improve your digital guides and website based on how people use them.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for the operation of client or customer accounts are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

    • Contract: To provide the account access they signed up for. Legitimate interest: To keep the account secure and functional.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for information updates or marketing purposes are:

  • Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

    • Consent: (Primary) You must have their permission to send newsletters or marketing emails. Legitimate interest: To send "soft opt-in" updates to existing customers about similar travel products.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for research or archiving purposes:

  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

    • Legitimate interest: To keep records of business performance and historical travel trends to improve future offerings. Legal obligation: For tax and accounting records that must be archived by law.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

    • Contract: To resolve issues related to a service they paid for. Legal obligation: If a complaint leads to a legal requirement to hold or share data. Legitimate interest: To protect your business in the event of a claim.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information to We use your data to create custom itineraries, provide 1-on-1 travel support, and deliver digital guides. This helps us personalise your travel recommendations, communicate regarding your trip, and meet legal, tax, and accounting requirements. are:

  • Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

  • Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.

Where we get personal information from

  • Directly from you

  • Suppliers and service providers

  • Third parties:

    • Third parties: Customers who provide information about their travel companions (family or friends) when booking a custom itinerary.

  • Automated technologies such as cookies and website analytics when users interact with our site.

How long we keep information

We keep your personal information only for as long as necessary to fulfill the purposes we collected it for. Our specific retention periods are:

  • Financial & Transaction Records: We store payment and invoice data for 6 years to comply with UK tax and accounting legal obligations.

  • Custom Itineraries & Planning Data: We retain bespoke travel plans and client preferences for 3 years after the completion of the trip to assist with future bookings and provide ongoing support.

  • Marketing Information: We keep your contact details for marketing purposes until you unsubscribe or withdraw your consent.

  • General Inquiries: We store correspondence from 1-on-1 support queries for 2 years to ensure we can resolve any follow-up questions effectively.

Who we share information with

Data processors

Payment Service Providers (Financial Technology Sector, USA/UK/Ireland).

This data processor does the following activities for us: They securely process customer payments for our Digital Travel Guides, Custom Itineraries, and 1-on-1 Support. They handle encrypted credit card data so we don\'t have to store it ourselves.

Website Hosting and Content Management Platform (IT & Tech Sector, USA/UK).

This data processor does the following activities for us: They provide the infrastructure for our online shop, store our digital guide files, and collect customer information through our contact and booking forms.

Email Service Providers (Marketing Sector, USA/UK).

This data processor does the following activities for us: They store names and email addresses of customers who have opted-in to receive travel updates, newsletters, and digital product delivery emails.

Cloud Computing & Document Management Providers (IT Sector, USA).

This data processor does the following activities for us: They are used to host our Google Maps Lists, store our Custom Itinerary documents, and manage our 1-on-1 travel support records and meeting notes.

Others we share personal information with

  • Advertising Partners: We share limited data with affiliate networks to track successful referrals from our links.

  • Professional or legal advisors

  • Emergency services

  • Organisations we’re legally obliged to share personal information with

  • Suppliers and service providers

Children’s information

Family-Friendly Summary: We take extra care with information about children. We only collect details like age or dietary needs when provided by a parent to help us plan a safe and fun family trip. We never use children's data for marketing. If you are under 18 and have questions about your data, please ask your parent to email us at contact@carmaadventures.com.

Sharing information outside the UK

Where necessary, we may transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

Organisation name: Squarespace, Inc.

Category of recipient: Website hosting and e-commerce platform provider.

Country the personal information is sent to: United States

How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)

Organisation name: Stripe, Inc.

Category of recipient: Payment processing and financial services.

Country the personal information is sent to: United States.

How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)

Organisation name: Squarespace Email Marketing

Category of recipient: Email marketing and automated communication provider.

Country the personal information is sent to: United States.

How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)

Where necessary, our data processors will share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

Organisation name: Amazon Web Services (AWS) or Google Cloud.

Category of recipient: Sub-processor (Data storage and infrastructure).

Country the personal information is sent to: United States.

How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)

Data security

We implement a variety of security measures to protect your personal information:

  • Encryption: Data is encrypted using SSL (Secure Sockets Layer) technology during transmission.

  • Access Controls: Access to personal data is restricted to authorised personnel who need the information to perform a specific job (e.g., creating your itinerary).

  • Regular Security Audits: We regularly review our security practices and those of our processors (like Squarespace and Stripe) to ensure your information remains protected.

Changes to this Privacy Policy

We may update our Privacy Policy from time to time to reflect changes in our services or legal obligations. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the bottom of this notice. We encourage you to review this Privacy Policy periodically for any changes. Changes are effective immediately when they are posted.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

  • Our Commitment: We will acknowledge any data complaint within 30 days and investigate it thoroughly.

  • Escalation: If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:           

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Last updated

4 March 2026