Privacy Policy

This Privacy Policy sets forth our commitment to protecting your personal data and explains in detail how we collect, use, and safeguard such information. We encourage you to read this document carefully to understand your rights and choices regarding your personal data.

1. General Information

1.1. Scope of Policy. This Privacy Policy (the "Policy") governs the processing of personal data collected from individual users ("you" and "your") through the website https://easy-eta.com and all associated domains, software, and services (collectively, the "Service").

1.2. Data Controller. The Service is owned and operated by EasyETA ("we", "us", and "our"). We act as the data controller for the purposes of applicable data protection legislation.

1.3. Service Description. The Service facilitates UK Electronic Travel Authorisation (ETA) applications and may, where functionality permits, offer complementary services such as hotel bookings, airline ticketing, and holiday packages for travellers to the United Kingdom.

1.4. Third-Party Services. This Policy applies exclusively to the Service. We are not responsible for the privacy practices of any third-party websites, applications, or services that may integrate with the Service. We encourage you to review the privacy policies of any third parties before providing them with your personal data.

The Service is protected by reCAPTCHA, and the Google Privacy Policy and Terms of Service apply to this feature.

1.5. Age Restrictions. The Service is not intended for use by persons under 18 years of age. We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected personal data from a person under 18, we will take steps to delete such information from our systems. Parents or legal guardians may use the Service to obtain ETAs for minors, but we do not enter into direct contractual relationships with minors.

1.6. Policy Updates. We reserve the right to modify this Policy at any time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Any modifications will be effective immediately upon posting the updated Policy on the Service. For material changes:

• We will notify you via email (if we have your contact details);

• We will post a notice on the Service;

• Where required by applicable law, we will seek your explicit consent.

Your continued use of the Service following the posting of changes constitutes your acceptance of such changes.

2. Collection and Use of Personal Data

2.1. Sources of Personal Data. We obtain your personal data through the following channels:

• Direct Provision: Information you provide directly when completing our online application forms or contacting us;

• Automated Collection: Technical information collected automatically through your use of the Service via cookies and analytics tools;

• Third-Party Sources: Information received from authorised third parties with a legal basis for sharing such data (e.g., payment processors).

2.2. Data Collection Principles. Our data collection practices adhere to the following principles:

• Data minimisation - collecting only what is necessary;

• Purpose limitation - using data only for specified, legitimate purposes;

• Transparency - clearly explaining our data processing activities;

• Legal basis - ensuring all processing has a valid legal foundation.

2.3. Categories of Personal Data. We collect and process the following categories of personal data:

• Application Data:

  • Personal identifiers (full name, date of birth);

  • Contact information (email, phone number, address);

  • Travel document details (passport number, expiry date);

  • Travel information (arrival dates, trip details);

• Payment Information:

  • Billing address;

  • Payment card details (processed securely via our payment provider);

  • Transaction records;

• Technical Data:

  • Device and browser information;

  • IP address and location data;

  • Usage patterns and preferences;

  • Cookie identifiers.

2.4. Purpose and Legal Basis. We process your personal data for the following purposes:

• Contract Performance: Processing ETA applications and providing requested services;

• Legal Obligations: Maintaining required records and complying with legal requirements;

• Legitimate Interests: Improving our services, ensuring security, and preventing fraud;

• Consent-Based Processing: Marketing communications and optional features.

3. Data Retention and Storage

3.1. General Retention Principles. We retain your personal data only for as long as necessary to:

• Fulfil the purposes outlined in this Policy;

• Comply with our legal and regulatory obligations;

• Resolve disputes and enforce our agreements;

• Protect our legitimate business interests.

3.2. Specific Retention Periods. Different types of personal data are subject to different retention periods:

• Application Data: Retained for the duration of the ETA application process and any subsequent validity period;

• Payment Information: Retained for 7 years as required by Ukrainian accounting regulations;

• Communication Records: Retained for 2 years from the last interaction;

• Technical Data: Retained for up to 24 months for analytics purposes.

3.3. Data Deletion. When personal data is no longer necessary:

• It will be securely deleted or anonymised;

• Backup copies will be overwritten according to our backup rotation schedule;

• Third-party processors will be instructed to delete relevant data.

3.4. Legal Requirements. Certain data may be retained beyond standard retention periods if:

• Required by law or regulatory obligations;

• Necessary for the establishment, exercise, or defence of legal claims;

• Required by a valid court order or government request.

3.5. Non-Personal Data. We may retain non-personal and aggregated data indefinitely for:

• Statistical analysis;

• Service improvement;

• Security and fraud prevention;

• Historical record-keeping.

4. Data Sharing and Disclosure

4.1. General Principles. We maintain strict confidentiality of your personal data. Any disclosure is limited to:

• Circumstances specifically outlined in this Policy;

• Cases where we have obtained your explicit consent;

• Situations where disclosure is required by law.

4.2. Categories of Recipients. Your personal data may be shared with the following categories of recipients:

• Government Authorities:

  • UK governmental authorities responsible for ETA issuance;

  • Law enforcement agencies when legally required;

• Service Providers:

  • Payment processor for transaction processing;

  • Analytics providers (Google Analytics) for service improvement;

  • Cloud storage providers for data hosting;

  • Email service providers for communications;

• Professional Advisers:

  • Legal advisers for compliance and dispute resolution;

  • Auditors for financial and security assessments;

  • Consultants for service optimization.

4.3. International Transfers. When we transfer your personal data outside the UK or European Economic Area (EEA), we ensure adequate protection through:

• EU Commission approved Standard Contractual Clauses;

• Transfers to countries with adequate data protection standards;

• Binding Corporate Rules for intra-group transfers;

• Specific derogations provided by Article 49 of the GDPR where applicable.

4.4. Data Processor Obligations. All third-party data processors are contractually bound to:

• Process data only on our documented instructions;

• Implement appropriate technical and organizational security measures;

• Ensure staff confidentiality commitments;

• Delete or return all personal data after service completion;

• Submit to audits and inspections.

4.5. Legal Requirements. We may disclose your personal data if required:

• By law or governmental request;

• To protect our rights, privacy, safety, or property;

• To enforce our terms or agreements;

• To prevent fraud or security incidents.

5. Data Protection Measures

5.1. Technical and Organizational Measures. We implement comprehensive security measures including:

• Access Controls:

  • Strong authentication mechanisms;

  • Role-based access restrictions;

  • Regular access review procedures;

  • Automatic session timeouts;

• Network Security:

  • Industry-standard encryption protocols;

  • Secure network architecture;

  • Regular security assessments;

  • Intrusion detection systems;

• Data Protection:

  • Data encryption at rest and in transit;

  • Regular backup procedures;

  • Data minimisation practices;

  • Secure disposal methods.

5.2. Staff Security Measures. We ensure data protection through:

• Regular staff training on data protection;

• Confidentiality agreements;

• Clear security policies and procedures;

• Monitored access to personal data.

5.3. Incident Response. In the event of a security breach:

• We will promptly investigate the incident;

• Notify affected individuals as required by law;

• Implement necessary remedial measures;

• Review and update security protocols.

5.4. Limitations. While we implement robust security measures, we cannot guarantee absolute security due to:

• Inherent Internet transmission risks;

• Potential emergence of new vulnerabilities;

• Factors beyond our reasonable control;

5.5. Third-Party Security. We require our data processors to:

• Maintain appropriate security standards;

• Regularly assess their security measures;

• Report any security incidents promptly;

• Comply with our security requirements.

6. Your Rights and Data Management

6.1. Data Subject Rights. Under applicable data protection laws, you have the following rights regarding your personal data:

• Right to Access: Obtain confirmation whether we process your personal data and request a copy of that data along with information about:

  • The purposes of processing;

  • Categories of personal data concerned;

  • Recipients or categories of recipients;

  • Retention periods or criteria for determining them;

• Right to Rectification: Request correction of inaccurate personal data or completion of incomplete data;

• Right to Erasure: Request deletion of personal data where:

  • The data is no longer necessary;

  • You withdraw consent (where processing is consent-based);

  • You exercise your right to object;

  • The data was unlawfully processed;

• Right to Restrict Processing: Limit our processing where:

  • You contest the data's accuracy;

  • Processing is unlawful but you oppose erasure;

  • We no longer need the data but you require it for legal claims;

• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller;

• Right to Object: Object to processing based on legitimate interests, including profiling, and for direct marketing purposes;

• Rights Regarding Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you.

6.2. Exercising Your Rights. To exercise your rights:

• Contact us using the details provided in Section 7;

• Clearly specify which right(s) you wish to exercise;

• Provide sufficient information to verify your identity;

• Allow up to 30 days for our response.

6.3. Complaints Procedure. If you have concerns about our data processing:

• Contact us first to resolve the issue informally;

• We will investigate and respond within 30 days;

• If unsatisfied, you may contact your local data protection authority;

• For EU residents, contact your national data protection authority.

7. Contact Information

7.1. General Enquiries. For questions about this Privacy Policy or our data protection practices, please contact us using any of the following methods:

• Email: [email protected].

7.2. Data Protection Enquiries. For specific concerns regarding your personal data, please include:

• Your full name;

• Your contact information;

• The nature of your enquiry;

• Any relevant reference numbers or identifiers.

7.3. Response Time. We aim to respond to all enquiries within:

• 24 hours for urgent matters;

• 5 working days for general enquiries;

• 30 days for complex data protection requests.