Spread the Cost: Monthly payment plans

Price Drop Protection: Lowest price, guaranteed.

Secure Trust Account: Your money is protected

To the Beach

Privacy Policy

This policy explains what personal data To the Beach collects when you create an account or submit a holiday enquiry, why we collect it, and what rights you have over it. We never sell your data, and only share it with third parties where this policy says so.

Last updated: 15 July 2026 · Version 1.0

1. Who we are

This policy explains how To the Beach Holidays Ltd ("we", "us", "our") would collect, use, store, and protect personal data if this were a live package holiday booking service. For the purposes of data protection law, we would be the "data controller" of the personal data described below — meaning we'd decide what data is collected and why, even though some of it (payment processing, for example) is handled by a specialist third party on our behalf.

2. What personal data we collect

We collect different categories of data depending on how you use the site:

  • Account data: title, first and last name, date of birth, email address, and password (stored as a one-way hash — we never store or can see your plain-text password) when you register.
  • Contact and delivery data: mobile number, postcode, address, and city, which are optional at registration but help pre-fill checkout for a faster repeat booking.
  • Booking data: lead traveller name, email, and phone number, traveller count, selected extras, and total price for every booking you make, whether or not you were logged in when you made it.
  • Payment data: your card details are collected and processed directly by our payment provider, Stripe — we receive confirmation that a payment succeeded and a payment reference, but never your full card number, expiry date, or CVC.
  • Preference data: your wishlist (saved hotels), your marketing communication preference (opted in or out), and your saved search filters.
  • Technical and usage data: IP address, browser type and version, device type, pages visited, and how you arrived at the site, collected automatically via cookies and similar technologies — see our Cookie Policy for the full detail.
  • Communications: any correspondence you send us, including support requests, complaints, or newsletter sign-ups.

3. How we collect it

Most data is given to us directly — when you register, update your account details, search or book, or contact us. Some data (device, browser, and usage information) is collected automatically as you use the site, through cookies and equivalent technologies. We don't buy personal data from third-party data brokers, and we don't combine your data with profiles bought from other companies.

4. Why we process your data, and our legal basis for doing so

Data protection law requires us to have a valid reason ("legal basis") for every way we use personal data. Here's how that applies to each purpose:

  • To create and manage your account — necessary to perform our contract with you (you can't have an account without us processing the data needed to run it).
  • To process and confirm a booking — necessary to perform the contract formed when you book, and to take the steps you ask for before entering into it.
  • To pre-fill checkout with saved traveller details — based on your consent, given when you choose to save those details to your profile; you can remove them at any time.
  • To send booking confirmations and essential service messages — necessary to perform our contract with you; these aren't marketing and can't be opted out of while you have an active booking.
  • To send marketing emails about deals and inspiration — based on your consent, given at registration or via the newsletter sign-up form; you can withdraw this at any time and we'll stop within a reasonable period.
  • To detect and prevent fraud — based on our legitimate interest in protecting our business and our customers from fraudulent transactions, balanced against your right to privacy.
  • To analyse and improve how the site performs — based on our legitimate interest in understanding and improving the service, using aggregated or pseudonymised data wherever practical.
  • To comply with legal and regulatory obligations — necessary for compliance with a legal obligation, for example retaining transaction records for tax purposes.

5. Who we share your data with

We don't sell personal data. We do share specific, limited data with the following categories of recipient, only to the extent each one needs to do their job:

  • Payment processors (Stripe) — to process card payments securely; Stripe is independently PCI DSS certified and acts as a data processor on our instructions for payment data specifically.
  • Hotel, airline, and transfer suppliers — the minimum booking data needed to fulfil your package (lead traveller name, contact details, and travel dates).
  • IT hosting and infrastructure providers — who store data on our behalf under a data processing agreement, and who are not permitted to use it for their own purposes.
  • Professional advisers and regulators — where we're legally required to share information, for example in response to a valid request from a tax authority or law enforcement.
  • A buyer, in the event of a business sale — if the business were ever sold or restructured, customer data would typically transfer as part of that, subject to the same protections described here.

6. International transfers

Some of the suppliers and service providers described above may process data outside the UK or European Economic Area. Where that happens on a live site, we'd only transfer data to countries with an adequacy decision, or under a mechanism such as Standard Contractual Clauses, to make sure your data stays protected to a UK/EU standard wherever it's processed.

7. How long we keep your data

We keep personal data only for as long as we need it for the purpose it was collected for:

  • Account data is kept for as long as your account is active, plus a reasonable period afterwards in case you return.
  • Booking data is kept for as long as needed to resolve any post-holiday queries, and afterwards for as long as required for tax and accounting records (typically six years in the UK).
  • Marketing consent is kept until you withdraw it, at which point we suppress rather than delete your contact details, so we can honour your opt-out reliably.
  • Technical/usage data collected via cookies is retained according to the individual cookie's own lifespan — see our Cookie Policy.

8. Your rights

Under UK GDPR and the Data Protection Act 2018, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct data that's inaccurate or incomplete.
  • Erasure — ask us to delete your data where we no longer have a valid reason to keep it (our account settings page already includes a self-service "Delete Account" option for this).
  • Restriction — ask us to limit how we use your data while a dispute about it is resolved.
  • Portability — request your data in a portable, machine-readable format.
  • Objection — object to processing based on legitimate interest, or opt out of marketing entirely, at any time and without needing to give a reason.
  • Withdraw consent — where processing is based on consent (such as saved traveller details or marketing emails), withdraw it at any time without affecting the lawfulness of processing before you did so.

To exercise any of these rights on a live version of this site, you'd contact us using the details in section 11 below. We'd respond within one calendar month, and wouldn't charge a fee for a reasonable request.

9. How we protect your data

Passwords are never stored in plain text — they're hashed using a strong, industry-standard one-way algorithm before being saved, so even we can't see your actual password. All traffic to and from this site is encrypted in transit, and access to the underlying database is restricted to authorised personnel only. Card payment data never touches our own servers at all — it's collected and transmitted directly to Stripe.

10. Children's privacy

This site is intended for use by adults booking travel on behalf of their party, including any children travelling with them. We don't knowingly collect account data directly from children, and registration requires the account holder to be at least 18.

11. Changes to this policy

We may update this policy from time to time to reflect changes in how the site works or in data protection law. Where a change is significant, we'd aim to make that clear on the site rather than relying only on an updated "last updated" date.

12. Special category data

Some information relevant to a holiday booking counts as "special category data" under data protection law — most commonly, health information disclosed as part of a special assistance request (for example, a mobility requirement at the airport, or a dietary need linked to a medical condition) or accessibility needs shared so a hotel can prepare an adapted room. We would only collect this where you choose to share it with us in order to get the accommodation right, we would use it solely for that purpose, and we would rely on your explicit consent as the legal basis for holding it. You would never be asked to share more detail than the supplier needs to act on the request, and you could ask us to remove it from your profile once the trip is complete.

13. Automated decision-making

We don't use automated decision-making or profiling that produces a legal or similarly significant effect on you — for example, we don't automatically decline a booking or vary a price based on an algorithm assessing your personal characteristics. Prices shown are the same for every visitor searching the same dates and package; any fraud-prevention checks on payment are a supporting signal reviewed by a person before any booking is refused, not a fully automated decision.

14. If something goes wrong

In the unlikely event of a data breach affecting your personal data, UK data protection law requires us to assess the risk to you and, where the risk is high, notify both the ICO and you directly without undue delay, and in any case within 72 hours of us becoming aware wherever feasible. That notification would explain what happened, what data was affected, and what steps we're taking in response, so you can protect yourself where relevant — for example, by changing a re-used password.

15. Marketing preferences in detail

Marketing emails (deal alerts, destination inspiration, seasonal offers) are only sent if you've actively opted in — either by choosing "Yes" to marketing communications at registration, or by signing up separately through the newsletter form in the site footer. Opting in to marketing is never a condition of booking; you can complete a purchase and receive your booking confirmation regardless of your marketing preference, because transactional emails about a booking you've made are a separate category and aren't affected by your marketing choice. You can withdraw marketing consent at any time using the unsubscribe link included in every marketing email, or by updating your preference in your account settings, and we'd aim to stop within a few working days to allow for messages already queued to send.

16. How to contact us or complain

Data protection queries and requests can be sent to info@tothebeachholiday.com. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk if you're unhappy with how a request was handled — a right that exists independently of anything we do, and doesn't require you to complain to us first.

Before escalating to the ICO, most concerns are resolved faster by raising them with us directly first, simply because we can look at your specific account and explain exactly what's held and why, whereas a regulator complaint necessarily starts from scratch. We'd always aim to acknowledge a data protection query quickly and give you a clear timeline for a full response, rather than leaving you to chase.

17. A summary in plain English

If you don't read anything else on this page: we'd collect what we need to get your holiday booked and to run your account, we wouldn't sell your data, we'd only use it for marketing if you specifically said yes, we'd keep it only as long as we have a good reason to, and you'd always be able to ask what we hold, correct it, or have it deleted. That's the same underlying commitment a much longer legal document is trying to describe precisely — the length above exists to remove ambiguity about edge cases, not to bury the core promise.

Stay in the loop

Get our best deals before anyone else

Fresh package holiday deals, price drops, and last-minute offers — straight to your inbox. No spam, unsubscribe any time.