Privacy Policy
1. Introduction
This Privacy Policy explains how Serko Limited and its group companies (collectively, “Serko”, “us”, “we” or “our”) process your personal information.
This Privacy Policy is effective from 1 February 2025 (previous versions can be obtained by contacting us). We will need to update this Privacy Policy from time to time so we encourage you to check it regularly because any changes we make will be posted on this page. We may also email you or indicate on our home page that our Privacy Policy has been updated if changes are significant. If you do not agree with the terms of this Privacy Policy, please do not provide any personal information to us. While providing some personal information is optional, failing to provide certain personal information may unfortunately mean you are unable to use our Sites and/or Services and/or that we are unable to respond to your queries.
2. Scope of Privacy Policy
This Privacy Policy applies when you:
- use our websites (“Sites”);
- use the services and applications we provide, including the travel and expense management services accessible through Zeno, Serko Online, Serko Mobile, Serko Travel, Zeno Expense, and Get There (“Services”);
- sign up to our newsletter, marketing, promotional activities; and/or
- respond or apply to a job advertisement.
Serko does not determine the purposes or ways of processing of your personal information in the following circumstances:
- the processing of your personal information by third parties like travel management companies or your employer when they use our Services. You should refer to the privacy policies of those third parties for more information; and / or
- to the processing of your personal information that we process on behalf of your employer, your organisation’s travel management company (if any) and/or business partners (for example, travel providers who process your personal information to facilitate your bookings).
Residents of the EU, the UK or California
If you are in the European Union or the United Kingdom, or you are a resident of California, and you use our Services, this Privacy Policy does not apply to your personal information that we process on behalf of Data Controllers.
These entities’ use of your personal information will be governed by their terms and privacy policies, and we will process it under their direction (as a "processor" under the General Data Protection Regulation or UK equivalent, or a "service provider" under the California Consumer Privacy Act (“CCPA”)).
If you have any questions or requests relating to these entities’ processing of your personal information, you must contact them directly.
Personal information of children
Our Sites and Services are for corporate travellers and we do not knowingly process any personal information from children. Our Terms of Use require anyone interacting with us to be over 18.
3. Personal information Serko processes
We will process different kinds of personal information depending on the Sites and/or Services that you use. Depending on the Services we provide you, you may not need to provide all of this, and some is optional because it relates to a preference.
Personal information might include:
- Identity data: name, date of birth, gender;
- Contact data: including email address, address, and phone number;
- Profile data: Serko profile information – username, ID, password;
- Documents (for international travel): passport details, visa details;
- Employment data: title, employee ID, company name, and company number;
- Payment data: including credit card details, costs, bank account number, bank state branch (BSB), credit card limit, and details of payments to and from you;
- Technical data: including internet protocol (IP) address, login data, browser type and version, time zone setting, operating system and platform, device type, unique device identification numbers, and other information your browser supplies;
- Usage data: including details of products and services you have purchased from us, and information on how you are using the products, and services;
- Communications data: including preferences in receiving marketing from us and our third parties (if any), your communication preferences, and any feedback or survey responses;
- Travel data: including details of your bookings and travel itineraries, frequent flyer details, loyalty details, rental car details, meal preferences, seat preferences, travel dates/times, flight number, ticket number, confirmation number, booking locators (booking ID, passenger name record (PNR), airline locator), origin location, destination location, third party profile ID/code, and travel components (air, car, hotel, transfers, rail);
- Expense data: including details of expenses submitted (such as copies of receipts);
- Location data: including geolocation, and travel origin and destination;
- Support data: including screenshots (of error messages, for example), support ID, and support communications; and
- Serko Job application: If you apply for a job with us, then we will collect recruitment data about you including your education history, work experience, references, and other information submitted in your CV and/or cover letter and/or job application.
Depending on your travel needs, some of the information that you provide may be sensitive; for instance, if you have religious or medical dietary preferences, or require travel support.
4. How Serko collects and receives personal information
We collect and receive personal information in different ways depending on the Sites and/or Services that you use. This might include:
- Direct interactions: For example, you may give us personal information when you contact us, use our Site and/or Services, respond to a job advertisement, or request our marketing and promotional materials;
- Customers, suppliers and other third parties: We may receive personal information from other sources such as: our customers (i.e. your organisation), our customers’ travel management companies and travel agents (if any), payment suppliers (including card operators and virtual payment suppliers), travel service providers (including accommodation providers, transport providers, and restaurants), and our customers’ suppliers (for example, who may send us receipts for expense processing); and
- Cookies and similar technologies: We automatically collect some personal information when you visit, use, and interact with our Sites and Services by using cookies and other similar technologies. We may also receive personal information if you visit other sites employing our cookies and/or from analytics providers (such as Google). You can see our Cookie Policy for further details. For example, we might use these technologies to distinguish you from other users and remember your preferences, to improve our Sites and Services, and/or for web analytics.
In certain situations, you may provide personal information to us about other individuals (such as your colleagues, customers, suppliers, directors or shareholders). If so, you warrant that you have all necessary notices, permissions, and consents in place to lawfully disclose such personal information to us to use in accordance with this Privacy Policy.
5. How we use Personal Information
We collect and use your personal information for different purposes depending on the Sites and/or Services that you use. The main purposes are:
- To provide, host, and maintain our Sites and Services – for example, to process purchases (along with our authorised payments processors), manage payments, collect monies owed, process user registrations, and to develop non-automated group and individual traveller profiles;
- To communicate and manage our relationship with you – for example, to provide you with the Services and information you have requested or that we are required to provide to you, inform you of technical notices, updates, security alerts, support and administrative messages, notify you of any changes to our Sites Services or policies, and ask you for feedback or to take part in any research we are conducting;
- To provide customer service and support – for example, to provide booking confirmations, assist with the resolution of technical support issues or other issues relating to the Sites or Services (whether by email, in-app support, or otherwise), and we may record customer calls for monitoring and training purposes;
- To measure and enhance our Sites and Services – for example, to understand how our Sites and Services are being configured and used, to understand how our Sites Services and user experience can be improved, to develop new services, and to perform internal business processes such as testing, maintenance, and quality assurance;
- For protection purposes – for example, to detect, investigate and prevent any fraudulent or malicious activity or transactions, unauthorised access, or other security incidents and other illegal activities, troubleshooting, and to ensure our Sites and Services are being used in accordance with our Terms of Use;
- For marketing and promotional purposes – for example, to send you marketing and promotional communications (about Serko or another product or service we think you might be interested in) in accordance with your marketing preferences, displaying targeted advertising online through our own Sites and Services or through third party websites and platforms, and administer referral programmes, rewards, surveys, and other promotional activities or events sponsored or managed by us or our partners;
- To analyze, aggregate and report – for example, to analyse trends and statistics regarding use of our Sites and Services and the transactions conducted, and to produce aggregated and anonymised analytics and reports;
- Recruitment – if you apply for a job with us, we will process your personal information in the application process; and
- Legal purposes and/or to comply with regulatory and/or industry requirements and standards.
6. How we disclose Personal Information
There will be times when we need to share your personal information with third parties for the purposes set out in this Privacy Policy. This might include:
- Serko group companies – who help us provide, host, and maintain our Sites and Services. Some group companies (subject to access controls) may also have access to the Serko group data centres in which we store and process your personal information.
- Customers (i.e. your organisation) – for example, so we can provide our Sites and Services (including processing and/or approving your travel bookings and/or expense claims), for user management and licence administration purposes, and they may be able to access your personal information held in our systems.
- Travel management companies, travel agents, and GDS operators (if any) – who cooperate with us to provide our Services.
- Service providers – for example, travel service providers (such as travel wholesalers, tour operators, airlines, hotels, car rental companies), banks, expense management and accounting service providers, and other contracted third party service providers such as credit and virtual card processing, fraud prevention, IT and system administration, business analytics, online advertising delivery, marketing, market research and communication, mail, freight and courier and price comparison services.
- Business partners and third parties you authorize – with whom we may jointly offer products or services, or whose products or services may be offered on and/or integrated with our Sites or Services. You may also give third parties access to your personal information on the Sites and Services.
- Our professional advisers – including our lawyers, bankers, auditors, consultants, and insurers.
- An actual or potential buyer (and its agents and advisors) – in connection with an actual or proposed purchase, merger or acquisition of any part of our business. If a change happens to our business, then the new owner may use your personal information in the same way as set out in this Privacy Policy.
- Regulators, law enforcement bodies, government agencies, courts or other third parties – where we think it is necessary to comply with applicable laws or regulations, or to exercise, enforce, or defend our legal rights.
A list of third parties and our group companies that we disclose information to is set out in our sub-processor list. As a global business, we may transfer and process your personal information in countries other than the country you live in – for example to Australia, New Zealand, the Republic of Ireland, the Netherlands, and Canada, where some of our offices, data centres or sub-processors are located.
7. Security
We have put in place appropriate technical and organisational security measures and procedures to try and prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Although we will take such measures to protect your personal information, by virtue of the nature of the internet, we cannot absolutely guarantee the security of your information transmitted online, and so any transmission is at your own risk. We have also put in place procedures to deal with breaches of personal information, and we will notify you and any applicable regulator of a breach where we are legally required to do so.
Where we have given you (or you have chosen) a password that enables you to access certain parts of our Sites and Services, you are responsible for keeping this password confidential and you must not share it with anyone.
8. Retention
We retain personal information we collect from you where we have an ongoing legitimate business need to do so in accordance with our data retention policies and practices (for example, in connection with the purposes described in this Privacy Policy, legal purposes, and/or for the purposes of satisfying any regulatory, tax, accounting or reporting requirements).
Following that period, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been temporarily stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
9. Your rights
You have rights over your personal information. For example, you may have rights to:
- obtain confirmation of what personal information we hold about you;
- request access to your personal information; and
- request a correction to the personal information that we hold about you.
Our services
To view, access, or update / correct the information that we hold about you, log into your account and navigate to the ‘profile’ section. It may be the case that your administrator uses a different system to manage traveller profiles in which case you will need to contact them directly. You can also ask your administrator to deactivate your account at any time.
Alternatively, if you wish to contact us using the details below, please describe your request with enough detail for us to understand, review, and respond. Please note that we may request specific information from you to help us confirm your identity and rights.
Opting out of communication
You can also ask us not to send you marketing communications by following the unsubscribe instructions contained in the marketing communication, clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you.
Our sites and cookies
You can also set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. However, if you disable or refuse cookies used, you may not be able to access or use parts of our Sites and Services.
10. Additional information for individuals in the European Union and United Kingdom
If you are in the European Union or the United Kingdom, the following information also applies to you with respect to your personal information:
A. Data controller
Serko Limited is the controller of your personal information (except in the circumstances described in section 2 (‘Scope of Privacy Policy’) above).
We have appointed a data protection officer (“DPO”). If you have any questions or complaints about this Privacy Policy, including with regard to any request to exercise your rights in relation to your personal information, please contact the DPO using the details set out in section 13 (‘Contact Details’) below.
We have also appointed a representative to act on our behalf in relation to our obligations under the GDPR in Europe, details of which are set out below. You can also click here for more information on how to contact our representative.
DataRep
serko@datarep.com
www.datarep.com/serko
B. Legal bases for processing your personal information
We may collect, use, and share your personal information:
- to perform a contract with you;
- where we (or a third party) have legitimate interests (and they are not overridden by your rights) – such as operating our business and providing our products and services to our customers and end users, meeting our contractual obligations to our customers, record keeping, and security and fraud prevention;
- where you have consented; and
- to comply with a legal or regulatory obligation – including financial and taxation obligations.
C. Your rights
You have rights under privacy and data protection laws in relation to your personal information. For example, you may have the following rights:
- Access – you can ask us if we are processing your personal information and, if we are, you can request access to it.
- Erasure – you may ask us to delete your personal information in certain circumstances. However, we may not always be able to comply with your request for specific legal reasons which we will notify to you, if applicable.
- Objection – where we are processing your personal information based on legitimate interests (or those of a third party), you may challenge this if you believe it impacts your fundamental rights and freedoms. However, we may in some situations be entitled to continue processing your personal information. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Restriction – you may be entitled to ask us to suspend processing some of your personal information, for example if you want us to establish its accuracy or the reason for processing it.
- Transfer – you may ask us to help you request the transfer of your personal information to another party.
- Automated decisions – you may contest any automated decision made about you where this has a legal or similar significant effect and ask for it to be reconsidered.
- Withdraw consent – where we are relying on consent to process your personal information, you may withdraw such consent. However this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you.
You can exercise your rights as described in section 10 (‘Your rights’) above. If you would like to request erasure of your personal information from our Services, please email remove.me@serko.com and state the Service that you wish to have your personal information removed from.
If you are not happy with the way we process your personal information, please let us know. You also have the right to make a complaint to your local information protection supervisory authority. Your local data protection authority will be able to give you more information on how to submit a complaint.
D. International transfers
Your personal information may be transferred internationally, including outside the EEA. Whenever we transfer your personal information outside the EEA, we put safeguards in place so your personal information is protected, for example transferring it to countries that have been deemed to provide an adequate level of protection for personal information and/or having approved transfer mechanisms in place to protect your personal information – such as using specific contracts approved by the European Commission. For more information, please contact us using the details set out in section 13 (‘Contact details’) below.
11. Additional information for California residents
If you are a resident of California, the following information also applies to you with respect to your personal information:
A. The personal information we collect, receive, and disclose
We will collect, receive, and disclose different kinds of personal information depending on the Sites and/or Services that you use. With reference to the categories of personal information set out in the CCPA, in the past 12 months we have collected the following personal information from the sources set out in section 4 (‘How we collect and receive Personal Information’) above, and disclosed it to the categories of third parties set out below (and as described in further detail at section 6 (‘How we disclose Personal Information’) above) for business purposes:
We do not "sell" your personal information for the purposes of the CCPA.
B. Your rights
You have rights under privacy and data protection laws in relation to your personal information. For example, you may have rights to:
- know what personal information is collected about you, and if any of your personal information is sold or disclosed (and the categories of third parties that purchased or received it);
- access the personal information we process about you;
- request the deletion of your personal information, if applicable;
- opt-out from the sale of your personal information, if applicable; and
- not be discriminated against for exercising any of the rights above.
You can exercise your rights as described in section 9 (‘Your rights’) above. You may also designate an authorised agent to make a request on your behalf, subject to proof of identity and authorisation.
12. Additional information for Texas Residents
If you are a resident of Texas, the following information may apply to you with respect of your personal information.
- Right to access, correct, delete: You have the right to access and correct your information. We will delete your personal information consistent with our lawful obligations and our retention needs. You will not be discriminated against for exercising your privacy rights.
- Opting out: You may have the right to opt out of processing of personal information, particularly for marketing purposes and we will endeavour to support this. We will make reasonable efforts to process opt outs for jurisdictions that require them.
- Sale of data: We do not sell personal information to third parties. We are not data brokers nor do we work with data brokers.
- De-identification: Where we de-identify data, we will not re-identify that data.
13. Contact details
If you have any questions about this Privacy Policy or want to make a privacy request, our best contact is privacy@serko.com. Otherwise, our mailing address is:
Attention: Legal Department
Serko Limited
Unit 14d, 125 The Strand
Auckland
New Zealand