Primebookings
Get started

Privacy Policy

Last updated: 14 May 2026

This Privacy Policy explains how Hero Technologies Ltd (“we”, “us”), the operator of Primebookings, collects and processes personal data. We are registered with the UK Information Commissioner’s Office (ICO Reg. No. ZC077887) and act as the data controller for the personal data of agency owners and agents who use the Service.

1. Data we collect

From agency users

  • Account data — name, work email, agency name
  • Authentication data — Google sign-in identifiers and magic-link tokens
  • Usage data — log entries, IP address, browser, actions taken in the app
  • Billing data — card details are processed directly by Stripe, our PCI-compliant payment processor. We only store non-sensitive identifiers (such as the last four digits of the card, card brand, and a Stripe customer reference) to associate charges with your account

From supplier emails forwarded to the Service

When you forward a confirmation, the email body and any attachments are stored and processed to extract booking details. This may incidentally include personal data of travellers (names, dates, contact details, passport numbers if present in the email).

For traveller data specifically, you are the data controller and we act as your data processor. Use of the Service is subject to a data processing agreement available on request.

2. How we use data

  • To provide the Service — extract bookings, render the tracking sheet, send confirmations
  • To authenticate you and keep your account secure
  • To process payments and prevent abuse
  • To respond to support requests
  • To communicate service updates (you can opt out of non-essential email at any time)

3. Lawful bases (UK GDPR Art. 6)

  • Contract — to provide the Service you signed up for
  • Legitimate interests — security, fraud prevention, product improvement
  • Legal obligation — accounting, tax, responding to lawful requests
  • Consent — for any optional marketing email; withdrawable at any time

4. Sub-processors

To deliver the Service we rely on a small number of trusted infrastructure providers, including hosting, database, transactional email, file storage and AI extraction services.

For payment processing we use Stripe, who process your card data directly under their own terms and privacy policy. We do not store full card details. A current list of all sub-processors and their locations is available on request at [email protected].

Where data is transferred outside the UK or EEA, we rely on appropriate safeguards including the UK International Data Transfer Addendum and Standard Contractual Clauses.

5. Retention

We retain your account and booking data for as long as your subscription is active. After cancellation, we keep your data for 30 days so you can reactivate or export it, then permanently delete it from our production systems.

Encrypted backups are kept for up to 35 days on a rolling basis and then overwritten. Audit logs and security records may be retained for up to 12 months where required for fraud prevention or legal obligations.

6. Your rights (UK GDPR)

You have the right to:

  • Access the personal data we hold about you
  • Request correction or deletion
  • Object to processing or restrict it
  • Receive a portable copy of your data
  • Withdraw consent where processing is based on consent

To exercise any of these rights, email [email protected]. If you are not satisfied with our response, you can complain to the UK Information Commissioner’s Office.

7. Cookies and analytics

We use a small number of essential cookies to keep you signed in and to remember your preferences. We do not use advertising or third-party tracking cookies.

For product analytics we use a privacy-friendly, cookie-free service (such as Umami or Simple Analytics). It records aggregate usage information — pages viewed, referrers, browser type, country — without setting cookies, without using fingerprinting, and without identifying individual visitors. No personal data is shared with advertising networks.

8. Security

Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted to named personnel and logged. We will notify affected users and the ICO of any personal data breach in line with UK GDPR Art. 33.

9. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email at least 30 days in advance.

10. Contact

Hero Technologies Ltd
82a James Carter Road
Mildenhall
IP28 7DE
[email protected]