We’re Loaf Adventures Limited (“Loaf”, “we”, “us”). We run premium, athlete-led adventure trips. This notice explains how we collect, use, share and protect your personal data when you visit our website, apply for or book a trip, or communicate with us.

Controller: Loaf Adventures Limited (Company No. 16642524)
Registered office: 17 Bathurst House, London, W12 7AG, United Kingdom
Contact: privacy@loaf.so

We follow the UK GDPR and Data Protection Act 2018. If you live in the EEA or Switzerland, equivalent protections apply; see “International transfers” and “Your rights”.

1) What data we collect

• Identity & contact: name, email, phone, date of birth, postal address, emergency contact.

• Booking & travel: trip selection, rooming preferences, dietary preferences, equipment sizes, payment status, communications with us.

• Documents (if required): passport details, visas, insurance details (insurer, policy number, emergency number).

• Health data (special category): information you choose to share that’s relevant for safety and trip suitability (e.g., injuries, allergies, altitude tolerance).

• Marketing & analytics: newsletter preferences, engagement with our emails, site/app usage (cookies, pixels), referral info (e.g., athlete/partner who sent you).

• User-generated content: photos/videos from trips where you appear (see “Media”).

We usually get this from you directly (forms, email, chat, calls). We may also receive data from athlete partners (when you reply “ski”/apply via their socials), referrers, or our providers (e.g., payment or messaging systems).

2) Why we use your data (lawful bases)

• To run your trip and our contract with you (Art. 6(1)(b)): handling applications, assessing suitability, taking payments, coordinating with local operators/guides, sending pre-trip info, operating the trip, and after-trip support.

• Safety & vital interests (Art. 6(1)(d) / Art. 9(2)(c)): sharing essential info (including health data) with guides/medical responders in an emergency.

• Health data with your explicit consent (Art. 9(2)(a)): we only collect health/dietary info you provide and use it for safety, logistics and suitability. You can withdraw consent, but that may affect your ability to participate.

• Legal obligations (Art. 6(1)(c)): accounting, tax, anti-fraud, regulatory requirements (e.g., insolvency protection).

• Legitimate interests (Art. 6(1)(f)):

  • Running and improving the business and our trips.

  • Communicating with you about your application/booking.

  • Limited direct marketing to existing customers (“soft opt-in”).

  • Protecting our staff, guests, brand and community.

• Consent (Art. 6(1)(a)): for email marketing to non-customers, non-essential cookies/pixels, and using certain photos/videos in our media. You can withdraw consent anytime.

3) Who we share data with

Only what’s necessary, and only for the stated purposes:

• Local operators/guides at the destination (accommodation, logistics, safety).

• Insolvency protection/bonding provider (e.g., The Travel Vault) to protect your monies.

• Insurance/assistance partners where required for claims or emergency coordination.

• Payments (e.g., Stripe, bank processors).

• Communications & CRM (e.g., Klaviyo, email, helpdesk).

• Messaging (e.g., ManyChat) when you interact via social DMs.

• Analytics & ads (e.g., Google Analytics, Meta). Non-essential tracking only with consent.

• Professional advisers (legal, accounting, auditors).

• Authorities when required by law.

Most suppliers act as processors to us; some (e.g., insurers, local medical teams) act as independent controllers for their own compliance.

4) International transfers

We often need to share limited data with suppliers outside the UK/EEA (e.g., Kyrgyzstan, Georgia) to deliver your trip. Where we can, we use approved safeguards such as UK International Data Transfer Agreements (IDTAs) or EU SCCs. Where that’s not feasible (e.g., to a jurisdiction without formal safeguards), we rely on the performance of your contract/steps at your request (UK GDPR Art. 49(1)(b)) and share only what’s necessary (typically name, dates, dietary/rooming preferences and relevant safety info).

5) How long we keep your data

We keep data only as long as needed for the purposes above:

• Bookings & contracts: 6 years after your trip (tax/accounting limitation).

• Health data provided for a trip: up to 12 months after the trip (longer if there’s an incident/claim).

• Insurance/incident records: 7 years (or as required by insurers).

• Marketing: until you opt-out, or 24 months of inactivity (whichever is sooner).

• Queries: up to 24 months after resolution.

• Media: until you withdraw consent or ask us to delete (see “Media”).

We then delete or anonymise.

6) Marketing, cookies & lookalikes

• We send marketing only with your consent or under soft opt-in (existing customers re similar trips). You can unsubscribe anytime via footer links or privacy@loaf.so.

• We use cookies/pixels for analytics and ads only with your consent (except strictly necessary cookies). Use our cookie banner to manage preferences.
  We may create custom/“lookalike” audiences with platforms like Meta. We only do this where it’s lawful and consented via cookies; you can opt out at privacy@loaf.so.

See our Cookie Policy for details www.loaf.so/legal/cookies. 

7) Your rights

Subject to legal limits, you can:

• Access your data and get a copy.

• Rectify inaccurate or incomplete data.

• Erase data (right to be forgotten).

• Restrict or object to processing (including direct marketing).

• Portability: receive certain data in a portable format.

• Withdraw consent at any time (this won’t affect past processing).

To exercise rights, email privacy@loaf.so. We may ask for proof of identity. We aim to respond within one month.

Complaints: You can complain to the UK Information Commissioner’s Office (ICO): ico.org.uk or 0303 123 1113. We’d appreciate the chance to resolve it first.

8) Children

Our services are not directed at under-18s. We do not knowingly collect data from children. If you believe a child has provided data, contact privacy@loaf.so.

9) Security

We use technical and organisational measures to protect your data (encryption in transit, access controls, least-privilege, staff training). No system is 100% secure; we maintain incident response procedures and will notify you and regulators where legally required.

10) Media (photos & video)

We sometimes capture content during trips. We’ll always respect your choice:

• You can opt out on-site or email privacy@loaf.so.

• Where we rely on consent, you can withdraw it anytime.

• We may also rely on legitimate interests for limited internal use (e.g., trip QA, safety). Public promotional use is consent-based unless we have another lawful basis.

See also our Booking Conditions’ media clause.

11) Representatives (EEA/CH)

If/when required by law, we will appoint an EU/EEA representative (GDPR Art. 27) and, if applicable, a Swiss representative, and will publish their contact details here. Until then, EEA/Swiss residents can contact privacy@loaf.so.

12) Changes to this notice

We’ll post any updates here and update the “Last updated” date. If changes are material, we’ll notify you by email or on the site.