privacy policy

We collect personal data to respond to enquiries, manage bookings, and deliver Flatout Editions. We also collect limited website analytics data to improve performance and may use photography and video captured during Editions for promotional purposes. Where we use third-party providers (including payment processors, email platforms, booking systems, analytics providers and accommodation partners), we share only the information necessary to operate an Edition. You can opt out of marketing at any time and you have rights over your personal data, including access and deletion in certain circumstances.

  • This Privacy Policy explains how FLAT-OUT TOURS LTD (“Flatout”, “we”, “us” or “our”) collects, uses and protects your personal data.

    FLAT-OUT TOURS LTD is a company registered in England and Wales.
    Company number: 17020100
    Registered office: 31 Marford Road, Wheathampstead, St. Albans, AL4 8AY, England

    For the purposes of UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, FLAT-OUT TOURS LTD is the data controller of your personal data. This means we are responsible for deciding how and why your personal data is processed.

    This Privacy Policy applies to:

    • Visitors to the Flatout website;

    • Individuals who submit enquiries or register interest in an Edition;

    • Participants in Flatout Editions;

    • Individuals who communicate with us via email, telephone or social media.

  • We may collect and process the following categories of personal data:

    Identity Data

    • Full name

    • Date of birth

    • Nationality

    • Driving licence details

    • Passport details (where required for travel or accommodation purposes)

    Contact Data

    • Email address

    • Telephone number

    • Postal address

    Booking & Participation Data

    • Vehicle details (including make, model and registration number)

    • Emergency contact details

    • Travel preferences

    • Rooming preferences

    • Event-specific requirements

    Special Category Data

    In certain circumstances, we may collect limited health-related information where relevant to your participation in a Flatout Edition, such as dietary requirements, accessibility requirements or medical information voluntarily disclosed to us for safety purposes.

    Payment Data

    Payment deposits are processed by a third-party payment provider, Ticketebo Ltd, whose terms can be seen at https://www.ticketebo.co.uk/terms-conditions-consumer. We do not store full payment card details. We may receive limited transaction confirmation information from our payment processor.

    Communications Data

    Information you provide when contacting us by email, telephone, website forms or social media.

    Technical, Usage & Device Data

    • IP address

    • Browser type and version

    • Time zone setting

    • Pages visited and website usage information

    • Cookie data

    • Approximate location derived from IP (where available)

    This data may be collected through our website and analytics tools ([UNKNOWN]).

    Server Log Data

    Our hosting provider and/or website platform may automatically collect server log information when you access the Flatout website (for example IP address, device information, pages accessed, date/time and referring URLs). This is used for website security, troubleshooting and performance.

    Media Content

    Photographs and video recordings captured during Flatout Editions, which may include identifiable images of participants and their vehicles.

  • We use your personal data for the following purposes:

    3.1 To Respond to Enquiries and Manage Bookings

    We use your identity, contact and booking data to:

    • Respond to enquiries and registration submissions;

    • Assess suitability and availability for participation in an Edition;

    • Confirm and administer bookings;

    • Communicate event information, itineraries and updates;

    • Manage payments and booking records.

    Lawful basis: Performance of a contract (or taking steps prior to entering into a contract).

    3.2 To Organise and Deliver Editions

    We use identity, booking, vehicle and (where relevant) special category data to:

    • Arrange accommodation, venues and experiences;

    • Share relevant details with hotels, restaurants or service providers;

    • Manage participant logistics and operational requirements;

    • Verify eligibility to drive in relevant jurisdictions.

    Lawful basis: Performance of a contract.

    Where we process special category data (such as dietary or medical information), we do so only where necessary and typically on the basis of your explicit consent, or where otherwise permitted under applicable data protection law (for example, in a genuine emergency).

    3.3 For Safety and Risk Management

    We may use identity, emergency contact and vehicle information to:

    • Manage safety considerations;

    • Respond to incidents;

    • Comply with insurance or regulatory requirements.

    Lawful basis: Legitimate interests (ensuring safe and responsible operation of Flatout Editions).

    3.4 For Marketing, Editorial and Promotional Purposes

    We may use:

    • Contact details to send updates about future Flatout Editions and related news;

    • Media content (photographs and video) captured during Editions for promotional and commercial purposes.

    Lawful basis: Legitimate interests.

    Our legitimate interests include documenting and promoting Flatout Editions and developing the Flatout brand across digital and print channels.

    You have the right to object to processing for direct marketing at any time. You may also notify us prior to an Edition if you do not wish to appear in identifiable media.

    3.5 To Improve Our Website and Services

    We use technical, usage and server log data to:

    • Analyse website traffic;

    • Improve user experience;

    • Maintain website security;

    • Develop and refine our services.

    Lawful basis: Legitimate interests.

    3.6 To Comply with Legal and Regulatory Obligations

    We may process personal data to:

    • Comply with legal obligations;

    • Maintain financial records;

    • Respond to lawful requests from authorities.

    Lawful basis: Compliance with a legal obligation.

  • We may share your personal data with carefully selected third parties where necessary to operate Flatout Editions and manage our business. We share only what is reasonably necessary for the relevant purpose.

    4.1 Accommodation, Venues and Service Providers

    Hotels, restaurants, experience providers and other suppliers involved in delivering an Edition (for example rooming lists, dietary requirements or other operational details).

    4.2 Payment Processing Providers

    Payments are processed by one of two providers: SUMUP and Ticketebo Ltd.

    Payment providers process data in accordance with their own privacy policies and applicable data protection laws.

    https://www.ticketebo.co.uk/terms-conditions-consumer

    https://www.sumup.com/en-us/terms/

    4.3 Booking and Event Management Systems

    We may use third-party booking or event management systems to administer registrations, payments and participant records.

    4.4 Email Marketing and Communications Platforms

    We may use a third-party email platform provided by Google or Squarespace to send event communications and marketing updates.

    You may unsubscribe from marketing communications at any time via the link provided in our emails or by contacting our DPO directly at robbie@flatout.tours.

    If you opt out of marketing, we may retain your email address on a suppression list to ensure we continue to respect your preferences.

    4.5 Website Hosting and Analytics Providers

    Our website is hosted by Squarespace. Squarespace websites are hosted on their own secure, private cloud infrastructure with data centers primarily located in the United States. They utilize globally distributed Content Delivery Networks (CDNs) to serve images and static assets from the server closest to the visitor.

    We use analytics tools, primarily Google Analytics, to monitor website usage and improve performance.

    4.6 Professional Advisers and Legal Authorities

    We may disclose personal data where necessary to professional advisers (including legal and accounting advisers), insurers or where required by law or regulatory authorities.

    Where we use third parties to process personal data on our behalf, we put appropriate contractual safeguards in place.

  • Our website uses cookies and similar technologies. Some cookies are necessary for the site to function, while others help us understand how visitors use the site and improve performance.

    Where required, we will request your consent for non-essential cookies via a cookie banner or preference tool. You can change your cookie preferences at any time via the cookie settings tool (where available) or through your browser settings. For more detail, please see our Cookie Policy.

    Our website may also include embedded content or links (for example maps, video players or social media features). These third parties may collect information about your interaction with their content. Their processing is governed by their own privacy policies.

  • Some third parties we use may process personal data outside the United Kingdom.

    Where personal data is transferred internationally, we will ensure appropriate safeguards are in place in accordance with UK data protection law.

  • We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, accounting or reporting requirements.

    In general:

    Booking and Contractual Data

    We retain booking records, correspondence and contractual information for up to 6 years following the completion of an Edition.

    Financial and Transaction Data

    We retain financial records for up to 6 years to comply with UK tax and accounting obligations.

    Enquiry Data

    Where an enquiry does not result in a booking, we may retain contact details and correspondence for up to 24 months, unless you request deletion sooner.

    Marketing Data

    We retain marketing contact details until you unsubscribe or request removal. We may retain your email address on a suppression list to ensure we do not send marketing to you after you opt out.

    Special Category Data

    Health-related or dietary information collected for a specific Edition will generally be deleted within a reasonable period following the conclusion of the Edition, unless required for insurance, legal or safety reasons.

    Media Content

    Photographs and video recordings captured during Editions may be retained for archival, editorial and promotional purposes, unless a valid objection is received and upheld.

    Where personal data is no longer required, it will be securely deleted or anonymised.

  • We take the security of your personal data seriously and implement appropriate technical and organisational measures designed to protect it from unauthorised access, alteration, disclosure or destruction.

    These measures may include:

    • Secure hosting environments;

    • Encrypted connections (HTTPS/SSL) where appropriate;

    • Restricted access to personal data;

    • Use of reputable third-party service providers;

    • Password protection and access controls; and

    • Internal data handling procedures.

    While we take reasonable steps to protect personal data, no method of transmission over the internet or electronic storage is entirely secure. We cannot guarantee absolute security.

    In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will comply with our legal obligations, including notifying the Information Commissioner’s Office (ICO) where required.

  • Under UK data protection law, you have the following rights in relation to your personal data:

    • Right of access – request a copy of the personal data we hold about you.

    • Right to rectification – request correction of inaccurate or incomplete data.

    • Right to erasure – request deletion of your data in certain circumstances.

    • Right to restrict processing – request we limit how we use your data in certain circumstances.

    • Right to data portability – request transfer of data where processing is based on consent/contract and automated.

    • Right to object – object to processing based on legitimate interests, including direct marketing.

    • Right to withdraw consent – where we rely on consent, you can withdraw it at any time.

    Exercising Your Rights

    To exercise any of the above rights, please contact us at:

    INFO@FLATOUT.TOURS

    We may request verification of identity before responding. We will respond to valid requests within one month, unless an extension is permitted under applicable law.

    Complaints

    If you are concerned about how we process your personal data, you have the right to lodge a complaint with the ICO:

    www.ico.org.uk

    We would, however, appreciate the opportunity to address your concerns before you approach the ICO.

  • We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or operational needs.

    Any updates will be published on this page and will take effect immediately upon publication. Where changes are material, we will take reasonable steps to bring them to your attention.

    Last updated: 15th March 2026