Privacy Notice

LOUNGE KEY LIMITED ("we/us/our") endeavour to maintain the highest standards of confidentiality and to respect the privacy of our customers (“you”) and associated persons who deal with us. Our commitment to privacy includes being transparent about the nature and extent of the personal data processing we undertake. This privacy notice aims to inform you about how we collect, store, use and disclose information about you when you:

a) interact or use our websites; or
b) if you use any of our products, services or applications (collectively the “services”) in any manner.

As a company with a global presence, we are subject to the varying requirements of data protection legislation in  jurisdictions where we operate. Our aim is to be as consistent as possible and obey all applicable laws and apply the highest standard of privacy laws to our approach. For example, if you are a resident of the EU, we are bound by EU local laws including the General Data Protection Regulation (“GDPR”) or if you are a resident of California, we also respect the local laws of California, The Californian Consumer Privacy Act (“CCPA”). 

Categories of personal data we process or collect
We collect and process the personal data that you provide when interacting with us, either online or via email, mobile, phone or post.

Such personal data may include the following:
a) First name and surname;
b) Postal address;
c) Email address;
d) Telephone number;
e) Gender, date of birth;
f) Country of residence, nationality, language preference;
g) Unique identifier information (e.g. your customer username or number and password);
h) Financial information (e.g. payment card or bank account information);
i) Which lounges or merchants you visit, as part of your LoungeKey benefits;
j) Boarding card information;
k) Some details provided by your device such as IP address, device ID, device type, and location data.

Source and categories of personal data
The source of the above information is received from either, yourself or where LoungeKey is a benefit of your payment card issuer, we may receive the information from them. The category of information is Personal data. The information is only used for business purposes to supply the Service.

What we use your personal data for, and our legal basis for doing so

We must have a legal basis to process your personal data. In most cases, that will be for us to provide the contracted service. The table below sets out the purposes for which we use your personal data and our legal basis for doing so:

Meet our legal and regulatory obligations to investigate and prevent fraudulent activities

What we use your information for

Our legal basis for doing so

Provide you with access to our website

To provide the contracted service

Provide access to travel experiences within the service programme

To provide the contracted service

Process any payment required for the products and services you have requested

To provide the contracted service

Store your payment card details, in order to be able to take agreed payments,
as explained in the Conditions of Use

To provide the contracted service

Provide you with information you have requested, including without limitation,
quotations, service documentation, brochures, and responses to applications

Where we have your consent

Provide you with newsletters, and other communications about the services you
have purchased or chosen to opt into.

Where we have your consent

Offer customer surveys to improve our products and services

For our legitimate interests to improve our services

Analyse your usage of our services in order to be able to personalise your
service and improve our products

For our legitimate interests to improve usage of our services

Respond to any enquiries from you regarding our products and services

To provide the contracted service

Where you have agreed, provide you with information about certain other
goods and services which we believe may be of interest to you

Where we have your consent

Meet our legal and regulatory obligations to investigate and prevent
fraudulent activities

To comply with our legal obligations

Personal data sharing and transferring
We will not share rent or sell your personal data to anyone unless you agree to this, or such sharing is necessary to fulfil our contract with you, or we are legally allowed or required to do so. Moreover, your personal data will only be shared with selected organisations which comply with our security procedures and policies.

Organisations we may share your personal data with include:
a) Another member of our group of companies where they help provide or improve our services to you;
b) Third party service providers and subcontractors: We employ other companies and individuals to perform other functions on our behalf. Examples include processing credit card payment, customer services, and analysing data. They help us provide our services to you. This is provided under written contract where the personal data is only processed for the specific business purpose of providing the service to you. Service providers are prohibited from selling the personal data that we supply to them in the terms of the contract;
c) The lounges or merchants which you visit, as part of your programmeme benefits, so they can record and account for your visit;
d) A regulating body or other authority where we need to comply with a regulatory or legal obligation;
e) Fraud prevention or debt collection organisations when required to protect our legitimate interests;
f) Partners or clients with which we offer or engage in joint marketing activities;
g) With your consent: Other than as set out above, you will receive notice when information about you might go to third parties, and you will have the opportunity to choose not to share the information.

Where service is a benefit of your payment card issuer (such as your bank), we may share your personal data with that card issuer and the payment card brand associated with that card.

Some of those organisations may be based in a country outside the European Economic Area or where different data privacy laws apply. We will only transfer your personal data to that country if they ensure an adequate level of protection of your rights and freedoms, or that organisation is contractually bound to meet European Economic Area data protection law using EU approved model contract clauses.

Personal data protection and storage
We handle your personal data in accordance with adequate and reasonable procedures and technologies in order to maintain and protect its security, availability, confidentiality and integrity, and prevent its unlawful or unauthorised processing, accidental loss or damage, from its collection until its destruction.

Where personal data is transmitted across the internet, it will be encrypted.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of your personal data, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Personal data disposal and retention
We will only keep your personal data for as long as it is needed for the purposes for which it was collected and we will remove from our systems all personal data which is no longer required.

We will only retain your personal data for only as long as it is necessary and for a specified and limited purpose, where we are required to do so and in line with our retention policies, in order to meet a regulatory or legal obligation.

Cookies and Do Not Track Disclosure (“DNT”)
Currently, various browsers (including internet explorer, Firefox and Safari) offer a DNT option that relies on a technology known as a DNT header, that sends a signal to a website visited by the browser user about the user’s DNT preference. You can usually access your browser’s DNT option in your browser preferences.

A “Do Not Track” (DNT) standard is not available today therefore our website does not respond to DNT signals from browsers.

We use cookies as identifiers on our website in order to improve your user experience by enabling our website to 'remember' you, either for the duration of your visit (using a 'session cookie') or for repeat visits (using a 'persistent cookie'). We may also use cookies to enable us to tailor our services or products based, for example, on your location and/or browsing habits or to provide the website service to enable you to purchase our products. With your consent we use third party identifier cookies to help tailor adverts to you by sharing with advertisers. 

You can block or opt-out of non-essential cookies either using our cookie management tool or using your browser.

Please click here to read our Cookie Notice which explains what we do and how you can alter your cookie settings.

Your rights
If you would like to access, review, update, rectify, and delete any personal data we hold about you, or exercise any other data subject right you can email us at Our privacy team will examine your request and respond to you as quickly as possible.

Please note that we may still use any aggregated and de-identified personal data that does not identify any individual. We may also retain and use your information as necessary, for example, to comply with our legal obligations, resolve disputes, and enforce our agreements.

We respect all applicable local laws for data subject rights. For example, under the California Consumer Privacy Act, California residents have certain rights regarding the personal data that businesses have about them. This includes the rights to request access or deletion of your personal data, as well as the right to direct a business to stop selling your personal data. We also offer data subject rights as defined under the GDPR as an additional arrangement.

Your rights


The right to object to the processing

To provide the contracted service.

The right to information

You have the right to object to the processing of your personal data in certain situations.

The right of access

Subject to certain exceptions you have the right to obtain a confirmation as to whether
or not we process your personal data, and if we do, request access to your data.

The right to rectification

If the personal data that we process is incomplete or incorrect, you have the right to
request their completion or correction at any time.

The right to deletion

Subject to certain exceptions, if you consider that we should stop processing some or all
of your personal data, you have the right to request its deletion. However, there may well
be reasons why an immediate deletion may not be possible (for example where retention
is required to meet legal or regulatory obligations).

The right to restrict the processing

You have the right to request that we restrict the processing of your personal data in
certain situations:
a) If you contest the accuracy of your personal data, you may request that its processing
is restricted while we verify its accuracy
b) If the processing of your personal data is considered unlawful, but you do not require
the deletion of your personal data
c) If we no longer need the data for the purposes of its processing, but you need it for
the establishment, exercise or defence of legal claims
d) If you object to our processing of your data based on our legitimate interests

The right to data portability

Where the processing takes place on the basis of your consent or contract, and is carried
out by automated means, you have the right to request that we provide your personal
to you in a machine-readable format.

Your rights in relation to automated decision making and profiling

You have the right to object to decisions based exclusively on the automated processing
of your personal data.

The right to withdraw your consent

If your personal data is processed on basis of your consent, you have the right to
withdraw your consent at any time. The withdrawal 
of your consent does not affect
the lawfulness of processing based on consent before its withdrawal.

If you wish to exercise your rights, you can get in touch with us by contacting the Data Protection Officers from the information on the “Contact Information” section of this privacy notice.

Once we receive your request, members of our Data Protection Team will endeavour to get back to as soon as possible to confirm receipt. Where we use service providers to hold your personal data, a process exists to process the data subject right request also.

Our website may contain links to other sites

We may have links to other sites promoting our partners and clients. These links may take you to other companies who have their own privacy notice and our privacy notice will not cover their use of data. They may collect additional information therefore we encourage you to look at these linked site privacy notice. 

Business Transfers

We may choose to buy or sell assets and may share or transfer customer information in connection with the evaluation of these transactions.  Also, if we, or our assets, are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, personal data could be one of the assets transferred to or acquired by a third party.

We use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited, and the audits are reviewed at senior level. 

Contact Information
To exercise any of your rights, or if you have any questions about our privacy notice, or if you wish to make a complaint about the use of your personal data, or want to report a security issue, please contact our Data Protection Officer via

For the purposes of data protection legislation, LOUNGE KEY LIMITED, is a company registered in England and Wales with company number 08792537 and offices in 3 More London Riverside, London, SE1 2AQ, United Kingdom.

If you are unsatisfied with our response, you can contact the Information Commissioner’s Office (ICO). Further information can be found at

Information pertaining to children
We do not knowingly collect or solicit personal data from anyone under the age of 18. If you are under 18, please do not attempt to register for our services or send any personal data about yourself to us. If we learn that we have collected personal data from a child under age 18, we will delete that information as quickly as possible. If you believe that a child under 18 may have provided us personal data, please contact us a soon as possible. 

Automated decision making or profiling
We do not engage in profiling or any processing related to automated decision-making activity.

Changes to our policy
We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on our website. This privacy notice was last updated on 2 April 2020.