Skip to main content
Contact Us

Privacy Policy

Beautiful Destinations Privacy Policy

Last updated: 13 April 2026
Effective date: 13 April 2026

Beautiful Destinations Limited and its group companies ("Beautiful Destinations", "BD", "we", "us", "our") operate the Beautiful Destinations website, social channels, and the Content Operating System (the "COS" or "Platform"), a workflow tool used by BD staff and authorised clients to plan, produce, approve, and publish social media content.

This policy explains what personal data we collect, how we use it, the legal bases for processing, who we share it with, and the rights you have. It applies to visitors of beautifuldestinations.com, subscribers to BD marketing, clients and creators who work with us, and users of the COS.

If you only use our website or receive marketing from us, Sections 1 to 6 and 10 to 14 apply to you. If you use the COS, Sections 7 to 9 also apply.

1. Who we are and how to contact us

Beautiful Destinations Limited (registered in England and Wales, company number 09004889, VAT number 189825055) is the data controller for personal data collected through our website, marketing activities, and the COS. You can reach our privacy team at:

2. What information we collect

Information you give us. Name, email address, company, job title, phone number, country, billing address, and any other information you choose to provide through forms, downloads, event registrations, sales conversations, or contract negotiations.

Information from your use of our website. IP address, device identifiers, browser type, referring URL, pages visited, and dates and times of access. We collect this through cookies and similar technologies. See our Cookie Notice for details.

Information from the COS. Login credentials (including single sign-on identifiers), user profile details, project briefs and documents you upload, comments and approvals, and records of actions you take in the tool (audit logs).

Information from connected social accounts. When you link a Meta, TikTok, YouTube, or LinkedIn account to the COS through OAuth, we receive data that the platform shares with us based on the scopes you approve. Section 7 lists this in detail.

Information from third parties. We may receive data from business partners, lead enrichment providers, credit reference agencies (for client onboarding), and public sources such as company registries.

2.1 Categories of personal information (for California residents)

For the purposes of the CCPA/CPRA, in the 12 months before the date of this policy we have collected the following categories of personal information:

Category Collected Sources Purpose
Identifiers (name, email, IP, account ID) Yes You, your device, third parties Service, account, marketing
Customer records (phone, billing, company) Yes You, your employer Contracting, billing
Commercial information (services, project history) Yes You, your employer Service delivery
Internet or network activity (browsing, COS actions) Yes Your device, cookies Security, analytics, product
Geolocation (coarse, IP-derived) Yes Your device Security, analytics
Professional or employment (job title) Yes You, employer, enrichment B2B sales, service
Inferences Yes Analytics Marketing, product
Audio, electronic, visual (project media) Yes You, creators, clients Project delivery
Sensitive personal information No* - *Account credentials only, used as permitted by CCPA §7027(m)
Biometric, genetic, health, protected class No - Not collected
Education information No - Not collected

We do not sell personal information, and we do not share it for cross-context behavioural advertising, as those terms are defined under the CPRA.

3. How we use your data

  1. Deliver our services and perform contracts with clients and creators.
  2. Operate, secure, and improve the COS and our website.
  3. Send marketing communications, where permitted, and measure campaign performance.
  4. Publish content to connected social accounts on behalf of account holders who have authorised the COS to do so.
  5. Produce analytics and reports, including audience and performance data for clients.
  6. Detect and prevent fraud, abuse, and security incidents.
  7. Comply with legal, tax, and regulatory obligations.
  8. Assess, negotiate, and complete corporate transactions (including a possible sale of the business).

4. Legal bases for processing (UK and EU)

  • Contract: to deliver services you or your employer have asked us to provide, including the COS.
  • Legitimate interests: to run and grow our business, secure our systems, prevent fraud, and contact business prospects. We balance these interests against your rights.
  • Consent: for marketing to individual consumers, for non-essential cookies, and for OAuth connections to social accounts. You can withdraw consent at any time.
  • Legal obligation: to meet tax, accounting, employment, and regulatory duties.

5. Who we share data with

  • Service providers who host, secure, and support the COS and our website, including cloud infrastructure, email delivery, analytics, and customer support tools. They act on our instructions under written contracts.
  • Social platforms (Meta, TikTok, YouTube/Google, LinkedIn) when you authorise the COS to read or publish content through your account. Their privacy policies apply to their own processing.
  • Clients and creators who are party to the relevant project, to the extent needed to deliver that project.
  • Professional advisers (legal, accounting, audit, tax) under confidentiality obligations.
  • Prospective or actual acquirers of BD or its assets, under confidentiality obligations, as part of a corporate transaction.
  • Authorities where required by law, court order, or regulator request.

We do not sell personal data.

6. International transfers

BD operates in the UK, the UAE, and the US, and uses service providers located in a number of countries. Where we transfer personal data outside the UK or EEA, we rely on adequacy decisions, the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or other valid safeguards. Contact privacy@beautifuldestinations.com for a copy of the safeguards we use for a specific transfer.

7. Content Operating System: social platform integrations

The COS connects to social platforms through OAuth so that BD staff and authorised client users can draft, schedule, publish, and measure content. You control these connections through your platform account and can revoke them at any time from within the COS or from the platform's own settings.

We only request the minimum scopes needed for the feature you are using. We do not sell data obtained through any platform integration. We do not use platform data to train artificial intelligence models that serve other clients, and we do not use it for advertising. We store access tokens encrypted at rest and refresh them only while your connection is active.

7.1 Meta (Facebook and Instagram)

Scopes we may request: pages_show_list, pages_read_engagement, pages_read_user_content, pages_manage_metadata, pages_manage_posts, pages_manage_engagement, instagram_basic, instagram_content_publish, instagram_manage_comments, instagram_manage_insights, business_management, read_insights, ads_read.

What we do with each:

  • pages_show_list, business_management: list the Pages and Business accounts you manage so you can pick which to connect.
  • pages_read_engagement, pages_read_user_content, instagram_basic: read content you or your organisation have posted and engagement data (likes, comments, reach) for reporting.
  • pages_manage_posts, instagram_content_publish: publish or schedule content you or a client has approved in the COS.
  • pages_manage_metadata, pages_manage_engagement, instagram_manage_comments: update Page settings, respond to comments, and moderate on behalf of the account when you ask us to.
  • instagram_manage_insights, read_insights, ads_read: produce performance reports, audience insights, and (where agreed) ad-spend analysis.

We follow Meta's Platform Terms, Developer Policies, and the Limited Use requirements that apply to any restricted data. We retain Meta data only for as long as needed to provide the service, and we delete it when your connection is revoked or when retention limits (see Section 13) are reached.

7.2 TikTok

Scopes we may request: user.info.basic, user.info.profile, user.info.stats, video.list, video.upload, video.publish, video.insights (where available).

What we do with each:

  • user.info.basic, user.info.profile: show whose account is connected and display profile basics inside the COS.
  • user.info.stats, video.insights: produce performance reports for content posted to the connected account.
  • video.list: list videos you or your organisation have posted so they can be reviewed and reported on.
  • video.upload, video.publish: upload and publish content you or a client has approved in the COS.

We follow TikTok's Developer Terms of Service, Platform Guidelines, and Data Use rules. Data obtained through TikTok is used only to deliver the features above and is not shared with any third party except the service providers listed in Section 5.

7.3 YouTube (Google API Services)

Scopes we may request: https://www.googleapis.com/auth/youtube.readonly, https://www.googleapis.com/auth/youtube.upload, https://www.googleapis.com/auth/youtube, https://www.googleapis.com/auth/youtube.force-ssl, https://www.googleapis.com/auth/yt-analytics.readonly, https://www.googleapis.com/auth/yt-analytics-monetary.readonly.

What we do with each:

  • youtube.readonly: list channels, playlists, and videos so you can pick what to manage.
  • youtube.upload: upload videos that you or a client has approved in the COS.
  • youtube, youtube.force-ssl: update video metadata, manage playlists, and moderate comments when you ask us to.
  • yt-analytics.readonly, yt-analytics-monetary.readonly: produce performance and (where agreed) revenue reports for the connected channel.

Google API disclosure. The COS's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to train generalised artificial intelligence or machine learning models. You can revoke the COS's access at any time through your Google Account security settings.

7.4 LinkedIn

Scopes we may request: openid, profile, email, w_member_social, r_organization_social, w_organization_social, rw_organization_admin, r_ads, r_ads_reporting, r_organization_admin (where your organisation has granted these).

What we do with each:

  • openid, profile, email: sign you in and show which account is connected.
  • w_member_social: publish posts to your personal LinkedIn feed when you or a client has approved them in the COS.
  • r_organization_social, w_organization_social, rw_organization_admin, r_organization_admin: read and publish content and manage settings for Company Pages you administer.
  • r_ads, r_ads_reporting: produce reporting on paid LinkedIn activity, where agreed.

We follow LinkedIn's API Terms of Use and Marketing Developer Platform rules.

8. COS users: accounts, logs, and security

  • Account data: name, work email, role, employer, login timestamps, and session identifiers.
  • Activity data: actions you take in the tool, files you upload, comments, approvals, and API calls. We keep audit logs for security, service improvement, and dispute resolution.
  • Device data: IP address, browser, and operating system, used to secure your session.

We apply technical and organisational measures appropriate to the risks of our processing, including role-based access control, encryption in transit and at rest, multi-factor authentication, and least-privilege rules for BD staff.

9. Artificial intelligence features

  • We do not send personal data to third-party model providers except under contracts that forbid training on our inputs.
  • We do not train general-purpose models on client or creator data.
  • A human reviews and approves AI-generated content before it is published to a connected social account.
  • You can ask us how a specific decision was reached and request human review.

10. Cookies and similar technologies

We use strictly necessary cookies to run the site and the COS. We use analytics and marketing cookies only with your consent. Our Cookie Notice lists the cookies we set, their purpose, duration, and how to change your choices.

11. Your rights

  • Access your personal data and receive a copy.
  • Correct inaccurate data.
  • Delete your data (right to erasure / right to be forgotten).
  • Restrict or object to processing.
  • Port your data to another provider.
  • Withdraw consent at any time where we rely on consent.
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
  • Lodge a complaint with your supervisory authority. In the UK this is the Information Commissioner's Office (ico.org.uk). In the EU it is the authority for the country you live in.

11.1 Regional detail

European Union and United Kingdom (GDPR / UK GDPR). All rights listed above apply. Contact privacy@beautifuldestinations.com.

California (CCPA / CPRA). You have the right to:

  • Know what personal information we collect, use, disclose, and share.
  • Delete personal information we have collected from you.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information. We do not sell or share as those terms are defined under the CPRA. You can still record this preference using the link "Do Not Sell or Share My Personal Information" in our website footer, or by sending a Global Privacy Control signal from your browser, which we honour automatically.
  • Limit the use and disclosure of sensitive personal information. We do not use sensitive personal information for any purpose beyond those permitted by CCPA §7027(m). The link "Limit the Use of My Sensitive Personal Information" in our website footer records this preference.
  • Non-discrimination. We will not deny you services, charge different prices, or provide a different level of quality because you exercised a CCPA right.

To exercise these rights email privacy@beautifuldestinations.com with "California request" in the subject line, or use the links in our website footer. We verify requests using the email on file and, where needed, one additional piece of information that matches our records.

Authorised agents. A consumer may use an authorised agent to submit a request. The agent must provide a written, signed permission from the consumer, and we may contact the consumer to confirm identity and permission.

Other US states (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon). Rights comparable to those above apply. Use the same contact route.

Brazil (LGPD). You have rights of confirmation, access, correction, anonymisation, deletion, portability, and withdrawal of consent. Our Brazil contact is privacy@beautifuldestinations.com.

Canada (PIPEDA). You can access and correct your personal data, and withdraw consent subject to legal or contractual limits.

Asia-Pacific (including Singapore PDPA, Australia Privacy Act, Japan APPI, Hong Kong PDPO). We comply with the local laws that apply. Contact privacy@beautifuldestinations.com.

Middle East (including UAE PDPL, KSA PDPL). We comply with the local laws that apply. Contact privacy@beautifuldestinations.com.

Other regions. Contact us for guidance on rights in your country.

12. How to make a request or revoke a connection

  • Website and marketing data: email privacy@beautifuldestinations.com or use the unsubscribe link in any marketing message.
  • COS account data: ask your COS administrator, or email privacy@beautifuldestinations.com.
  • Social platform connections: open the COS, go to Settings > Connected Accounts, and disconnect. You can also revoke access from Meta (Business Settings > Business Integrations), TikTok (Settings > Security > Manage app permissions), Google (myaccount.google.com/permissions), and LinkedIn (Settings > Data privacy > Permitted services). Revoking in the platform invalidates our access and we delete the stored token promptly.
  • Full deletion of platform data: follow the steps at beautifuldestinations.com/data-deletion or email privacy@beautifuldestinations.com with the account you want purged. We delete within 30 days and confirm in writing.

13. How long we keep data

  • Website analytics: up to 26 months.
  • Marketing contact data: until you unsubscribe or five years after last engagement, whichever is earlier.
  • COS account data: for the life of the account plus 12 months.
  • COS audit logs: up to 7 years, to meet tax and contract requirements.
  • Content and project files: for the life of the client contract plus the period agreed in that contract.
  • Social platform data obtained through OAuth: only while the connection is active, and then deleted within 30 days of disconnection, unless a longer period is required by law or the underlying client contract.
  • Tax and accounting records: 7 years after the relevant tax year.

13A. Children

Our Services are not directed at children. We do not knowingly collect personal data from children under 16 in the EEA and UK, or under 13 in the US. If you believe a child has given us personal data, email privacy@beautifuldestinations.com and we will delete it.

13B. Automated decision-making

We do not use solely automated decision-making that produces legal or similarly significant effects. Where AI features in the COS suggest creators, draft briefs, or flag content, a human reviews the output before it affects you. You can ask for human review of any decision by emailing privacy@beautifuldestinations.com.

13C. Security and breach notification

We apply technical and organisational measures appropriate to the risks of our processing, including encryption in transit and at rest, multi-factor authentication, role-based access, logging, and regular testing. If a personal data breach is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours of becoming aware and will notify affected individuals without undue delay where the risk is high.

14. Changes to this policy

We update this policy when our services, the law, or platform rules change. The "Last updated" date at the top shows the most recent version. Material changes will be notified by email to active account holders and posted on beautifuldestinations.com. Prior versions are available on request.

15. Contact

For any privacy question, request, or complaint, email privacy@beautifuldestinations.com or write to Beautiful Destinations Limited, 107 Cheapside, London EC2V 6DN, United Kingdom.