The boring protections that matter when something goes wrong.
Travel is a low-frequency, high-stakes purchase. The systems behind it should be unsurprising. Here's what holds yours up.
ABTA membership
We are members of ABTA, the UK's travel association, with full member number ABTA Y6411. ABTA membership means we operate to a published code of conduct, and it gives you a low-friction way to escalate a dispute if our internal process stalls — ABTA's arbitration scheme is independent and binding on us.
Membership also requires us to hold financial protections (set out below), to maintain agreed customer-service standards, and to participate in industry-wide responses to disruption — the kind of co-ordination that gets travellers home when an airline goes under.
Financial protection
Hotel-only bookings are paid through our Merchant of Record account, which is ring-fenced under FCA-regulated payment rules. Your money does not sit on our balance sheet — it is held in a designated client account until the supplier has been settled for your stay.
For packaged bookings (hotel + flight bundles) we hold ATOL protection through ATOL licence number 11842. If a supplier in a packaged booking fails between you booking and travelling, you are refunded under the ATOL scheme. If a supplier fails while you are already abroad, ATOL covers repatriation.
Stand-alone flight bookings sold through our flight inventory partners are protected under the airline's own scheme of arrangement and, where applicable, the EU Package Travel Directive.
Payment safety
Card payments are processed by Stripe, a PCI-DSS Level 1 certified payment provider. Your card details are never seen by our servers — they go directly from your browser to Stripe over an end-to-end encrypted channel, and we receive only a tokenised reference we can use to charge that card again on your authorisation.
We support Apple Pay, Google Pay, and PayPal as alternatives. All of these inherit their own fraud protection and chargeback rules; if you ever need to dispute a charge, those routes remain open.
3-D Secure (the bank-level second factor for card payments) runs on every card booking by default. We do not bypass it, even for repeat customers — the small extra friction is the part of the protection that actually works.
Data security
Customer data is stored in PostgreSQL on UK and EU infrastructure. All connections to our database, between application services, and between us and our payment, supplier, and email partners run over TLS 1.3. Backups are encrypted at rest with AES-256 and access to production data is restricted to a small number of named engineers under audit logging.
We rotate access keys regularly, run automated vulnerability scans on our codebase and infrastructure, and have a responsible-disclosure programme — if you find a security issue, contact security@billal.travel and we'll respond within one working day.
GDPR & your rights
Under UK GDPR you have the right to access the personal data we hold about you, correct it, port it to another provider, and request deletion. Most of these you can do yourself from inside Account → Privacy without contacting us. The full list of rights, and our retention windows for booking and payment data, is set out in our privacy policy.
We are registered with the UK Information Commissioner's Office under registration number ZB512447. Our Data Protection Officer is reachable at privacy@billal.travel.
Privacy in practice
Our analytics is Plausible — privacy-first, no cross-site tracking, no personal data sold or shared. Google Analytics runs in parallel for paid-attribution measurement only, and is configured to anonymise IP addresses and disable advertising features.
We do not show third-party advertising, do not sell or share your data with marketing data brokers, and have never been involved in a customer data breach.