Privacy policy
[Your Website/Company Name] ("we," "us," or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website [Your Website URL], use our services, or make a booking.
We are the Data Controller for the personal data processed under this policy.
1. Identity and Contact Details
- Data Controller: [Your Website/Company Name]
- Address: [Your Company Address]
- Email for Privacy Concerns: [Dedicated Privacy Email Address, e.g., privacy@yourcompany.com]
- Data Protection Officer (DPO), if applicable:
  - Name: [DPO Name, or "N/A" if not required/appointed]
  - Email: [DPO Email]
2. Information We Collect
We collect and process various types of personal data, which we group as follows:
2.1 Data You Provide Directly (Account & Booking)
| Category of Data | Specific Data Collected | Purpose of Processing | Lawful Basis (GDPR Art. 6) |
|---|---|---|---|
| Account Data | Full Name, Email Address, Password (hashed) | To create and manage your user account. | Contractual Necessity (to provide account services). |
| Booking Data | Full Name, Phone Number, Email Address, Booking Dates, Service Details | To process and confirm your booking/reservation. | Contractual Necessity (to fulfil the booking agreement). |
| Payment Data | Credit/Debit Card Details (handled by third-party payment processor) | To process payments for bookings. | Contractual Necessity (to complete the transaction). |
| Communication Data | Records of correspondence (email, chat, phone) | To respond to inquiries, provide customer support, and resolve issues. | Legitimate Interests (effective management of customer service). |
| Marketing Data | Preferences for receiving marketing communications | To send newsletters and promotional offers (if consented to). | Consent (where required, with the right to withdraw). |
2.2 Data Collected Automatically (Website Usage)
| Category of Data | Specific Data Collected | Purpose of Processing | Lawful Basis (GDPR Art. 6) |
|---|---|---|---|
| Technical Data | IP Address, browser type and version, time zone setting, operating system. | To ensure the security and functionality of our website. | Legitimate Interests (network and information security). |
| Usage Data | How you use our website (pages viewed, clickstreams, time on site). | For analytics, to improve our website design and services. | Legitimate Interests (to improve our service). Consent (for non-essential cookies/tracking). |
| Location Data | Approximate location derived from your IP address. | To provide region-specific content and services. | Legitimate Interests (improving user experience). |
3. How We Share Your Personal Data
We may share your personal data with the following categories of recipients for the purposes outlined in Section 2:
- Service Providers (Data Processors): Third-party companies that perform services on our behalf, such as:
  - Payment Processors (e.g., Stripe, PayPal) for securely handling payment transactions.
  - Booking Software Providers for managing reservation logistics.
  - Hosting and Cloud Service Providers (e.g., Amazon Web Services, Google Cloud) for website and data storage.
  - Analytics Providers (e.g., Google Analytics) for understanding website usage (often using aggregated/anonymized data).
- Business Transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets.
- Legal Compliance: When required by law, court order, or governmental regulation.
We ensure all third parties acting as our Data Processors comply with GDPR and are bound by contractual data processing agreements that uphold the same standard of data protection we adhere to.
4. International Data Transfers
Your personal data may be transferred to, and processed in, countries outside of the European Economic Area (EEA), such as the United States, if our service providers are located there.
We ensure these transfers are lawful by relying on one of the following safeguards:
- Adequacy Decision: Transfer to countries deemed to provide an adequate level of protection by the European Commission.
- Standard Contractual Clauses (SCCs): Implementing the mandatory contractual clauses approved by the European Commission, combined with additional security measures where necessary.
5. Data Retention
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
- Account and Booking Data: Retained for the duration of your active account and for a period thereafter as required to comply with legal obligations (e.g., tax records, warranty claims).
- Marketing Consent Data: Retained until you withdraw your consent (unsubscribe).
- Website Usage Data: Retained for a maximum of [e.g., 26 months] as per analytics settings, or as otherwise required by law.
Upon expiration of the retention period, your personal data will be securely deleted or anonymized.
6. Your Rights Under GDPR
Under GDPR, you have the following rights regarding your personal data:
| Your Right | Description | How to Exercise |
|---|---|---|
| The Right to be Informed | The right to be provided with clear, transparent, and easily understandable information about how we use your data (this Privacy Policy). | N/A (fulfilled by this policy) |
| The Right of Access | The right to obtain a copy of the personal data we hold about you. | Contact the Data Controller via the email address in Section 1. |
| The Right to Rectification | The right to have your personal data corrected if it is inaccurate or incomplete. | Update your account profile or contact the Data Controller. |
| The Right to Erasure ("Right to be Forgotten") | The right to request the deletion or removal of your personal data where there is no compelling reason for its continued processing. | Contact the Data Controller. |
| The Right to Restrict Processing | The right to 'block' or suppress the processing of your personal data. | Contact the Data Controller. |
| The Right to Data Portability | The right to obtain and reuse your personal data for your own purposes across different services in a structured, commonly used, and machine-readable format. | Contact the Data Controller. |
| The Right to Object | The right to object to processing based on legitimate interests, public interest, or direct marketing. | Use the unsubscribe link in marketing emails or contact the Data Controller. |
| Rights in relation to automated decision-making and profiling | The right not to be subject to a decision based solely on automated processing (including profiling) which produces legal or similarly significant effects on you. | Contact the Data Controller. |
| Right to Withdraw Consent | The right to withdraw consent at any time where we rely on consent to process your data. | Use the unsubscribe link or contact the Data Controller. |
We will respond to all legitimate requests within one month.
7. Lodging a Complaint
If you have any concerns about our privacy practices, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or where the alleged infringement took place.
- For the UK: The Information Commissioner's Office (ICO).
- For other EU/EEA countries: Contact your local Data Protection Authority.
8. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will notify you of any significant changes by posting the new policy on this page and updating the "Last Updated" date.
Last Updated: December 2025