Privacy policy
How we collect, use, share and protect your personal data — written for humans, with full GDPR / UK GDPR detail in each section.
Your privacy matters. This policy explains what data we collect, why, how we use it, who we share it with, how long we keep it, and what rights you have. It's written for humans first; the formal legal references are in each section.
1. Who we are
We are the data controller for personal data collected through this Platform. We are [Company Name], registered in [Jurisdiction] with company number [Number] and registered office at [Address]. Our data protection contact is our support team.
2. What data we collect
Information you give us
- Booking details: your name, email, phone (and any optional fields the Operator asks for)
- Payment information: handled and stored by Stripe; we receive only the last 4 digits of your card and a token, never the full number or CVV
- Custom field responses: dietary requirements, accessibility needs, group composition (where the Operator requests them)
- Reviews and ratings: the content you submit after an experience
- Communications: emails and contact-form submissions to our support team
Information we collect automatically
- Browse signal: pages visited, search terms, items added to wishlist or comparison
- Device information: browser type, operating system, IP address (used for fraud prevention and to set the right currency)
- Cookies: see our cookie policy for the full list
Information from third parties
- Stripe: payment confirmation, refund status, fraud signals
- Email service provider: delivery and bounce status
3. Why we use it (lawful basis)
We use your data only for clear, specific purposes. The lawful basis under UK GDPR / GDPR is shown next to each:
- To process bookings and payments — Contract performance (Art. 6(1)(b))
- To send transactional emails (confirmations, reminders, modifications) — Contract performance
- To provide customer support and resolve disputes — Contract performance / Legitimate interests (Art. 6(1)(f))
- To detect and prevent fraud — Legitimate interests / Legal obligation (Art. 6(1)(c))
- To comply with tax, accounting and consumer protection law — Legal obligation
- To improve the Platform via aggregated, anonymised analytics — Legitimate interests
- To send marketing emails (newsletter, recommendations) — Consent (Art. 6(1)(a)) — only if you opted in; revocable any time
- To set non-essential cookies (analytics, recommendations) — Consent — only after you accept via the cookie banner
4. Who we share it with
We share your data only with parties who need it to deliver the service or comply with the law:
- Operators: the Operator running the experience you book receives your name, email, phone and any custom-field responses they need to deliver the experience. They use this only to fulfil the booking and may not market to you separately.
- Stripe: for payment processing. Stripe is the data controller for payment data; their privacy policy applies.
- Email service provider (Resend): for transactional and (with consent) marketing emails. Acts as our data processor under a Data Processing Agreement.
- Hosting infrastructure (Vercel, Supabase): our application and database run on these platforms. They act as our data processors.
- Analytics providers (Vercel Analytics, optionally Plausible): aggregated, privacy-respecting analytics. Plausible doesn't use cookies and doesn't collect personal data; Vercel Analytics uses anonymised hashing.
- Law enforcement or regulators: only when legally compelled by valid court order or statutory request.
We never sell your data to advertisers or data brokers. Full stop.
5. International transfers
Some of our processors are based outside the UK / EEA (e.g., Stripe in the US, Vercel in the US). Where data is transferred internationally, we rely on:
- UK / EU adequacy decisions where applicable
- Standard Contractual Clauses for transfers to non-adequate countries
- Vendor self-certification under the UK Extension to the EU-US Data Privacy Framework, where applicable
6. How long we keep it
Different data has different retention periods:
- Booking records (name, email, phone, event, total): 7 years after the event, for tax and accounting compliance
- Payment data (last 4, transaction ID): 7 years, same reason
- Custom field responses (dietary, accessibility): 30 days after the event by default; longer if you've opted into our newsletter
- Reviews: indefinitely while published; deleted on request after 90 days (we anonymise rather than delete to preserve aggregate ratings for the operator)
- Cookies: see our cookie policy for individual TTLs
- Marketing list: until you unsubscribe; we re-confirm consent every 2 years
- Contact form submissions: 2 years
- Wishlist, comparison, recently-viewed: deleted when the cookie expires (90 days)
After retention periods expire, data is either deleted or anonymised so it can no longer be linked to you.
7. Your rights
Under UK GDPR / GDPR you have the right to:
- Access: request a copy of the personal data we hold about you
- Rectification: correct inaccurate or incomplete data
- Erasure: ask us to delete your data (subject to legal retention obligations)
- Restriction: ask us to pause processing while a question is resolved
- Portability: receive your data in a machine-readable format
- Object: object to processing based on legitimate interests, including marketing
- Withdraw consent: for any processing based on consent (with effect from the moment of withdrawal)
- Complaint: lodge a complaint with the UK ICO (ico.org.uk) or your local data protection authority
To exercise any of these, contact us. We respond within 30 days, free of charge for the first request.
8. Security
We protect your data with industry-standard measures:
- TLS 1.3 encryption in transit
- Encryption at rest for sensitive data
- Access controls and audit logs for all admin actions
- Two-factor authentication for staff accounts
- Regular security reviews and dependency patching
- Stripe handles all card data under PCI-DSS Level 1
No system is 100% secure; if we ever suffer a data breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours and notify affected customers without undue delay.
9. Children's privacy
The Platform is not intended for use by children under 16. We don't knowingly collect personal data from children. If a parent or guardian believes a child has provided us with personal data, please contact us to have it removed.
10. Cookies
See our cookie policy for the full list of cookies we use, why, and how to control them.
11. Changes to this policy
We may update this policy occasionally. Material changes will be communicated by email to recent customers; the latest version is always at this URL with a last-updated date.
12. Contact
Contact us with any privacy-related question. We aim to respond within 5 business days; statutory data subject requests are handled within 30 days.
Last updated: February 2026.