Policy Last Updated: October 2025
This policy outlines how Warmth & Wonder at Garn Farm (“we,” “us,” or “the Owner”) collects, uses, protects, and handles your Personal Data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller Details
| Detail | Information |
|---|---|
| Data Controller Name | Warmth & Wonder at Garn Farm (The Owner) |
| Address | Garn Farm, Clodock, Longtown, Herefordshire, HR2 0PE |
| Contact Email |
2. Personal Data We Collect
We collect and process the following categories of personal data, primarily when you make a booking, use a contact form, or subscribe to our mailing list:
| Data Category | Purpose of Collection |
|---|---|
| Identity Data | Name, address, telephone number. |
| Contact Data | Email address, postal address, telephone number. |
| Financial Data | Credit card details (processed by our third-party payment processors, including Stripe) or bank details (for refunds/payments). |
| Transaction Data | Details about payments, dates of stay, and services purchased (e.g., sauna sessions). |
| Technical Data | IP address, browser type, site usage data (via Google Analytics). |
| Preference Data | Your consent/preference for receiving marketing emails. |
3. How We Use Your Data and Our Legal Basis
UK GDPR requires us to have a valid Legal Basis for every purpose we process your data. Below outlines our processing activities:
| Purpose of Processing | Legal Basis |
|---|---|
| A. To Process and Manage Your Booking (Before, during, and immediately after your stay/session) | Contract: Necessary for the performance of the holiday let or sauna booking contract with you. |
| B. To Process Payments and Refunds | Contract and Legal Obligation: Necessary to fulfil payment terms and meet tax/accounting requirements. |
| C. To Manage Safety and Damages (e.g., contacting you regarding damage claims or an emergency during your stay) | Legitimate Interest: To protect our property and the safety of our guests and employees. |
| D. To Send Marketing Emails (e-newsletters, offers) via MailChimp | Consent: You explicitly opt-in to receive these communications. |
| E. To Analyze Website Performance (via anonymous Google Analytics data) | Legitimate Interest: To understand how our website is used and improve our service offering. |
| F. To Retain Financial Records (for 6 years) | Legal Obligation: Required by UK tax and accounting laws. |
| G. To Respond to Your Direct Enquiries (via website contact forms) | Legitimate Interest: Responding to user-initiated communications and operating our business efficiently. |
4. Data Sharing and Third Parties
We will not sell, share, or transfer your details with anyone else for marketing purposes. We only share your data with the following essential service providers:
- Holiday Live Booking: We transfer Identity, Contact, and Transaction Data to this system to facilitate your holiday let booking and core communication. Data handling is governed by their terms (www.holidaylivebooking.co.uk).
- TidyCal.com: We use TidyCal.com to facilitate and manage standalone sauna session bookings. Identity, Contact, and Transaction Data related to these bookings are processed via TidyCal.com. Data handling is governed by their terms (https://tidycal.com/privacy-policy).
- Stripe (Payment Processor): We use Stripe to securely process all credit and debit card payments for both holiday lets and sauna sessions. Your Financial Data is transferred directly to Stripe for payment authorisation and processing. Stripe acts as a third-party processor and their privacy policy governs their use of your data (https://www.google.com/search?q=www.stripe.com/privacy).
- Contact forms: If you use our website contact forms, the data you submit (Name, Email, Message) is processed and stored temporarily on our website database. We delete this data from the website database regularly.
- MailChimp: If you explicitly subscribe to our email mailing list, your Contact Data (email and name) is transferred to MailChimp for the sole purpose of sending you marketing communications. MailChimp is governed by its own terms (www.mailchimp.com/legal/).
International Transfers: Since MailChimp, Stripe, and TidyCal.com are US-based providers, your data may be transferred outside the UK/EEA. We ensure this transfer is lawful by relying on appropriate safeguards, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the Standard Contractual Clauses (SCCs).
5. Data Security and Retention
Data Security: We are committed to ensuring your data is secure. We implement appropriate technical and organisational measures, including access controls and encryption where feasible, to protect your data from loss, misuse, or unauthorised access.
Data Retention: We will only keep your details for as long as necessary:
- Guests and Customers (Booking Data): We retain booking information for 6 years after your last stay to comply with UK financial and tax legislation.
- Contact Form Enquiries: Contact form enquiry data is retained for a maximum of 12 months from the date the enquiry is resolved, to allow for follow-up and administrative purposes.
- Mailing List Subscribers: Your data is kept until you unsubscribe. Once you unsubscribe, we remove your contact details from MailChimp as soon as possible.
6. Your Rights Under UK GDPR
As a Data Subject, you have the following rights regarding your personal data. To exercise any of these rights, please contact us using the details in Section 1.
| Right | Description |
|---|---|
| Right to be Informed | The right to know how we use your data (as set out in this policy). |
| Right of Access | The right to request a copy of the personal data we hold about you (Subject Access Request). |
| Right to Rectification | The right to have any inaccurate or incomplete data corrected. |
| Right to Erasure | The right to request that we delete your personal data (The “Right to be Forgotten”). |
| Right to Restrict Processing | The right to block or suppress the processing of your personal data. |
| Right to Data Portability | The right to obtain and reuse your personal data for your own purposes across different services. |
| Right to Object | The right to object to us processing your data based on ‘Legitimate Interests’ or for direct marketing. |
| Right to Withdraw Consent | Where we rely on Consent (Section 3D), you can withdraw it at any time by unsubscribing or contacting us. |
7. Complaints and Supervisory Authority
If you have a concern about our use of your personal data, you can contact us directly.
You also have the right to lodge a complaint with the supervisory authority for data protection in the UK, which is the Information Commissioner’s Office (ICO).
8. Cookies Policy (PECR Compliance)
We use cookies to collect anonymous data via Google Analytics to see how popular our site is and what people are interested in looking at (Technical Data). These are non-essential Analytical/Performance Cookies.
By continuing to use our website, you agree to the use of these cookies. We comply with PECR by providing you with clear information about the cookies and giving you the option to refuse them (usually via your browser settings or a cookie banner).
9. Changes to this Policy
We may update this policy from time to time. The date of the latest revision will always appear at the top of the policy.