Your personal information is collected by Leehand Leisure Limited, trading as Stanley House Hotel & Spa. The protection and integrity of your personal data is very important to us.
1.1 Company Registration.
Our company registration details are:
Leehand Leisure Limited is a company incorporated in England and Wales.
Registration number 04507823,
Registered office: Stanley House, Off Preston New Road, Mellor, Lancashire, BB2 7NP
1.2 Information Commissioner Registration.
Leehand Leisure Limited is registered as a data controller with the Information Commissioner’s Office. The data controller registration details are:
Data Controller Name: Leehand Leisure Limited
Registration Number: Z8807951
Date Registered: 05 May 2011
Registered trading names:
Stanley House Hotel & Spa
1.3 Data Protection Office.
Post: Stanley House, Off Preston New Road, Mellor, Lancashire, BB2 7NP
Telephone: 01254 769200
We are a hotel like no other, providing luxury accommodation, restaurant and spa services.
This Policy has been adopted by Leehand Leisure Limited (“Stanley House”).
In this Policy, “we”, “us” or “our” refers to Stanley House, or any organisation belonging to Leehand Leisure Limited, as appropriate.
We are committed to safeguarding your personal data. This Policy describes how we collect, use, disclose and process your personal data, and applies to personal data we collect about you.
This Policy supplements but does not supersede or replace any other consents you may have provided to us, or any other agreements or arrangements that you may have with us, in respect of your personal data.
Data protection and privacy is ever changing and enhancing the rights of our customers. As such, we review our uses of personal data and may amend this Policy from time to time to reflect changes in applicable laws or the way we handle personal data. Any updated Policy will supersede earlier versions and will apply to personal data provided to us previously.
You are encouraged to re-visit our Policy from time to time so that you are aware of our culture of privacy and relevant updates we have made to our Policy.
4.1 What is personal data?
Under the EU’s General Data Protection Regulation (GDPR) personal data is defined as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
4.2 You can voluntarily provide personal data.
We collect personal data that you voluntarily provide to us. The personal data we collect will often depend on the purposes for which the personal data are collected and what you have chosen to provide.
You always have the choice not to provide us with personal data. If you have provided your consent for us to process your personal data, you also have the right to withdraw your consent by contacting our Data Protection Office. However, if you do so, it may not be possible for us to fulfil the specific purposes for which we were given consent, including processing your transactions or providing you with the products and services you requested.
4.3 You may choose to provide personal data belonging to others.
If you provide the personal data of anyone other than yourself (e.g. your family members, friends, colleagues), you are responsible for informing him/her of the specific purposes for which we are collecting his/her personal data and to ensure that he/she has provided valid consent, where appropriate, for your provision of his/her personal data to us.
4.4 Accuracy and completeness or personal data.
It is important that the personal data we hold about you is accurate and up to date. We would ask you to inform us if there are any inaccuracies with the personal data that we have recorded about you and we will act to update your personal data as required.
In some situations, you will have the ability to update your own information (e.g. when using a customer account on our website or using our third party provided WiFi service, provisioned by Purple WiFi). It is your responsibility to ensure that all personal data that you provide is accurate and complete, and to inform us of relevant changes to your personal data.
If you have registered to use our guest WiFi services, you can view, edit or delete your personal data by accessing the Purple WiFi My Data Portal.
4.5 Personal data belonging to children.
Our website and our services are not specifically intended for children and we do not knowingly collect data relating to children. If you are under the age of 16, please obtain consent from your parent or guardian before you submit any personal data to us. If you are a parent or guardian of a minor and you have reason to believe your child or ward has provided us with their personal data without your prior consent, please contact us to request for erasure of their personal data or for the minor to be unsubscribed from our mailing lists.
We may collect, use, store and transfer different kinds of personal data about you which we have categorised as follows:
5.1 Identity Data.
This includes, first name, maiden name, last name, marital status, title, date of birth and gender.
5.2 Contact Data.
This includes, email address and telephone numbers and address details.
5.3 Financial Data.
This includes, bank account information and payment details.
5.4 Technical Data.
This includes, internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
5.5 Usage Data.
This includes, information about how you use our website, products and services.
5.6 Marketing and Communications Data.
This includes, your preferences in receiving marketing from us and your communication preferences.
5.7 Special Categories of Personal Data.
This includes data relating to allergens, health related data, data referencing sexual orientation, that you may voluntarily share with us during the fulfilment of our services to you. Special category data may be disclosed to use when making special dietary requests, specific requests related to physical access of our property or when using our spa and leisure facilities. We will always ask for your explicit consent to record and share Special Category Data.
6.1 Personal data you voluntarily provide to us.
We collect personal data that is relevant to our relationship with you. Your personal data may be collected by us, directly or indirectly, for instance:
- when you make a reservation or stay at the hospitality properties that we own or manage;
- when you visit or make transactions at the retail and commercial establishments that we own or manage;
- when you apply to be a member of any of our customer loyalty programs, or respond to our promotions, or subscribe to our mailing lists;
- when you participate in competitions, contests or games organised by us;
- when you attend events or functions organised by us, or conducted at our establishments, for example, property launches and sales events, promotional and marketing events and other social events;
- when your images are captured by us via CCTV cameras while you are within the properties that we own or manage, or when photographs or videos of you are taken when you attend events or functions organised by us;
- when you use our services or enter into transactions with us (or express an interest in doing so) including services and transactions in respect of properties that we develop or manage;
- when you communicate with us by telephone, email, via our website or through other communication channels, for example, through social media platforms;
- when you visit our website, or register a user account with our website;
- when we seek information about you and receive your personal data in connection with your relationship with us, for example, if you are an investor or shareholder of organisations operated by Stanley House Hotel & Spa;
- when you submit an employment application to us or when you provide documents or information including your CV in connection with such applications; and/or
- when you submit your personal data to us for any other reason.
6.2 Personal data that has been provided by others.
Depending on your relationship with us, we may also collect your personal data from third party sources, for example:
- from our business partners such as airlines, helicopter operators, tour operators, travel agencies, reservation systems, guest WiFi providers (specifically Purple WiFi) and third parties providing advertising, marketing, promotional services to us and;
- from your referees, educational organisations or previous employers (if you have applied to us for a job);
- from your family members, friends or colleagues who provide your personal data to us on your behalf; and/or
- from public agencies or other public sources.
6.3 Personal data that can be collected automatically.
As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies.
6.4 External links on our website.
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
7.1 Legal basis.
We will always have a legal basis for processing personal data and we have methodically assessed our purposes and legal bases.
7.2 Our Contractual obligations to you.
Most commonly, our legal basis for processing your personal information will be in line with our contractual obligations to fulfil the services and products you request from us.
7.3 Processing purposes.
We collect, use, disclose and process your personal data for purposes connected or relevant to our business or to manage your relationship with us, such as:
- processing your transactions with us or to provide products and services to you;
- administrative purposes, including finance, IT and HR purposes, quality assurance and staff training;
- security and safety purposes, in connection with the properties that we own or manage, or events organised by us or conducted at our properties;
- compliance with laws and regulations, internal policies and procedures, including audit, accounting, risk management and record keeping;
- carrying out research and statistical analysis, including development of new products and services or evaluation and improvement of our existing products and services;
- facilitating business asset transactions;
- assisting you with your requests, enquiries and feedback;
- enforcing legal obligations owed to us, or responding to complaints, judicial proceedings or investigations concerning us;
- such purposes that may be informed to you when your personal data is collected; and/or
- any other reasonable purposes related to the aforesaid.
7.4 Specific marketing purposes.
If you have given your consent, we may use your personal data for the purposes of marketing our products and services and those of our strategic partners and business associates for marketing and communication purposes. e.g. informing you of our latest activities, special offers and promotions.
In order for us to market products and services which are of special interest and relevance to you, we may analyse and rely on your overall interaction with us (such as but not limited to your participation in promotions or events and your interactions with us).
7.5 Legitimate interests and other legal basis for processing.
In addition to collecting, using, disclosing and processing your personal data with your consent or in the fulfilment of our contractual obligations to you, we may also process your personal data to support our legitimate business interests, which we have tested to ensure that these interests are balanced, appropriate and do not override your interests or rights), for example:
- Our Guests: If you make a reservation or stay at the hospitality properties that we own or manage, we may (a) use and disclose your personal data to assist you in making arrangements that you request for, such as arranging for tours, airport transfers, restaurant reservations etc; (b) send you pre-stay communications, post-stay communications and satisfaction surveys; (c) invite you to join our customer loyalty programs or subscribe to our mailing lists; and (d) evaluate your preferences to improve and customise your experience for current and future reservations and stays at our hospitality properties.
- Loyalty programmes: If you are a member of any of our customer loyalty programs, we may send you (a) marketing and promotional information about the products and services; (b) information on events at our properties which may be of interest to you; and (c) newsletters associated with our customer loyalty programs.
- Job seeker/employee: If you are a job seeker, in addition to the specific position which you have applied for, we may disclose your personal data to departments within Stanley House Hotel & Spa for the purpose of offering additional employment opportunities.
- Investor/shareholder: If you are an investor or shareholder of organisations within Stanley House Hotel & Spa, we may use your personal data to (a) manage investor / shareholder relations; and (b) comply with regulatory requirements.
- Managing our business: We may disclose your personal data to third parties who provide services to us, including our service providers and data processors (providing services such as hosting and maintenance services, analysis services, e-mail messaging services, delivery services, handling of payment transactions, marketing, human resources, and professional services) and our consultants and professional advisors (such as accountants, compliance, lawyers, auditors).
7.6 Use permitted under applicable laws.
We may also collect, use, disclose and process your personal data, without your knowledge or consent, where this is required or permitted by law.
7.7 Using your personal data to contact you.
When we contact or send you information for the purposes described above, we may do so by post, e-mail, SMS, telephone or such other means provided by you. If you do not wish to receive any communication or information from us or wish to restrict the manner by which we may contact or send you information, you can let us know by contacting our Data Protection Office.
During the course of providing the services that you request from us, we may share your information with our processing partners, known as recipients and data processors.
When disclosing personal data to third parties, we will (where appropriate and permissible) enter into contracts with these third parties to protect your personal data in a manner that is consistent with all applicable laws and/or ensure that they only process your personal data in accordance with our instructions.
We commonly conduct due diligence with both recipients and data processors around the areas of their data security protocols and data protection policies.
8.1 Recipients of your personal data
We may disclose your personal data for the purposes described in this Policy or as required or permitted by law, for example, to:
- our third-party vendors and service providers, who are engaged to provide business, support, operational and/ or administrative functions such as IT support, auditing, legal, marketing, website maintenance, payment, fulfilment and delivery of orders.
- regulatory authorities, statutory bodies or public agencies, including to support their investigations.
- credit reference agencies, debt collection and tracing agencies, financial organisations.
In the provision of our services to you we use data processors that are outside of the European Economic Area (EEA). Specifically, we use data processors based in the USA.
The General Data Protection Regulation has strict rules about data transfers to international organisations and we use approved data transfer mechanisms, including the EU–US Privacy Shield and employ contracts with model clauses.
We take extra steps to ensure comprehensive due diligence of the data processing activities of our data processors.
If you would like any more information, please get in touch by contacting our Data Protection Office, details can be found at the start of this Privacy Notice.
10.1 Unauthorised access.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have been authorised to access your personal data. They will only access or process your personal data on our instructions and they are subject to a duty of confidentiality.
While precautions will be taken to ensure that the personal data you provide is protected against unauthorised or unintended access, we cannot be held responsible for unauthorised or unintended access that is beyond our control.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. However, we cannot guarantee that our systems or applications are invulnerable to security breaches, nor do we make any warranty, guarantee, or representation that your use of our systems or applications is safe and protected from viruses, worms, Trojan horses, and other vulnerabilities. We also cannot guarantee the security of data that you choose to send us electronically. Sending such data is entirely at your own risk.
11.1 Our retention schedules.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We consider our retention schedules to be appropriate and fair, and range between 2 to 7 years.
Details of retention periods for different aspects of your personal data are available and you can request more details of that by contacting our Data Protection Office.
By law we may have to keep certain information about our customers and this data will be held solely and securely for those legal purposes.
As a guest or employee, you may at any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to judicial review: in the event that we refuse your request under rights of access, we will provide you with a reason as to why. You have the right to complain and we have provided a specific section on this below.
All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.
At your request, we can confirm what information we hold about you and how it is processed. If we hold personal data about you, you can request the following information:
- Identity and the contact details of the person or organisation that has determined how and why to process your data.
- Contact details of the data protection officer, where applicable.
- The purpose of the processing as well as the legal basis for processing.
- If the processing is based on the legitimate interests of our business or a third party, information about those interests.
- The categories of personal data collected, stored and processed.
- Recipient(s) or categories of recipients that the data is/will be disclosed to.
- If we intend to transfer personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
- How long the data will be stored.
- Details of your rights to correct, erase, restrict or object to such processing.
- Information about your right to withdraw consent at any time.
- How to lodge a complaint with the supervisory authority.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
- The source of personal data if it wasn’t collected directly from you.
- Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
13.1 What forms of ID will I need to provide to access my data?
We accept the following forms of ID when details of your personal data are requested:
Passport, driving licence, birth certificate, utility bill from last 3 months.
14.1 Our Data Protection Office.
Data Protection Office
Off Preston New Road
Telephone: 01254 769200
14.2 UK’s Supervisory Authority.
The UK’s supervisory authority is the Information Commissioners Office.
Information Commissioners Office
Telephone: 0303 123 1113
If you have any queries about this Policy, please feel free to get in touch with our Data Protection Office and we will do our best to answer your questions.
Discover A Hotel Like No Other.