PRIVACY POLICY

ABOUT THIS NOTICE

Balfour Hospitality (owned by Balfour Winery LLP) is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you in accordance with data protection law.

ABOUT BALFOUR HOSPITALITY

Balfour Hospitality is a group of ten pubs and venues located across the South East, London, and the Cotswolds. We are owned by Balfour Winery LLP, whose registered office is 73 Cornhill, London, EC3V 3QQ, with registered company number OC382028.

1. INFORMATION ABOUT US

1.1 We are Balfour Winery LLP, operating under Balfour Hospitality. Our registered office is 73 Cornhill, London, EC3V 3QQ, and our registered company number is OC382028.

1.2 If you have any questions, our contact details are:

2. CONTRACT INFORMATION AND OTHER CORRESPONDENCE

2.1 When you enter a contract with us (or someone does so on your behalf), there will be personal information about you relating to that contract, such as your name, contact details, contract details, delivery details, and correspondence with us about the contract.

2.2 We need certain information to carry out our contract with you, and you must provide this to enter a contract with us (or as required under that contract). If you do not, we may not be able to carry out our contract with you. Mandatory information fields are generally set out when you are entering into the contract, but you must provide the following information:

2.3 Other correspondence or interaction (for example, by email, telephone, post, SMS, or via our website) between you and us will include personal information (such as names and contact details) in that correspondence. This may include enquiries, reviews, follow-up comments or complaints lodged by or against you, and disputes with you or your organisation.

2.4 We will keep and use that information to carry out our contract with you (if applicable), comply with any legal requirements, and/or for our legitimate interests in dealing with a complaint or enquiry and administering your (or your organisation’s) account or order, as well as to review and improve our offerings, including troubleshooting, data analysis, testing, research, statistical and survey purposes.

2.5 Where your information relates to a contract, it is kept for up to six years after the date of the contract or the date your account is closed to enable us to deal with any after-sales enquiries or claims and as required for tax purposes.

2.6 Payment information is collected by our payment card processing provider and is retained for up to six years after the date of the order.

2.7 Any other information is kept for seven years.

3. MARKETING

3.1 We may collect your name and contact details (such as your email address, phone number, or address) to send you information about our products and services that you might be interested in. We may collect this directly from you or through a third party. If a third party collected your name and contact details, they will only pass those details to us for marketing purposes if you have consented to them doing so.

3.2 You always have the right to “opt out” of receiving our marketing. You can exercise the right at any time by contacting us. If we send you any marketing emails, we will always provide an unsubscribe option to allow you to opt out of any further marketing emails. If you “opt out” of our marketing materials, you will be added to our suppression list to ensure we do not accidentally send you further marketing. We may still need to contact you for administrative or operational purposes, but we will ensure that those communications don’t include direct marketing.

3.3 If you are an existing customer or acting as a business, we use your contact details as necessary for our legitimate interests in marketing to you and maintaining a list of potential customers.

3.4 If you are not an existing customer and are not acting as a business, we will only contact you for marketing purposes with your consent (whether we have collected your details directly from you or through a third party).

3.5 We use tracking tools and cookies, including Meta Pixel, to create lookalike audiences for targeted marketing. Additionally, we use tools like Google Ad Manager to serve targeted advertisements based on your browsing activity.

3.6 We never share your name or contact details with third parties for marketing purposes.

3.7 We retain your details on our marketing list until you “opt out,” at which point we add you to our suppression list. We keep that suppression list indefinitely to comply with our legal obligations to ensure we don’t accidentally send you any more marketing.

4. WEBSITE INFORMATION

4.1 We may collect information about you and your use of our website via technical means such as cookies, webpage counters, and other analytics tools. This may include your IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website. We use this as necessary for our legitimate interests in administering our website and to ensure it operates effectively and securely, and to develop our business and inform our marketing strategy. We may also create aggregate statistical data from that information (for instance, overall numbers of website visitors), which is not personal information about you.

4.2 For detailed information on the cookies we use and the purposes for which we use them, see our Cookie Notice.

4.3 We use cookies like Google Ad Manager and Meta Pixel to track browsing habits and deliver targeted advertisements.

4.4 Our website may, from time to time, contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

5. GDPR AND DATA RETENTION POLICY FOR ORDERS

5.1 When you place an order through our website, we collect personal data such as your name, contact details, delivery address, and payment information to process and fulfil your order. This information is stored securely in compliance with GDPR regulations.

5.2 We retain your order information for up to six years after the order date to manage any post-sales queries or issues, comply with legal requirements, and for our legitimate business interests in improving our service.

5.3 Your data is processed for the purpose of fulfilling your order and any subsequent communications related to it. We ensure that all personal information is treated with the utmost confidentiality and is not shared with third parties except as necessary to complete your order or as required by law.

5.4 You have the right to access, amend, or request deletion of your personal data at any time. To exercise your rights, please contact us using the details provided above.

6. EMPLOYEE INFORMATION

6.1 If you work for one of our customers, suppliers, or business partners, the information we collect about you may include your contact information, details of your employment, and our relationship with you. This information may be collected directly from you or provided by your organisation. Your organisation should have informed you that your information would be provided to us and directed you to this policy. We use this as necessary for our legitimate interests in managing our relationship with your organisation. If we have a business relationship with you or your organisation, we may receive information about you from your organisation.

6.2 We keep this information for up to seven years after the end of our relationship with your organisation.

7. INFORMATION COLLECTED AT OUR PREMISES

7.1 Visitor Information: We collect information about visitors to our premises. We may record information on your visit, including the date and time, who you are visiting, your name, employer, contact details, and vehicle registration number. If you have an accident at our premises, this may include an account of your accident.

7.2 CCTV: We may operate CCTV at our premises, which may record you and your activities. We display notices to make it clear what areas are subject to surveillance. We only release footage following a warrant or formal request from law enforcement, or as necessary in relation to disputes.

7.3 We use this information as necessary for our legitimate interests in administering your visit, ensuring site security and visitor safety, and administering parking.

7.4 Visitor information is kept for a period of up to six years. If you have an accident on our premises, our accident records are retained for up to ten years.

7.5 CCTV recordings may be kept for up to 30 days (unless an incident occurs and it is necessary for us to keep recordings for longer to properly deal with it).

8. JOB APPLICANTS

8.1 We will collect and hold information on job applicants, including information you provide to us in your application, or provided to us by recruitment agencies, as well as information about you from any referees you provide.

8.2 We use this as necessary to enter an employment contract with you, for our legitimate interests in evaluating candidates and recording our recruitment activities, and as necessary to exercise and perform our employment law obligations and rights.

8.3 If you are successful in your application, your information will be used and kept in accordance with our internal privacy notice. If you currently work for us or used to work for us, you can request a copy of this from us. If you are not successful in your application, your information will be held for up to six months after the relevant round of recruitment has finished.

8.4 You must provide certain information (such as your name, contact details, and professional and educational history) for us to consider your application fully. If you have not provided all this information, we may contact you to ask for it. If you do not wish to provide this information, we may not be able to properly consider your application.

8.5 If you are listed as a referee by an applicant, we will hold your name, contact details, professional information about you (such as your employer and job title), and details of your relationship with the applicant. We will use this information as necessary for our legitimate interests in evaluating candidates and as necessary to exercise and perform our employment law obligations and rights. Your information will be kept alongside the applicant’s information.

8.6 If you are listed as an emergency contact by someone who works for us, we will hold your name, contact details, and details of your relationship with that worker. We will use this to contact you as necessary to carry out our obligations under employment law, to protect the vital interests of that worker, and for our legitimate interests in administering our relationship with that worker. Your information will be kept until it is updated by that worker, or we no longer need to contact that worker after they have stopped working for us.

9. LEGAL CLAIMS

9.1 Where we consider there to be a risk that we may need to defend or bring legal claims, we may retain your personal information as necessary for our legitimate interests in ensuring that we can properly bring or defend legal claims. We may also need to share this information with our insurers or legal advisers. How long we keep this information for will depend on the nature of the claim and how long we consider there to be a risk that we will need to defend or bring a claim.

10. INFORMATION WE RECEIVE FROM THIRD PARTIES

10.1 We may also receive information about you from the following sources:

10.1.1 Our service providers: We work closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, and credit reference agencies) who may provide us with information about you, to be used as set out above.

10.1.2 Publicly available sources: We obtain information from the following publicly available sources: Companies House or LinkedIn.

10.1.3 Our other channels: This is information we receive about you if you use any of the other websites we operate or the other services or products we provide. In this case, we will have informed you when we collected that data if we intend to share that data internally and combine it with data collected on this website.

10.1.4 Credit information: We may also collect credit information on you from third-party reference agencies.

11. SPECIAL CATEGORIES OF DATA

We do not collect any “special categories” of more sensitive personal information about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data, as well as information about criminal convictions and offences).

12. WHY ELSE DO WE USE YOUR INFORMATION

12.1 Common uses of your information: We will only use your personal information when the law allows us to do so. Although in limited circumstances we may use your information because you have specifically consented to it, we generally use your information in the ways set out in this notice because:

12.2 Change of purpose: We will only use your personal information for the purposes for which we collected it as set out in this notice unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

13. SHARING YOUR INFORMATION

As well as any sharing listed above, we may also share your information with third parties, including third-party service providers and other entities in our group. Third parties are required to respect the security of your personal information and to treat it in accordance with the law. We never sell your data to third parties.

13.1 Why might we share your personal information with third parties? We may share your personal information with third parties if we are under a duty to disclose or share your personal information to comply with any legal obligation, or to enforce or apply our agreements with you, or to protect the rights, property, or safety of us, our customers, or others, or where we have another legitimate interest in doing so. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

13.2 Which third-party service providers process your personal information?

13.3 We also may need to share your personal information with third-party service providers (including contractors and designated agents) so that they can carry out their services.

13.4 The following activities are carried out by third-party service providers: legal advice, delivery, and IT services.

13.5 When might we share your personal information with other entities in the group?

13.6 We may share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, and for system maintenance support and hosting of data.

13.7 How secure is your information with third-party service providers and other entities in our group? All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information. Where third parties process your personal information on our behalf as “data processors,” they must do so only on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

13.8 What about other third parties? We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business where necessary in connection with the purposes for which your information was collected. We may also need to share your personal information with a regulator or to otherwise comply with the law.

14. WHERE WE STORE YOUR INFORMATION

14.1 Our office headquarters are based in Staplehurst, Kent, and our main data centre is in the UK. However, where required to perform our contract with you or for our wider business purposes, the information that we hold about you may be transferred to and stored at a destination outside the UK and the EU. It may also be processed by staff operating outside the UK and EU who work for us or for one of our service providers.

14.2 We will take all steps reasonably necessary to ensure that your personal information is treated securely and in accordance with this privacy notice. Some countries or organisations outside of the UK and the EU to which we may transfer your information will have an “adequacy decision” in place, meaning the EU considers them to have an adequate data protection regime in place. These are set out on the European Commission website: EU Adequacy Decisions.

14.3 If we transfer data to countries or organisations outside of the UK and the EU which the EU does not consider to have an adequate data protection regime in place, we will ensure that appropriate safeguards (for example, model clauses approved by the EU or a data protection authority) are put in place where required. To obtain more details of these safeguards, please contact us.

15. DATA SECURITY

15.1 As well as the measures set out above in relation to sharing your information, we have put in place appropriate internal security measures to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

15.2 We have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where necessary.

16. HOW LONG WILL WE KEEP YOUR INFORMATION FOR?

16.1 We have set out above indications of how long we generally keep your information. In some circumstances, it may be necessary to keep your information for longer than that to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

16.2 To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information, and whether we can achieve those purposes through other means, and the applicable legal requirements.

16.3 In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

17. YOUR RIGHTS

17.1 Data protection law gives you several rights when it comes to personal information we hold about you. The key rights are set out below. More information about your rights can be obtained from the Information Commissioner’s Office (ICO). Under certain circumstances, by law, you have the right to:

If you want to review, verify, correct, or request erasure of your personal information, object to the processing of your personal information, withdraw your consent to the processing of your personal information, or request that we transfer a copy of your personal information to another party, please contact us.

No fee usually required. You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you. We may need to request specific information from you to help us understand the nature of your request, confirm your identity, and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Timescale. Please consider your request responsibly before submitting it. We will respond to your request as soon as we can. Generally, this will be within one month from when we receive your request, but if the request is going to take longer to deal with, we will let you know.

18. CHANGES TO THIS PRIVACY NOTICE

Any changes we make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by email or otherwise. Please check back frequently to see any updates or changes to our privacy notice.

USE OF COOKIES ON OUR WEBSITE

A cookie is a small file, typically of letters and numbers, downloaded onto a device such as a computer when a user accesses certain websites. Cookies allow a website to recognise a user’s device.

Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer.

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit All About Cookies.

If you have any queries regarding this privacy policy or how your data is processed, please contact us. Our updated privacy policy can always be found on our website for easy reference. Please let us know if any further information is required.