Privacy Policy

Last update: 2nd March 2024

SH Retail Investments Ltd (“We” or “Us”) understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who visits our Site: https://thenookcheltenham.co.uk, https://members.thenookcheltenham.co.uk, https://nookcheltenhamevents.rendr.co.uk/pay ,https://thenookonfive.rendr.co.uk/pay , and shall only collect and use personal data in the ways that are described here, consistent with our obligations and your rights under the law.

 

Our key information and contact information

 

Organisation name	SH Retail Investments Ltd
Company number	12760398
ICO reg. number	C1391484
Postal Address	Third Floor, The Library Building, Sun Street, Tewkesbury, GL20 5NX
Email address	enquires@sh-retail.co.uk

 

It is important for you to know that we are governed by the UK’s Information Commissioner's Office (ICO). The ICO’s website provides in-depth information about personal data protection legislation applicable throughout the United Kingdom, including General Data Protection Regulation (UK-GDPR), including guidance to organisations on how to information privacy laws operate as well as information about the legal rights available to individuals.

Please read this Privacy Notice carefully and ensure that you understand it. You must fully accept this Privacy Notice for accessing and using the Site.  If you do not accept any part of this Privacy Notice, please leave the site immediately.

1.           YOUR LEGAL RIGHTS 

Under the Legislation, you have the rights which we will always aim to uphold as follows:

 

Right to access your personal data

You have the right to see the personal data that we hold about you in many circumstances, by making a request. This is sometimes termed ‘Subject Access Request’. If we agree that we must provide personal data to you (or someone else on your behalf), we aim to do so within one month from when your identity has been checked. We will not charge a fee for considering and/or complying with the request unless it is considered to be excessive in nature.

 

We would ask for proof of identity and enough information about your interactions with us so that we can locate your personal data.

 

Right to correct your personal data

If any of the personal data we hold about you is inaccurate or out of date, you may ask us to correct it.

If you would like to exercise your right, please contact us as set out below.

 

Right to stop or limit our processing of your personal data

You have the right to object to us processing your personal data for particular reasons, to have your information deleted if we are keeping it too long or have its processing restricted in some circumstances.

If you would like to exercise this right, please contact us as set out below.

 

Right to erasure of your personal data

You have the right to have personal data deleted. This is also known as the ‘right to be forgotten’. The right only applies in certain circumstances.

If you would like to exercise this right, please contact us as set out below.

 

Right to portability

The right to portability gives you the right to receive personal data you have provided to us in a structured, commonly used and machine-readable format.

If you would like to exercise this right, please contact us as set out below.

 

Right to withdraw consent

Where your consent is the legal basis for us to process your personal data, you can withdraw your consent at any time.

 

Right to complain to the supervisory authority

You can make a complaint at any time about how we hold or process your personal data.

Some or all of these rights are subject to different conditions, including limitations and exceptions.  You can find more information about these rights from ICO.

It is important that your personal data is kept accurate and up-to-date. If you are aware that any of the personal data we hold about you is inaccurate, incomplete or not up-to-date, please inform us immediately.

You may exercise your personal data related rights or raise related concerns to us by sending written notice to our contact information supplied in this Privacy Notice.  We may require you to provide specific information to confirm your identity or otherwise necessary to protect your interests as the individual whom the personal data is concerned.

In general, you will not be charged for any fee for exercising your rights above. We may charge you a reasonable fee to cover administrative costs if or when you require more than one copy of the requested information.

We welcome the opportunity to help with any concerns, and you are encouraged to prior contact us for your concerns.

 

2.           YOUR PERSONAL DATA

We may process data to enable Us to contact you (“Contact Data”).

Contact Data	Collection method / Data source
Name, telephone number, email address, postal address, social media account identifiers.	Newsletter Sign Up Form, Brevo Chat Widget, Email Enquiry Form OpenTable

 

We may process data of your account registered with the Site (“Account Data”).

Account Data	Collection method / Data source
Account identifier / creation and modification date, name, telephone number, email address, postal address, marketing preference, etc.	Email Opentable Xero Rendr

 

We may process data related to your access to and / or use of the Site and / or any our services supplied through the Site (“Usage Data”).

Usage Data	Collection method / Data source
setting, time and length of visit, navigation footprint, IP location, booking data	Google Analytics Meta Pixel OpenTable

 

We may process data related to your monetary transactions, such as purchase of goods or services via the Site (“Transactional Data”).

Transactional Data	Collection method / Data source
Name and billing address, payment card details	Rendr Stripe OpenTable Members.thenookcheltenham.co.uk

 

3.           PURPOSES AND LAWFUL BASES

Under the personal data protection legislation, we are required to always have a lawful basis for processing personal data. We process your personal data with their purposes and legal bases as follows:

Purpose	Lawful basis	Concerned personal data
The Site’s operation	Contract, Vital Interests, Public Interest, Consent	Contact Data Usage Data
Communication	Consent, Vital Interests, Public Interest	Contact Data, Account Data
Marketing	Consent	Contact Data
Security	Contract, Vital Interests, Consent	Contact Data, Usage Data, Account Data, Transactional Data
Legal compliance	Contract, Vital Interests, Public Interest	Contact Data, Account Data, Usage Data, Transaction Data
Legal proceedings	Contract,	Account Data, Contact Data, Usage Data, Transaction Data
Auction	Contract, Legitimate Interest	Account Data, Contact Data, Transaction Data

We may process your personal data for purposes in addition to, but compatible with, the purposes specified. If we process your personal data in this way and you would like us to explain the compatibilities of the purposes, you can contact us with our contact information supplied in this Privacy Notice.

We shall seek your prior consent of any use of your personal data for a purpose that is not covered, unless it is permitted by law and within the boundaries of the personal data protection legislation and your legal rights.

 

4.           STORAGE AND TRANSFER

We may store some of your personal data within European Economic Area (EEA) consisting of all EU member states, plus Norway, Iceland, and Liechtenstein.  This means that your personal data will be fully protected under the EU GDPR and / or to equivalent standards by law. Transfers of personal data between EEA and the UK are permitted without requiring additional safeguards.  We shall only transfer your personal data out of the UK and EEA where it has adequate levels of personal data protection.  For more information, please refer to ICO.

We shall only engage third party services providers to process your personal data with appropriate legal instruments which ensure the same levels of personal data protection that apply under the personal data protection legislation, including the international data transfer agreement.

The security of your personal data is essential to us, and we have various measures in place to protect your personal data, for instance,

 

1. limiting access to your personal data to those employees, agents, contractors, and other third parties on legitimate “need to know” basis; and

 

1. having the vigorous procedures in place to deal with data breaches (i.e., accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data), including giving notification to you and/or ICO where we are legally required to do so.

 

You acknowledge that any personal data you submitted and may submit to the site or us may be available in the public domain around the world, and we have no control over or access to any processing of such your personal data.

 

 

 

 

5.           RETENTION

We shall not keep your personal data for any longer than is necessary for the purposes specified in section 3, in particular,

Data type	Retention period
Contact Data	For a maximum period of 12 month from date consent is withdrawn.
Account Data	For a maximum period of 12 months from end of contract (Events or booking)
Usage Data	For a maximum period of 12 months from last recorded activity.
Transactional Data	For a maximum period of 7 years from transaction date.

 

We may retain your personal data for periods longer than any period specified except for any legal requirement or obligation that we are subject to.

6.           DISCLOSURE

Other than for the purposes specified in section 3, we shall not share any of your personal data with any third parties for any purposes, subject to the exceptions as follows:

 

1. We sell, transfer, or merge parts of our business or assets, your personal data may be transferred to a third party who may continue to process your personal data in the same way(s) that we process it;

 

1. We are in the course of establishing or defending legal claims where disclosure of your personal data is necessary; and / or

 

1. We are legally compelled to disclose certain personal data.

 

7.           THIRD-PARTY LINKS

The site may include links to third-party websites, plug-ins and / or applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy measures.

 

All third-party contents on the site may use third-party cookies described below.  Please note that we do not control the activities of such third parties, nor the data that they collect and process.

 

We do not accept any responsibility for any of your visits to any third-party websites or any activities with third parties, and you are advised to refer to their privacy policies in advance of your actions.

 

7.           COOKIES       

From the time you access the site, we place and store certain first-party cookies on your browser and / or hardware. First-party cookies are those placed directly by us and are used only by us. We use cookies to facilitate and improve your experience with the site and to provide and improve our services to you.  We have carefully chosen these cookies and have taken steps to ensure that your personal data are protected and respected at all times.

 

By accessing or using the site, certain third-party cookies may also be placed and stored on your browser and / or hardware. Third-party cookies are those placed by operators / providers of websites, services or otherwise other than us.  Third-party cookies may be used on the site for marketing purposes.  These cookies are not essential to the functioning of the site and your use and experience of the site will not be impaired by disabling or blocking them.

 

All Cookies on the site used by us are in accordance with current laws in relation to cookies.  To understand more about cookies on the Site, please refer to our Cookie Notice.

8.           DATA SECURITY  

Although there is no complete guarantee of the security of information over the internet, We strive to operate the site with the highest security standards and put in place a robust framework of policies and procedures that includes various organisational and technical measures as matter of information risk management.

 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.  We also limit access to your personal data to those employees, agents, contractors and other third parties on a “need to know” basis who only process your personal data based on our written instructions.  All these parties are subject to a duty of confidentiality.

 

We have put in place procedures to deal with any suspected personal data breach and shall notify you and any applicable regulator of a breach where we are legally required to do so.

 

Any  information transmission, including transmission to the site, is at your own risk.  And where you are given or have chosen a password, including a password to access the site, you are solely responsible for keeping it confidential.

9.    UPDATES 

We may update this Privacy Notice from time to time, and you acknowledge and agree that it is your responsibility to revisit and review this Privacy Notice to ensure you are aware of the updates, if any.  If you do not accept any part of the updates, you must stop use and leave the site immediately.

 

We are not bound to notify you for any update of this Privacy Notice.  We may notify you for significant updates.

10. Glossary

Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

 

Data subject means the identified or identifiable living individual to whom personal data relates.

 

(Data) controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

 

(Data) processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

 

Legitimate interest means the interest of our business in conducting and managing our business to enable us to give you the best service and the most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting Us.

 

Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

Processing or process means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.