Discover the Broads' Best kept secret

Privacy Notice

We respect your privacy and are committed to protecting your personal data. This privacy notice will tell you how we look after your personal data and about your privacy rights. It supplements any other notices and is not intended to override them.

We have tried to be brief and clear. We are happy to provide any additional information or explanation.

This version was last updated on 14th May 2018, and historic versions can be obtained by contacting us.

It is important that the personal data we hold about you is accurate and current. Please keep us informed of any changes.

  • Who we are

    The Data Controller (the legal entity which makes decisions about how your personal data is used) is Waveney River Centre (2003) Ltd, registered company 04887417.Our registered office is Hanworth House, 43 Bull Street, Holt, Norfolk, NR25 6HP

    Our trading address is Waveney River Centre, Burgh St Peter, Norfolk NR34 0BT

    Waveney River Centre and The Waveney Inn are trading names of Waveney River Centre (2003) Ltd.

    Tel. 01502 677343
    Email: [email protected]
    Website: http://www.waveneyrivercentre.co.uk

  • How we collect your personal data

    We collect personal data in the following ways:

    • Directly from you – in person, in writing or over the phone
    • You enter your personal information on to our website, for example when making a booking
    • You provide your information to one of our agents, for example Hoseasons, Expedia, or booking.com, for the purposes of making a booking.
    • You provide your information to a website which processes data on our behalf – for example by opting to receive marketing information
    • You provide information when logging into our WiFi Portal.
    • You provide your information to an information website or directory which forwards your request to us

    Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.

  • How we use your personal data

    We will only use your personal data when the law allows us to.

    We have set out below how and why we plan to use your personal data.

    Booking contracts

    We process your personal data for the purposes of:

    • Creating bookings for accommodation, boats and other services provide by us
    • Providing quotations for a possible booking
    • Contacting you in relation to your booking – for example to confirm check in arrangements, to inform you of changes or to check that you were satisfied after you depart.
    • Ensuring that we are able to recover monies for providing services, in the event of non-payment
    • Ensuring compliance with our booking terms and conditions

    The legal basis for processing your data in relation to bookings is that it is necessary for the performance of the booking contract, or because you have asked us to take specific steps before entering into a contract.

    Marketing

    We process your personal information for the purposes of marketing our services in the form of email newsletters and/or printed brochures. We only send you marketing materials when you have given clear and verifiable consent for us to do so, and you can withdraw this consent at any time (see ‘right to withdraw consent’).

    The legal basis for processing your data in relation to marketing is that you have given your consent for this purpose.

    WiFi Access

    We process your personal information when you connect to our WiFi network, so that we can ensure that our internet connection is used in accordance with the law, and with our terms & conditions. The legal basis for processing your data in relation to WiFi access is that it is in our legitimate interest.

    You will also be offered the opportunity of receiving marketing information when you connect to our WiFi network, but you may decline.

    Our WiFi service is managed on our behalf by Purple WiFi, who collect your information either directly via a form, or via your chosen social media account.

    Customer service

    In the interests of good customer service, we retain your personal information after your booking has ended, so that:

    • the information is available when making future bookings
    • to enable us to make suggestions and recommendations to you about goods or services that may be of interest to you
    • to deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
    • to use data analytics to improve our website, products/services, marketing, relationships and experiences

    The legal basis for processing your data in relation to customer service is that it is in our legitimate interest. You may opt out of marketing communications at any time.

    Legal obligations

    We will also process your personal information if we are specifically required to do so in order to comply with a legal obligation imposed upon us.

  • Categories of personal data

    The categories of personal data which we process are:

    • Your name
    • Your address including postcode
    • Your landline and mobile phone numbers
    • Your email address
    • Email communications with you
    • Written notes of conversations with you
    • Recordings of conversations with you (we will always inform you if we are recording a conversation)
    • Records of your bookings including payments made
    • Records of quotations requested
    • Complaints or other feedback made by you

    We do not process any special categories of information as defined by the EU General Data Protection Regulation. This is data which is considered to be more sensitive, such as race, politics or religion, sexual orientation or biometric data.

    We do not knowingly collect data relating to children.

    CCTV operates throughout the park for the purposes of crime detection and the safety of our staff and guests. CCTV coverage is retained for between 7 & 14 days, but we do not operate any facial recognition or other technology which would automatically identify indidivuals.

  • Disclosure of your personal data

    We never sell or pass on your personal data to any other organisation without your express consent, other than for processing data on our behalf in accordance with this policy.

    We use the following external organisations for processing data on our behalf and may add others without updating this policy:

    • SagePay and Barclayard Merchant Services – for processing debit and credit card payments on our website, in person and over the phone.
    • Mailchimp – for sending newsletters by email and managing the opt-in/opt-out process (consent).
    • Cloud-based services are used for the backup of company data, which includes personal data.

    It may also be necessary to share your personal data with our professional advisors (including lawyers, bankers, auditors and insurers) and with HRMC, regulators and other statutory authorities, in order to comply with our legal obligations.

    We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

    We do not explicitly pass personal data to any organisations outside the European Economic Area. However, organisations processing data on our behalf, such as cloud-based marketing or backup services, may store data on servers based outside the EEA.

  • Contractual obligations

    When you create a booking, and when you connect to our WiFi network, we require you to provide personal information which allows us to identify you and contact you. Failure to provide this information, or deliberately giving incorrect details, is a breach of our terms and conditions and may result in cancellation of our contract with you.

    Automated decision making

    We do not carry out automated decision making or customer profiling in relation to contracts.

    We may use address profiling to target opted-in marketing information, in order to provide you with more relevant information.

    We use third party information processing companies, such as Facebook and Google, to target marketing information based on personal information which you have provided to those organisations. We do not have access to your personal information, unless you have expressly granted consent for your information to be passed on to us.

  • Retention period

    All data obtained by consent (for example for marketing purposes) is retained until you withdraw your consent. We may also remove your information if we no longer need it.

    Personal data relating to bookings is retained for a period of 3 years after your last booking, unless you ask us to remove it sooner.

    Personal data is always retained for a period of 6 months after the end of a booking, even if you ask us to remove it, in order to protect ourselves from payment card chargebacks, and to enable the information to be provided by the police or another statutory authority in relation to any incident during your booking.

  • Data security

    We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

    We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

  • Your rights

    The General Data Protection Regulation gives you a number of rights to help protect your personal data.

    Requesting access

    You have the right to see all personal data which we hold on you. This is commonly known as a Subject Access Request.

    If you make a Subject Access Request we will provide you with all the personal information which we hold relating to you. We can only provide your own personal information, unless we are satisfied that you are entitled to act on behalf of another person. It is your responsibility to provide evidence of this entitlement.

    Requesting corrections

    You have the right for any inaccurate personal data about you to be rectified, or completed if it is incomplete.

    Requesting erasure

    You have the right for your personal data to be erased (sometimes known as ‘the right to be forgotten’).

    This right is not absolute, but we will erase your personal information at your request as long as it is no longer necessary for the purpose for which we originally collected or processed it and there is no other overriding legitimate interest for us to continue retaining your personal data.

    When we delete your personal information, we do not delete details of bookings which you have made, but we ‘anonymise’ them so that they cannot be linked back to you.

    Restriction of processing

    You may also ask us to restrict processing of your data, for example whilst we correct inaccurate personal information, or to stop processing it altogether (the right to object).

    Transfer of information

    You have the right to data portability, which means that you can ask us to pass your data on to a third party. We will use all reasonable means to comply with such a request and will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.

    Withdrawing consent

    Where the legal basis for processing your data is consent (for example a marketing opt-in) you have the right to withdraw consent at any time.

    How to make a request

    All requests relating to provision of information, data removal or other rights can be made verbally, in writing, or by emailing [email protected]

    We will process your request within 28 days of the date when we receive it.

    You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

  • Making a complaint

    You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO) (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns first.