Last Updated: 20/10/23
● why and how we may use the personal information that we have obtained from interactions you (or others) may have with us as a business or when you contact us;
● with whom we share your personal information; and
● the rights you have in connection with the information we use.
Please read the following carefully.
2. WHO WE ARE AND OUR ROLE
We sometimes work with other organisations in connection with some of the processing activities described in this notice, such as social media platforms. Where that information is collected and sent to other organisations for processing that is for a common purpose or purposes, we will be making decisions together in relation to that particular processing and will be ‘joint controllers’ with the organisations involved. As joint controllers, we and the other organisations involved in making these decisions will be jointly responsible to you under data protection laws for this processing.
3. PERSONAL INFORMATION WE COLLECT ABOUT YOU
Personal information you provide to us
When you interact with us online or offline we collect and use information about you in the course of providing you our services and with consumer support. We may collect some or all of the information listed below to help us with this:
• information that you submit online and offline including your name, contact details including postal address, e-mail address and telephone number(s), interests, insights and preferences, date of birth, age, gender, and login credentials. We collect this in a number of ways, including when you register for an account with us and/or make a booking online or offline;
• age verification information, including photo ID;
• financial details when booking a venue which includes the card-holder’s name and payment and gift card details;
• your orders, requests and transaction information, including information about your purchases, such as prices and product information, refunds, and promotions and gifts;
• your dietary preferences and allergy information;
• your username and password in relation to our websites and mobile apps;
• information that you submit via any contact forms on the website and any correspondence we have with you over email or phone;
• details of your marketing and in-app communication preferences;
• details when you enter a competition, promotion, or prize draw, including any personal information contained in the entry itself;
• additional details that you provide at one of our events, including images and information provided in surveys;
• the content of the reviews or testimonials you leave about us; and
• any correspondence or messages (including emails, SMS or chat or social media messages or comments) that you send to us;
• your social media activity including your social media handle, comments and ‘likes’ and the time and date of that activity; and
• any additional information that you choose to tell us.
Where we need to collect personal data where legally required to do so, or perform a contract we have with you (or take pre-contract steps you have requested), and you do not provide us with your personal information, we may be unable to provide products or services to you. This may also lead to us having to cancel your booking.
You are under no statutory or contractual obligation to provide us with your personal information; however, we require at least the information above in order for us to deal with you as a prospective customer or customer in an efficient and effective manner. Where the law allows, we may combine information we receive from other sources with information you give to us and information we collect about you.
Information we collect about you including using automated methods
We collect CCTV footage and date and time information when you pass an area in which we or a company on our behalf operates CCTV surveillance or makes CCTV recordings (including from body-worn cameras). Such footage may include criminal offence or health data.
We also collect data on the use and consumption of gifts and promotions, as well as your booking history. We also collected information about your most visited venue amongst the venues that we operate.
We may automatically collect information about your use of the Digital Services, such as the number and duration of visits to the Digital Services and details of which particular pages or parts have been visited. We may also anonymise any personal information we receive about you by amending it, combining it with other data or by using other anonymisation techniques such as 'hashing (“Anonymised Information”). After we anonymise your information, it will not be attributable to you.
We use any collected Technical Information and Anonymised Information to analyse how the Digital Services are functioning and how it is used by users, for insight purposes and to help us maintain and improve the Digital Services on an ongoing basis. We also use this information to provide our services, including through our mobile applications and when you pay at our venues. We may share Anonymised Information with third parties that we work with, including our commercial partners.
We may record calls you make to our customer services team for quality and training purposes, and for the purposes of handling complaints and legal claims. We collect information about your behaviour at our venues and, if you have been banned, details of the reasons and period for which you have been banned.
Information we collect about you in connection with our loyalty programme
If you participate in our loyalty programme, we collect details relating to your participation including the period of your participation, the number of points and other benefits you have earned and details of when you have earned them, the points and other rewards you have redeemed and when you have redeemed them, your refer-a-friend activities and your favourite venues.
In certain circumstances, we provide you the option to link your bank account and/or card payment method to our loyalty programme. This is facilitated via our third-party providers, such as Bink, and utilises open banking APIs. Where your banking provider supports this facility, and you choose to link your account or card payment method to our loyalty programme we and your banking provider will receive data about the transactions you make across our venues as well as where you redeem your loyalty rewards.
We use this information to reward you with loyalty points or other loyalty benefits for qualifying purchases, provide you with redeemable rewards and to analyse your spending habits across our venues in order to better suggest offers we think will be of interest to you.
Information we collect about you from other sources
We may also obtain the following Personal Information about you from the following sources:
Apple Pay / Google Pay / Apple Pay / Google Pay / PayPal / Payment card schemes (American Express, Mastercard and Visa)
Contact, financial, technical data and transaction data
Contact and biographical data
Contact, loyalty and transaction data
Contact and review data
Contact, financial, transaction data
Contact, financial, transaction data
Design My Night
Contact, bookings, ticketing, dietary data (including data relating to allergies and food preferences
Contact, ticketing data
Financial, transaction data
Sport Insight Media
Contact, financial, technical data and transaction data
Your banking provider
Transaction data (if you link your payment card to our loyalty programme) and contact data (if you join the loyalty programme through an app provided by certain banking providers
Social media sites e.g. Facebook
Contact, biographical and interests data
Contact data & details of your past behaviour at third party venues
4. HOW AND WHY WE USE YOUR PERSONAL INFORMATION
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and complies with data protection laws.
Data protection law requires us to have a valid reason to process your personal information for each of the different purposes for which we use that information. The law refers to each reason as a ‘lawful basis’. The purposes for which we use your personal information and the lawful basis on which we rely to process it for each purpose is as follows:
Where you have provided CONSENT
We may use and process your personal information where you have consented for us to do so for the following purposes:
• to make electronic marketing communications including by email, SMS and, in relation to our mobile apps, push notices, where you opt-in to receive such communications following a request;
• to access location, camera, photos, videos, contact lists, or other information from your mobile device accessed through our mobile apps;
• to link your card payment method to our loyalty programme and use the transaction data we receive to administer our loyalty programme. Your consent for this purpose will also permit the card scheme relevant to your card to monitor your transactions and share details of qualifying purchases with us so that we can provide you with the relevant points.
We may also rely on consent to use your name and image for publicity purposes. If you do not agree, the photographs will be deleted or the image will be modified so you will be unidentifiable.
You may withdraw your consent for us to use your information in any of these ways at any time. Please see section 13 (Your Rights) for further details.
Where necessary to comply with our LEGAL OBLIGATIONS
We will use your personal information to comply with our legal obligations:
● to check and verify your age and your identification information using an ID scan machine for the prevention and detection of crime and disorder to the extent required by law;
● to respond or assist the public authorities or the police and other criminal investigation bodies where required by law;
● to keep a record relating to the exercise of any of your rights relating to our processing of your personal information;
● to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists to be able to comply with your request);
● to comply with court orders or other notices where failure to do so would result in us breaking the law; and
Where it is in your VITAL INTERESTS
We will use your personal information where it is in your vital interests to do so, for example, in relation to any emergency medical treatment you require whilst visiting our venues.
Where there is a LEGITIMATE INTEREST
We may use and process your personal information where it is necessary for us to pursue our legitimate interests as a business, or that of a third party, for the following purposes:
Processing necessary for us to promote our business and measure the reach and effectiveness of our campaigns
● to contact you with marketing information by post or by phone (if you are not registered with the Telephone Preference Service (including the Corporate Telephone Preference Service, where relevant);
● to contact you with marketing information by email and SMS (if you are a corporate customer or where you were presented with an opportunity to opt-out of such contact but did not do so);
● to tailor communications (including recommendations) to you based on your location, interests, and previous bookings and to personalise our services, products and content for you;
● to communicate targeted advertising to you in social media. You may receive advertising based on information about you that we have provided to a social media platform, or allowed it to collect using cookies on our website or code in our applications (or a combination of the two). For some of our marketing campaigns, we may use this information to exclude you from receiving advertising, if we believe it will not be relevant to you. You may also receive advertising because, at our request, the platform has identified you as falling within a group whose attributes we have selected or a group that has similar attributes to the individuals whose details it has received from us (or a combination of the two);
● to process your location in order to locate the nearest venue;
● for analysis and insight conducted to inform our marketing and business strategies, and to enhance your user experience;
● to ensure your dietary preferences are respected (and, where these are allergies or other medical conditions, to establish, bring or defend any legal claims); and
Processing necessary for us to respond to changing market conditions and the needs of our users
● to analyse, evaluate and improve our Digital Services and/or other of our products and services so that your visit and use of them are more useful (we will generally use data amalgamated from many people so that it does not identify you personally);
● to undertake market analysis and research (including contacting you with user or customer surveys) so that we can better understand your use of the Digital Services and our products; and
● to share personal information (including images) with (and to receive information from) ‘Pubwatch’ members (which include other hospitality providers, the police, and the council) to identify and prohibit from entering our venue certain customers who have been barred in order to ensure that our venues remain safe.
Processing necessary for us to operate the administrative and technical aspects of our business efficiently and effectively
● to maintain the security of our staff, customers, venues, premises and property;
● to process payments made by you to us;
● to administer the Digital Services and our products, and for internal operations, including troubleshooting, testing, training, and statistical purposes;
● for the detection and prevention of fraud and other criminal activities (and in relation to any CCTV footage containing criminal offence of health data, we rely on the corresponding condition for processing under the Data Protection Act 2018);
● for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access;
● to record CCTV footage and date and time information when you pass an area in which we or a company on our behalf operates CCTV surveillance or makes CCTV recordings (including from body-worn cameras) to ensure the safety of our employees and venue visitors;
● for the purposes of corporate restructure or reorganisation or sale of our business or assets;
● for efficiency, accuracy or other improvements of our databases and systems, for example, by combining systems or consolidating records we hold about you;
● to enforce or protect our contractual or other legal rights or to establish, bring or defend legal proceedings (and in relation to any allergy or other health data we process about you, we rely on the corresponding condition for processing under the UK GDPR);
● to inform you of updates to our terms and conditions and policies; and
● for other general administration including managing any reports you make, your queries, complaints, or claims, and to send service messages to you.
Where necessary for us to carry out PRE-CONTRACT STEPS you have requested or for the performance of our CONTRACT
We will use your personal information where this is necessary for us to perform our contract with you or to carry out any pre-contract steps you’ve asked us to so that you can enter into that contract, for the following purposes:
● to respond to your request for a booking for one of our venues;
● to administer the core elements of our loyalty programme as described in the terms applicable to that programme, including to keep track of the points and other benefits you have earned and the rewards you have redeemed;
● to send communications to you about your booking (including information about your booking status and to request payment information relating to your booking);
● to register you for and connect you to our guest WiFi service within our venues; and
● to respond to your customer service requests and enquiries.
We may collect your preferences to receive marketing information directly from us by phone, email, or SMS in the following ways:
● if you register for an account on our website or mobile applications, we will ask you if you would like to opt in to receive marketing information directly from us;
● if you make a booking with us via the designmynight website and you opt in to receive marketing information;
● if you do not complete a purchase and you have opted-in to receive marketing information, we may send a reminder to you about your incomplete purchase or ask why you did not complete the purchase so that we may better refine the service we offer.
From time to time, we may ask you to refresh your marketing preferences by asking you to confirm that you consent to continue receiving marketing information from us.
You have the right to opt-out of our use of your personal information to provide marketing to you in any of the ways mentioned above at any time. Please see Your rights below for further details on how you can do this.
Please allow up to 10 working days for your email preferences to take effect.
6. DISCLOSURE OF YOUR PERSONAL INFORMATION BY US
We may disclose your information to our third party service providers, agents and subcontractors ("Suppliers") for the purposes set out above. Our Suppliers can be categorised as follows:
Recipient / relationship to us
Industry sector (& sub-sector)
Advertising, PR, digital and creative agencies
Media (Advertising & PR)
Card-linked loyalty and other service providers that support our loyalty programmes
IT (Banking & Loyalty)
CCTV service providers
Cloud software system providers, including database, email, ordering, booking, age/identity verification software (e.g. GB Group plc), customer relationship and document management providers
IT (Cloud Services)
Facilities and technology service providers including scanning and data destruction providers
IT (Data Management)
Legal, security and other professional advisers and consultants
Professional Services (Legal & Accounting)
Market and customer research providers
Media (Market Research)
Operators of bars, pubs and other hospitality venues, including members of National Pubwatch and local 'pubwatch' schemes
Hospitality (Bars & Pubs)
Payment card schemes
Financial Services (Payments)
Social media platforms
Media (Social Media)
Website and data analytics platform providers
IT (Data Analytics)
Website and app developers
IT (Software Development)
Website hosting services providers
Wifi service providers
Payment (including gift card) processors e.g. PayPal, Google Pay and Apple Pay.
PayPal. Google Pay and Apple Pay operate secure servers to process your payment details. They encrypt your credit or debit card information and authorise payment directly. We only keep the last four digits of your credit or debit card in order for you to recognise and choose your payment method without having to type in payment details each time. To understand how our payment processors use your information, we recommend that you read their privacy policies at https://www.paypal.com/uk/legalhub/privacy-full, https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en and https://www.apple.com/uk/legal/privacy/data/en/apple-pay/
Financial Services (Payments)
When sending your information to third parties, we only disclose to them any personal information that is necessary for them to provide their service and we have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions.
When we share your personal information with any third parties that are controllers of that information, they may disclose or transfer it to other organisations in accordance with their data protection policies. This does not affect any of your data subject rights as detailed below. In particular, where you ask us to rectify, erase or restrict the processing of your information, we take reasonable steps to pass this request on to any such third parties with whom we have shared your personal information.
We may disclose your personal information to other third parties as follows:
- any third party who is restructuring, selling or acquiring some or all of our business or assets or otherwise in the event of a merger, re-organisation or similar event; and
- if we are under, or consider that we have, a duty to disclose or share your information in order to comply with any legal or regulatory obligation or request, including by the police and other law enforcement bodies, tribunals, regulators, local or central government or related agencies.
7. WHERE WE STORE YOUR PERSONAL INFORMATION
Your personal information may be transferred to countries outside the UK. Those countries may not have similar data protection laws to the UK and so may not protect the use of your personal information to the same standard.
• relying on decisions issued by the relevant UK Secretary of State (or other relevant person) declaring that a country or a company certifying to an international framework is adequately protective of personal information to a degree that allows us to safely transfer your personal information to that country or company;
• imposing contractual obligations on the recipient of your personal information using standard clauses issued by the UK Information Commissioner’s Office (or other relevant body); or
• relying on ‘binding corporate rules’ put in place by recipients of your personal information that have been approved by relevant data protection regulators.
If you use our services whilst you are outside the UK, your information may be transferred outside the UK in order to receive those services.
8. THE PERIOD FOR WHICH WE KEEP YOUR PERSONAL INFORMATION
If we collect your personal information, the length of time for which we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws. We do not retain personal information in an identifiable format for longer than is necessary.
We will always retain your personal information for the period that you have an active account with a Website or App. If you do not hold an account, we retain your personal information for 2 years from the date we collect it or, where applicable, the date you are unsubscribed from our marketing lists, if later.
Your account will become ‘inactive’ if you do not engage with us for more than 2 years, for example, if you do not log into your account, make a purchase with us, engage with our direct marketing campaigns, earn loyalty points or redeem any vouchers. After that 2 year period ends (or at any point you choose to delete your account with the relevant Website or App using the relevant settings), we will anonymise the records we hold about you so that we no longer hold your personal information (to find out more about the personal information we anonymise, please see ‘Personal information we collected about you’ above). The only exceptions to these periods and our retention of your personal information are where:
● the law requires us to hold your personal information for a longer period, or delete it sooner;
● you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law (see section 13 (Your Rights) below);
● you exercise your right to require us to retain your personal information for a period longer than our stated retention period (see section 13 (Your Rights) below);
● we obtain your proof of identity documentation (e.g. driving licence, passport, card bearing PASS hologram, or military ID) which we retain for no more than 31 days from the date of our receipt or, if you are subject to a ban from a venue, for the period for which you have been banned; or
● we bring or defend a legal claim or other proceedings during the period we retain your personal information, in which case we will retain your personal information until those proceedings have concluded and no further appeals are possible.
9. SECURITY AND LINKS TO OTHER SITES
We employ security measures to protect the personal information you provide to us, to prevent access by unauthorised persons and unlawful processing, accidental loss, destruction and damage. When we have provided (or you have chosen) a password allowing you access to certain parts of our Digital Services, you are responsible for safeguarding it and keeping it confidential and you promise not to allow it to be used by third parties.
If you are using a computer or terminal in a public location, we recommend that you always log out and close the website browser when you complete an online session for your security. In addition, we recommend that you take the following security measures to enhance your online safety: When creating a password, we recommend you use at least 8 characters with a combination of letters and numbers and at least one special character. We recommend you frequently change your password. Keep your passwords private. Remember, anyone you knows your password may access your account. Avoid using the same password for multiple online accounts. We will never ask you to confirm any account or credit card details via email. If you receive an email claiming to be from us asking you to do so, please ignore it and do not respond.
In addition, if you linked to our Digital Services from a third party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party website and recommend that you check the policy of that third party website.
'Cookies' are small pieces of information sent to your computer or device and stored on its hard drive to allow the website and applications to recognise you when you visit it.
If you are using our websites, it is possible to switch off cookies by setting your browser preferences.
We also use other similar technologies across our websites, applications and emails to recognise you. These include web beacons, tracking pixels, pixel tags and software development kits (SDKs). These technologies are used for a variety of purposes such as facilitating payment, enhancing app navigation, analysing and optimising usage and associated with our marketing and advertising efforts, including targeting advertising through our third parties and partners.
11. AUTOMATED DECISION MAKING
12. SOCIAL MEDIA PLATFORMS
We use a number of different social media platforms to communicate with you and to promote products and services. We process your personal information using these platforms in a variety of ways, as follows:
Pages. We use your personal information when you post content or otherwise interact with us on our official pages on Facebook, Instagram, TikTok and other social media platforms. We also use the Page Insights service for Facebook and Instagram to view statistical information and reports regarding your interactions with the pages we administer on those platforms and their content. Where those interactions are recorded and form part of the information we access through these Page Insights services, we and the relevant platform are joint controllers of the processing necessary to provide that service to us.
Single sign-on. Some of our mobile apps use a feature provided by social media and other digital service providers that allow you to register and login to our account with the app using the same login details you have already set up with those providers. This feature is known as a ‘single sign-on service’. We are responsible for any use we make of the personal information we receive from the platform using this feature.
Data from your profile. When you use single sign-on services, you may be prompted to confirm that you are happy to share with us your name, email address and certain other personal information you hold with those providers. You may be asked if you would like to share information with us that goes beyond what is needed to log you into your account. For example, you may be asked if you would like us to use your contact details or date of birth for direct marketing purposes. We will only use your personal information in this way if you agree.
Our relationship with Meta. As we are joint controllers with these platforms for certain processing, we and each platform have:
• entered into agreements in which we have agreed each of our data protection responsibilities for the processing of your personal information described above;
• agreed that we are responsible for providing to you the information in this privacy notice about our relationship with each platform; and
• agreed that each platform is responsible for responding to you when you exercise your rights under data protection law in relation to that platform’s processing of your personal information as a joint controller.
Meta also processes, as our processor, contact information that we submit for the purposes of matching, online targeting, measurement, reporting and analytics purposes. These services include the processing Meta carries out when it display our advertisements to you in your news feed at our request after matching contact details for you that we have uploaded to a platform operated by Meta. These advertisements may include forms through which we collect contact information you give to us.
Further information. The Meta company that is a joint controller of your personal information is Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. For further information regarding Meta and its use of your personal information, please see:
• Meta’s Controller Addendum for Page Insights and UK Controller Addendum for Business Tools which include information regarding how our and Meta’s responsibilities to you are allocated as controllers of your personal information;
• Meta’s help pages regarding its Page Insights and Business Tools and its terms and conditions relating to those tools.
13. YOUR RIGHTS
You have a number of rights in relation to your personal information under data protection law. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within 1 calendar month from either:
● the date that we have confirmed your identity; or
● where we do not need to do this because we already have this information, from the date we received your request.
You have the following rights, some of which may only apply in certain circumstances:
To have your information corrected if it is inaccurate and to have incomplete personal information completed
To object to processing of your personal information
To withdraw your consent to processing your personal information
To restrict processing of your personal information
You may ask us to restrict the processing of your personal information in the following situations:
• where you believe it is unlawful for us to do so; or
• you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings.
In these situations, we may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.
To have your personal information erased
To request access to your personal information and how we process it
Rights relating to automated decision making, including profiling
To complain to a data protection regulator
You have the right to complain to the UK data protection regulation, the Information Commissioner's Office (ICO), if you are concerned about the way we have processed your personal information. Please visit the ICO's website for further details.
15. CONTACT US
Our email address for data protection queries is firstname.lastname@example.org or alternatively you can contact us using the web form on our websites.
16. LEGAL INFORMATION
We are Stonegate Pub Company Limited.
We are a limited company incorporated in the Cayman Islands with UK company registration number FC029833 (and UK establishment number BR014816) and our registered office address is Conyers Trust Company (Cayman) Limited, Cricket Square, PO BOX 2681, Grand Cayman, Ky1-1111, Cayman Islands.
Our main trading address is 3 Monkspath Hall Road, Solihull, West Midlands B90 4SJ.