Privacy Policy

Last updated: 8 February 2026

1. Who we are

This Privacy Policy explains how Red Hill Popinn Cafe (“we”, “us”, or “our”) collects, uses, discloses, and protects personal data when you visit and use https://www.redhillpopinncafe.co.uk (the “Website”) and when you communicate with us. We are the “controller” of your personal data for the purposes of applicable data protection laws.

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the Privacy and Electronic Communications Regulations (PECR). If you are located in the European Economic Area (EEA), we will also comply with the EU GDPR in relation to services we offer to you.

2. How to contact us about privacy

For any questions or requests regarding this Policy or your personal data, please contact our data protection lead at: privacy@redhillpopinncafe.co.uk.

3. What data we collect

We collect the following categories of personal data:

  1. Information you provide to us:
    • Contact details (such as name, email address, telephone number) when you make an enquiry, request information, or communicate with us.
    • Booking or order information you provide to arrange a reservation, event, collection, or delivery (for example, date, time, party size, dietary preferences, and contact details).
    • Marketing preferences (your choices about receiving updates or offers).
    • Job application data (CV/resume, cover letter, employment history, eligibility to work) if you apply for a role with us.
    • Feedback, reviews, and other content you choose to provide.
  2. Information collected automatically:
    • Technical data such as IP address, device and browser type, operating system, pages viewed, time and date of visits, referring URLs, and interaction data. We typically collect this via cookies and similar technologies (see Section 7).
  3. Information from third parties:
    • If you use a third‑party reservation, ordering, or payment service that integrates with or links from our Website, we may receive information necessary to confirm and manage your booking or order.
    • If you interact with us on social media platforms, we may receive your public profile information and communications from those platforms, subject to your settings with them.

4. For what purposes we use your data and our legal bases

We process personal data for the following purposes under the legal bases indicated:

  1. Providing our services and operating the Website (to respond to enquiries, manage reservations, orders, and events, and provide customer support). Legal bases: performance of a contract or taking steps at your request before entering into a contract; legitimate interests in operating and improving our services.
  2. Communicating with you (service updates, responses to questions, changes to your booking or order). Legal bases: performance of a contract; legitimate interests in effective customer communication.
  3. Marketing and promotions (sending news, offers, or event information). Legal bases: your consent; and, where permitted, our legitimate interests in promoting our business (including the “soft opt‑in” for existing customers, in line with PECR). You can opt out at any time (see Section 10).
  4. Analytics and performance (to understand how our Website is used, fix errors, and improve content). Legal basis: your consent for non‑essential cookies/technologies (see Section 7); legitimate interests for aggregated, non‑identifying analysis where appropriate.
  5. Security and fraud prevention (to protect our Website, systems, and users). Legal bases: legitimate interests; legal obligations where applicable.
  6. Legal and compliance (record‑keeping, tax and accounting, responding to lawful requests). Legal bases: legal obligations; legitimate interests in establishing, exercising, or defending legal claims.
  7. Recruitment (assessing job applications and candidates). Legal bases: taking steps at your request prior to entering into a contract; legitimate interests in hiring staff; legal obligations (e.g., right‑to‑work checks).

5. When we need your consent

We will ask for your consent before sending you direct electronic marketing when required by law and before placing or reading non‑essential cookies and similar technologies (see Section 7). Where we rely on your consent, you can withdraw it at any time by contacting us or using the unsubscribe or preference tools we provide. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

6. Sharing your personal data

We do not sell your personal data. We may share personal data with:

  1. Service providers who help us operate our Website, manage bookings or orders, send communications, host data, provide analytics, or deliver support. These providers act under contracts that require them to protect your data and use it only as instructed.
  2. Payment and reservation partners where you choose to use such services to complete a booking or order.
  3. Professional advisers and insurers (for example, for legal, tax, or insurance purposes).
  4. Authorities and law enforcement when required to comply with laws or enforce our rights.
  5. Business transfers if we undergo a reorganisation, merger, or asset sale; personal data may be transferred as part of that transaction under appropriate safeguards.

7. Cookies and similar technologies

Cookies are small files placed on your device to make the Website work, to remember your preferences, and to help us understand how the Website is used. We use:

  1. Strictly necessary cookies that enable core functionality such as page navigation, security, and form submission. These are always active and do not require consent.
  2. Functional cookies to remember choices (such as language or region) and enhance features. Legal basis: your consent where required.
  3. Analytics/performance cookies to measure and improve the performance of our Website (for example, pages visited and traffic sources). Legal basis: your consent.
  4. Advertising/targeting cookies if used, to deliver relevant adverts or content based on your browsing. Legal basis: your consent.

Managing cookies: On your first visit, and periodically thereafter, you may be presented with choices to accept or reject non‑essential cookies by category. You can also control cookies via your browser settings (for example, to block or delete cookies). If you disable certain cookies, parts of the Website may not function properly.

Cookie duration: Session cookies expire when you close your browser. Persistent cookies last for a defined period; analytics and advertising cookies generally expire within 13 months unless you clear them sooner.

8. International data transfers

Some of our service providers may be located outside the UK or may process data in other countries. Where we transfer personal data internationally, we do so in compliance with data protection law, using one or more of the following safeguards:

  • Adequacy regulations by the UK government confirming the destination provides an adequate level of protection.
  • Standard Contractual Clauses approved by the European Commission together with the UK Addendum, or the UK International Data Transfer Agreement (IDTA).
  • For transfers to the United States, where applicable, to organisations certified under the UK extension to the EU‑US Data Privacy Framework (the “UK‑US Data Bridge”).

We also carry out transfer risk assessments where required and implement supplementary measures when appropriate.

9. Data security

We implement appropriate technical and organisational measures designed to protect personal data, including encryption in transit, access controls, staff training, secure configuration and patching, backups, and incident response procedures. While we work to protect your data, no system can be guaranteed 100% secure.

10. Your rights

Under UK data protection law, and where applicable under the EU GDPR, you have the following rights in relation to your personal data:

  1. Access to a copy of your personal data and information about how we process it.
  2. Rectification of inaccurate or incomplete data.
  3. Erasure (the “right to be forgotten”) in certain circumstances.
  4. Restriction of processing in certain circumstances.
  5. Data portability to receive your data in a structured, commonly used, machine‑readable format and have it transmitted to another controller where technically feasible.
  6. Object to processing based on our legitimate interests and to direct marketing at any time (including profiling related to direct marketing).
  7. Withdraw consent where processing is based on consent.
  8. Not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects on you, unless permitted by law and subject to safeguards. We do not carry out such solely automated decision‑making.

To exercise your rights, please contact us at privacy@redhillpopinncafe.co.uk. We may need to verify your identity before responding. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). ICO contact details: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Telephone: 0303 123 1113.

11. Data retention

We keep personal data only for as long as necessary for the purposes set out in this Policy or as required by law. Typical retention periods are:

  • Enquiries and correspondence: up to 24 months after last contact.
  • Bookings, orders, and related records: for the duration of the transaction and generally up to 6 years thereafter for contractual limitation, and up to 7 years where required for tax and accounting.
  • Marketing data (including consent records): until you opt out or withdraw consent; we maintain a suppression list to respect your opt‑out.
  • Job applications: up to 12 months for unsuccessful candidates (or longer if legally required or you agree to it); for employees, in accordance with our internal retention schedules and legal obligations.
  • Cookie identifiers: per the durations outlined in Section 7.

We may retain data for longer where necessary to establish, exercise, or defend legal claims.

12. Children’s privacy

Our Website is not directed to children under 13. We do not knowingly collect personal data from children under 13 without appropriate consent where required. If you believe a child has provided us with personal data without consent, please contact us so we can delete it.

13. Links to other websites and third parties

Our Website may contain links to third‑party websites, services, or integrations (such as booking or payment providers and social platforms). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy information before providing personal data.

14. Data Protection Officer (DPO) and privacy contact

We are not required to appoint a statutory Data Protection Officer under UK GDPR. However, we have designated a data protection lead to handle privacy matters. You can contact our privacy lead at privacy@redhillpopinncafe.co.uk.

15. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the operation of the Website. We will post the updated version on this page and indicate the latest revision date at the top. We encourage you to review this Policy periodically.

About The Editorial Team Terms of Service Legal Notice Privacy Policy Sitemap Contact
© 2026 Red Hill Popinn Cafe