Privacy Policy

Effective Date: 01.07.2025
Version 1.0

 

1. Introduction

Andrew Brownsword Hotels ‘ABH’ (referred to as “we” “our” or “us”) is committed to protecting your personal data in accordance with applicable UK data protection law; The UK GDPR, Data Protection Act 2018, Privacy and Electronic Communications Regulations 2003 (‘PECR’) and the Data (Use and Access) Act 2025. This also includes (and is not limited to) other applicable laws such as the EU GDPR and e-Privacy Directive. 

This privacy notice has been designed with an individuals (‘data subjects’) right to be informed to how we collect and process personal data, how we use it, secure it and what rights individuals have.

This privacy notice also applies to other hotels that form part of our group:

 

Each hotel group member is a data controller and for certain activities such as reservations and bookings, each will act as a joint-data controller with ABH head office based in Bath (more information below).

We are registered with the Information Commissioners Office ICO) under registration numbers:

  • Z2160337
  • Z2160371
  • Z2161301
  • Z8875267

 

2. Contact Information

Our head office contact details are as follows:

4 Queens Square
Bath, Somerset
BA1 2HA
United Kingdom

Emailinfo@brownswordhotels.co.uk
Tel: +44(0)1225 320470

Contact information to each individual hotel can be found on their respective website.

 

The Data Protection Officer (DPO) for ABH is as follows:

Name: RA Data Protection Ltd
Emailravi@radataprotection.com
Website: https://radataprotection.com

 

3. Lawful Basis

The lawful basis for which we will process personal data are:

  • Consent
  • Contractual obligation
  • Legal obligation
  • Vital interests
  • Our legitimate interests


Also due to the nature of our organisation we will need to process special category personal data (e.g. health for dietary purposes). Where we process special category personal data we ensure the relevant special condition is identified as required.

 

4. Data Subjects

Due to our business activities, we may process personal data of the following individuals (“data subjects”):

  • Enquirers
  • Customers (Business and Individuals)
  • Employees (including job applicants)
  • Social media users
  • Suppliers/Vendors


The above is representative and non-exhaustive.

 

5. Personal Data We Collect

The personal data we process consists of the below:

  • Name
  • Postal address (including country)
  • Email address
  • Telephone number
  • Recruitment data (e.g. CVs)
  • CCTV images (including sound)
  • Photographic ID (e.g. passports)
  • Payment information
  • Hotel booking and reservation information
  • Dietary and specific health information (e.g. allergies and disabilities)
  • Events information (e.g. weddings and private dining)


The above list is non-exhaustive and representative.

 

6. How We Collect Personal Data

We collect personal data through different ways. Examples include:

  • Through our websites
  • Through calls, emails, letters
  • Paper forms completed at individual hotels
  • Social media interactions
  • Through third parties (e.g. recruitment companies and booking sites)


The above list is non-exhaustive and representative.

 

7. How We Use Personal Data

We will only use your personal data for the below processing activities:

  • To communicate with you regarding our services and non-marketing news
  • To process job applications
  • For our internal records
  • To process any orders/bookings, refunds and cancellations
  • To carry out any booking amendments
  • To update and improve our website
  • For any legal disputes and defend legal claims
  • Marketing news and communications
  • To protect our premises and security of our employees
  • Handle any enquiries or complaints


The above list is non-exhaustive and representative.

 

8. Third-Parties Who We May Share Personal Data With

We do not rent, sell or purchase personal data to and from other organisations. In order to ensure we can complete various activities we may need to share personal data to other third parties we contract. Below are examples of who we may share personal data with:

  • Employee benefit providers
  • IT, legal and compliance advisers
  • Caterers and other suppliers for event assistance where needed


The above list is non-exhaustive and representative. Where we are required to share data with third parties, we will work with them to ensure the correct agreement is put into place.

Please note there may also be instances where we may need to share personal data with a competent law enforcement body, regulatory body, government agency, court, or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation or (ii) to exercise, establish or defend our legal rights.

 

9. Hotel and Other Bookings

Guests and visitors to ABH are able to make bookings directly on our websites or through third parties such as Booking.com. We do not share any of our booking information with third parties apart from dates we do not have any vacancies.

Guests and visitors to ABH are able to make bookings for many purposes, such as business meetings, weddings, event celebrations and lunches/dinners. We use a variety of different systems and databases to help ensure all bookings from enquiries to the events are carried out and coordinated as appropriate. These databases may hold personal data such as:

  • Names of attendees and those making bookings
  • Health information (allergies, dietary requirements, disabilities)
  • Dates and times of events


We ensure only staff who need access to the data are able to access it. If you have any questions to booking systems used you can contact us using our details above.

 

10. Children’s Data

We do not specifically market to children however we understand family bookings can include children under the age of 16. We only ask for the number and ages of children so we can ensure availability of suitable rooms and for pricing purposes only. We do not and will not ask for any data of children such as their names. Our hotels have children’s menus available and if any reasonable adjustments are needed for children please inform our hotels as soon as possible.

 

11. Joint-Data Controller and Data Sharing

As mentioned above for certain activities across the group, we may act as joint-data controllers. Examples of such instances include when hotel bookings and reservations are made. The central reservations team in Chester will make and confirm a booking (online or phone call) and will share the data with the relevant hotel(s) so they can confirm and carry out hotel reservation and booking activities their side, with the same personal data from the central reservations team.

Other instances of joint-data controller activities include certain finance activities (e.g. refunds) and Human Resources (e.g. employment and recruitment purposes).

Where we are required to share data across the group of hotels, we have ensured there are identified legitimate purposes and working with our DPO to ensure the appropriate data sharing agreements are in place.

For more information you can contact us using our details above.

 

12. CCTV

Our hotels may have CCTV installed within them. We use CCTV for multiple reasons such as (but limited to):

  • Prevention and detection of crime
  • Health and safety
  • Defend us in legal claims


We ensure CCTV signs are displayed throughout our hotels (and wider premises such as car park areas). You can contact us for more information using our contact details above.

 

13. Call Recordings

Calls into our telephone lines are recorded and automatically deleted at the end of the retention period. We record calls for training and monitoring purposes. For more information you can contact us using our details above.

 

14. Recruitment

We advertise roles on the careers section of our websites, and on other websites (e.g. LinkedIn and Indeed). You can find more information to how we process recruitment data in our recruitment privacy notice.

 

15. Marketing and Social Media

We carry our marketing communications to help ensure those who have expressed an interest in our marketing and promotional activities are contacted with these updates, but only when we have captured their consent via our website. Our marketing communications is carried out by our marketing team in our main Bath office.

We use social media sites such as X, Facebook and LinkedIn to share news, updates and for promotional activities as a few examples. Our use of social media enables us to interact with customers (including potential customers), reach new audiences and showcase our products and services as a few examples. When you interact with us on social media through means such as “likes”, “shares” or leaving comments this enables us to see certain social media details (e.g. names, social media handles and photos). We don’t record or copy any social media profiles or details, but you should be aware when interacting with us on social media, other users or viewers can view your profile and any comments/feedback and it is your responsibility to ensure you have set up suitable and appropriate privacy settings for your use of social media.

 

16. Data Transfers Outside The UK

As with many companies based in the UK there may be instances of where your personal data may need to be transferred to other countries. These countries may be in the European Economic Area (EEA; The EU member states, Norway, Iceland and Liechtenstein), in an adequate listed country or in other third countries who may not have strict and similar data protection laws to the UK.) Where we have identified personal data needs to be transferred outside the UK we will ensure there is a legitimate purpose for the data transfer, it is documented where needed and the correct data transfer mechanism under data protection law is relied on. For more information you can contact us using our details below.

 

17. Cookies

For details on the cookies we use on this website and how you can change your consent, please see our cookie notice on our website.

 

18. Links To Other Websites

This website contains links to other third party websites. We have no control or are liable of these sites, the content on these sites and how these sites protect your personal data. Please refer to their own privacy notices within them.

 

19. Data Retention

As a data controller we will retain personal data to provide our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations. This also includes our joint-data controller activities.

We will retain personal data for as long as necessary in line with various requirements, such as for example, best practice recommendations (e.g. ICO recommendations), relevant guidelines (e.g. ACAS guidance) or for as long as mandated under specific legislation (e.g. HMRC requirements). We will also determine appropriate retention periods based on our legitimate interests where identified.

At the end of the retention period personal data will be securely deleted or anonymised.

 

20. Data Security

Across our hotel group, we have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

If we become aware of any loss, misuse, alteration of personal data we will investigate the incident at hand and report (when needed to relevant parties) such instances.

 

21. Payment Card Processing

Across our hotels and websites we use accredited third party payment providers and services to help ensure payment information (i.e. credit/debit card information) is processed safely and securely. These include payment card terminals in our hotels and payment checkouts on our websites. For more information you can contact us using our details above.

 

22. Data Subject Rights

Under data protection law individuals have the following rights:

  1. Right to be informed
  2. Right to access personal data
  3. Right to rectify personal data
  4. Right to erase personal data
  5. Right to object to personal data
  6. Right to have data ported
  7. Right to restrict personal data
  8. Right to not have personal data processed by automated means and profiled


If you would like to exercise any of the above Rights you can do so by sending a written request using details above. Please note we may ask for ID (e.g. passport scan, drivers license etc) to verify identity where needed. Upon successful verification we will delete and remove all copies of ID received.

Should we also require extension of time to help fulfil any Right requests, we will be sure to contact requestors as soon as possible with reason(s) why an extension is needed and when Right requests can be fully carried out and completed.

 

23. Concerns and Complaints

If you have any concerns and/or complaints to this privacy notice and/or to how we process personal data please contact us using our details above.

You can make a complaint to the ICO (or other supervisory authority) at any time however, we hope that you would consider raising any issue or complaint you have with us first. You can submit a complaint to the ICO via https://ico.org.uk/make-a-complaint/.

If you need to complain to any other Supervisory Authority within the European Economic Area you can find their details here.

 

24. Privacy Notice Updates

We will review this notice and make changes to it from time to time. We recommend that you check this notice to see where changes have been made and to ensure you are able to review updated information at all times.

Meetings & Functions

Preferred contact method