Privacy Notice
Effective date: 14 April 2026 · Last reviewed: 14 April 2026
This Privacy Notice explains how Knavewick Club Ltd ("we", "us", "our") collects, uses, shares, and protects your personal data. We are committed to handling your personal data lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation (UK GDPR) as supplemented by the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR).
1. Who We Are (Data Controller)
The data controller is:
Knavewick Club Ltd
12 Forres Street, Edinburgh EH3 6BJ, United Kingdom
Companies House number SC814739 · ICO registration ZA123456 (placeholder)
- Email (data-protection matters): privacy@knavewick.com
- Telephone: +44 131 226 9418
2. What Personal Data We Collect
We collect the following categories of personal data:
a) Booking data: first name, last name, email address, telephone number, party size, date and time, room preference, dietary requirements, accessibility needs, special requests.
b) Contact-form data: first name, last name, email, telephone (optional), subject of enquiry, message content.
c) Private-hire enquiry data: as Booking data plus event type, estimated guests, date range, catering preference, budget indication.
d) Marketing opt-in data: email address and name for recipients who have given express consent to receive our monthly diary.
e) Gambling compliance data (only at the premises, not via website): for verification under Gambling Commission licence conditions — photo ID for Challenge 25 purposes, self-exclusion requests, large-transaction records.
f) Technical data: IP address, browser type, device type, pages visited, session duration. Collected via Cookiebot-governed cookies — see § 4 Cookie Policy (at /cookies/).
We do not collect special category data (health, religion, ethnic origin, etc.) unless you volunteer it (e.g. a dietary requirement that implies a health condition) — in such case the data is processed solely for accommodating your booking.
3. Purposes & Legal Bases
Under Article 6(1) UK GDPR we rely on the following legal bases:
| Purpose | Legal basis (UK GDPR Art. 6) |
|---|---|
| Processing a booking request | Article 6(1)(b) — contract / pre-contract |
| Responding to enquiries | Article 6(1)(f) — legitimate interests |
| Compliance with Gambling Commission licence conditions | Article 6(1)(c) — legal obligation |
| Sending marketing emails (monthly diary) | Article 6(1)(a) — your express consent |
| Financial record-keeping | Article 6(1)(c) — Companies Act 2006, HMRC |
| Site security and fraud prevention | Article 6(1)(f) — legitimate interests |
We will never sell or rent your personal data.
4. How Long We Keep Your Data
| Category | Retention period |
|---|---|
| Booking data (completed or cancelled) | 3 years from visit date |
| Contact-form data | 2 years from last contact |
| Private-hire enquiries | 3 years from date of enquiry |
| Marketing opt-in | Until withdrawn; reviewed every 2 years |
| Gambling compliance records | Typically 5 years (licence condition) |
| Financial records | 7 years (HMRC requirement) |
| Technical / log data | 13 months |
| CCTV footage (on premises, not website-related) | 31 days (normal operation) |
5. Who We Share Data With
We share personal data only with processors who act on our instructions and are bound by written agreement:
- Google LLC (reCAPTCHA fraud protection) — IP and interaction data
- Cookiebot (Cybot A/S, Denmark) — consent management
- Our hosting provider (UK-based) — technical storage
- Our email service provider — booking confirmations
- UK Gambling Commission — where required by law
- Information Commissioner's Office (ICO) — where required by law
- HMRC and other UK authorities — where required by law
- Our professional advisers — accountants, lawyers — only where necessary
Google reCAPTCHA may transfer data to the United States. We rely on the UK extension to the EU-US Data Privacy Framework and/or Standard Contractual Clauses approved by the ICO, as applicable.
6. International Transfers
Where we transfer personal data outside the United Kingdom (e.g., Google reCAPTCHA servers in the US), we rely on appropriate safeguards in accordance with Chapter V UK GDPR — typically the UK International Data Transfer Agreement or UK extension to the EU-US Data Privacy Framework. A copy of the applicable safeguards is available on request to privacy@knavewick.com.
7. Your Rights under UK GDPR
You have the following rights over your personal data:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / right to be forgotten (Art. 17)
- Right to restriction (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21) — including to direct marketing, which is absolute
- Right to withdraw consent (Art. 7(3))
- Rights in relation to automated decision-making (Art. 22) — we do not use automated decision-making that produces legal or similarly significant effects
To exercise any right, please email privacy@knavewick.com with reasonable proof of identity. We will respond within one calendar month under Article 12(3) UK GDPR (extendable to three months in complex cases, with notification).
8. Right to Complain to the Supervisory Authority
If you believe our processing of your personal data infringes UK GDPR, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
We kindly request that, before contacting the ICO, you raise concerns with us first at privacy@knavewick.com so we may address them directly.
9. Cookies
For information about cookies and similar technologies used on knavewick.com, please see our Cookie Policy.
10. Security
We implement appropriate technical and organisational measures under Article 32 UK GDPR including encrypted connections (TLS), access controls, and regular review of processing activities. No internet transmission is entirely secure; we cannot guarantee absolute security but commit to notifying affected persons and the ICO in the event of a qualifying data breach within 72 hours as required under Article 33 UK GDPR.
11. Children
Knavewick is an 18+ venue and does not knowingly collect personal data from persons under 18. Should we learn that such data has been submitted, we will delete it promptly.
12. Changes to this Notice
We may update this Privacy Notice from time to time. The latest version is always available at /privacy/. Material changes will be notified via a prominent notice on the site for at least 14 days.
13. Contact
Email: privacy@knavewick.com
Post: Data Protection, Knavewick Club Ltd, 12 Forres Street, Edinburgh EH3 6BJ