Privacy Policy

Who We Are

Turnbridge House provides self-catering holiday accommodation near York, UK. For the purposes of data protection law (including the UK General Data Protection Regulation and the Data Protection Act 2018), the data controller is Turnbridge House.

If you have any questions about how we handle your personal data, you can contact us at [email protected].

What Data We Collect

We collect personal data when you interact with our website and services. This includes:

Booking Requests

• Name — to identify you as the guest.
• Email address — to communicate about your booking.
• Phone number — to contact you if needed regarding your stay.
• Booking dates and property selection — to process your reservation.
• Payment card details — collected securely by Stripe (see below). We never see or store your full card number.

Contact Form

• Name and email address — to respond to your enquiry.
• Message content — the details of your enquiry.

Automatically Collected Data

• IP address and browser information — collected by our hosting provider (Cloudflare) for security and performance purposes.

Why We Collect Your Data

We process your personal data on the following legal bases under the UK GDPR:

• Contract (Article 6(1)(b)) — Processing your booking request, taking payment, and managing your reservation are necessary to perform our contract with you.
• Legitimate interests (Article 6(1)(f)) — Responding to enquiries via the contact form, maintaining website security, and improving our services.
• Legal obligation (Article 6(1)(c)) — Retaining financial records as required by tax and accounting regulations.

Payment Processing

Stripe acts as an independent data controller for the payment data it processes. You can read Stripe's privacy policy for details on how they handle your information.

Third-Party Services

We use a small number of trusted third-party services to operate our website and process bookings:

• Stripe (payment processing) — Handles all card payments securely. Based in the US with EU data processing agreements in place. Stripe Privacy Policy
• Resend (email delivery) — Sends booking confirmation and notification emails on our behalf. Resend Privacy Policy
• Supabase (database hosting) — Stores booking and contact form data securely. Supabase Privacy Policy
• Cloudflare (website hosting and security) — Serves our website and provides DDoS protection. May process IP addresses and basic request data. Cloudflare Privacy Policy

Data Retention

We retain your personal data only for as long as necessary for the purposes it was collected:

• Confirmed bookings — Booking records and associated personal data are retained for 7 years after your stay, as required for tax and accounting purposes.
• Declined or cancelled bookings — Personal data is retained for 1 year after the booking was declined or cancelled, then deleted.
• Contact form submissions — Retained for 1 year after your enquiry is resolved, then deleted.
• Payment data held by Stripe — Governed by Stripe's own retention policies.

Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

• Right of access — You can request a copy of the personal data we hold about you.
• Right to rectification — You can ask us to correct any inaccurate or incomplete data.
• Right to erasure — You can request that we delete your personal data, subject to any legal obligations that require us to keep it.
• Right to restrict processing — You can ask us to limit how we use your data in certain circumstances.
• Right to data portability — You can request your data in a structured, machine-readable format.
• Right to object — You can object to processing based on legitimate interests.

To exercise any of these rights, please email [email protected]. We will respond to your request within one month.

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Cookies

Our website uses only essential cookies that are strictly necessary for the website to function. These include:

• Authentication cookies — Used to keep admin users logged in to the management dashboard.
• Stripe cookies — Set by Stripe during the payment process to enable secure card entry and fraud prevention.

We do not use any marketing, advertising, or tracking cookies. Because these cookies are strictly necessary for the site to operate, consent is not required under UK cookie regulations.

Analytics Cookies

We use Google Analytics 4 to understand how visitors use our website — for example, which pages are most popular and how users navigate the site. Google Analytics sets cookies to distinguish unique users and track sessions.

Analytics cookies are only set after you consent via our cookie banner. If you do not accept cookies, no analytics data is collected. Google Analytics data is processed by Google; you can read Google's Privacy Policy for details.

You can withdraw your consent at any time by clearing your browser cookies for this site. The cookie banner will reappear on your next visit.

International Data Transfers

Some of our third-party service providers (Stripe, Resend, Supabase, Cloudflare) are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or equivalent mechanisms approved by the UK government, to protect your data.

Children's Privacy

Our booking service is intended for adults aged 18 and over. We do not knowingly collect personal data from children. Booking requests must be submitted by an adult.

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page will be revised accordingly. We encourage you to review this page periodically.