Privacy Policy

Last updated: 03 October 2025

Welcome to Lilac Retreats (“we”, “us”, “our”). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit or interact with our website www.lilacretreats.co.uk (the “Site”), make bookings, subscribe to our communications, or otherwise deal with us.

By accessing or using the Site, or by giving us your personal data, you agree to the practices described in this policy.

1. Who we are & contact information

Data controller
Lilac Retreats
Address: Lilac Farm, Stoke Ferry Road, Eastmoor, King’s Lynn PE33 9QA
Email: hello@lilacretreats.co.uk
Telephone: +44(0)7860 638928

You may contact us using the details above if you have any questions about this Privacy Policy, your rights, or how we process your data.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the UK.

2. Scope & applicability

  • This policy applies to all personal data collected by us via the Site, or through your interactions with us (e.g. bookings, enquiries, subscriptions).

  • It does not apply to third-party websites that we do not control (for example, links you follow). We encourage you to read the privacy notices on those sites.

  • We act as the data controller for the personal data you submit.

  • Where we use third-party processors (e.g. payment gateways, email marketing, analytics), those parties act solely under our instruction and under data processing agreements.

3. What personal data we collect

We may collect the following categories of data:

CategoryCollected viaPurpose / UseLegal basisIdentity & contact data (name, email, phone, postal address)Booking forms, contact forms, registration, newsletter sign-upsTo process bookings, respond to enquiries, send newsletters or updatesContract / ConsentPayment & billing dataThrough secure payment processorTo process payments, refundsContractUsage & technical data (IP address, device type, browser, pages visited, referral source, time & date)Automatically via cookies / server logsAnalytics, performance, security, site improvementLegitimate interestsMarketing preferencesWhen you opt in or change preferencesTo deliver tailored marketing (if consent given)ConsentOther information you provide (e.g. messages, feedback)Via contact or booking forms, emailsTo respond and deliver our servicesContract / Consent

We only collect data that is necessary for the purposes described.

4. Cookies, tracking & similar technologies

We use cookies and similar tools to enhance your experience and understand how the Site is used.

  • When you first visit, you will see a cookie consent banner or settings interface from which you can accept or reject non-essential cookies.

  • Essential / strictly necessary cookies are required to enable browsing, bookings, security, and core functionality.

  • Analytics / performance cookies help us understand how users use the Site (e.g. Google Analytics, etc.).

  • Functional cookies store your preferences (e.g. language, region).

  • Marketing / targeting cookies may be used to show relevant content or ads.

If you disable or refuse non-essential cookies, some parts of the Site may not function properly.

We recommend also adjusting your browser settings to restrict or delete cookies, though doing so may reduce site functionality.

5. How we use your data

We use your personal data for the following purposes:

  1. To deliver contracts / services — process and manage your bookings, payments, refunds, and attendance.

  2. Customer communication — send confirmations, updates, support responses, invoices, or other operational messages.

  3. Marketing & promotions — send you newsletters, offers, or event information, if you have opted in. You may opt out at any time.

  4. Analytics & site improvement — understand how visitors use the Site, improve structure, content, features, and performance.

  5. Security, fraud prevention & legal compliance — ensure integrity, detect misuse, protect accounts, and comply with legal obligations (e.g. tax, accounting).

  6. Business operations — internal record-keeping, auditing, reporting, and business management.

We will not use your personal data for purposes incompatible with those explained here without further consent (if required).

6. Sharing your data & third parties

We may share your personal data with:

  • Service providers / processors — e.g. payment gateway, email marketing service, website hosting, analytics providers, marketing / advertising platforms

  • Professional advisors — e.g. accountants, legal advisers

  • Legal / regulatory bodies — where required by law, court order, or to protect rights, property or safety

  • Business transfers — if the business (or part of it) is sold or merged, your data may be transferred under confidentiality and privacy terms

Whenever we share data, we:

  • Limit what’s shared to the minimum necessary

  • Use contractual agreements (data processing agreements) to require protection and restrict use

  • Ensure adequate safeguards when data is transferred outside the UK / EEA (e.g. standard contractual clauses or as permitted by law)

7. Data retention & deletion

We retain your personal data only as long as necessary to fulfil the purposes set out above, and in line with legal, tax, or accounting requirements.

Examples of typical retention periods:

  • Booking & payment data: [e.g. 6 years] (for accounting and tax)

  • Marketing subscription data (for those unsubscribed): [e.g. 3 years]

  • Analytics / log data: [e.g. 12 months or less]

After the retention period ends, we will securely delete, anonymise, or aggregate the data.

8. Your rights under UK GDPR

You have the following rights (subject to legal limits):

  • Access — request a copy of personal data we hold about you

  • Rectification — correct inaccurate or incomplete data

  • Erasure (“right to be forgotten”) — request deletion in certain circumstances

  • Restriction of processing — in certain cases

  • Object — to processing for direct marketing or for our legitimate interests in certain contexts

  • Data portability — receive data in a structured, machine-readable format, in certain cases

  • Withdraw consent — where processing is based on consent, you may withdraw consent at any time (without affecting processing already done)

To exercise any of these rights, contact us using the contact details in Section 1. We will respond in accordance with applicable law (generally within 1 month).

If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

9. Security & how we protect your data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, loss, or misuse. These may include:

  • Encryption (in transit and where appropriate at rest)

  • Access controls and authentication

  • Secure servers and infrastructure

  • Regular security reviews, vulnerability scans, and updates

  • Limiting staff access to data on a “need to know” basis

However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security; please also take care with your own passwords and devices.

10. Children & under-age users

Our Site is not intended for children under the age of 18. We do not knowingly collect or process personal data from children under 18.

If you believe we have inadvertently collected data from a child under 18, please contact us and we will delete it as soon as practicable.

If your services are intended or likely to attract minors, you must consider additional obligations under the UK “Age Appropriate Design Code” (Children’s Code).

11. International transfers of data

If we transfer personal data to a country outside the UK or European Economic Area (EEA), we will ensure that:

  • The destination country is deemed “adequate” by UK law, or

  • We use safeguards such as standard contractual clauses, binding corporate rules, or other lawful means permitted by applicable data protection law

We will also ensure that your rights and protections travel with the data and are enforceable.

12. Changes to this Privacy Policy

We may update this policy from time to time (for example, to reflect changes in law, technology, or business operations). When we do:

  • We will post the updated version on our Site

  • We will update the “Last updated” date at the top

  • If the changes are significant, we may notify you (e.g. via email)

Your continued use of the Site after the changes constitutes acceptance of the revised policy.

13. Miscellaneous & legal

  • If any provision of this Privacy Policy is held invalid or unenforceable, that provision will be deemed severed and will not affect the remaining provisions.

  • We may assign or transfer our rights under this policy, provided your rights are not adversely affected.

  • This policy is governed by the laws of England & Wales (or, if your business is Scottish, Scotland). Any disputes will be subject to the exclusive jurisdiction of the courts in that jurisdiction.

14. How to contact us

If you have any questions, complaints, or requests regarding your personal data or this Privacy Policy, please contact:

Lilac Retreats
Address: Lilac Farm, Stoke Ferry Road, Eastmoor, King’s Lynn PE33 9QA
Email: hello@lilacretreats.co.uk
Telephone: +44(0)7860 638928