Skip to main content

Legal

Privacy Policy

Last updated: March 2026

Royalton Farm is committed to protecting your personal information and being transparent about how we use it. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under UK data protection law.

Please read this policy carefully. If you have questions or concerns, you can contact us using the details in Section 9.

1. Who We Are

Royalton Farm (Royalton Farm Cottages LTD, company registration number 17005027) is the data controller responsible for the personal information collected through this website and in connection with bookings.

Our registered address is: Royalton Farm, Castle-An-Dinas, St Columb, Cornwall TR9 6JB.

We are registered in England and Wales under Company Number 17005027. This website was built and is maintained by Overpowered Software (opware.co.uk) on behalf of Royalton Farm Cottages LTD.

As data controller, we determine how and why your personal data is processed. Where we use third-party services to process data on our behalf, those parties act as data processors.

2. What Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Information you provide directly:

  • Your full name and the names of members of your party.
  • Your email address.
  • Your telephone number.
  • Your home address (for the purposes of our booking records and, where required, legal compliance).
  • Booking details including property, dates, party size, and special requirements.
  • Messages or correspondence you send to us via our contact form, email, or telephone.
  • Any special requests, such as cot hire or accessibility requirements.

2.2 Payment information:

We do not store your payment card details. All payment processing is handled by Stripe, Inc. When you make a payment, you are transmitting card data directly to Stripe’s secure servers. Stripe may retain transactional records in accordance with their own privacy policy and applicable law. We receive confirmation of payment from Stripe but do not have access to your full card number, CVV, or other sensitive payment credentials.

2.3 Technical data collected automatically:

  • Your IP address.
  • Browser type and version.
  • Operating system.
  • Pages visited and time spent on our website (via cookies and analytics tools — see Section 8 and our Cookie Policy).
  • Referring website or source (how you arrived at our site).

3. How We Use Your Personal Data

We use your personal data for the following purposes:

  • To process and manage your booking — including issuing a Booking Confirmation, processing payments and refunds, and providing access instructions before your arrival.
  • To communicate with you about your booking — including responding to enquiries, sending balance payment reminders, and providing pre-arrival information such as directions, check-in instructions, and local recommendations.
  • To request a post-stay review — we may send a single follow-up email after your stay inviting you to leave a review. You may opt out of this at any time.
  • To comply with our legal obligations — including maintaining financial records for tax purposes and responding to lawful requests from authorities.
  • To improve our website and services — using aggregated, anonymised analytics data to understand how visitors use our site and to make improvements.
  • To send marketing communications — only where you have given your explicit consent, or where we have a legitimate interest in doing so (for example, where you are a previous guest and the communication is directly relevant to your interests). You can opt out at any time; see Section 7.

4. Legal Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:

  • Contractual necessity (Article 6(1)(b)): Processing your booking, communicating about your stay, and processing payments are all necessary to fulfil the contract between you and Royalton Farm.
  • Legitimate interests (Article 6(1)(f)): Sending post-stay review requests to previous guests, maintaining security of our systems, and analysing aggregated usage data to improve our services. We have assessed that these interests do not override your fundamental rights and freedoms.
  • Legal obligation (Article 6(1)(c)): Retaining financial records for the period required by HMRC and applicable tax law.
  • Consent (Article 6(1)(a)): Where you have opted in to receive marketing newsletters or promotional communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Data Sharing

We do not sell, rent, or trade your personal data to any third party. We share your data only where necessary with the following parties, each of whom acts as a data processor under our instruction:

  • Stripe, Inc. — Our payment processor. Stripe processes card transactions on our behalf. Stripe is certified to PCI-DSS Level 1. For more information, see Stripe’s privacy policy at stripe.com/gb/privacy.
  • Nodemailer (SMTP transactional email service) — We use an SMTP-based transactional email service to send booking confirmations, pre-arrival information, and other transactional emails. Your name and email address are transmitted to this provider for the purpose of sending emails on our behalf. The provider is contractually bound to process your data only as instructed by us and not for their own purposes.

We may also disclose personal data if required to do so by law, by a court order, or by a regulatory authority.

All third-party processors we use are required to process your data only in accordance with our instructions, to maintain appropriate security measures, and not to use your data for their own purposes.

6. How Long We Keep Your Data

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law.

  • Booking records (including your name, contact details, and booking history) are retained for 7 years from the date of the booking, in line with HMRC requirements for business records.
  • Marketing data (where you have opted in to receive marketing communications) is retained until you unsubscribe or withdraw consent. We will include an unsubscribe link in every marketing email.
  • Enquiry data (where you contacted us but did not proceed with a booking) is retained for up to 12 months, after which it is securely deleted.
  • Website analytics data is retained in aggregated, anonymised form. Where analytics data is not fully anonymised, it is retained for no more than 26 months.

When data is no longer required, it is securely deleted or anonymised.

7. Your Rights Under UK GDPR

You have the following rights in relation to the personal data we hold about you. To exercise any of these rights, please contact us using the details in Section 9. We will respond within one calendar month.

  • Right of access: You have the right to request a copy of the personal data we hold about you (a Subject Access Request).
  • Right to rectification: If any of the personal data we hold about you is inaccurate or incomplete, you have the right to ask us to correct it.
  • Right to erasure (“right to be forgotten”): In certain circumstances you have the right to ask us to delete your personal data — for example, where it is no longer necessary for the purpose it was collected. This right is not absolute and will be balanced against our legal obligations.
  • Right to data portability: Where we process your data on the basis of consent or contractual necessity, and by automated means, you have the right to receive a copy of your data in a structured, machine-readable format.
  • Right to object: You have the right to object to processing based on legitimate interests, including profiling. You have an absolute right to object to direct marketing, and we will stop as soon as we receive your objection.
  • Right to restrict processing: In certain circumstances you may request that we limit how we use your data whilst a dispute about its accuracy or legality is resolved.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.

We will not charge a fee for exercising your rights in standard circumstances. If a request is manifestly unfounded or excessive, we reserve the right to charge a reasonable administrative fee or refuse to respond, and we will inform you of our reasons.

8. Cookies

Our website uses cookies. Cookies are small text files placed on your device when you visit a website. We use essential cookies required for the site to function, and analytics cookies to help us understand how visitors use the site.

For full details of the cookies we use and how to control them, please see our Cookie Policy.

9. Contact Us and How to Complain

If you have any questions about this Privacy Policy or about how we handle your personal data, please contact us:

Email: [email protected]
Post: Royalton Farm, Castle-An-Dinas, St Columb, Cornwall TR9 6JB

If you are not satisfied with our response, or if you believe we are processing your personal data in breach of UK data protection law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection regulator:

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, appreciate the opportunity to address your concerns before you contact the ICO, and we ask that you contact us in the first instance.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or our services. Any changes will be published on this page with an updated “last updated” date at the top. Where changes are significant, we will take reasonable steps to notify guests who have an active or recent booking.

Related Policies