We take your privacy seriously
This privacy policy sets out how Homefield Grange uses and protects any information that you give Homefield Grange when you make a booking with us, use our guest self-service portal, or use our website, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Homefield Grange is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.
Homefield Grange may change this policy from time to time by updating this page. You should check this page periodically to ensure that you are happy with any changes.
Who is the Data Controller?
Suzanne Peck
Homefield Grange Retreat Limited
Manor Road, Rushton, Northamptonshire NN14 1RH
Contact: suzanne@homefieldgrange.co.uk · 01536 712219
What personal data is being processed?
Booking & Reservation Data
When you make a booking at Homefield Grange we collect the following information to enable us to process your booking:
- Name
- Address
- Date of birth
- Email address
- Telephone number
- Debit/credit card details (processed securely by Worldpay — we do not store card numbers)
- Whether you have any allergies or dietary requirements
This personal data is processed under the legal basis of contractual necessity (UK GDPR Article 6(1)(b)) — it is required to fulfil your booking and provide the services you have requested.
Health & Medical Data (Special Category Data)
As part of your retreat experience, we collect health and medical information through our online health questionnaire. This may include information about existing medical conditions, medications, allergies, and physical fitness relevant to the treatments and activities included in your programme.
This data is classified as special category data under UK GDPR Article 9 and is processed on the basis of your explicit consent (Article 9(2)(a)). You will be asked to provide this consent before submitting your health questionnaire. You may withdraw your consent at any time by contacting our Data Controller; however, this may affect our ability to safely deliver certain treatments.
Guest Portal Data
If you use our Guest Portal (self-service booking management), we process the following additional data:
- Authentication credentials (WebAuthn passkeys — stored as encrypted public key references only)
- Session identifiers for secure login
- Booking amendment and cancellation history
This data is processed under the legal basis of contractual necessity.
Marketing Data
Online, we collect the following information for marketing purposes, including sending relevant emails about offers and promotions:
- Name
- Email address
- Telephone number
This data is processed under the legal basis of legitimate interest (UK GDPR Article 6(1)(f)). You may unsubscribe from marketing emails at any time using the link provided in every email.
Who is the personal data shared with?
We share your personal data with the following third parties, strictly as necessary:
- Worldpay (FIS Global) — Payment processing. Worldpay has access to your debit/credit card details as part of the booking process. Registered Office: The Walbrook Building, 25 Walbrook, London.
- MailChimp (Intuit Inc.) — Marketing email distribution. Your name, email address, and booking metadata (retreat name, dates) are shared with MailChimp to send marketing communications. MailChimp processes data in accordance with their own privacy policy and Standard Contractual Clauses for international data transfers. You may unsubscribe at any time via the unsubscribe link in any email, and your data will be permanently deleted from MailChimp upon a GDPR erasure request.
- SMTP2GO — Transactional email delivery. Booking confirmations, pre-arrival information, and cancellation notices are delivered via SMTP2GO's secure email relay service.
- Cloudflare — Website security and anonymised analytics. Cloudflare provides DDoS protection and collects anonymised page-view data. No personally identifiable information is collected.
Your data will not be subjected to automated decision-making or profiling.
How long is your data held?
- Booking & financial records: Retained for 7 years from the date of your stay, in accordance with HMRC record-keeping requirements.
- Health & medical data: Deleted within 12 months of your stay. This data is automatically purged by our GDPR compliance system.
- Marketing data: Retained until you unsubscribe. You can do this at any point by clicking the “unsubscribe” link in any marketing email or by contacting our Data Controller.
- Guest Portal credentials: Deleted when your booking data is purged, or upon request.
Your rights
Under UK GDPR, you have the following rights:
- The right to access the personal data held about you (Subject Access Request)
- The right to have your personal data rectified if it is inaccurate or incomplete
- The right to have your personal data erased (“right to be forgotten”)
- The right to restrict processing of your personal data
- The right to have your personal data transferred (ported) to another controller
- The right to object to processing, including direct marketing
- The right to withdraw consent for health data processing at any time
Homefield Grange will stop processing personal data for direct marketing purposes as soon as we receive an objection. We will deal with all rights requests free of charge.
To exercise any of these rights, please contact our Data Controller:
Suzanne Peck
Homefield Grange Retreat Limited
Manor Road, Rushton, Northamptonshire NN14 1RH
suzanne@homefieldgrange.co.uk · 01536 712219
What happens if I don't provide my information?
The personal information that we take to confirm a booking (name, address, debit/credit card details) is a contractual requirement to secure and make payment for a booking. Failure to provide this data will mean that a booking cannot be made.
Failing to provide details of your allergies or complete the health questionnaire will mean that we are unable to safely tailor your retreat programme and treatments to your specific requirements.
Security
We are committed to ensuring that your information is secure. To prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect. These include:
- AES-256-GCM encryption for sensitive personal data at rest
- TLS 1.3 encryption for all data in transit
- PCI DSS-compliant payment processing via Worldpay (we never store card numbers)
- Role-based access controls for staff access to guest data
- Automated GDPR data purge processes
Cookies
Our booking system uses strictly necessary cookies to manage your session and process payments securely. We do not use advertising or tracking cookies. For full details, please see our Cookie Policy.
Links to other websites
Our website may contain links to enable you to visit other websites of interest easily. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites.
Complaints
If you are not satisfied with how Homefield Grange has processed your data or handled a complaint, you can report your complaint to the Information Commissioner's Office (ICO):
Telephone: 0303 123 1113 · Website: ico.org.uk
Company Information
Homefield Grange Retreat Limited · Company Reg. No. 06444159
Registered in England and Wales
Homefield Grange, Manor Road, Rushton, Northamptonshire, NN14 1RH