We collect data when you:
- Register for workspace memberships
- Book event spaces or lounge reservations
- Sign up for newsletters/loyalty programs
- Use WiFi or digital services (via captive portal login)
- Participate in promotions/surveys

Categories of data:
| Type | Examples |
|---|---|
| Core Data | Full name, email, phone number, billing address |
| Enhanced Data | Occupation (workspace users), company name, optional LinkedIn/Instagram handles (requires explicit consent) |
| Technical Data | IP address, device type, browser data (see Cookie Policy) |
| Financial Data | Payment card details (processed via Stripe/PayPal with PCI-DSS compliance) |
| Usage Data | Reservation history, membership duration, service preferences |

We process data under GDPR Article 6 as follows:
| Purpose | Legal Basis |
|---|---|
| Fulfilling reservations/memberships | Contractual Necessity |
| Processing payments | Contractual Necessity |
| Sending marketing emails | Consent (opt-in) or Soft Opt-In (for existing customers) |
| Improving services (e.g., WiFi analytics) | Legitimate Interests (LIA conducted) |
| Fraud prevention | Legal Obligation/Legitimate Interests |

- Process bookings and manage workspace access.
- Personalize your experience (e.g., preferred seating, loyalty rewards).
- Send promotions via email/SMS (opt-out anytime).
- Conduct anonymous market research.
- Comply with tax/legal obligations.

We do not use automated decision-making or profiling.

We share data only with:
- Payment processors: Stripe, PayPal (PCI-DSS compliant).
- Email platforms: Mailchimp/Campaign Monitor (DPAs in place).
- Legal authorities: When required by law.

We never sell your data.

Data is stored in the UK/EEA unless transferred to:
- Google Analytics (EU-US Data Privacy Framework certified).
- Cloud providers using Standard Contractual Clauses (SCCs).

All transfers comply with GDPR Chapter V safeguards.

| Data Type | Retention Period | Reason |
|---|---|---|
| Financial records | 7 years | Legal obligation (HMRC) |
| Membership data | 5 years post-termination | Contractual disputes |
| Marketing consents | Until withdrawal | GDPR Article 7 |
| WiFi connection logs | 12 months | Legitimate Interests (security) |

Data is anonymized or deleted after retention periods.

Under GDPR, you may:
- Access or rectify your data (Articles 15-16).
- Erase data or restrict processing (Articles 17-18).
- Export your data in machine-readable format (Article 20).
- Object to processing (e.g., marketing) (Article 21).

To exercise rights, email Hello@peppermintsbar.co.uk. We respond within 30 days.
You may also lodge a complaint with the UK ICO (www.ico.org.uk).

We protect data with:
- AES-256 encryption for sensitive records.
- Annual penetration testing and staff GDPR training.
- Role-based access controls for internal systems.
- Secure document shredding for physical records.

We review this policy annually. Material changes will be notified via email or website banners.