CORYLUS RETREATS LTD – PRIVACY POLICY

Last updated: 22/12/2025

Corylus Retreats Ltd (“we”, “us”, “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal information when you interact with us, including when you make an enquiry or booking, stay with us, or visit our website.

This policy applies to all personal data collected through:

  • Our website (staycorylus.com)

  • Our booking systems (including SuperControl and associated payment providers)

  • Email, phone, WhatsApp, and other direct communications

  • In-person interactions related to your stay

1. Who We Are (Data Controller)

Corylus Retreats Ltd
Registered in Scotland
Registered Office: Leckmelm Wood, Ullapool, Ross-Shire, IV23 2RH
Email: admin@staycorylus.com

For the purposes of UK data protection law, Corylus Retreats Ltd is the data controller of your personal information.

2. The Personal Data We Collect

We only collect personal data that is necessary for legitimate business and legal purposes. This may include:

Identity & Contact Information

  • Name(s)

  • Email address

  • Telephone number

  • Postal address (if provided)

Booking & Stay Information

  • Booking details (dates, accommodation, number of guests)

  • Communications with us before, during, or after your stay

  • Special requests or accessibility information (only where volunteered)

Payment Information

  • Payment status, transaction references, and invoices

  • We do not store full card details. Payments are processed securely by third-party payment providers.

Technical Data (Website Use)

  • IP address

  • Browser type and device information

  • Pages visited and interaction data (via cookies – see Section 8)

3. How We Use Your Personal Data

We use personal data for the following purposes:

  • To process enquiries and bookings

  • To manage your stay and provide guest services

  • To communicate essential pre-arrival, arrival, and post-stay information

  • To comply with legal and regulatory requirements (e.g. accounting, licensing, insurance)

  • To manage payments, deposits, and refunds

  • To respond to questions, feedback, or complaints

We do not sell personal data or use it for unrelated marketing purposes.

4. Legal Bases for Processing

Under UK GDPR, we rely on the following lawful bases:

  • Contract – to fulfil a booking or respond to an enquiry

  • Legal obligation – where we are required to retain records

  • Legitimate interests – to operate and improve our business responsibly

  • Consent – where you have explicitly opted in (e.g. to marketing communications)

5. Sharing Your Data

We only share personal data where necessary and proportionate, including with:

  • Booking & property management systems (e.g. SuperControl)

  • Payment processors (e.g. card payment providers)

  • Accounting and professional advisers

  • IT and communications providers (email, hosting, cloud storage)

All third-party providers are required to process data securely and in line with data-protection law.

We do not transfer personal data outside the UK or EEA unless adequate safeguards are in place.

6. Data Retention

We retain personal data only for as long as necessary:

  • Booking and financial records: typically 6–7 years (legal/accounting requirements)

  • Enquiry data: up to 24 months if no booking results

  • Marketing data: until consent is withdrawn

When data is no longer required, it is securely deleted or anonymised.

7. Your Rights

You have the right to:

  • Access your personal data

  • Request correction of inaccurate data

  • Request deletion of your data (where legally permissible)

  • Object to or restrict processing

  • Withdraw consent at any time

  • Lodge a complaint with the Information Commissioner’s Office (ICO)

To exercise any of these rights, please contact: admin@staycorylus.com

8. Cookies & Website Analytics

Our website uses essential cookies and limited analytics to understand site usage and improve performance. Cookies do not identify you personally.

You can manage or disable cookies through your browser settings.

9. Data Security

We take appropriate technical and organisational measures to protect personal data, including:

  • Secure cloud-based systems

  • Restricted access to personal data

  • Strong password and device security

  • Encrypted payment processing via third parties

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect legal or operational changes. The latest version will always be available on our website.

11. Contact Us

If you have any questions about this Privacy Policy or how your data is handled, please contact:

Corylus Retreats Ltd
Email: admin@staycorylus.com