Privacy Policy

THE GRANGE SPA – PRIVACY POLICY

Version: 2.0
Last Updated: 16-11-2025


1. Who We Are

The Grange Spa (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal information with transparency and care.

Data Controller:
The Grange Spa
Millthorpe Road, Pointon, Lincolnshire NG34 0NF
Email: relax@thegrangespa.co.uk
Website: www.thegrangespa.co.uk

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit our website, make a booking, sign up for marketing, complete consultation forms, or use our services.


2. The Information We Collect

2.1 Personal Information

We may collect:

  • Name

  • Postal address

  • Email address

  • Telephone number

  • Date of birth

  • Direct debit details (membership payments only – securely processed)

  • How you heard about us

2.2 Booking, Usage & Interaction Data

  • Treatment/spa day bookings

  • Appointment history

  • Customer service interactions

  • Marketing preferences

  • Website usage (only after cookie consent)

2.3 Special Category “Health” Data (Article 9 GDPR)

To provide safe, appropriate treatments, we ask for relevant health information, such as:

  • Medical conditions

  • Pregnancy details

  • Allergies

  • Injuries

  • Mobility or accessibility needs

  • Contraindications

This information is collected with your explicit consent and used solely for treatment planning, safety, and duty of care.


3. How We Collect Your Information

We collect data when:

  • You browse our website

  • You make an online booking

  • You complete consultation forms in person

  • You purchase/renew a membership

  • You subscribe to marketing

  • You email or contact us

  • You interact with our cookie consent banner

  • You attend appointments


4. Our Legal Bases for Processing

We rely on the following lawful bases:

  • Contract – to manage your bookings, memberships, and payments.

  • Explicit Consent – for health data and marketing communications.

  • Legitimate Interests – to ensure safe, efficient operation of our spa and services.

  • Legal Obligation – for financial, regulatory, and insurance compliance.

  • Vital Interests – where treatment-related health information is required to protect you in an emergency.


5. How We Use Your Personal Data

We use your information to:

  • Provide safe, appropriate spa treatments

  • Manage bookings, payments, memberships, and customer records

  • Send appointment confirmations and updates

  • Communicate operational changes

  • Deliver marketing communications (only with consent)

  • Provide personalised offers (e.g., birthday treats)

  • Improve our services, website, and customer care

  • Comply with insurance, HMRC, and regulatory requirements

We do not sell, rent, or trade your data.


6. Who We Share Your Data With

We only share data with trusted service partners who act as Data Processors under strict GDPR-compliant agreements.

6.1 Premier Core Cloud (Journey / Premier Software Solutions Ltd)

Our secure booking and CRM platform.
Stores personal information and health data as part of treatment safety and booking management.

Premier Core Cloud is fully GDPR compliant and processes personal data strictly under our instructions.
All data stored is encrypted, access-controlled, and hosted on secure UK-based infrastructure.

6.2 IOCEA Mailer (Email Marketing Platform)

Stores:

  • Name

  • Email address

  • Date of birth

Used only to send newsletters, special offers, birthday messages, service updates, and marketing you have opted into.
Fully GDPR compliant and does not share or use your data externally.

6.3 Website & Hosting Providers (Nettl Bourne / Hosting Partners)

May access website data for maintenance, support, and technical operations only.

6.4 Payment & Direct Debit Processors

Used for secure membership payments. We do not store full card details ourselves.

6.5 Legal or Regulatory Authorities

Only when required by law.

We never sell your personal data to third parties.


7. International Transfers

Some processors may operate outside the UK.
When this happens, we ensure lawful safeguards such as:

  • UK adequacy decisions

  • Standard Contractual Clauses (SCCs)

  • Robust GDPR-compliant hosting and security frameworks


8. Cookies & Consent

Our website uses cookies to enhance functionality, improve visitor experience, and help us understand how the site is used — but only with your consent.

We use Complianz to manage cookie consent, which ensures:

  • No analytics/marketing cookies load before you accept

  • Granular consent options (Preferences, Statistics, Marketing)

  • You can withdraw or change consent anytime

  • Full transparency through our updated Cookie Policy

View our dedicated Cookie Policy for more details.


9. How Long We Keep Your Information

Consultation Forms (Health Information):

Stored for 1 year, or longer if required by insurers, treatment safety, or legal obligations.

Booking Records (Premier Core Cloud):

Held while you remain an active customer.
If you leave, you may request full deletion unless legal retention applies.

Membership Payment Information:

Held for the duration of the membership plus any legally required period.

Marketing Data (IOCEA Mailer):

Retained until you unsubscribe or request full deletion.
Unsubscribed emails remain on a protected suppression list so we don’t contact you accidentally.

Financial Records:

Held for 6 years as required by UK law.


10. How We Protect Your Data

We take data protection seriously. Safeguards include:

  • Encrypted online systems

  • Secure servers and hosting

  • Restricted staff access

  • Confidentiality agreements

  • Locked physical storage for paper forms

  • Firewalls and anti-malware protection

  • Consent Mode v2 for compliant analytics

  • Regular security checks

  • Use of GDPR-compliant service providers

No system is 100% impenetrable, but we take all reasonable steps to protect your data.


11. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data

  • Request correction

  • Request deletion (“right to be forgotten”)

  • Restrict processing

  • Object to processing

  • Request data portability

  • Withdraw consent at any time

  • Opt out of marketing

  • Make a complaint to the ICO

To exercise any of these rights:

Email: relax@thegrangespa.co.uk
We will respond within one month.


12. Complaints

If you are unhappy with how we handle your data, you may contact:

Information Commissioner’s Office (ICO)
Website: www.ico.org.uk
Phone: 0303 123 1113

We encourage contacting us first so we can address any concerns directly.


13. Updates to This Policy

We may update this Privacy Policy from time to time.
The current version will always be available on our website, with the version number and last updated date shown above.


14. Contact Us

If you have questions or requests regarding your personal data, please contact:

The Grange Spa
Millthorpe Road, Pointon
Lincolnshire NG34 0NF
Email: relax@thegrangespa.co.uk
