top of page

Privacy Policy

Applies to: elysium-retreats.co.uk and all holiday accommodation, retreats, and properties owned, managed, or operated by Elysium Retreats Ltd (collectively referred to as ‘our sites’ or ‘the properties’)

1. Introduction

Elysium Retreats Ltd acts as the Data Controller for the personal information collected through our website, booking services, and at all physical holiday accommodation, retreats, and properties owned, managed, or operated by us (collectively referred to as ‘our sites’). This means we are responsible for deciding how and why your personal data is processed.

We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We encourage you to read this policy carefully to understand your rights and our practices. If you have any questions or wish to exercise your rights, please contact us at the details provided in Section 15.

Note: References to ‘agreeing’ to this policy by using our services have been removed — under UK GDPR, consent to a privacy policy is not a valid legal basis for processing personal data. Our lawful bases are set out in full in Section 6.

2. Who We Are

Elysium Retreats Ltd is a company registered in the United Kingdom. We provide nature-led holiday accommodation across our portfolio of properties. This policy governs data processing across our entire portfolio, including any sites acquired or managed by us in the future.

As a Data Controller under UK GDPR, we determine how and why your personal data is processed. Elysium Retreats Ltd is a subsidiary of Sight Acre LLC, which operates as a separate entity with its own privacy policy available at sightacre.com/legal/privacy.

3. What Personal Data We Collect

We collect and process the following types of personal data:

  • Identity Data: Name, date of birth (where relevant to the booking), title, visual images captured by CCTV at our sites

  • Contact Data: Email address, phone number, billing address, postal address

  • Elysium Retreats Ltd — Privacy Policy | For internal review Page 2 of 9 | elysium-retreats.co.uk

  • Booking Data: Reservation details, number of guests, stay preferences, special requirements

  • Payment Data: Billing details processed securely by our third-party payment provider — we do not store full card details

  • Technical Data: IP address, browser type, operating system, device identifiers, cookies, and connection logs from guest Wi-Fi used at our sites (including MAC addresses collected via on-site Wi-Fi landing pages)

  • Usage Data: Information about how you use our website and digital platforms

  • Marketing & Communications Data: Your preferences for receiving promotional content and your communication history with us

We also collect any information you choose to provide in free-text enquiry or contact forms, and may collect emergency contact or accessibility information where this is relevant to your stay.

3.1 Special Category Data

We may collect information revealing health-related data, such as specific accessibility requirements or severe allergies. We process this data only where you have provided Explicit Consent to enhance your stay, or where it is necessary to protect your Vital Interests in a medical emergency.

4. How We Collect Your Data

We collect personal data in the following ways:

  • Directly from you: when you make a booking, sign up to our newsletter, fill in a form, or contact us by phone or email

  • Automatically: when you use our website, via cookies and analytics tools (subject to your consent — see Section 5)

  • From third parties: for example, from booking platforms such as Host Seasons or other online travel agents, payment processors, or social media platforms when you interact with us through those services

Where you book through a third-party platform (such as an online travel agent), that platform’s own privacy policy will also apply to your initial interaction with them. We will only contact you directly if you have given us specific consent to do so, or where it is necessary to fulfil your booking.

5. Cookies

We use cookies and similar tracking technologies on our website. Essential cookies are placed on the basis of Legitimate Interest and are strictly necessary for the site to function. Non-essential cookies — including analytics cookies — are placed only with your Consent, via the cookie banner displayed on your first visit. You may update your cookie preferences at any time. For full details, please see our Cookie Policy.

6. Legal Basis for Processing

Under the UK GDPR, we are required to have a lawful basis for every processing activity. The table below sets out each activity we carry out, the personal data involved, and the specific legal basis we rely on. This replaces the previous general list of legal bases, which did not make clear which basis applied to which activity.

Where we rely on Legitimate Interest, you have the right to object to that processing at any time. Please contact us using the details in Section 15.

7. Data Sharing

We do not sell your data. We may share it with service providers (Mailchimp, cloud hosting, payment processors), professional advisers, and regulatory bodies. Some providers may be based outside the UK. Where your data is transferred internationally, we ensure safeguards are in place, including Adequacy Decisions or Standard Contractual Clauses (SCCs).

  • Service providers: including cloud hosting providers, payment processors, booking platforms, email marketing platforms (Mailchimp), IT support providers, and customer support tools

  • Business partners: where you have engaged with us via a partner platform or booking channel

  • Legal and regulatory bodies: where required by law or in connection with legal proceedings

  • Professional advisers: accountants, auditors, insurers, and legal representatives

Successor entities: in the event of a business transfer or acquisition — you will be notified and your data will continue to be protected

All third-party service providers are subject to contractual obligations requiring them to keep your data secure and process it only on our instructions.

8. International Data Transfers

Some of our service providers (such as cloud hosting or email marketing platforms) may be based outside the UK. Where your data is transferred outside the UK, we ensure that appropriate safeguards are in place, including:

  • Adequacy decisions made by the UK Secretary of State

Standard Contractual Clauses (SCCs) approved for international transfers, where no adequacy decision exists

You may request details of the specific safeguards in place for any transfer by contacting us at the details in Section 15.

9. Data Retention

We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. The previous policy did not specify retention periods clearly — the following table sets out our specific periods:

Where data is no longer required, it is securely deleted or anonymised.

Note: The previous policy stated booking records are kept for ‘up to 6 years’. This has been updated to 7 years to align with HMRC requirements for financial records.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data from unauthorised access, alteration, disclosure, or destruction. These include secure servers, encryption protocols, access controls, staff training, and regular reviews of security measures.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours and, where required, notify you directly.

Note: The previous policy contained the phrase ‘you share personal data with us at your own risk’. This has been removed as it is not appropriate under UK GDPR, which places responsibility for data security with the Data Controller.

11. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. If this changes, we will update this policy and obtain any necessary consent before introducing such processing.

12. Your Rights

Under the UK GDPR, you have the following rights:

  • Right of Access: request a copy of your personal data

  • Right to Rectification: correct inaccurate or incomplete data

  • Right to Erasure: request deletion of your data (subject to legal obligations)

  • Right to Restrict Processing: request that we limit how your data is used

  • Right to Data Portability: request transfer of your data in a structured, machinereadable format

  • Right to Object: object to processing based on Legitimate Interest or for direct marketing

  • Right to Withdraw Consent: withdraw consent for marketing or non-essential cookies at any time, without affecting the lawfulness of prior processing

Right not to be subject to Automated Decision-Making: as noted in Section 11, we do not engage in such processing.

To exercise any of these rights, please see Section 14 for how to submit a Data Subject Access Request.

13. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your personal data has been processed unlawfully. We would appreciate the opportunity to address your concerns first — please contact us at the details in Section 15 before approaching a regulator.

United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk — 0303 123 1113

European Economic Area: Your local data protection authority — full list available at edpb.europa.eu

14. Data Subject Access Request (DSAR) Procedure

Submitting a Request

Requests can be made by email, in writing, or via our website contact form. They do not need to be formally labelled as a “Data Subject Access Request” to be valid.

Email: privacy@elysium-retreats.co.uk (or the contact email in Section 15)

Post: Elysium Retreats Ltd — please see address in Section 15

Please include “DSAR Request” in the subject line to ensure your request is directed to the right team. A direct link to our DSAR form should be made available on the website — making this easy to find is a requirement under UK GDPR.

Verification and Timeframes

We may require proof of identity before processing requests. We will respond within one calendar month. Where requests are complex, we may extend this by up to two further months, informing you within the first month.

Requests are free of charge. We may charge a reasonable fee or decline requests that are manifestly unfounded, excessive, or repetitive.

How We Respond

  • Access: confirmation of processing, data categories, purposes, recipients, retention periods, and a copy of the data

  • Rectification: correction of inaccurate or incomplete data

  • Erasure: deletion where legally appropriate; some data may be retained if required by law

  • Restriction: limiting processing where legally justified

  • Portability: data provided in structured, machine-readable format

  • Objection: immediate stop to direct marketing processing; assessment of other objections against our Legitimate Interest Withdrawal of consent: actioned promptly where consent is the legal basis

Record Keeping

All requests and responses will be logged, including dates, actions taken, and outcomes. Records will be retained for at least three years to demonstrate compliance.

15. Email Marketing and Consent

Where you have provided consent, we may send you newsletters, promotions, and updates about our services via Mailchimp. You can opt out at any time by clicking the “unsubscribe” link in any email or by contacting us directly.

We will only send you marketing communications for the specific purposes you have opted in to. Opting in to one type of communication (such as a newsletter) does not constitute consent for all marketing.

If you have booked with us, the personal data you provided for that booking will be used only for the fulfilment of your reservation and related customer service — unless you have separately opted in to our marketing communications.

All data capture points — including website forms, competition entries, and email signup forms — will include a link to this Privacy Policy and clear, specific opt-in choices before your data is collected.

Every marketing email we send will include a clear and easy unsubscribe option. Please ensure this is in place for all Mailchimp campaigns.

17. Children’s Data

Our services are not directed at children under 18, and we do not knowingly collect personal data from minors. If we become aware that we have collected such data, we will delete it promptly.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in legal requirements, technology, or our business practices. Updates will be posted on this page with a revised “Last Updated” date. Where changes are material, we will notify you by email or through a notice on our website.

19. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about our data practices, please contact:

Data Protection Team — Elysium Retreats Ltd

Email: info@elysium-retreats.co.uk

Website: elysium-retreats.co.uk

stay in the know

Subscribe to our mailing list to receive exclusive news and offers

Contact Us

Careers at Elysium Retreats

Gift Vouchers

FAQs

Terms & Conditions

Cookie Policy

Privacy Policy

Environmental Policy

Your stay with us is part of a wider commitment to sustainable travel. We prioritise eco-friendly practices, from energy and water use to responsible sourcing, to ensure our impact on the environment is a positive one. Together, we can protect the landscapes we enjoy today and safeguard them for the future.

© 2025 Elysium Retreats Ltd

bottom of page