Moorland Hall Ltd

GDPR & UK GDPR Privacy Policy

1. Who we are

Moorland Hall Ltd (“we”, “us”, “our”) is the controller of personal data collected through our activities as an outdoor education and activity centre.

Contact details
Website: www.moorlandhall.com
Emaill: moorlandhall.devon@gmail.com
Postal address: Moorland Hall, Brentor Road, Mary Tavy, Tavistock, Devon, PL19 9PY, United Kingdom

If you need this policy in another format, please contact us.

2. What this policy covers

This policy explains how we collect, use, store and share personal data. It applies to UK visitors and to visitors from the European Economic Area (EEA) and Switzerland. We comply with the UK GDPR and the Data Protection Act 2018. Where relevant, we also align our approach with EU GDPR principles.

3. The personal data we collect

Depending on your relationship with us (enquirer, customer, group leader, participant, parent/guardian, supplier), we may collect:

  • Identity and contact details:
    Name, address, email, phone number, nationality (if needed for travel/administration).
  • Booking and visit information:
    Dates, programme details, accommodation details, dietary requirements.
  • Participant information (including children):
    Age/date of birth, school/group, emergency contacts.
  • Health and safety information (medical forms):
    Medical conditions, allergies, medication, accessibility needs, swimming ability, incident/accident details.
    This may be collected via online and paper medical forms.
  • Consent records:
    Photo/video permissions, marketing preferences, consent from parents/guardians where required.
  • Payment and transaction information:
    Invoices, payment status, payer details (we do not aim to store full card details if processed by a payment provider).
  • Communications:
    Emails, messages and call notes.
4. How we collect personal data:
  • Directly from you (email, phone, forms, booking enquiries)
  • From group organisers (schools, agents, trip leaders)
  • From parents/guardians where participants are under 18
  • Via online and paper medical forms completed for participation in activities
  • From third parties where necessary for safety/administration (for example, travel providers or insurers)
5. Why we use your data (purposes) and our lawful bases

We only use personal data where the law allows. Common lawful bases we rely on:

  • Contract:
    To respond to booking enquiries, confirm bookings, deliver courses/activities, provide accommodation and catering, and manage changes/cancellations.
  • Legal obligation:
    To meet health and safety duties, safeguarding obligations, insurance requirements, and accounting/tax rules.
  • Legitimate interests:
    To run our centre safely and efficiently, communicate with group leaders, improve our services, and prevent fraud.
  • Consent:
    For marketing communications where required, and for photo/video use where consent is the appropriate basis.
  • Vital interests:
    Where necessary to protect someones life in an emergency.
  • Special category data (health information):
    Health and medical information is treated as special category data. We process it only where necessary for health and safety, to make reasonable adjustments, and to respond to incidents, relying on appropriate UK GDPR conditions (for example, substantial public interest/health and safety, vital interests, and explicit consent where appropriate).
6. Children’s data

We regularly provide services to children and young people. We take additional care with children’s data, including:

  • Collecting only what we need to keep participants safe and deliver the programme
  • Limiting access to staff who need the information
  • Using parent/guardian consent where appropriate (for example, for photography)
7. Photo and video consent

We may take photos/videos during activities for safeguarding records, incident documentation, and/or promotional purposes.

  • Where photos/videos are used for marketing or publicity, we will seek appropriate photo consent (including from parents/guardians for children where required).
  • You can withdraw consent at any time. Withdrawal will not affect past lawful use, but we will stop future use and remove content where reasonably possible.
8. Cookies and analytics

Our website may use essential cookies to help it function.

If we use analytics cookies (for example, to understand how visitors use our site), we will ask for your consent via a cookie banner.

9. Who we share personal data with

We may share personal data with trusted third parties where necessary, including:

  • Staff and instructors delivering activities
  • Accommodation, catering and transport providers involved in your booking
  • Professional advisers (accountants, insurers, legal advisers)
  • IT and communications providers (email, cloud storage, booking systems)
  • Emergency services or medical professionals where required
  • Regulators or authorities where we are legally required to do so

We do not sell personal data.

10. International transfers

Some of our service providers may store or process data outside the UK and/or EEA (for example, where cloud services use global infrastructure). Where this happens, we ensure appropriate safeguards are in place, such as:

  • UK International Data Transfer Agreement (IDTA) and/or UK Addendum to EU Standard Contractual Clauses
  • EU Standard Contractual Clauses (where relevant)
  • Adequacy regulations/decisions where applicable
11. How long we keep your data (retention)

We keep personal data only as long as necessary for the purposes set out above. Typical retention periods:

  • Booking and financial records: 6 years (tax/accounting)
  • Booking/enquiry correspondence (email and Microsoft Forms): up to 6 years (to manage bookings and handle queries/complaints)
  • Health/medical forms:
    • Adults: 3 years after the visit/course
    • Children: until age 21 (3 years after 18)
  • Incident/accident records:
    • Adults: 3 years after the incident
    • Children: until age 21 (3 years after 18)
  • Photo/video consent records: for as long as the related photos/videos are kept in use, or until consent is withdrawn
  • Marketing records: until you unsubscribe/withdraw consent
12. How we keep your data secure

We use appropriate technical and organisational measures, such as:

  • Access controls (need-to-know access)
  • Secure storage for paper records (locked storage with controlled access)
  • Password protection and device security
  • Staff confidentiality expectations
13. Online forms (Microsoft Forms)

We use Microsoft Forms for some online forms (including booking/enquiry forms and medical forms). The information you submit is processed and stored within Microsofts systems. Microsoft acts as a processor on our behalf. We manage access to form responses and only authorised staff can view them.

14. Your rights

Depending on your location and the applicable law, you may have rights including:

  • Access to your personal data
  • Rectification of inaccurate data
  • Erasure (in certain circumstances)
  • Restriction of processing
  • Data portability (where applicable)
  • Objection to processing based on legitimate interests
  • Withdrawal of consent (where processing is based on consent)

To exercise your rights, contact us using the details above.

15. Complaints

We’d like the chance to resolve any concerns first.

If you are in the UK, you can also complain to the Information Commissioner’s Office (ICO):  https://ico.org.uk

If you are in the EEA, you may also have the right to complain to your local supervisory authority.

16. Changes to this policy

We may update this policy from time to time. The latest version will be published on our website.