We are committed to ensuring that your privacy is protected and understand the need for appropriate protection of all personal information provided by you to us.
What data do we collect about you?
We collect data from you when you make a booking, use our facilities or our services, via our team, either in person or over the phone, and also when you book online via our Website.
We also collect data when you fill in our guest forms or by connecting using our social media websites.
Facilities include, but are not limited to the following; The Packhorse Inn, The Rupert Brooke, The Northgate, The Blackbirds, The Black Lion including, restaurant and guest Wi-Fi.
We have CCTV installed in our premises in public areas and particularly around entrances and exits; this is for the purposes of prevention and detection of crime and employee monitoring.
We also collect Data from you when you subscribe to any of our marketing communications, complete our voluntary customer surveys, enter our competitions or provide feedback. These may be carried out online, by telephone or in person.
Some of the Data we collect may be classed as Personal Data, that is, it is information about an individual who can be identified from it. It may be collected any time you submit it to us, whatever the reason may be.
Without limitation, any of the following “Data”; (meaning collectively all information that you submit to the Website, including but limited to, personal details and information submitted using any of our services, as provided on the Website), may be collected by us via our Website including:
a) Your full name;
b) Your contact information such as email addresses and telephone/mobile numbers;
c) Your demographic information such as preferences and interests;
d) Your geographic information such as home address and postcode (where applicable);
e) Your date of birth
f) Your IP address (automatically collected);
g) Your web browser type and version (automatically collected);
h) Your operating system (automatically collected);
i) Your credit or debit card details where you make a payment
j) A list of URLs starting with a referring site, your activity on this Website, and the website you exit to (automatically collected); and
k) Your Cookie information (see below).
In addition, the following Data will be collected when you fill in our spa treatment applications or guest forms:
l) Your full name,
m) The name of your partner or spouse;
n) The name of your children;
o) Your date of birth;
p) Your contact information such as email addresses and telephone/mobile numbers;
q) Your demographic information such as preferences and interests;
r) Your geographic information such as home address and postcode (where applicable);
s) Your special dietary requirements;
t) Your credit or debit card details where you make a payment;
u) Your medical history;
v) Your physical health history;
w) Your car registration for car parking arrangements and events; and
x) Your passport or driving licence details
If you choose to connect with us via social media websites, for example such as Facebook or Twitter, we may collect your username, (which may contain your name and surname) by you “liking” or “following” our page. We may also run competitions via these social media websites which will send you to a separate competition website link. By connecting with us via social media websites you are bound by their terms and conditions and privacy policies.
If you provide us with any Personal Data relating to any third party (e.g. information about your spouse, children, employees or colleagues) for particular purposes, by submitting such information to us, you warrant and represent to us that you have obtained the consent of such third party to provide us with their Personal Data for the respective purposes.
How will we use the data about you?
We use the information we collect about you to;
• process your bookings and accommodation;
• answer your queries;
• process your voucher purchases;
• provide our food and beverage facilities and services; and
• provide our spa treatment and services.
With your consent, we will contact you via our marketing and sales channels (via email, phone or post) about other related products and services we, or our group business, provide which we think may be of interest to you. Our marketing communications are generally sent by email but we may sometimes use other methods of delivery such as by post or SMS. At any time you may stop these communications by texting “STOP” or unsubscribing.
We may use your Data collected from the Website, via cookies or direct input, to personalise your repeat visits to our Website.
We operate a centralised reservation system for reservations and marketing purposes.
Any or all of the above Data may be required by us from time to time in order to provide you with the best possible service and experience. Specifically, Data may be used by us for the following reasons:
a) internal record keeping;
b) improvement of our offers, products and Website;
c) linking you with third parties that are offering services you may require;
d) transmission by email of promotional materials that may be of interest to you;
e) to pass on to the police and government authorities as requested by them, for example in cases of fraud and theft.
f) to comply with any applicable rules, laws, regulations, codes of practice or guidelines issued by any legal or regulatory body which are binding on us;
g) linking you with third-party payment collecting company for payments; and
h) contact for market research purposes which may be done using email, telephone or post.
We sometimes engage the services of trusted third parties to process the Data collected by generating anonymised statistics to assist us with our marketing campaigns and business analysis. We do not disclose this anonymised Data outside of our business group. It is not possible for the business to identify an individual from such anonymised Data presented in our internal reports.
We adhere to the following working principles:
access to Data for our third-party clients’ is restricted to our relevant staff members.
any Data disclosed to third-party clients’ is anonymous and you cannot be identified by it, save for payment details where we use a third party payment collecting company.
all hard copies of Data and confidential documents are kept securely under lock and key.
We have registered with the ICO under the Data Protection Act 1998 and adhere to the following principles:
All our relevant employees have received training in how to handle Data. This includes ensuring they are aware of the importance of handling Data safely and securely, and understanding the procedures in place to ensure this happens.
When collecting Data for third-party clients all Data is anonymised, save for payment details where we use a third party payment collecting company InnCharge.
Once every year we will evaluate our database and securely delete any contacts no longer engaged or any Data no longer needed by us.
We have measures in place to keep the Personal Data we hold safe and secure.
All personal information is stored in Chestnut Group’s secure web server hosted site to which access is only granted to key personnel. Where data is downloaded to be updated, and as a backup to the cloud, it is only stored on personal drives, only accessible via individual login.
The Data Processor and the Data Controller can be contacted via email on
please but the topic of your enquiry in the header title.
The Data Controller recognises possible recipients of your Data include; our employees, agents, consultants, third parties and data processors.
Any or all of the above Data may be required by us from time to time in order to provide you with the best possible service and experience when using our Website. Specifically, Data may be used by us for the following reasons:
internal record keeping;
improvement of our products, Services and Website;
linking you with third parties that are offering services you may require;
transmission by email of promotional materials that may be of interest to you;
to pass on to the police and government authorities as requested by them, for example in cases of fraud and theft.
linking you with third-party payment collecting company for payments; and
contact for market research purposes which may be done using email, telephone or post. Such information may be used to customise or update the Website.
We share your Data within Chestnut Group and its subsidiaries.
Where we use contracted and trusted third parties to facilitate our provision of services and offers, we will also share your Data with those parties for that purpose. This includes the processing and delivery of marketing communications to you, processing review and upgrade services and any other third party services engaged to perform payment, business support, operational or administrative function.
Data Controller acknowledges possible recipients of your Data include; our employees, agents, consultants, third parties and data processors. All Data is processed within the UK.
Third parties are subject to confidentiality obligations and may only use your Personal Data to perform the necessary functions as requested by us and not for any other purposes.
We may also disclose Personal Data as permitted or required by law. For instance, if asked by the police or HMRC, we may share your Personal Data with them for the purposes of prevention and detection of crime.
Transaction and data security
Whilst we take reasonable, appropriate technical and organisational measures to safeguard the Personal Data that you provide to us, no transmission over the internet can ever be totally guaranteed secure. Consequently, please be aware that we cannot guarantee the complete security of any Personal Data that you transfer over the internet to us whilst in transit. Sending such information is entirely at your own risk.
We understand how important it is to securely store any Data that you provide. We take the privacy and security of your payment and personal details very seriously. Although we take reasonable care to keep your Personal Data secure, we cannot be held liable for any loss you may suffer from unauthorised access or loss of any Data provided.
As part of our security measures, we use encryption technologies for online transactions via our Website including “Verified” by Visa and MasterCard secure code – SSL Secure Shopping.
To use this service, you must first register with the bank or other organisation that issued your card. You can find out more about these services by visiting the relevant Visa and MasterCard websites:
Visit the Verified by Visa website
Or visit the MasterCard Secure Code website
Once you have registered and created your own private password with your card issuer, you will be prompted automatically at checkout to provide this password each time you use your card on our website. We do not have access to your Verified by Visa or MasterCard Secure Code password.
You can tell whether a page is secure as 'https' will replace the 'http' at the front of the in your browser address window. A small locked padlock will also appear either in the bottom bar of your browser window or alongside the browser address, depending upon which browser software and version you are using.
Where you make a payment in person at our properties we use the secure third party payment companies called CardNet or FirstData. Please see their privacy policies here – and
On pre-payment bookings payment is taken up-front and money taken at the time of booking. It is important that you take note of our cancellation policy in our Terms and Conditions we reserve the right to charge and take payment from your card for a “no-show” should you fail to turn up for your stay and have not let us know by the agreed time period in advance of arrival.
Where asked, you are required to be able to produce the same card, used for any booking paid in advance online, at check-in.
In addition to the Data collected via our Website when we collect Data in person, we keep this information in secure files with restricted access to keys.
We would like to send you information about Chestnut Group products, offers and services, which we believe may be of interest to you. If you have consented to receive our marketing, you may opt out at any time.
If you no longer wish to be contacted, you can unsubscribe by any of the following methods:
Select the UNSUBSCRIBE link included in our emails or on our Website;
Contact our Marketing Team at the email address: and the subject matter in the email header.
Accessing and amending your data
You have a right to access a copy of the Data which we hold about you. If you would like to do this, please email us at and the subject matter in the email header or write to us at the address above. We will provide the Data within thirty (30) days of receipt of your written request.
We want to make sure that your personal Data is accurate and up to date.
You may need to modify or update your Data if your circumstances change. Additional Data as to your marketing preferences may also be stored and you may change this at any time.
You are able to make amendments, or withdraw your consent for use, by telling our reception staff when you check in or by contacting our Data Processor via email at and the subject matter “Opt-out” in the email header.
If you withdraw your consent to any or all use of your Personal Data, depending upon the nature of your request, we may not be able to provide or continue providing our products and services to you, or administer any contractual relationship already in place. You understand and agree that in such instances where we require your Personal Data to fulfil a contractual obligation to you and you withdraw your consent to collect, use or disclose the relevant personal Data for those purposes, we cannot be held liable for breach of that agreement. Our legal rights and remedies in such event are expressly reserved.
Retention of information
Your Personal Data will be retained for as long as it is necessary to fulfil the purpose for which it is collected, for business or legal purposes, or in accordance with applicable laws.
Should you choose to unsubscribe from our mailing list, please note that your personal Data may still be retained on our database for up to 12 months or to the extent permitted by law.
We may set and access Cookies on Your “Computer” meaning any computer, laptop, tablet, a mobile or other device that the Website can be viewed on.
A “Cookie” is a small file of letters and numbers which asks permission from your browser to be placed on your Computer's hard drive. Cookies allow web applications to respond to you as an individual and allow us to distinguish you from other users on our Website. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences and allows us to improve our Website.
Our Cookies use:
a) Google Analytics Cookies to identify which pages are being used. This helps us analyse data about web page traffic (the number of visitors and how visitors move around our Website when they are using it) and improve our Website in order to tailor it to your needs.
b) Third-party Cookies within our email campaigns, predominantly sent using third-party email marketing tools, as well as Google Analytics. Cookies are used to monitor open rates and improve your experience and also for the tracking of website activity initiated from hyperlinks within email marketing campaigns.
c) Session Cookies on our Website. These are temporary Cookies, which only exist in the period you access the Website (or more strictly, until you close the browser after accessing the Website). Session Cookies help the Website remember what you chose on the previous page, therefore avoiding having to re-enter information.
d) Cookies used for customer email, customer name, customer id*, token*, customer profile link*, customer flags* (*= these are generated by our own system) and social media share.
The length of time a Cookie will remain on your Computer will depend on the type of Cookie. On our Website, these Cookies do not contain personal information, and cannot be used to identify you.
To find out more about how to manage cookies through your chosen browser go to:
You may delete/disable your Cookies or manage your Cookies preferences (Please see the link on how to disable Cookies cookies#ie=ie-11). If you do decide to disable or delete the Cookies altogether our Website will not work as well as it could as it relies on Cookies to provide you with the service you have requested.
You can choose to enable or disable Cookies in your web browser. By default, your browser will accept Cookies; however, this can be altered. For further details please consult the help menu in your browser on your Computer and search for “cookies”.
Phishing is the practice of tricking someone into giving confidential information. Examples include falsely claiming to be a legitimate company when sending an e-mail to a user, in an attempt to get the user to send private information that will be used for criminal activities such as identity theft and fraud.
Save where you are sending us your signed contract such as treatment or booking form via email. We will never separately ask you to confirm any account or credit card details via email. If you receive an email claiming to be from us asking you to do so, please ignore it and do not respond. You can contact our reception staff by phone or when you check in or by contacting our Data Processor via email at and the subject matter “Credit Card Fraud” in the email header to report it or if you are unsure.
We will on occasion take bookings over the phone. We will give our name and name of our company when we do this. If you are anxious about the phone call, revealing your payment details or do not believe the person at the end of the phone is us, we suggest you put the phone down and ring us directly using the telephone number on our website asking for the person you spoke to.
Links to other websites
Have a question?
Modern slavery statement
We are committed to monitoring our practices to ensure that slavery and human trafficking are not taking place in any of our supply chains or in any part of our business. This statement is our public commitment that no slavery or human trafficking will knowingly be permitted, supported or endorsed through our business or supply chains at any time. We commit to ensuring our business practices are continuously reviewed and checked and we will apply a robust approach to the management of existing suppliers as well as identification and selection processes for all new suppliers to mitigate and manage any risks.
Our policy on modern slavery
We have zero tolerance towards modern slavery and we are fully supportive of the Modern Slavery Act 2015 and its intention to tackle modern slavery in all its forms, including slavery, servitude, forced labour and human trafficking.
We are committed to ensuring that there is no modern slavery or human trafficking in our supply chains or in any part of our business. Our policy is that we will act ethically and with integrity in all our business relationships and will implement and enforce effective systems and controls to ensure slavery and human trafficking is not taking place anywhere in our supply chains.
Our business and supply chain
We currently operate exclusively in East Anglia, United Kingdom, however, we acknowledge and recognise the potential for modern slavery to occur regardless of location. We commit to remaining vigilant at all times and to mitigate the risks in all our business activities and within our supply chains.
We are committed to implementing and enforcing effective systems and controls to seek to ensure that modern slavery is not taking place anywhere in our business or supply chains. We will monitor and take a continuous improvement approach to doing this. We will aim for greater transparency within our business and supply chain so that we can better understand where the risks lie thus becoming better informed in our decisions to prioritise improvement processes that will prevent our direct or indirect support for any act of modern slavery.
ADDITIONAL PRIVACY NOTICE – NHS TEST AND TRACE
Recording Customer Details: how we use your information
To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, we have been mandated by law to collect and keep a limited record of staff, customers and visitors who come onto our premises for the purpose of contact tracing.
By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus.
As a customer/visitor of Chestnut you will be asked to provide some basic information and contact details. The following information will be collected:
the names of all customers or visitors, or if it is a group of people, the name of one member of the group
a contact phone number for each customer or visitor, or for the lead member of a group of people
date of visit and arrival time and departure time
The venue/establishment are the data controllers for the collection of your personal data, will be responsible for compliance with data protection legislation for the period of time it holds the information. When that information is requested by the NHS Test and Trace service, the service would at this point be responsible for compliance with data protection legislation for that period of time.
The NHS Test and Trace service as part of safeguarding your personal data, has in place technical, organisational and administrative security measures to protect your personal information that it receives from the venue/establishment, that it holds from loss, misuse, and unauthorised access, disclosure, alteration and destruction.
In addition, if you only interact with one member of team during your visit, the name of the assigned team member will be recorded alongside your information.
NHS Test and Trace have asked us to retain this information for 21 days from the date of your visit, to enable contact tracing to be carried out by NHS Test and Trace during that period. We will only share information with NHS Test and Trace if it is specifically requested by them.
For example, if another customer at the venue reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer details for a particular time period (for example, this may be all customers who visited on a particular day or time-band, or over a 2-day period).
Under government guidance, the information we collect may include information which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes, and NHS Test and Trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order). In addition, where the information is only collected for the purpose of contact tracing, it will be destroyed by us 21 days after the date of your visit.
However, the government guidance may also cover information that we would usually collect and hold onto as part of our ordinary dealings with you (perhaps, for example, your name, email and phone number). Where this is the case, this information only will continue to be held after 21 days and we will use it as we usually would, unless and until you tell us not to.
Your information will always be stored and used in compliance with the relevant data protection legislation.
The use of your information is covered by the General Data Protection Regulations Article 6 (1) (c) – a legal obligation to which we as a venue/establishment are subject to. The legal obligation to which we’re subject, means that we’re mandated by law, by a set of new regulations from the government, to co-operate with the NHS Test and Trace service, in order to help maintain a safe operating environment and to help fight any local outbreak of coronavirus.
By law, you have a number of rights as a data subject, such as the right to be informed, the right to access information held about you and the right to rectification of any inaccurate data that we hold about you.
You have the right to request that we erase personal data about you that we hold (although this is not an absolute right).
You have the right to request that we restrict processing of personal data about you that we hold in certain circumstances.
You have the right to object to processing of personal data about you on grounds relating to your particular situation (also again this right is not absolute).
If you are unhappy or wish to complain about how your information is used, you should contact a member of our team in the first instance to resolve your issue.
If you are still not satisfied, you can complain to the Information Commissioner’s Office. Their website address is www.ico.org.uk.
The data protection officer, Sarah Barclay, is contactable on firstname.lastname@example.org .
We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on the Chestnut website and all property websites. This privacy notice was last updated on 16 September 2020.
Agellus Hotels Limited
t/a The Westleton Crown
Company reg 05299619
Agellus Hotels Limited
t/a The Ship at Dunwich
Company reg 05299619
The Northgate (Bury St. Edmunds) LTD
Company reg 10282710