Privacy Policy

GDPR / Data Protection Policy - The Cairndale Hotel & Spa

Effective Date: October 2025

Controller: James Wallace Dumfries Ltd. trading as The Cairndale Hotel & Spa
Contact Email: hello@cairndalehotel.co.uk
Address: English Street, Dumfries DG1 2DF, Scotland, UK
Responsible Officer: Matthew Wallace Jnr., Director

1. Overview

The Cairndale Hotel & Spa respects your privacy and is committed to protecting your personal information. This policy explains what data we collect, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR).

2. Information We Collect

We may collect the following personal data when you book, visit, or communicate with us:
• Contact details (name, address, email, telephone)
• Booking details and payment information
• Spa intake or consultation forms including relevant health or allergy information
• Dietary requirements and accessibility preferences
• CCTV footage from public areas and car parks
• Wi-Fi usage information via Stampede
• Competition entries and marketing preferences
We do not collect or store children’s data other than basic details attached to family bookings.

3. How We Use Your Information

Your data is used to process bookings, provide services, respond to enquiries, manage health or dietary needs, ensure safety, and send marketing updates (with your consent). We never sell or rent your data to third parties.

4. Lawful Basis for Processing

Contract – to manage bookings and provide services.
Consent – for marketing and spa health information.
Legal obligation – to retain guest records as required by law.
Legitimate interest – for security and business operations.

5. Marketing and Preferences

If you choose to receive marketing from us, we may send emails, SMS, or postal updates. You can unsubscribe at any time using the link in our emails or by emailing hello@cairndalehotel.co.uk.

6. Sharing Your Data

We share data only with trusted service providers including Guestline, Trybe, Revinate, FireText, Stampede and PlanDay. Revinate (USA) is certified under the Data Privacy Framework and SOC 2 standards.

7. Data Storage and Retention

We retain your information only as long as necessary. CCTV footage is kept for approximately 2 months, spa records for up to six years, and marketing data is reviewed regularly.

8. Security Measures

Your data is protected through secure passwords, access controls, encryption, and restricted staff access. Systems are regularly reviewed.

9. Your Rights

You may request access, correction, deletion, or portability of your data, or withdraw consent for marketing. Email hello@cairndalehotel.co.uk – we will respond within 30 days.

10. Data Transfers Outside the UK/EEA

Where data is transferred to the USA (Revinate), safeguards such as the Data Privacy Framework ensure adequate protection.

11. Data Breaches

If a breach occurs, we will notify the ICO within 72 hours and affected individuals promptly where necessary.

12. Changes to This Policy

This policy is reviewed annually or after significant changes. Updated versions appear on our website.

13. Contact Us

The Cairndale Hotel & Spa
English Street, Dumfries DG1 2DF, Scotland, UK
hello@cairndalehotel.co.uk | 01387 254111
If you are unsatisfied, contact the ICO at www.ico.org.uk.