Privacy Policy

Effective Date: 24/04/2025

Data Controller: Peppermints Bar, UNIT 2, 165 GREAT DUCIE ST, M3 1FF, UK

We are committed to protecting your privacy. This policy explains how we collect, use, and safeguard your personal data under the GDPR. For questions, contact us at [email protected] or +447710 060507.

1. Information We Collect

We collect data when you:

Register for workspace memberships
Book event spaces or lounge reservations
Sign up for newsletters/loyalty programs
Use WiFi or digital services (via captive portal login)
Participate in promotions/surveys

Categories of data:

Type	Examples
Core Data	Full name, email, phone number, billing address
Enhanced Data	Occupation (workspace users), company name, optional LinkedIn/Instagram handles (requires explicit consent)
Technical Data	IP address, device type, browser data (see Cookie Policy)
Financial Data	Payment card details (processed via Stripe/PayPal with PCI-DSS compliance)
Usage Data	Reservation history, membership duration, service preferences

2. Legal Basis & Purpose

We process data under GDPR Article 6 as follows:

Purpose	Legal Basis
Fulfilling reservations/memberships	Contractual Necessity
Processing payments	Contractual Necessity
Sending marketing emails	Consent (opt-in) or Soft Opt-In (for existing customers)
Improving services (e.g., WiFi analytics)	Legitimate Interests (LIA conducted)
Fraud prevention	Legal Obligation/Legitimate Interests

3. How We Use Your Data

Process bookings and manage workspace access.
Personalize your experience (e.g., preferred seating, loyalty rewards).
Send promotions via email/SMS (opt-out anytime).
Conduct anonymous market research.
Comply with tax/legal obligations.

We do not use automated decision-making or profiling.

4. Data Sharing

We share data only with:

Payment processors: Stripe, PayPal (PCI-DSS compliant).
Email platforms: Mailchimp/Campaign Monitor (DPAs in place).
Legal authorities: When required by law.

We never sell your data.

5. International Transfers

Data is stored in the UK/EEA unless transferred to:

Google Analytics (EU-US Data Privacy Framework certified).
Cloud providers using Standard Contractual Clauses (SCCs).

All transfers comply with GDPR Chapter V safeguards.

6. Cookies & Tracking

Essential Cookies (no consent required):

Session management, shopping cart, workspace login.

Optional Cookies (require prior consent via banner):

Google Analytics (anonymous usage stats).
Social media pixels (e.g., Instagram for ads).
Heat mapping tools (e.g., Hotjar).

Manage preferences via our Cookie Policy or browser settings.

7. Data Retention

Data Type	Retention Period	Reason
Financial records	7 years	Legal obligation (HMRC)
Membership data	5 years post-termination	Contractual disputes
Marketing consents	Until withdrawal	GDPR Article 7
WiFi connection logs	12 months	Legitimate Interests (security)

Data is anonymized or deleted after retention periods.

8. Your Rights

Under GDPR, you may:

Access or rectify your data (Articles 15-16).
Erase data or restrict processing (Articles 17-18).
Export your data in machine-readable format (Article 20).
Object to processing (e.g., marketing) (Article 21).

To exercise rights, email [email protected]. We respond within 30 days.

You may also lodge a complaint with the UK ICO (www.ico.org.uk).

9. Security

We protect data with:

AES-256 encryption for sensitive records.
Annual penetration testing and staff GDPR training.
Role-based access controls for internal systems.
Secure document shredding for physical records.

10. Policy Updates

We review this policy annually. Material changes will be notified via email or website banners.

Contact Us:

📧 [email protected]

📞 +447710 060507

📫 UNIT 2, 165 GREAT DUCIE ST, M3 1FF, UK