Privacy Policy
Llanhedric House
Website: www.llanhedrichouse.co.uk
Effective date: 15/6/26
Last reviewed: 15/6/26
Next review due: 15/6/27
1. Who we are
1.1. Llanhedric House is the controller of the personal data described in this privacy policy.
1.2. “Controller” means that we decide why and how personal data is used.
1.3. You can contact us about this privacy policy or about how we use your personal data at:
Data protection contact: Elaine Lynch, Owner/Manager
Email: info@llanhedrichouse.co.uk
Postal address: Walford, New Road, Ludlow, Shropshire SY8 2LS
Telephone: 07816148818
1.4. If we are required to appoint a Data Protection Officer, the contact details are:
Data Protection Officer: Elaine Lynch, Llanhedric House
Email: info@llanhedrichouse.co.uk
Postal address: Walford, New Road, Ludlow, Shropshire SY8 2LS
The ICO says privacy information must include the controller’s identity and contact details, the purposes of processing, the lawful basis, recipients, retention periods and rights information. It must be concise, transparent, intelligible, easy to access and written in clear language.
2. What this privacy policy covers
2.1. This privacy policy explains how we collect, use, store, share and protect personal data.
2.2. It applies when you:
2.2.1. visit our website;
2.2.2. contact us;
2.2.3. buy goods or services from us;
2.2.4. enquire about our goods or services;
2.2.5. subscribe to updates or marketing;
2.2.6. attend an event, meeting or appointment;
2.2.7. interact with us on social media;
2.2.8. apply for a role with us;
2.2.9. work with us as a supplier, contractor, partner or professional contact;
2.2.10. make a data protection complaint.
2.3. This policy is intended to comply with the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 and relevant changes introduced by the Data (Use and Access) Act 2025. The DUAA does not replace the UK GDPR, the Data Protection Act 2018 or PECR; it amends parts of them.
3. Personal data we collect
3.1. We may collect and use the following categories of personal data.
3.1.1. Identity data
Name, title, date of birth, username, customer number, account number, company name, job title and similar identifiers.
3.1.2. Contact data
Postal address, billing address, delivery address, email address, telephone number and social media contact details.
3.1.3. Transaction data
Details of goods or services purchased, payments, refunds, invoices, order history, account history and related communications.
3.1.4. Financial data
Payment method, payment confirmation, billing details and limited payment-related information. We do not usually store full card details unless expressly stated.
3.1.5. Technical data
IP address, browser type, device information, operating system, referral source, pages visited, access times, cookie identifiers and similar technical information.
3.1.6. Usage data
Information about how you use our website, services, emails, forms, booking systems, portals or digital platforms.
3.1.7. Marketing and communication data
Your marketing preferences, communication preferences, email engagement, survey responses and records of consent or opt-out.
3.1.8. Enquiry and correspondence data
Messages, emails, call notes, complaint records, support requests and other information you give us when you contact us.
3.1.9. Recruitment data
CVs, covering letters, application forms, interview notes, work history, education, references, right-to-work information and recruitment assessment information.
3.1.10. Supplier and business contact data
Business contact details, contract details, payment records, due diligence records, performance records and correspondence.
4. Special category data and criminal offence data
4.1. Special category data includes information about health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, sex life or sexual orientation.
4.2. We only collect special category data where we have a valid lawful basis under Article 6 UK GDPR and a valid special category condition under Article 9 UK GDPR.
4.3. We may collect special category data where:
4.3.1. you have given explicit consent;
4.3.2. it is necessary for employment, social security or social protection obligations;
4.3.3. it is necessary to protect vital interests;
4.3.4. it is necessary for legal claims;
4.3.5. it is necessary for substantial public interest reasons;
4.3.6. another lawful condition applies.
4.4. We only collect criminal offence data where authorised by law and where a valid condition under the Data Protection Act 2018 applies.
5. How we collect personal data
5.1. We may collect personal data directly from you when you:
5.1.1. complete a form;
5.1.2. contact us by email, phone, post, website, social media or live chat;
5.1.3. buy from us;
5.1.4. create an account;
5.1.5. subscribe to updates;
5.1.6. attend an event or meeting;
5.1.7. apply for a role;
5.1.8. make a complaint;
5.1.9. otherwise provide information to us.
5.2. We may also collect personal data automatically when you use our website or digital services, including through cookies, server logs and similar technologies.
5.3. We may receive personal data from third parties, including:
5.3.1. payment providers;
5.3.2. booking platforms;
5.3.3. analytics providers;
5.3.4. advertising platforms;
5.3.5. social media platforms;
5.3.6. professional advisers;
5.3.7. public sources;
5.3.8. referees and recruitment agencies;
5.3.9. suppliers, clients or partners.
6. Why we use personal data and our lawful basis
6.1. We only use personal data where we have a lawful basis.
6.2. Our lawful basis may include consent, contract, legal obligation, vital interests, public task, legitimate interests or recognised legitimate interests where applicable.
6.3. The table below explains our main purposes and lawful bases.
| Purpose | Personal data used | Lawful basis |
| --- | --- | --- |
| Responding to enquiries | Identity, contact, correspondence data | Legitimate interests / contract steps |
| Providing goods or services | Identity, contact, transaction, payment and service data | Contract |
| Managing bookings, orders or accounts | Identity, contact, transaction and account data | Contract / legitimate interests |
| Taking payment and managing invoices | Identity, contact, financial and transaction data | Contract / legal obligation |
| Customer support | Identity, contact, correspondence and service data | Contract / legitimate interests |
| Handling complaints | Identity, contact, complaint and correspondence data | Legal obligation / legitimate interests |
| Handling data protection complaints | Identity, contact, complaint, correspondence and relevant case evidence | Legal obligation |
| Responding to subject access requests or other rights requests | Identity, contact, verification, request and response data | Legal obligation |
| Sending service communications | Identity, contact and account data | Contract / legitimate interests |
| Sending marketing where consent is needed | Identity, contact and marketing data | Consent |
| Sending marketing where soft opt-in or legitimate interests applies | Identity, contact, transaction and marketing data | Legitimate interests / PECR rules |
| Managing opt-outs and suppression lists | Identity, contact and marketing preference data | Legal obligation / legitimate interests |
| Improving our website and services | Technical, usage, enquiry and feedback data | Legitimate interests / consent where required for cookies |
| Website security and fraud prevention | Technical, usage and security data | Legitimate interests / legal obligation |
| Recruitment | Identity, contact, recruitment and reference data | Contract steps / legal obligation / legitimate interests |
| Supplier management | Identity, contact, contract and payment data | Contract / legitimate interests / legal obligation |
| Legal claims, compliance and record keeping | Relevant records depending on the issue | Legal obligation / legitimate interests |
| Business administration and reporting | Identity, contact, transaction and operational records | Legitimate interests |
6.4. Where we rely on legitimate interests, our interests may include:
6.4.1. running and improving Llanhedric House;
6.4.2. responding to enquiries;
6.4.3. managing customer, supplier and partner relationships;
6.4.4. protecting our systems and records;
6.4.5. preventing fraud or misuse;
6.4.6. recovering debts;
6.4.7. managing legal, regulatory and insurance matters;
6.4.8. understanding how people use our services;
6.4.9. sending relevant business-to-business communications where permitted.
6.5. Where required, we carry out a legitimate interests assessment to balance our interests against your rights and freedoms. ICO guidance updated for DUAA confirms legitimate interests remains a lawful basis under the UK GDPR and is most appropriate where the use is reasonably expected and has minimal privacy impact.
6.6. Where we rely on recognised legitimate interests under DUAA, we will only do so where the processing falls within a recognised category and is necessary for that purpose. The government’s DUAA guidance identifies recognised legitimate interests as one of the key changes.
7. Consent
7.1. Where we rely on consent, you can withdraw your consent at any time.
7.2. Withdrawing consent does not affect the lawfulness of processing before consent was withdrawn.
7.3. You can withdraw consent by:
7.3.1. clicking unsubscribe in a marketing email;
7.3.2. changing your cookie preferences;
7.3.3. contacting us at info@llanhedrichouse.co.uk.
8. Direct marketing
8.1. We may send marketing communications where permitted by law.
8.2. We will only send electronic marketing where:
8.2.1. you have consented;
8.2.2. we can rely on the soft opt-in under PECR;
8.2.3. another lawful route applies.
8.3. You can opt out of marketing at any time by:
8.3.1. using the unsubscribe link in our emails;
8.3.2. replying with your opt-out request;
8.3.3. contacting us at info@llanhedrichouse.co.uk.
8.4. If you opt out, we may keep your details on a suppression list to make sure we do not send further marketing to you.
8.5. DUAA amends PECR in several areas, including direct marketing definitions, storage and access technologies such as cookies, and certain electronic marketing rules.
9. Cookies and similar technologies
9.1. We use cookies and similar technologies on our website.
9.2. Cookies may be used for:
9.2.1. essential website functions;
9.2.2. security;
9.2.3. remembering preferences;
9.2.4. analytics;
9.2.5. performance measurement;
9.2.6. advertising or remarketing, where used.
9.3. We do not use non-essential cookies unless the required consent or legal permission applies.
9.4. DUAA allows the use of storage and access technologies without explicit consent in certain low-risk situations, but this does not remove the need to comply with PECR where consent is still required.
9.5. You can manage cookies through:
9.5.1. our cookie banner or preference centre;
9.5.2. your browser settings;
9.5.3. device-level privacy settings.
9.6. For full details, see our Cookie Policy. Email: info@llanhedrichouse.co.uk
10. Automated decision-making and profiling
10.1. We do not make solely automated decisions about you that have legal or similarly significant effects unless this is clearly explained below.
10.2. Llanhedric House: no significant automated decisions.
We do not currently use your personal data to make decisions based solely on automated processing that produce legal or similarly significant effects.
If significant solely automated decisions are made, we will provide appropriate safeguards, including information about the decision, the ability to make representations, the ability to challenge the decision and the ability to obtain human intervention. DUAA creates a more permissive UK framework for significant automated decision-making but requires safeguards.
11. Children’s data
11.1. Our services are intended for adults and families.
11.2. We do not knowingly collect children’s personal data unless:
11.2.1. it is necessary for the service we provide;
11.2.2. we have appropriate consent where required;
11.2.3. we have taken account of the child’s age, needs and rights;
11.2.4. we have appropriate safeguards in place.
11.3. If our online services are likely to be accessed by children, we will consider how to protect and support children when designing and operating those services. DUAA introduces new children’s data protection requirements for certain online services likely to be accessed by children.
11.4. Llanhedric House is not in scope of the Age Appropriate Design Code / Children’s Code.
12. Research
12.1. We may use personal data for research, analysis, service improvement or statistical purposes where lawful.
12.2. Where we use personal data for research, we will apply appropriate safeguards.
13. Who we share personal data with
13.1. We may share personal data with the following categories of recipient where necessary:
13.1.1. IT and hosting providers;
13.1.2. email, CRM and communication providers;
13.1.3. payment processors and banks;
13.1.4. booking, order or fulfilment platforms;
13.1.5. professional advisers, including lawyers, accountants, auditors and insurers;
13.1.6. marketing platforms and analytics providers;
13.1.7. fraud prevention and security providers;
13.1.8. delivery or logistics providers;
13.1.9. recruitment providers and referees;
13.1.10. regulators, public authorities, law enforcement bodies or courts where required or permitted by law;
13.1.11. prospective buyers, investors or advisers in connection with a business sale, merger, restructuring or investment.
13.2. Where another company processes personal data on our behalf, we require it to protect the data and use it only for agreed purposes.
13.3. We do not sell personal data.
14. International transfers
14.1. We may transfer personal data outside the UK where our systems, suppliers, partners or service providers are located outside the UK.
14.2. Where we transfer personal data internationally, we will use one of the following safeguards where required:
14.2.1. UK adequacy regulations;
14.2.2. the UK International Data Transfer Agreement;
14.2.3. the UK Addendum to the EU Standard Contractual Clauses;
14.2.4. another lawful transfer mechanism.
14.3. You can contact us for more information about the safeguards used for international transfers.
The ICO’s privacy notice guidance requires Llanhedric House to tell people if personal data is transferred internationally and to explain the safeguards where applicable.
15. How long we keep personal data
15.1. We keep personal data only for as long as necessary for the purposes for which it was collected.
15.2. Retention periods depend on:
15.2.1. the type of personal data;
15.2.2. the purpose of use;
15.2.3. legal, accounting, tax, regulatory and insurance requirements;
15.2.4. whether there is a complaint, dispute, claim or investigation;
15.2.5. whether the data is needed for security, fraud prevention or evidence.
15.3. Our standard retention periods are:
| Data type | Retention period |
| --- | --- |
| Customer account records | 6 years |
| Order and transaction records | 6 years |
| Enquiry records | 6 years |
| Marketing consent records | 6 years |
| Marketing suppression records | 6 years |
| Website analytics data | 6 years |
| Cookie consent records | 6 years |
| Complaint records | 6 years |
| Data protection complaint records | 6 years |
| Subject access request records | 6 years |
| Recruitment records for unsuccessful candidates | 6 years |
| Employee records | 6 years |
| Supplier records | 6 years |
15.4. Where we no longer need personal data, we will delete, anonymise or securely archive it.
16. How we protect personal data
16.1. We use appropriate technical measures to protect personal data.
16.2. These may include:
16.2.1. access controls;
16.2.2. password protection;
16.2.3. multi-factor authentication where appropriate;
16.2.4. encryption where appropriate;
16.2.5. secure backups;
16.2.6. staff training;
16.2.7. supplier due diligence;
16.2.8. data minimisation;
16.2.9. incident response procedures;
16.2.10. audit and review processes.
16.3. No system is completely risk-free. If we become aware of a personal data breach, we will assess it and take appropriate action in line with our legal obligations.
16.4. DUAA changes the PECR breach notification period for communications providers to “without undue delay and where feasible, not later than 72 hours” after becoming aware of the breach.
17. Your data protection rights
17.1. You may have the following rights under data protection law:
17.1.1. the right to be informed;
17.1.2. the right of access;
17.1.3. the right to rectification;
17.1.4. the right to erasure;
17.1.5. the right to restrict processing;
17.1.6. the right to data portability;
17.1.7. the right to object;
17.1.8. rights relating to automated decision-making;
17.1.9. the right to withdraw consent where processing is based on consent;
17.1.10. the right to complain.
17.2. These rights are not absolute. They may depend on the lawful basis, the type of data and the reason we process it.
17.3. To exercise a right, contact us at:
Email: info@llanhedrichouse.co.uk
Postal address: Walford, New Road, Ludlow, Shropshire SY8 2LS
17.4. We may need to verify your identity before responding.
17.5. We usually respond to rights requests within one month, unless an extension or lawful pause applies.
17.6. DUAA clarifies the subject access request rules by including a “stop the clock” rule where Llanhedric House needs more information from the requester, and by confirming that Llanhedric House needs to make reasonable and proportionate searches.
18. Data protection complaints
18.1. If you are concerned about how we collect, use, store, share, delete or protect your personal data, you can make a data protection complaint directly to us.
18.2. You can complain by:
18.2.1. emailing info@llanhedrichouse.co.uk;
18.2.2. writing to Data Protection Lead, Elaine Lynch, Llanhedric House, Walford, New Road, Ludlow, Shropshire, SY8 2LS;
18.2.3. calling 07816148818.
18.3. You do not need to use legal wording or mention data protection law. We will treat your concern as a data protection complaint if it appears to relate to how we have handled personal data.
18.4. We will acknowledge your complaint within 30 days of receiving it.
18.5. We will investigate without undue delay, take appropriate steps to understand what happened, keep you informed where appropriate and tell you the outcome.
18.6. From 19 June 2026, all UK companies are legally required to have a data protection complaints process. The ICO says companies must give people a clear way to raise a data protection complaint, acknowledge it within 30 days, investigate without undue delay, keep people informed and tell them the outcome.
19. Complaining to the ICO
19.1. You have the right to complain to the Information Commissioner’s Office.
19.2. The ICO may expect you to raise your concern with us first so that we have the opportunity to respond.
19.3. ICO contact details:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
ICO website: ico.org.uk
ICO helpline: 0303 123 1113
20. Third-party links
20.1. Our website may contain links to third-party websites, platforms or services.
20.2. We are not responsible for the privacy practices of third parties.
20.3. You should read the privacy policy of any third-party website or service you use.
21. Changes to this privacy policy
21.1. We may update this privacy policy from time to time.
21.2. The latest version will be published on our website.
21.3. Where changes are significant, we may take additional steps to tell you.
