Privacy Policy

The data controller responsible for your personal data is:

If you have any questions about this Privacy Policy or our data practices, please contact us using the details above.

We may collect and process the following categories of personal data:

• Account Information: Name, email address, phone number, job title, and organisation name when you register for an account.
• Booking Data: Details of reservations you make or manage, including resource type, date, time, location, and any notes or special requirements.
• Payment Information: Billing address, payment card details (processed securely by our payment providers — we do not store full card numbers), transaction history, and invoices.
• Usage Data: Information about how you interact with the Service, including pages visited, features used, session duration, device type, browser, IP address, and referring URLs.
• Communication Data: Records of correspondence with us, including support requests, feedback, and survey responses.
• Technical Data: Log files, error reports, and performance metrics necessary for maintaining and improving the Service.

We process your personal data on the following lawful bases under the UK GDPR:

• Contract (Article 6(1)(b)): Processing necessary for the performance of our contract with you, including providing the Service, managing your account, and processing bookings and payments.
• Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, including improving the Service, preventing fraud, ensuring security, and sending relevant service communications. We balance our interests against your rights and freedoms.
• Legal Obligation (Article 6(1)(c)): Processing necessary to comply with our legal obligations, such as tax reporting and regulatory requirements.
• Consent (Article 6(1)(a)): Where you have given explicit consent, such as for marketing communications. You may withdraw consent at any time.

We use your personal data for the following purposes:

• To provide, maintain, and improve the Service
• To process bookings, payments, and refunds
• To send transactional communications (booking confirmations, reminders, receipts)
• To provide customer support and respond to enquiries
• To personalise your experience and provide AI-powered recommendations
• To generate anonymised analytics and usage reports for your organisation
• To detect, prevent, and address fraud, abuse, and security issues
• To comply with legal and regulatory obligations
• To send marketing communications (only with your consent)

We may share your personal data with the following categories of recipients:

• Your Organisation: If you use the Service through an organisation (e.g., a council or employer), relevant booking and usage data may be visible to authorised administrators within that organisation.
• Payment Processors: Stripe and GoCardless process payment transactions on our behalf under their own privacy policies.
• Cloud Infrastructure Providers: We use enterprise cloud infrastructure to host the Service, with data stored in UK and EEA data centres.
• Service Providers: Third-party providers who assist with email delivery, analytics, monitoring, and customer support, bound by data processing agreements.
• Legal Requirements: We may disclose data when required by law, court order, or government authority, or to protect our rights and safety.

We do not sell your personal data to third parties.

We primarily store and process your data within the United Kingdom and the European Economic Area (EEA). Where we transfer data outside the UK/EEA (for example, to service providers based in the United States), we ensure appropriate safeguards are in place, including:

• UK adequacy decisions
• Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
• Binding Corporate Rules where applicable

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting obligations:

• Account data: Retained for the duration of your account and for 12 months after account closure, unless longer retention is required by law.
• Booking data: Retained for 6 years after the booking date for audit and legal compliance purposes.
• Payment data: Retained for 7 years as required by HMRC regulations.
• Usage data: Retained for 24 months, then anonymised or deleted.
• Marketing consent records: Retained for as long as consent is active, plus 12 months after withdrawal.

Under the UK GDPR, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data where there is no compelling reason for continued processing.
• Right to Restriction: Request that we restrict the processing of your data in certain circumstances.
• Right to Data Portability: Request your data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Rights Related to Automated Decision-Making: Right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, please contact us at cecureid@cil.support. We will respond to your request within one month, as required by law.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We use cookies and similar technologies to enhance your experience, analyse usage, and improve the Service. Our cookies fall into the following categories:

• Strictly Necessary: Essential for the Service to function (e.g., session management, authentication). These cannot be disabled.
• Analytics: Help us understand how visitors interact with the Service to improve performance and usability. Set only with your consent.
• Functional: Remember your preferences (e.g., language, display settings) to provide a personalised experience.

You can manage your cookie preferences at any time through the cookie banner or your browser settings. Note that disabling certain cookies may affect the functionality of the Service.

The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at cecureid@cil.support and we will take steps to delete such data.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:

• Posting the updated policy on our website with a new effective date
• Sending an email notification to registered users for significant changes
• Displaying a prominent notice within the Service

We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: