Privacy & Cookie Policy

Provenance Collective Limited is referred to in this policy as “we”, “us”, or “our”.
The person accessing our website and whose data is processed is referred to as “you” or “your”.

Introduction

At Provenance Collective Limited, we are committed to respecting and protecting your privacy. This Privacy & Cookie Policy explains how we collect, use, disclose, and protect personal data when you visit or interact with our website.

This policy applies to all visitors and users of our website. It outlines our practices in relation to personal data, including data collection, usage, and storage, and details your rights under the UK GDPR and Data Protection Act 2018.

By using our website, you consent to the practices described in this policy. If you do not agree with any part of this policy, please discontinue use of our website.

Information

  • Our Site is owned and operated by Provenance Collective Limited.
  • Registered in England under company number 16607034.
  • Registered address: Roberts & Co, 24 High Street, Chipping Sodbury, Bristol, BS37 6AH.
  • Data Protection Officer (DPO): Ness Harrison.
  • Contact email: enquiries@provenancehospitality.co.uk
  • Telephone: 07809 329851

What does this policy cover?

This Privacy & Cookie Policy applies specifically to your use of our website. It explains how we collect, use, disclose, and protect your personal data.

Please note: our website may include links to third-party websites. We are not responsible for the content or data-handling practices of these external sites.

Children’s Privacy

Our website and services are not intended for individuals under the age of 13, and we do not knowingly collect personal data from children without parental or guardian consent.

What is personal data?

Personal data includes any information that can directly or indirectly identify an individual (the “data subject”). Examples include:

  • Name and contact details
  • IP address, browser type, and device information
  • Browsing history and website interactions

Special category data (e.g., health or religious beliefs) is only processed with explicit consent or as permitted by law.

Your rights in relation to data

You have the following rights under the Data Protection Legislation:

  • Right to Access – to request confirmation and a copy of your personal data.
  • Right to Rectification – to have inaccurate or incomplete data corrected.
  • Right to Erasure – to request deletion of your data (“right to be forgotten”).
  • Right to Restrict Processing – to request suspension of data processing.
  • Right to Data Portability – to receive your data in a structured, machine-readable format.
  • Right to Object – to object to processing, including for direct marketing.
  • Right Not to Be Subject to Automated Decisions – we do not use data in this way.
  • Right to Withdraw Consent – to withdraw consent at any time.

What data is collected and how

a) Data you provide directly: via forms, email, account registration, newsletters, surveys, or feedback.
b) Data collected automatically: technical and usage data such as IP address, device, browser, and navigation activity.
c) Data from third parties: analytics providers (e.g., Google Analytics), advertising networks.
d) Legal basis for processing: performance of a contract, legitimate interests, consent, or legal obligation.

Data retention

We retain personal data only for as long as necessary to fulfil the purposes collected, including legal, accounting, or reporting requirements. Once retention periods expire, we securely delete or anonymise your data.

Keeping your data secure

We take appropriate measures to protect your data, including:

  • Access control (restricted authorised access)
  • Data encryption
  • Secure storage
  • Data minimisation and anonymisation
  • Regular security audits
  • Breach response protocols
  • Staff training and awareness

Data Protection Impact Assessments (DPIA)

For high-risk processing, we conduct DPIAs to identify and mitigate risks to individuals’ privacy.

Transferring your data

  • We primarily store data within the UK and EEA.
  • If data is transferred outside the UK/EEA, we use safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions.
  • For transfers to the US, we work with providers certified under the UK/EU-US Privacy Frameworks or apply equivalent safeguards.

Third-party data sharing

We may share data only where necessary and in compliance with UK GDPR:

  • Service providers: hosting, IT, analytics, marketing.
  • Business transfers: mergers, acquisitions, or reorganisations.
  • Legal obligations: compliance with law enforcement or courts.
  • Anonymised data: for statistical or research purposes.
  • Consent-based sharing: with explicit consent.

All third parties must protect data securely and confidentially.

How can I access my personal data?

You can make a Subject Access Request (SAR) by contacting us in writing.

  • Verification of identity may be required.
  • We respond within 1 month (extensions possible for complex requests).
  • Requests are generally free unless unfounded or excessive.

If dissatisfied, you may also lodge a complaint with the ICO (Information Commissioner’s Office).

About cookies

Our website uses cookies and similar technologies.

  • Strictly Necessary Cookies – essential for site operation.
  • Analytical/Performance Cookies – measure site usage.
  • Functionality Cookies – remember preferences.
  • Targeting/Advertising Cookies – track usage for relevant advertising.
  • Third-party Cookies – e.g., Google Analytics.

You can manage cookie preferences via our cookie banner or your browser settings.

Changes to this Privacy & Cookie Policy

We may update this policy from time to time to reflect changes in practices, legal requirements, or for transparency. Updates will be posted on this page, and significant changes may be highlighted on our website.

Last updated: 13th January 2025