GDPR Statement

Review of GDPR 2018 impacts and compliance – The House of Bread (Holiday Cottages)

Change In The Law

We have reviewed our data use and storage in our business based on our understanding of the changes in Data Protection law on GDPR applicable from May 2018. The statements below represent our findings as a result of that review.

What Data Do We Hold?

By Law we are required (by our Local Authority) to have the details of those who are booked to stay in our cottages. Therefore, we store information provided to us/required by us of those booking accommodation with us on a Booking Acknowledgement form (a word document). This is compiled & sent to guests to confirm the details of their booking (unless it is an AirBnB Booking). The information stored includes:

  • Lead booking contact name
  • Contact telephone number(s)
  • Email address
  • Postal address
  • Details of the booking including dates, bedroom set up required, any pets and the tariff

We also have guests’ email addresses/mobile numbers in our email/mobile message records.

We do not take card payments through our website so we do not store bank card details. The majority of our accommodation payments are paid directly into our bank account or by cheque.

On occasion, we do take card details over the phone to put through our card machine but they are hand written and destroyed immediately once payment is taken.

Limited payment data is stored by the business’s Paypal card payments system within our Paypal account although this is only transaction data and no names and addresses and only partial card details are retained. Whilst the Paypal system does often supply a contact email/mobile number within the transaction to send a receipt, these details are not available to us once the transaction is complete.

How Do We Store The Data We Hold?

All accommodation Booking Acknowledgement Forms are kept on our private computer as part of our business records and the data on them is not processed or used for marketing purposes or any other purposes by ourselves or any third party.

We also have guests’ email addresses/mobile numbers in our email/mobile message records.

How Do We Use The Data We Hold?

The data we hold is purely used to contact guests about their stay prior to their visit or after they have departed as a courtesy to say thank you for staying with us or in relation to damages or items left behind.

We do not contact guests (past, present or future) with any information regarding any promotions or future events at The House of Bread. All promotional marketing of this nature is undertaken via our ‘Latest News’ on our website, on our Facebook page, Twitter, WVFDTA website, press releases, printed materials and advertising.

The House of Bread Facebook page is used to update those who have indicated they wish to be ‘friends/followers’ of the business. This is subject to the normal security protocols of Facebook, contains no personal information and people can ‘unfriend/unfollow’ at any point.

The only time where we would share contact details with a third party would be in relation to Covid-19 Track and Trace where we are required to hold contact details for 21 days in case they are needed.

What Will We Do If You Wish To Change Your Data Record Or Have It Removed?

We do not proactively contact guests (past, present or future) in relation to anything apart from their accommodation booking.

We have stated here what data we hold on guests, why and how we hold it and what it is used for.

In terms of personal data removal, should guests wish us to remove their personal data held then the following would happen (aside from the current requirement to store details for 21 days due to Covid-19 and Track and Trace). We would delete all emails/mobile messages in our records relating to their email address/mobile number and strip their postal address, email address and phone numbers from the Booking Acknowledgement Form stored on our computer.

In terms of any messages/communications/reviews etc left by guests on Google, TripAdvisor, Facebook or any other third party platform then we would expect guests to manage and remove those as they saw fit, although we do feature some on our website and if we were asked to remove these we would.

We would undertake this within a month of receiving the request (to allow for delay if we are on holiday) and we would then confirm the removal of data (and then destroy that communication).

Data Security

As our business is run by 2 people who are a married couple and they are the only people who have access to the data we hold, our assessment of the risk of a breach is that it is highly remote. We do not anticipate any security breaches.


We do not believe that the way we store and use the data we hold provides a security risk or falls within the scope of the changed data protection legislation in GDPR from May 2018.