top of page

Privacy Policy - GDPR 2018 compliant


The General Data Protection Regulation (GDPR) and the current Data Protection Act 2018 regulate our use of your personal data.


Upper Vobster Farm understands and takes seriously that the personal information you entrust us with is important. We are committed to respecting and protecting your personal information and ensuring compliance with data protection legislation. The purpose of this Privacy Policy is to define how we collect, use, retain and protect your personal information.

For the purpose of the General Data Protection Regulation (GDPR):

  1. The ‘Data Controller’ is Upper Vobster Farm Partnership of Upper Vobster Farm, Upper Vobster, Radstock BA3 5SA. References to “we”, “us”, “our” or “the Business” in this Privacy Policy are references to Upper Vobster Farm Partnership.

  2. In the context of providing booking software to our customers to facilitate online bookings, Upper Vobster Farm Partnership together with the software provider, Free to Book, will together operate as ‘Joint Data Controllers’ for the processing of your personal data.

  3. The ‘Data Protection Officer' (DPO) is Michael Nicholson, one of the partners of Upper Vobster Farm Partnership


Data Protection Policy

This policy applies to all customers, visitors and guests. It confirms that Upper Vobster Farm will comply with all statutory GDPR requirements by registering all personal data held on its computer and or/related electronic equipment and by taking all reasonable steps to ensure the accuracy and confidentiality of such information.


As ‘Data Controller’ for the purposes of your personal data Upper Vobster Farm Partnership determines the purpose and means of the processing of your personal data.

The GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency – how it is processed

  • Purpose limitation – collected and processed only for specified, explicit and legitimate purposes

  • Data minimisation - adequate, relevant and limited to what is necessary for the purposes for which it is processed

  • Accuracy - accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay

  • Storage limitation - not be kept for longer than is necessary for the purposes for which it is processed

  • Integrity and confidentiality (security) - be processed secure

Accountability -  Upper Vobster Farm Partnership is accountable for these principles and must be able to show that we are compliant.


The Data protection Act 2018 also stipulates that Personal data shall be processed in accordance with the rights of data subjects under this Act and Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.



  • ·We only collect personal information you have consented to provide, and you may withdraw your consent at any time. You can contact us at any time using the details provided below.

  • ·We are committed to acting promptly and respectfully to any request you have to view, amend or delete any personal information we hold about you, and equally any request to join or withdraw from any mailing lists we manage.

  • ·We will not sell your personal information to a third party and will only share your personal information without your consent in response to requests by law enforcement agencies.

  • ·We will not send you service marketing material unless you have given us permission to do so and make it simple for you to opt out at any time that you elect to be removed from our mailing list.

  • ·We will protect your personal information. In order to prevent unauthorised access or disclosure we have put in place robust physical, electronic and managerial procedures to safeguard and secure the information we collect both online and offline.

  • ·We will retain your information for only as long as is necessary.

  • ·We review our Privacy Policy regularly and any updates will be posted on this page and in relevant policy communications.

  • We ensure we notify the Information Commissioner’s Office (ICO) on an annual basis of the personal information we hold or are likely to hold and the general purposes that this information will be used for.

  • Our website may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over, and assume no responsibility for the content, privacy policies or practices of any third-party sites or services and they are not covered by this privacy policy.


Information we collect

We only collect information that you or your organisation have provided to Upper Vobster Farm for the purposes of enquiring about and/or acquiring our accommodation and event services. As a customer of Upper Vobster Farm you may provide us with:


  1. Contact Information such as name, title, email address, physical address, telephone numbers, job title and bank account details in order to process payments (sort code and account number only).

  2. Location

  3. Other information required to reserve and/or purchase any aspect of our accommodation or event services as deemed necessary and reasonable.


To process your information for the purposes described in this policy, we rely on the following legal basis:

  • Performance of a contract. The storage of your information may be necessary to perform the contract that you have with The Lighthouse in relation to the purchases you may make

  • Legitimate Interests. We may use your information for our legitimate interests such as for administrative, fraud detection and legal purposes.


Children’s Information

We do not knowingly collect personally identifiable information from children under 13 years of age. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us. If we discover that a child under the age of 13 has provided us with personal information, we will delete such information from our servers and systems immediately.



We may be required by HMRC to provide details of our trading activity. In order to meet our obligations, we may:

  • Cite your name or that of your organisation as a guest.

  • Share information with our Accountant, but only to the extent that is required by law.

The only circumstances under which we will disclose your personal information without your consent is when we are required to do so by law or subpoena.


How we use the information you provide us

We will gather the information you provide us with in order to carry out our function as a business, which may include:

  • Communication with you or your organisation by way of email or postal address;

  • Internal record keeping for financial reporting and public accountability;

  • Developing and improving our service delivery;

  • Processing payments;

  • We may also use anonymised IP address information as part of website analytics; (Google Analytics), however this is not traceable to an individual.


How we securely handle and store your information

  • We will take precautions to prevent the loss, misuse or alteration of information you give us.

  • When not in use, personal information collected in hard copy (paper) form is stored confidentially in a locked cabinet.

  • We make sure that any personal information no longer required in hard copy (paper) form is shredded and disposed of securely, or in electronic form is permanently deleted from computers and electronic devices.

  • Any devices through which personal information storage is accessed, are password protected and effective security software enabled. Electronic devices are shut and all devices locked when left unattended. 

  • Communication with the Business may be sent by electronic means e.g. email and, for ease of use and compatibility, communications (other than payments where applicable) will not be sent in an encrypted form. Email unless encrypted is not a fully secure means of communication. The security of your personal information is important to us, but no method of transmission over the internet, or other method of electronic storage is 100% secure. To the extent we can, we are committed to protecting your personal information and to preventing unauthorised access to your data.


Retention of your information

  • Personal information will only be held by the Business to enable it to perform its functions and to ensure the information it processes is accurate.

  • The information we gather about you is subject to various regulatory and legislative requirements. Our aim is not to retain your information any longer than is necessary for us to fulfil our obligations.

  • The business shall only retain personal information for as long as it is necessary for the purpose for which it was collected.

  • We will only retain the information you provide us for as long as it is necessary for the purpose for which it was collected.

  • If you have stayed at Upper Vobster farm your information will be kept for two (2) years, in accordance with Our legal obligations.

  • If you unsubscribe from our Newsletter, we will remove your details from our list immediately. You can unsubscribe from our newsletter by using the ‘Un-subscribe” function at the bottom of every newsletter. You can also send a request by email to: with the word “Unsubscribe” in the subject box.

  • We are a member of Premier Cottages, a professional collective of independent luxury cottage owners. Premier Cottages promotes properties on our behalf as well as other luxury cottages. As members of Premier Cottages we would like to give them your information so that they can contact you about other quality properties that you might like. You may unsubscribe from this service at any time.


Your Data Subject Rights

  • You have the right to information about what personal data we process, how and on what basis as set out in this policy.

  • You have the right to access your own personal data by way of a subject access request (see above).

  • You can correct any inaccuracies in your personal data. To do you should contact of the person for responsible for Data in the Business.

  • You have the right to request that we erase your personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected. To do so you should contact the person for responsible for Data in the Business.

  • While you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing, you can apply for its use to be restricted while the application is made. To do so you should contact the person for responsible for Data in the Business.

  • You have the right to object to data processing where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own and you wish us to stop.

  • You have the right to object if we process your personal data for the purposes of direct marketing.

  • You have the right to receive a copy of your personal data and to transfer your personal data to another data controller. We will not charge for this and will in most cases aim to do this within one month.

  • With some exceptions, you have the right not to be subjected to automated decision-making.

  • You have the right to be notified of a data security breach concerning your personal data.

  • In most situations we will not rely on your consent as a lawful ground to process your data. If we do however request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later. To withdraw your consent, you should contact the person for responsible for Data in the Business.



The security of your personal information is of the utmost importance to us, and we have robust procedures in place to prevent unauthorized access.


Credit and Debit Card data provided by you through our website, via third party booking agents and other channels is automatically encrypted and stored in compliance with the current Payment Card Industry Data Security Standard Level 1 compliant payment gateway providers on our web based reservations platform. It is deleted seven (7) days after the expiry date of the service purchased by you.


Correspondence that is received in the post or printed out is stored in locked drawers or a locked storage area and we encourage a clear desk policy. Any devices through which personal information storage is accessed, are password protected and effective security software enabled. Electronic devices time out automatically and all devices are password protected when left unattended.


In the unlikely event of a data breach that affects your personal information we will advise you within 72 hours.


Dealing with Data Breaches

We have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur (whether in respect of you or someone else) then we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals, then we must also notify the Information Commissioner’s Office within 72 hours.


If you are aware of a data breach you must contact the DPO immediately and keep any evidence you have in relation to the breach.


Responsibilities - Partners

The partners have overall responsibility for the business’s data protection compliance.


This policy will be reviewed and approved by the Partners annually and any changes will be posted on this page and in relevant policy communications.


We are responsible for notifying the Information Commissioner’s Office (ICO) of the personal information it holds or is likely to hold and the general purposes that this information will be used for.  The notification is renewed annually by the partners for any changes in the way the business holds personal information.


Responsibilities - Others

It is the responsibility of all individuals employed or undertaking work at the farm to comply with the procedures set out in this policy. Any non-compliance with this policy will be referred to the partners and may constitute a disciplinary matter. All individuals undertaking work on behalf of Upper Vobster Farm have a responsibility to report non-compliances. If individuals are unsure as to whether a particular activity amounts to a non-compliance they should discuss their concerns with the Partners.



You may be asked to send feedback after your stay to support Upper Vobster Farm to further improve our services. Your email address will be used for this purpose. If you complete a review it may be posted on our website, Facebook page, Trip Advisor page, Twitter and/or Google Plus. However, no identifying details will ever be attached to a review posting.


Controlling your personal information

If you believe that any information we are holding on you is incorrect or incomplete, please write to us at the above address or email us. We will promptly correct any information found to be incorrect.


For any questions, concerns, complaints about how we process your information, or if you would like information deleted from our records, please email:


Partners and Contact Details

Michael Nicholson

Tricia Nicholson


Phone: 01373 812166


If you are unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO). Full contact details including a helpline number can be found on the Information Commissioner’s Office website ( This website has further information on your rights and our obligations.



April 2021

bottom of page