Luxury Castle Destination in the English Countryside

Privacy policy

How We Collect, Use, and Protect Your Personal Information

Last Updated: June 2026

This Privacy Policy explains how Lympne Castle Management Ltd (“Lympne Castle”, “we”, “us”, “our”) collects, uses, and protects personal data when you visit our website at lympnecastle.com, use our AI-powered chatbot, make an enquiry, or engage with our services. We are committed to handling your personal data responsibly and in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions or concerns, contact us at privacy@lympnecastle.com before using our services.

1. Data Controller

The Data Controller for your personal data is:
Lympne Castle Management Ltd
The Street, Lympne, Hythe, Kent, CT21 4LQ, United Kingdom
Email: privacy@lympnecastle.com | Tel: +44 1303 533533
We are registered with the Information Commissioner’s Office (ICO). If you have concerns about how we handle your data, you have the right to contact the ICO at ico.org.uk or call 0303 123 1113.

2. What Information We Collect

2.1 Information You Provide

When you submit an enquiry, book an event, use our chatbot, or otherwise contact us, we may collect:

  • Full name, email address, phone number, and postal address
  • Event details, preferences, and requirements you share with us
  • Payment information (processed securely via our payment provider — we do not store card details)
  • Any other information you voluntarily provide in correspondence or forms
  • Chatbot conversation content, including questions, preferences, and any personal details you share during a chat session

2.2 Information Collected Automatically

When you visit our website, we and our third-party partners automatically collect:

  • IP address, browser type, device type, and operating system
  • Pages viewed, time spent, referral URLs, and interaction events
  • Approximate location derived from IP address
  • Cookie identifiers and session data (see Section 6)
  • Analytics events via Google Analytics 4, managed through Google Tag Manager (GTM) — GTM acts as a tag management system that loads and controls third-party tracking scripts on our site
  • Advertising and measurement events via Meta Pixel (Facebook/Instagram) — this fires on page load and certain interaction events to measure campaign performance

2.3 Chatbot Data

Our AI-powered chatbot collects and processes:
  • The content of your messages and any information you share within the chat
  • Session metadata (timestamp, device type, referring page)
  • Cookie and session data used to personalise responses during your visit
  • Inferred preferences or interests based on your enquiries
Chat transcripts are retained for up to 24 months to support service improvement, dispute resolution, and future AI model training (see Section 5). You may request deletion at any time.

3. How We Use Your Information

We process your personal data for the following purposes:

  • Service Delivery: Responding to enquiries and providing information about our services
  • Bookings: Processing event bookings, wedding enquiries, and accommodation reservations
  • Marketing: Sending marketing emails, newsletters, and promotions (with your consent)
  • Chatbot & Personalisation: Operating and improving our AI chatbot and personalising your experience
  • Analytics: Measuring website performance and user behaviour via analytics tools
  • Advertising: Displaying targeted content via Meta Pixel and Google tools
  • Security: Detecting and preventing fraud, abuse, or security threats
  • Legal Compliance: Complying with our legal obligations
  • AI Training: Improving our services through analysis of chatbot transcripts and user feedback (data anonymised where possible)

4. Legal Bases for Processing (UK GDPR)

We only process your personal data where we have a valid lawful basis under UK GDPR Article 6. The table below maps each processing purpose to its legal basis. Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA); a copy is available on request.
Processing Purpose Legal Basis Details
Responding to enquiries and contact form submissions Contract / Legitimate Interests (Art. 6(1)(b), (f)) Necessary to take steps prior to entering a contract or to respond to your request.
Processing event bookings and reservations Contract Performance (Art. 6(1)(b)) Necessary to fulfil your booking.
Sending marketing emails and promotions Consent (Art. 6(1)(a)) Only where you have opted in; withdraw at any time
Operating and improving the AI chatbot Legitimate Interests (Art. 6(1)(f)) LIA conducted — interest in providing responsive digital service, not overridden by user rights
Chatbot personalisation using session/cookie data Consent (Art. 6(1)(a)) Consent captured via cookie banner before session data is used
Website analytics (GA4, GTM) Legitimate Interests / Consent (Art. 6(1)(f), (a)) Anonymised analytics under LI; full tracking requires cookie consent
Meta Pixel advertising measurement Consent (Art. 6(1)(a)) Only fires where marketing cookies are accepted
AI model training using chat transcripts Consent (Art. 6(1)(a)) Anonymised/aggregated where possible; opt-out available on request
Fraud prevention and security Legitimate Interests (Art. 6(1)(f)) Necessary to protect our systems and users
Financial record-keeping Legal Obligation (Art. 6(1)(c)) Required under UK tax and accounting law (7-year retention)
Vital interests (emergency situations) Vital Interests (Art. 6(1)(d)) Applied only in exceptional circumstances to protect life
You may withdraw consent at any time by contacting us at privacy@lympnecastle.com or via the cookie preference centre. Withdrawal does not affect the lawfulness of prior processing.

5. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy:
  • Enquiry and contact data — 2 years from last contact
  • Booking and event records — 7 years (legal and financial compliance)
  • Chatbot transcripts — up to 24 months, then securely deleted or anonymised
  • Marketing consent records — for the duration of the marketing relationship plus 2 years
  • Website analytics data — per platform defaults (GA4: up to 26 months; Meta: per Meta’s data policy)
  • Cookie data — per category (see Section 6)
When data is no longer required, it is securely deleted or irreversibly anonymised. Backup copies are isolated from active processing and deleted on the next scheduled purge cycle.

6. Cookies and Tracking Technologies

6.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website. We also use similar technologies including tracking pixels and tag management scripts.

6.2 Cookie Categories and Lifespans

6.3 Your Cookie Choices

When you first visit our site, a cookie consent banner will appear. You may:
  • Accept all cookies
  • Accept strictly necessary cookies only
  • Customise your preferences by category
You may change your preferences at any time via the Cookie Settings link in our website footer. Withdrawing consent for analytics or marketing cookies will stop those technologies from activating on subsequent visits. It will not affect cookies already set during a prior consented session. You can also control cookies through your browser settings. Note that disabling all cookies may affect website functionality.

6.4 Analytics Tracking — Two-Tier Approach

We operate Google Analytics 4 in two modes depending on your consent status, in line with the Data (Use and Access) Act 2025 (DUAA) which came into force on 5 February 2026:

  • Anonymised first-party analytics (no consent required): GA4 configured with IP anonymisation, no Google Signals, and no cross-device tracking. This processing is exempt from PECR (Privacy and Electronic Communications Regulations) consent requirements under the DUAA 2025 statistical purposes exemption. It runs by default for all visitors and provides us with aggregated, anonymised data about how the website is used.
  •  Full analytics tracking (consent required): Full GA4 with Google Signals, demographic data, and cross-device tracking. Activated only where you have accepted analytics cookies via our consent banner. This does not qualify for the DUAA exemption as it involves profiling.
  • Meta Pixel (consent required): A third-party advertising measurement tool. It is blocked at the tag management level and only activates where you have accepted marketing cookies. No DUAA exemption applies — explicit consent is always required.

6.5 Behavioural Analytics and Personalisation (Future)

We plan to introduce a marketing intelligence layer that will enable richer behavioural analytics, cross-session personalisation, and audience segmentation. This is not yet active. Before activation, we will: (1) update this Policy to describe the specific technologies in use; (2) implement a Consent Management Platform (CMP) capable of capturing, storing, and syncing granular consent; and (3) present users with a clear choice before any new tracking activates. Legitimate Interests cannot be relied upon for this category of processing — explicit consent is required. We will not activate this layer until a compliant consent architecture is in place.

7. Sharing Your Personal Data

We do not sell your personal data. We may share it with:
  • Google LLC — Analytics, Tag Manager, and advertising services
  • Meta Platforms, Inc. — Meta Pixel measurement and advertising
  • Our AI chatbot infrastructure provider — for chat processing and hosting (data processed under a data processing agreement)
  • Email and CRM platform providers — for sending communications and managing contact records
  • Professional advisers — legal, accountancy, or insurance providers, under confidentiality obligations
  • Regulatory authorities — where required by law or legal proceedings
  • A successor entity — in the event of a merger, acquisition, or sale of assets
All third-party processors are bound by contractual obligations to process data only on our instructions and in accordance with applicable data protection law.

8. International Data Transfers

Some of our service providers operate outside the UK. Where we transfer personal data internationally, we ensure appropriate safeguards are in place as required by UK GDPR Chapter V:
Provider Country Safeguard
Google LLC (GA4, GTM)s United States UK adequacy regulations / Standard Contractual Clauses (SCCs) under UK GDPR
Meta Platforms, Inc. (Meta Pixel) United States Standard Contractual Clauses (SCCs) under UK GDPR
AI Chatbot Infrastructure Provider TBC Data Processing Agreement with SCCs where applicable
You may request a copy of the relevant transfer safeguards by contacting us at privacy@lympnecastle.com.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted data transmission (HTTPS), access controls, and regular security reviews.

No internet transmission is completely secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security. You use our services at your own risk in this regard.

10. Children

Our website and services are not directed at children under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@lympnecastle.com and we will delete it promptly.

11. Automated Decision-Making

Our AI chatbot uses automated processing to generate responses based on your inputs and session context. This processing does not produce legal or similarly significant effects — it is used solely to provide helpful information and personalise your experience on our website.

If in future we deploy automated processing that produces decisions with significant effects (such as eligibility decisions or pricing), we will update this Policy, establish an appropriate legal basis under Art. 6 and Art. 22 UK GDPR, and provide you with the right to obtain human review, express your point of view, and contest any decision.

12. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:
  • Access — request a copy of the data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — request deletion of your data where there is no lawful basis for continued processing
  • Restriction — ask us to limit processing in certain circumstances
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests or for direct marketing
  • Withdraw Consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing
  • Automated Decision-Making — object to decisions made solely by automated means that significantly affect you
To exercise any of these rights, email privacy@lympnecastle.com. We will respond within one calendar month. If you are dissatisfied with our response, you have the right to lodge a complaint with the ICO at ico.org.uk or call 0303 123 1113.

13. Marketing Communications

We will only send you marketing emails or SMS messages with your explicit consent. You may unsubscribe at any time by clicking ‘Unsubscribe’ in any marketing email, replying STOP to any SMS, or emailing enquiries@lympnecastle.com. Withdrawal of marketing consent does not affect service-related communications.

14. Updates to This Policy

We may update this Policy from time to time to reflect changes in our practices or applicable law. The ‘Last Updated’ date at the top of this document will reflect any revisions. Material changes will be communicated via a prominent notice on our website or by direct email notification to existing contacts where appropriate.

15. Contact and Requests

For any privacy-related questions, requests, or complaints:
  • Email: privacy@lympnecastle.com
  • Post: Lympne Castle Management Ltd, The Street, Lympne, Hythe, Kent, CT21 4LQ, UK
  • Data Subject Access Requests: via the ICO-compliant request form linked on our website
  • Legitimate Interests Assessments: available on request at the above email address