Privacy Policy Statement

1 Introduction

This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data, and keep it safe.

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in European Union law on data protection and privacy for all individuals within the European Union and the European Economic Area. It comes into force on 25th May 2018. It does not only apply to EU/EEA citizens. It applies to all citizens who use a service offered within the EU or EEA.

We know that there’s a lot of information here, but we want you to be fully informed about your rights, and how Cardiff History and Hauntings uses your data.  

We hope the following sections will answer any questions you have but if not, please do get in touch with us.


2 What is Cardiff History and Hauntings?

Cardiff History and Hauntings is a small Cardiff-based business which designs and delivers guided walking tours to help participants discover the history, legends and ghost stories of Wales. It employs trained guides and stewards to deliver the tours.

For simplicity throughout this statement, ‘we’ and ‘us’ means Cardiff History and Hauntings.


3 Explaining the legal bases we rely on

The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:


3a Consent

In specific situations, we can collect and process your data with your consent.

For example, when you register as a client with us you are invited to opt to receive occasional email newsletters from us. We have always maintained an "opt-in" approach to the newsletters (ie we have never "presumed" consent) which uses your email address to let you know about new tours or reminders about special events we are running (such as Halloween-related events). You do not have to opt-in to receive newsletters from us, and you can unsubscribe from this service at any time by emailing us at

If you contact us with an online website enquiry form you can opt to offer us a telephone number to contact you. 


3b Contractual obligations

In certain circumstances, we need your personal data to comply with our contractual obligations. 

If you are purchasing a service from us, such as buying tickets for a walk, we ask you for your name, postal address, email and contact telephone number.

We also store your username and password used by you to access your client account.

We also store your registration internet protocol (IP) address. This is the unique code for the electronic device you use to communicate with us (personal computer, laptop, tablet or phone), which allows us to communicate over the internet. It also enables us to monitor any incident of fraudulent login or attempted criminal activity.

We always make clear to you which data is necessary by indicating *required* when you open an account with us. This is in order for us to contact you to confirm your booking, or to get in touch on any issue related to your purchase or account.

We neither receive, have sight of, nor store, any of your financial and/or bank details as all transactional elements of a ticket purchase are handled by an external agent (PayPal). 

On the rare occasion when we need to engage in a direct financial transfer with a customer (in either direction) we offer or request only the information necessary to complete that transaction: sort code, account number (and, in the case of international payments, IBAN and SWIFT/BIC codes).

If you write to us to request a gift certificate we collect a delivery address so we can send it to you or the person you would like us to send it to.

If you contact us with a website enquiry using the online form we require an email address for you otherwise we cannot contact you.


3c Legal compliance

If the law requires us to, we may need to collect and process your data.  

For example, we can pass on details of people involved in fraud or other criminal activity affecting our business to law enforcement.


3d Legitimate interest

The data privacy law allows for legitimate interest in understanding our customers and providing the highest levels of service.

When you create an account with us, we ask how you heard about us. This helps us identify the impact of our previous marketing and communications.

The contact information you provide on registering with us as a client (and as set out in 3b above) is held by us in order for us to understand better the broad geographical spread of our customer base. This helps us identify geographical areas on which we can focus future marketing. 


4 When do we collect your personal data?

When you create an account with us we request the information set out in 3b above.

If you write to us to request a gift certificate we collect a delivery address so we can send it to you.

If you contact us with a website enquiry using the online form we require an email address for you otherwise we cannot contact you. We also ask for your name, so we know how to address you, and offer you the option of providing a telephone number if you would like us to call you.


5 Do we keep any other personal data?

We store records of correspondence with you. This enables us to track and refer to previous correspondence.  


6 Why and how do we use your personal data?

We want to give you the best possible customer experience from the moment you first communicate with us. One way to achieve that is to make sure we can contact you as quickly and flexibly as possible, and to enable you to book further tours with us as easily as possible by logging into your account.

If you opt to receive newsletters from us, we can use the information provided by you to offer you information on new tours and events.

We also find it helpful to know broadly where our customers travel from to join our tours, and how they heard about us.

If you wish to change how we use your data, you’ll find details in section 10 below.

Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services, or offer them to the highest level we can. For example, if you choose not to provide us with a telephone number, it means that if there was a last minute need to cancel a tour, we might not be able to get in touch with you as quickly as we might.

To process an order that you make using our website. We won’t be able to process your order and comply with our contractual and legal obligations without the information we request as set out in 3b above.

To respond to your queries, refund requests and complaints. Handling the information you sent enables us to respond. We may also keep a record of these to inform any future communication with us and to demonstrate how we communicated with you throughout. We do this on the basis of our contractual obligations to you, our legal obligations and our legitimate interests in providing you with the best service and understanding how we can improve our service based on your experience.

To protect our business and your account from fraud and other illegal activities. This includes using your personal data to maintain, update and safeguard your account. 

For example, by checking your password when you log in and by automated monitoring of IP addresses to identify possible fraudulent log-ins from unexpected locations.

If we discover any criminal activity during our tours or during the transaction process, we will process this data for the purposes of reporting, preventing or detecting unlawful acts. Our aim is to protect our clients from criminal activities either during the transaction process or during the tours we operate.

To send you, via our newsletter, communications required by law or which are necessary to inform you about our changes to the services we provide you. For example, updates to this Privacy Statement. These service messages will not include any promotional content and do not require prior consent when sent by email. If we do not use your personal data for these purposes, we would be unable to comply with our legal obligations.

To comply with our contractual or legal obligations to share data with law enforcement.

For example, when a court order is submitted to share data with law enforcement agencies or a court of law.

To send you, via our newsletter, survey and feedback requests to help improve our services. These messages will not include any promotional content and do not require prior consent when sent by email. We have a legitimate interest to do so as this helps make our products or services more relevant to you.


7 How we protect your personal data

We treat your data with the utmost care and take all appropriate steps to protect it.

Our website uses ‘https’ technology. This means that all communication between us is encrypted using "SSL" (padlock) technology.

Access to your personal data is password-protected, and strictly controlled. It is limited to the company owner and web and data management service provider (see 9 below). The tour guides have access to the name and emergency contact telephone number of customers signed up for the tour they are leading, in order to contact them should the need arise (eg if a customer is late).

All data is stored in a secure data centre.

Our systems are routinely monitored for possible vulnerabilities and cyber-attacks.


8 How long will we keep your personal data?

We will keep your data for as long as you wish us to do so. We have many customers who return time and again to rebook a tour experience, or to book a new tour with us, sometimes after a gap of many years. We wish to make it as easy as possible for you to do so by logging into your account. 

However, you can ask for your account to be closed and your details removed from our system at any time by emailing us at


9 With whom do we share your personal data?

We never share your data with third parties for the purpose of marketing, sales, promotion, research or any other type of commercial or analytical activity.

As set out in 3c above, if the law requires us to, we may need to share the data we hold on you (ie the data we set out in 3b above).  

For example, we can pass on details of people involved in fraud or other criminal activity affecting our business to law enforcement.

We share your contact telephone number with the tour guide allocated to the tour on which you have booked. This is in order for them to contact you if needed (eg if you are late for the tour).

For secure data storage purposes, your data is shared with our web and data management service, x3 Internet Solutions LLP, PO Box 3685, Stafford, ST16 9TR, and stored in secure encrypted form in their data centre.


10 What rights do you have concerning the personal data we hold on you?

You have the right to request:

  • access to the personal data we hold about you, free of charge.
  • the correction of your personal data when incorrect, out of date or incomplete.
  • that we remove you from the newsletter mailing list. The newsletter has always been an optional "opt-in" service and has always relied on your active, not presumed, consent. However, you can unsubscribe from it at any time.
  • that we delete all of your information from our database (once you have taken part in the tour for which you have booked, or if you had previously made a booking but decided to cancel).

To request any of the above please contact us in writing on

We will respond within 2 working days to your request (unless the business is closed for a vacation, in which case you will receive an automated reply telling you when we reopen).

If we choose not to action your request we will explain to you the reasons for our refusal.


11 Contacting the regulator

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

You can contact them by calling 0303 123 1113.
Or go online to (opens in a new window; please note we can't be responsible for the content of external websites)

If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence. 


12 Any questions?

We hope this Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it.

If you have any questions that haven’t been covered, we will be happy to help you.

Please contact us at