Privacy policy

Your privacy matters to us. This policy explains how Fountain House ("we", "us", "our") collects, uses, stores, and protects your personal data, and describes your rights regarding that data. Please read it carefully. We'll update this policy when changes are needed—so do check back occasionally.

    • Purpose & Scope: Emphasise your commitment to privacy, compliance with UK GDPR and the Data Protection Act 2018, and outline who the policy applies to (website visitors, customers, guests, applicants, suppliers).

    • Entity Identification: Clarify that “Fountain House” refers to the legal entity operating the hostel, bakery, and bistro.

  • Identify Fountain House (with a business address) as the data controller, responsible for processing personal data and ensuring compliance.

  • Use the lawful bases prescribed under GDPR:

    • Consent – for marketing communications, newsletter sign-ups, feedback surveys.

    • Contract – to fulfil a booking or purchase (e.g., hostel stay, food order).

    • Legal Obligation – e.g., for accounting, regulatory compliance.

    • Legitimate Interests – e.g., improving services, personalising offers, business analytics.

  • List potential data categories, including:

    • Contact details: name, email, phone, postal address.

    • Booking/purchase details, payment history.

    • Digital data: website usage, IP address, cookies.

    • Dietary/allergy or health information, where relevant.

    • Staff/recruitment data (if relevant).

  • Mapping of data usage:

    • To process bookings/orders and facilitate service (contractual necessity).

    • To respond to inquiries, complaints, or refund requests.

    • To conduct marketing (emails, offers), only with consent and with an unsubscribe option.

    • To personalise content and improve services (legitimate interests).

  • Describe:

    • What cookies are and how you use them (functional, analytics, marketing).

    • Options for users to disable or manage cookies via browser settings.

  • Explain when data may be shared, for example:

    • With third-party service providers (payment processors, booking platforms, delivery partners) for fulfilment or security.

    • In response to legal obligations (e.g., court orders, law enforcement).

    • In business continuity scenarios (e.g., sale or transfer of business assets).

    • State where data is stored—within the UK/EEA, or, if external, under GDPR-compliant safeguards.

    • Note if any data is stored on third-party servers (e.g., cloud or email providers) located abroad, and how you secure transfers.

  • Outline retention periods:

    • Booking and transaction records — retained for X years for legal/accounting purposes.

    • Marketing data — as long as consent is active.

    • Recruitment applications — for up to a year if unsuccessful, or transferred to personnel files if successful.

  • Inform users of their rights under GDPR:

    • Access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection to processing.

    • Right to withdraw consent (especially for marketing).

    • Right to lodge a complaint with the ICO.

  • Reassure users of implemented technical and organisational safeguards to protect data from unauthorised access, disclosure, or loss.

  • State that the policy may be updated and will be published on your website, with an effective date, and that continued use implies acceptance.

  • Provide clear contact details (email and/or postal address) for privacy queries or requests.