1. Who We Are

Data Controller: Thistle Suites

Address: 2 York Place, Queen Street, Edinburgh, EH2 1HY

Email: karen@thistlesuites.com

We are responsible for determining how and why your personal data is processed.

2. What Personal Data We Collect

We may collect and process the following personal data:

• Full name

• Email address and telephone number

• Billing address

• Booking and stay details

• Payment information (processed securely by third-party providers; we do not store full card details)

• Communications with us (emails, messages, call records)

• Technical data (IP address, browser type, device information)

• Website usage data (via analytics tools)

• CCTV footage in communal areas (where applicable)

3. How We Collect Your Data

We collect personal data when you:

• Make a booking directly or via a third party (e.g. Booking.com)

• Contact us by email, telephone or website forms

• Visit and use our website

• Stay at our property

• Provide information required for legal or regulatory purposes

4. How We Use Your Personal Data

We use your data to:

• Process and manage your reservation

• Communicate essential information about your stay

• Provide guest services and support

• Improve our website, services and guest experience

• Comply with legal, regulatory and tax obligations

• Protect our property, guests and staff

• Prevent fraud and misuse

Where you have opted in, we may also use your data to send marketing communications.

5. Legal Basis for Processing

We process your personal data under the following lawful bases:

• Contractual necessity – to fulfil your booking and provide services

• Legal obligation – to comply with applicable laws and regulations

• Legitimate interests – for business operations, security, fraud prevention and service improvement

• Consent – for marketing communications (where applicable)

6. Sharing Your Personal Data

We may share your personal data with trusted third parties where necessary, including:

• Mews (property management and booking system)

• Squarespace (website hosting and infrastructure)

• Payment processors (for secure payment handling)

• Klaviyo (email communications, where subscribed)

• Google Analytics (website analytics and performance tracking)

• Meta (Facebook/Instagram) (advertising and audience measurement)

• Booking platforms and channel managers

• IT and system providers

• Legal or regulatory authorities where required

All third parties are required to process your data securely and in accordance with applicable data protection laws.

7. International Data Transfers

Some of our service providers (such as Google, Meta, Squarespace and Klaviyo) may process data outside the UK.

Where this occurs, we ensure appropriate safeguards are in place, such as:

• UK adequacy regulations

• Standard Contractual Clauses (SCCs)

• Equivalent legal protection measures

8. Data Retention

We retain personal data only for as long as necessary:

• Booking and financial records: up to 7 years (legal and tax requirements)

• Communication records: as required for dispute resolution

• Marketing data: until you unsubscribe or withdraw consent

• CCTV footage: retained in line with security policies unless required for investigation

9. Your Data Protection Rights

Under UK GDPR, you have the right to:

• Access your personal data

• Request correction of inaccurate data

• Request deletion of your data (where applicable)

• Restrict or object to processing

• Request transfer of your data (data portability)

• Withdraw consent (where applicable)

• Lodge a complaint with the Information Commissioner’s Office (ICO)

Requests should be submitted to karen@thistlesuites.com.

We will respond within statutory timeframes.

10. Data Security

We take appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, misuse or disclosure.

This includes secure systems, restricted access controls and trusted third-party providers.

11. Cookies & Website Tracking

Our website uses cookies and similar technologies to ensure functionality and improve user experience.

These may include:

• Essential cookies – required for site functionality

• Analytics cookies (Google Analytics) – to understand website usage

• Marketing cookies (Meta, Klaviyo) – where applicable

You can control or disable cookies through your browser settings. Where required, cookie consent is obtained via our website.

12. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

The most recent version will always be available on our website.