top of page

User privacy and data protection

We take your privacy seriously. This document lets you know how we will process and protect any data you share with us.

Our data protection policy is based on the following principles:

  • We recognise the need for user privacy and data protection legislation compliance

  • We understand we have a duty of care to our clients

  • We only collect and process Data that is absolutely necessary and in the best interests of our clients and any data collected will be for the purpose of the services we provide

  • We will never pass any client Data to a third party unless we have your express permission and it is in your best interest

  • We endeavor to ensure that all our Data is correct and up to date

We aim to comply with

  • UK Data Protection Act 1988 (DPA)

  • EU Data Protection Directive 1995 (DPD)

  • EU General Data Protection Regulation 2018 (GDPR)


What is the source of your personal data?

The source of the data we collect will be you, through communication in person, via email or over the telephone. 


We may also collect personal data about you via CCTV observation and footage.


What lawful basis do we have for processing your personal data?

We process your personal data where:

  • processing is necessary for compliance with a legal obligation on us, for example to make sure we submit accurate company accounts and tax returns;

  • we have a legitimate interest in processing personal data, for example

    • to provide you with news or information on upcoming events which may be of interest to you; or

    • to make sure an event booking runs smoothly, and to make future event bookings easier by being able to refer to your previous menu choices.


Where we process CCTV data (which may include criminal offence data), we do so because the processing is necessary for reasons of substantial public interest, and because we have a legitimate interest in processing this personal data, i.e. to prevent theft and vandalism, to respond to police requests in investigations; and to deter criminal acts and protect staff and customers.

Where we rely on legitimate interests as a reason for processing data, we have considered whether or not those interests are overridden by your rights and freedoms and have concluded that they are not.


What personal data do we process and who do we share it with?

Booking enquiries and bookings

If you book or enquire about an event or table booking with us, we will process your contact details including your name, email address and postal address.  We will also process email communications with you. 

We share this data internally with relevant staff only, and, in the event of a booking, with our bookkeeping company and accountancy firm. 

External IT staff may also have access to your personal data for IT purposes only, e.g. to install technological safeguards to protect your data. 

Data is stored in a range of different places, including our email system (we use Google’s gmail as our email provider, so your personal data will be shared with them) and Dropbox.


The movements and activities of Vaults & Garden staff and customers/visitors are collected via CCTV placed in the following locations:

  1. CCTV 1 – Monitoring Till and Bar Team

  2. CCTV 2 – Monitoring Bar Team and Queue of Customers

  3. CCTV 3 – Monitoring Entrance in corridor (Staff cupboards, customer entrance and queue)

  4. CCTV 4 – Side entrance/exit and fire exit as well as customer tables at the far end of café monitoring entrances and exits

CCTV data is shared with

  • our IT company to the extent necessary to service and remedy technical faults/problems with the CCTV system; and

  • the Police when this data is requested in order to support them in their investigations.

How do we protect your personal data?

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by employees in the performance of their duties.

Where we transfer your personal data to third parties, we ensure there is a contract in place that provides sufficient guarantees that the requirements of the GDPR will be met and your rights protected.


Personal data transfers to third countries or international organisations.

Because some of your personal data may be stored on Dropbox, it may be stored, processed and transmitted in the United States and locations around the world.  When transferring data from the European Union, the European Economic Area and Switzerland, Dropbox relies on a variety of legal mechanisms, including contracts with their users. Dropbox complies with the EU-US and Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use and retention of personal information transferred from the European Union, the European Economic Area and Switzerland to the United States. You can find Dropbox's Privacy Shield certification here. You can also find out more about Privacy Shield at

Our email works through Google’s gmail which means that some personal data may be transferred outside the UK.  Google, including Google LLC and its wholly-owned US subsidiaries, has certified that it also adheres to the Privacy Shield Principles. Google remains responsible for any of your personal information that is shared under the Onward Transfer Principle with third parties for external processing on our behalf, as described in the “Sharing your information” section of their privacy policy, which can be found here. To learn more about the Privacy Shield program, and to view Google’s certification, please visit the Privacy Shield website.


How long do we keep your personal data for?

Booking enquiries and bookings:


We will keep your personal data for as long as is necessary to fulfil the purposes for which we collected it:


  • If you have enquired about a booking, your contact details (name, telephone number, email address and address) and enquiry details will normally be kept for 2 years from enquiry in order to make any future bookings by you easier;


  • If you have made a booking with us, your contact details (name, telephone number, email address and address) and emails relating to orders placed will be kept for 7 years after the date of the order, primarily for accounting purposes, and also to make any future bookings you may wish to make easier for you.





CCTV footage will be kept for one month, after which time it will be automatically deleted.


What are your rights in respect of the processing?

  • You have the right to be informed about the collection and use of your personal data, as provided for in this privacy notice.  At the time we collect your personal data, you are entitled to know our purposes for processing it, our retention periods, who it will be shared with and other information, which is all set out in this privacy notice (there are a few circumstances when we do not need to provide you with privacy information, such as if you already have the information or if it would involve a disproportionate effort to provide it to you).  If we obtain personal data from other sources, you are entitled to receive privacy information within a reasonable period of obtaining the data and no later than one month.  The information we provide to you must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language – if you feel this is not the case, then please let us know.

You can also (verbally or in writing):

  • ask us to give you access to the personal data we hold about you;

  • ask us to correct or complete incorrect or incomplete data; and

  • ask us to erase or restrict/stop processing your personal data (although this right is not absolute and only applies in certain circumstances)

Finally, you have the right to object to the processing of your data where we are relying on legitimate interests as the legal ground for processing.  However, we may be able to continue processing if we have a compelling reason for doing so. 


If you would like to exercise any of these rights or have any queries or concerns about them, please contact us using the contact details on page 1. 

You also have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (Tel. 0303 123 1113).


Because the processing of your personal data is not carried out by automated means and consent/contract, the right to data portability does not apply.


Can we oblige you to provide personal data, and what happens if you don’t?

We generally need your contact information in order to get in touch with you regarding an enquiry, although you could of course enquire without providing contact information if you prefer. 

We will however need your contact information in the event of a booking in order to be able to invoice you (unless you are able to pay in advance).  If you are not able to pay in advance, and don’t provide us with this information, we will not be able to take a booking.

If you would like us to stop contacting you at any time regarding news or information on upcoming events which may be of interest to you, please contact our Data Protection Officer on page 1.

To use the services of Vaults & Garden Café, if will not be possible to avoid CCTV, so if you would not like us to process CCTV data about you, you will not be able to use the Café.


Automated decision-making

No decisions are based on automated decision-making.

Email newsletter

If you sign up for our email newsletter your email address will be sent to our chosen marketing services provider. Your email address will remain with the marketing services provider, and we will not store it anywhere on our own system. You can request removal of your email address from this service. You will be able to unsubscribe from email newsletters at any time. A link to do so will be at the foot of every newsletter. Alternatively, you can contact us directly to request to be removed from our email list.

Site visitor tracking

This site uses Analytics software to track user interaction. This information allows us to determine the number of people using our site, so we can understand how our site is being used, so we can improve our services. We do not have access to information which will identify you.

You can prevent the Analytics software from tracking your interaction with the site by disabling cookies on your internet browser.

Data Breaches

In line with data protection regulations, we are obliged to report any data breaches. We will adhere to the requirement to do so within 72 hours and will report to the appropriate authorities. This also applies to any data theft.

Data Controller

The data controller of this website is: Fresh Connection Ltd., The Vaults And Gardens, The University Of St Mary Virgin, High Street Oxford, Oxfordshire, OX1 4AH (“we”, “our” and “us”) 

University Church, 1 Radcliffe Sq, OX1 4AH

Data Protection Officer: Natacha Cirou (Tel. 01865 279112, email

Our privacy policy may change from time to time in line with legislation or industry developments. Any changes will be detailed on our website.




Questions and Comments

If you have any questions or comments at all, please don’t hesitate to email or talk to our Data Protection Officer on page 1.


Privacy Notice version 19/08/20. 

bottom of page