Privacy Policy (UK GDPR)

Effective date: 19 February 2026
Website: https://www.passporttoleisure.co.uk
Contact email (Data Controller): passporttoleisuress@gmail.com

1) Who we are

Passport to Leisure (“we”, “us”, “our”) operates this website and provides children’s camp bookings and related services. For data protection purposes, we are the data controller of personal data collected through this site.

2) What personal data we collect

When you browse, contact us, or place a booking, we may collect:

A. Booking and account details

  • Booker/parent/guardian name, email, phone number, billing address

  • Child/participant name and basic details you enter for the booking (eg age group, camp selection)

  • Order details (what was booked, dates, price, and booking notes)

B. Payment information (bank transfer)

  • We do not take card payments on the website.

  • If you pay by direct bank transfer, we may record your payment status, the amount received, the date received, and any reference you provide (eg order number).

C. Communications

  • Emails/messages you send to us and our replies

D. Website and device information

  • IP address, approximate location (derived from IP), browser/device information, and pages visited

  • Cookies needed for the site to work (see Cookie Policy below)

E. Optional information you choose to provide

  • Any information you include in booking notes or messages

  • Health information (eg allergies/medical needs) only if you provide it to help us keep your child safe (see section 4).

3) How we use your data

We use personal data to:

  • Take and manage bookings (including confirmations and changes)

  • Provide customer support and respond to enquiries

  • Manage attendance lists and operational planning for camps

  • Record and reconcile bank transfer payments

  • Keep the site secure and prevent fraud/abuse

  • Meet legal, tax and accounting obligations

  • Improve the website (and only use non-essential analytics/marketing cookies if you consent)

4) Our lawful basis for processing (UK GDPR)

We process personal data under the UK GDPR lawful bases, including:

  • Contract (Article 6(1)(b)): to take your booking and provide the camp service.

  • Legal obligation (Article 6(1)(c)): for record-keeping required by law (eg accounting/tax).

  • Legitimate interests (Article 6(1)(f)): to operate and secure our website and services (eg preventing fraud, troubleshooting, improving service).

Special category data (health information)
If you provide health details (eg allergies/medical needs), this is “special category data”. We will only use it to support safe participation and safeguarding. We rely on:

  • Explicit consent (Article 9(2)(a)) where required, and/or

  • Vital interests (Article 9(2)(c)) where necessary to protect the child in an emergency (where applicable).

You can withdraw consent at any time by emailing us, but this may affect our ability to safely provide the service.

5) Children’s data

Our camps are for children, but this website is intended to be used by parents/guardians making bookings. Where children’s details are entered, the person booking confirms they have the authority to provide that information.

6) Who we share your data with

We keep sharing to what’s necessary to run the site and deliver bookings. This may include:

  • Website hosting / IT providers (to store and run the website)

  • Email service providers (so we can send and receive messages)

  • WooCommerce / WordPress service providers and plugins (site functionality)

  • Professional advisers (eg accountant) where required

  • Authorities if required by law

We do not sell personal data.

7) International transfers

Some providers (eg hosting, email, plugin services) may process data outside the UK. Where this happens, we use appropriate safeguards required by UK data protection law (such as contractual protections).

8) How long we keep your data

We keep personal data only as long as needed for the purposes above and to comply with legal requirements. The ICO expects you not to keep data longer than necessary.
Typical retention periods:

  • Booking and payment records: up to 6 years (for tax/accounting and to handle disputes)

  • Enquiry emails: usually up to 24 months unless needed longer for a booking/dispute

  • Cookies: see Cookie Policy

9) Your rights (UK GDPR)

You have rights including:

  • Access to your data

  • Correction of inaccurate data

  • Deletion (in some cases)

  • Restriction and objection (in some cases)

  • Data portability (in some cases)

  • Withdraw consent (where we rely on consent)

To exercise your rights, email: passporttoleisuress@gmail.com

10) Complaints

If you’re unhappy with how we handle personal data, please contact us first so we can help. You also have the right to complain to the Information Commissioner’s Office (ICO) (the UK regulator).

11) Security

We use appropriate technical and organisational measures to protect personal data, including access controls and security measures appropriate to a small booking website. No method of transmission is 100% secure, but we work to protect your information.

12) Changes to this policy

We may update this Privacy Policy from time to time. The latest version will be posted on this page with an updated effective date.

Cookie Policy (UK PECR + UK GDPR)

1) What cookies are

Cookies are small text files stored on your device when you visit a website. They help the site function and can also be used for analytics/marketing.

2) Cookies we use and why

Under UK cookie rules (PECR), you must tell users about cookies and generally get consent, unless the cookies are strictly necessary to provide a service the user requests (eg keeping items in a basket).

A) Strictly necessary cookies (no consent required)

These are essential for the site to work (eg booking/checkout and security). On a WooCommerce/WordPress site, these commonly include cookies used to:

  • Remember what’s in your basket and maintain your session

  • Help the site load securely and consistently

Examples you may see (names can vary by configuration):

  • woocommerce_cart_hash / woocommerce_items_in_cart (basket functionality)

  • wp_woocommerce_session_* (session for checkout/basket)

  • WordPress core cookies for logged-in users/admins (if applicable)

B) Optional cookies (consent required)

If you use any of the following, we will ask for your consent via a cookie banner/settings tool:

  • Analytics cookies (eg to measure traffic and improve the site)

  • Marketing/advertising cookies

  • Social media or embedded content cookies (eg YouTube, Meta, etc.)

If you do not consent, these cookies will not be set.

3) How to manage cookies

You can:

  • Use our cookie banner/settings (where available) to accept/reject optional cookies.

  • Control cookies through your browser settings (block/delete cookies).
    Blocking strictly necessary cookies may stop parts of the booking/checkout from working properly.

4) Updates to this Cookie Policy

We may update this Cookie Policy as the site changes (eg if we add analytics). Updates will be posted on this page.