Privacy Policy – Customer Facing
Effective Date: August 2025
About This Policy
This Privacy Policy explains how Abriand Topco Limited (Company No. 13862195) and its subsidiaries, which include Abriand Limited (07690482), Heartwood Collection Limited (Company No. 05699494), Heartwood Inns Limited (Company No. 07118269), Blanc Brasseries Limited (Company No. 04782459), and Heartwood PropCo Limited (Company No. 15559847) (together referred to in this policy as “we”, “us”, or “our”), collect, use, share, and protect personal data.
For the purposes of the UK GDPR, all of the above companies act as joint data controllers in respect of the personal data covered by this policy. This means that we collectively determine the purposes and means of processing, and have agreed to coordinate in meeting our data protection obligations. This policy applies to:
- Website visitors
- Customers across our venues
- Individuals interacting with our digital or physical services in the United Kingdom
Joint Controller Arrangement Summary
The companies listed above act as joint data controllers for the personal data covered by this Privacy Policy.
This means we collectively decide how and why your personal data is processed and work together to meet our data protection obligations.
We have a formal agreement in place that sets out our respective roles and responsibilities, including:
- Single contact point: Heartwood Collection Limited acts as the central point for all data subject rights requests (including subject access requests). You can contact them at mydata@heartwoodcollection.com.
- Privacy notices: Heartwood Collection Limited maintains and updates this Privacy Policy on behalf of all joint controllers.
- Breach management: If a personal data breach occurs, Heartwood Collection Limited coordinates the response and communication with the ICO and affected individuals, working with the relevant companies.
- Record keeping: Heartwood Collection Limited will maintain a central record of processing activities (ROPA) for the in-scope data.
Your rights: You can exercise your data protection rights against any of the companies listed above, and your request will be handled in accordance with our joint arrangements.
Data Controller Details
Heartwood Collection Limited
Registered address: Ground Floor, Cairns House, 10 Station Road, Teddington, TW11 9AA
Email: mydata@heartwoodcollection.com – Appointed DPO is contactable via this address.
Information Commissioner's Office – https://ico.org.uk/
What Personal Data We Collect
- Identity Data – Name, date of birth, gender
- Contact Data – Email, phone number, postal address
- Financial Data – Payment method, billing information
- Transaction Data – Bookings, orders, loyalty activity
- Technical Data – IP address, device type, browser type, cookies, session metadata
- Usage Data – Website interaction logs, email engagement
- Marketing Data – Campaign engagement, preferences, consent records, loyalty membership
- Special Category Data – Health or diversity information (recruitment purposes only)
- CCTV Footage – We operate closed-circuit television (CCTV) systems in and around our premises for the purposes of safety, security, crime prevention, and operational management.
How We Collect Your Data
- Directly from you: When making bookings, completing forms, or providing feedback
- Automatically: Via cookies and tracking tools when you interact with our website or emails
- From third-party platforms, including:
  - Acteol: CRM and marketing automation
  - Wireless Social: Wi-Fi and behavioural analytics
  - Guestline, Zonal: Venue bookings and point-of-sale data
  - Harri: Recruitment processing
  - Google Analytics & Ads, Microsoft Clarity: Website optimisation
  - GuestRevu: Customer feedback
  - Meta: Advertisement and journey tracking
Legal Bases for Processing
Under Article 6(1) and, where applicable, Article 9(2) of the UK GDPR, our processing relies on the following legal bases:
Processing bookings and orders – Contract performance (Art. 6(1)(b))
- We process personal data such as your name, contact details, payment information, and booking details because it is necessary to enter into and fulfil a contract with you — for example, to reserve a table, process payment, confirm your booking, or fulfil an order you have placed. Without this data, we cannot provide the service you have requested.
Sending service communications – Legitimate interests (Art. 6(1)(f))
- We may use your contact details to send operational messages directly related to your booking or our services, such as changes to your reservation, venue closures, safety notices, or service updates. We consider this to be in our legitimate interests, as it enables us to provide a smooth and safe service, and it does not unduly infringe your rights or freedoms.
Marketing via email or SMS – Consent (Art. 6(1)(a)); PECR Regulation 22
- We will only send you marketing messages about our offers, events, or promotions by email or SMS if you have actively opted in to receive them, in line with PECR Regulation 22. You may withdraw your consent at any time by using the unsubscribe link in our messages or by contacting us directly.
Analytics and improvement – Legitimate interests; Consent (where cookies apply)
- We analyse data such as website usage, customer feedback, and sales patterns to improve our services, menus, and online experience. Where we use cookies or similar technologies for analytics that are not strictly necessary, we will first obtain your consent in line with PECR. Where analytics can be carried out without intrusive tracking, we rely on our legitimate interest in improving our operations and customer experience.
Recruitment – Legitimate interests; Employment law (Art. 9(2)(b)) or explicit consent (Art. 9(2)(a))
- When you apply for a role with us, we process the personal data in your application (such as employment history, qualifications, and interview notes) to assess your suitability for the position and to take steps prior to entering into an employment contract. Where recruitment involves processing special category data (e.g. diversity monitoring or health-related adjustments), this is processed either under our employment law obligations or with your explicit consent.
Special category data (e.g. health) – Employment obligations or explicit consent
- We may process health-related information, such as details of allergies, medical conditions, or visit adjustments, to comply with our obligations under health and safety, or equality law. Where no legal obligation applies, we will only process such data with your explicit consent, ensuring that you are fully informed and able to withdraw that consent at any time.
You have the right to withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal. We have conducted Legitimate Interests Assessments (LIAs) where applicable. To exercise your rights, contact mydata@heartwoodcollection.com or use the unsubscribe links in marketing communications.
Cookies and Similar Technologies
We use cookies and tracking technologies in compliance with PECR and UK GDPR:
- Strictly necessary cookies: Required for website functionality (exempt from consent)
- Analytics cookies: Require prior consent; used to improve website performance
- Marketing cookies: Require prior, informed, opt-in consent
Consent is obtained via Cookiebot, which:
- Classifies cookies by purpose
- Delays non-essential cookie deployment until consent is given
- Logs and stores consent decisions for audit purposes
More information on the cookie data we collect can be found at: https://heartwoodinns.com/legal/cookies/
More information: https://ico.org.uk/your-data-matters/online/cookies
Google Consent Mode (v2 – Advanced)
Our website implements Google Consent Mode (Advanced). This allows Google services to respect user consent preferences:
- If consent is granted: Google Analytics, Ads, and other services operate normally. To understand how Google uses your data visit: https://policies.google.com/privacy?hl=en-US
- If consent is withheld: Only non-identifiable “pings” are sent
- These pings:
  - Do not contain personal data
  - Are aggregated and anonymous
  - Are not used for tracking or profiling
  - Are compliant with UK GDPR and PECR
Digital Marketing (Google Ads)
We use Google Ads for advertising and campaign performance analysis.
- Personalised advertising is shown only with your explicit consent
- Conversion tracking helps us measure service effectiveness
- Users can manage or revoke consent via https://adssettings.google.com
A/B Testing (Stellar)
We use Stellar for A/B testing to enhance website usability:
- Data is aggregated and pseudonymised
- No personally identifiable data is collected
- Legal basis: Legitimate interests (performance optimisation)
Data Aggregation and Pseudonymisation
We process certain operational and analytical data in an aggregated and pseudonymised form to assess and optimise the performance of our services. This means that personal identifiers are replaced with codes or other non-identifying markers, and datasets are structured so that individuals cannot be directly identified without access to separate, securely stored information. We do not combine pseudonymised datasets with other information in a way that would enable re-identification.
Legal basis: Legitimate interests (service performance optimisation and improvement). We have balanced these interests against the rights and freedoms of individuals and consider the impact to be minimal, as the data cannot be used to directly identify you without additional, separately held information.
Use of Meta Business Tools (including Meta Pixel and Conversion API)
We use Meta Business Tools, including the Meta (Facebook) Pixel and Conversion API, to measure the effectiveness of our advertising, understand user behaviour on our website, and deliver personalised ads to users across Meta platforms such as Facebook and Instagram.
These tools collect information about your use of our website (e.g. pages visited, actions taken, device and browser details, and referrer URLs) and share it with Meta Platforms Ireland Limited. This enables us to better understand how users engage with our content and services, and to target or optimise our ads accordingly.
Legal basis for processing
- Consent (PECR & UK GDPR): We rely on your consent to store or access information on your device (e.g. via cookies or pixels) in accordance with the Privacy and Electronic Communications Regulations (PECR).
- Legitimate interests (UK GDPR): Once data is collected, we rely on our legitimate interests to analyse and optimise our advertising campaigns and website performance, provided such interests are not overridden by your rights and freedoms.
Joint controllership with Meta
For certain aspects of data processing, such as the collection and transmission of event data via Meta tools, we act as joint controllers with Meta Platforms Ireland Limited. This relationship is governed by Meta’s Controller Addendum.
Meta is independently responsible for the processing of any personal data it receives. For further details on how Meta processes your information, including the legal bases it relies on and how you can exercise your rights, please see Meta’s Privacy Policy: https://www.facebook.com/privacy/policy
Your choices
You can manage your cookie preferences, including Meta Pixel, through our Cookie Consent Banner when you first visit our site or by updating your settings.
You can also manage your ad preferences directly through Meta:
Microsoft Clarity
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
Data Sharing
We may share personal data with:
- Subsidiaries and service providers under Art. 28-compliant Data Processing Agreements (DPAs)
- Law enforcement or regulators, where required by law
- Successors in corporate restructuring, under strict data protection terms
All recipients are contractually required to handle your data securely and lawfully.
International Transfers
Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as:
- UK Addendum to EU Standard Contractual Clauses (SCCs)
- EU Standard Contractual Clauses (SCCs)
- International Data Transfer Agreements (IDTA)
- Encryption, access controls, and risk assessments
Data Retention
We retain personal data only as long as necessary:
- Booking & loyalty data – 5 years after last interaction
- Recruitment applications – 12 months, unless consented for longer
- CCTV footage – Up to 6 months (unless required for longer)
- Consent logs – Minimum of 6 years (PECR standard)
- Aggregated/anonymous data – Indefinitely
Your Rights
You have rights under UK data protection law to:
- Access your data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Request erasure (“right to be forgotten”) (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Object to automated decision making (Art. 22)
- Withdraw consent at any time (Art. 7(3))
- Complain to the ICO at https://ico.org.uk
To exercise your rights, contact: mydata@heartwoodcollection.com
Children’s Data
Processing of children’s data may occur incidentally due to the operation of CCTV in our business. Children may also inadvertently access our sign-up campaigns; where this happens, it can be rectified by contacting mydata@heartwoodcollection.com.
CCTV Monitoring
CCTV operates at our venues to:
- Prevent and detect crime
- Ensure the safety of staff and guests
Footage is stored securely and retained for up to 6 months, unless extended for investigations or legal obligations.
Data Processors
We use carefully selected third-party service providers to help us deliver our services. These providers act as data processors and only process personal data on our instructions, in compliance with the UK GDPR. We require all processors to implement appropriate technical and organisational measures to protect your information.
The types of service providers we may use include:
- Customer Relationship Management (CRM) platforms – to manage bookings, reservations, and customer interactions.
- Payment gateway providers – to securely process online and in-venue payments.
- Online booking and reservations platforms – to facilitate reservations and event bookings.
- Email marketing and communication services – to send service updates, newsletters, and promotions (where you have consented).
- Mobile ordering, loyalty, and rewards platforms – to manage mobile app orders, loyalty schemes, and offers.
- IT hosting and support providers (including cloud-based hosting) – to host and maintain our websites, apps, data and business systems.
- Analytics and performance tools – to analyse service usage and improve our operations (where consent is required for cookies, we will obtain it first).
We do not allow our data processors to use your personal data for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.
You have the right to request information on the specifics of the systems of providers we use. All requests for this information should be made to: mydata@heartwoodcollection.com.
All data is:
- Transferred over secure, encrypted connections
- Stored only as necessary to complete transactions or comply with legal obligations
- Subject to strict access controls and audit logging
- Not shared with any party outside of the above processors without your consent
You will not be required to store card information to use our mobile ordering functionality. If you choose to save payment details within an app or browser, this is managed through the secure features of the payment processor (Stripe) or your device, not by Heartwood Collection Limited or its subsidiaries.
Data Breach Response
In accordance with Articles 33–34 UK GDPR, we maintain strict incident response procedures. In the event of a breach:
- Affected individuals will be notified where there is a high risk
- The ICO will be informed within 72 hours, where applicable
- Incidents are logged and reviewed for compliance and audit
TREATS Mobile Application
The TREATS mobile application is owned and operated by Heartwood Inns, a brand of Heartwood Collection Limited, which acts as the data controller for all data collected via the app.
Data Controller Details
Heartwood Collection Limited
Registered address: Ground Floor, Cairns House, 10 Station Road, Teddington, TW11 9AA
Email: mydata@heartwoodcollection.com
Data Protection Officer: Appointed and contactable via the above email address
Information Commissioner's Office – https://ico.org.uk/
Data Collected
PepperHQ Ltd operates as a data processor on our behalf, under a binding data processing agreement that complies with Article 28 UK GDPR. Where “we”, “us”, or “our” are referred to in this policy, this strictly relates to PepperHQ.
This Privacy Policy, along with the TREATS App Terms of Use, explains how your data is collected, used, and safeguarded when you interact with the TREATS mobile application. Please review both documents carefully.
What We Collect Through TREATS App
We collect personal data when you:
- Register – this includes:
  - Mandatory: First Name, Last Name, Email Address and Date of Birth
  - Optional: Photo
- Attempt to check in to one of our venues:
  - Mandatory: Location Services Data via device accessing the app
We may also collect:
- Device ID and IP address
- Usage data (e.g. app screens viewed, feature use)
- Purchase history (linked to offers and loyalty)
- Geolocation data (with consent) and pseudonymised geolocation data (in line with Advanced Consent Mode)
Mandatory data is collected and processed under Article 6(1)(b) UK GDPR (processing is necessary for the performance of a contract, i.e. enabling the core functionality of the app); Article 6(1)(a) applies where explicit consent is required for marketing, geolocation, or analytics.
How We Use Your Data
We use your personal data to:
- Provide the core functionality of the TREATS App
- Personalise your experience (e.g. loyalty offers, birthday rewards)
- Notify you of app updates, service changes, or maintenance
- Analyse how users engage with the app, to improve design and performance
- Manage promotions, competitions, surveys, and user feedback
- Send direct marketing (only where consent is given)
We may use your geographic location, with your consent, to identify your proximity to a Heartwood venue and enhance your visit experience (e.g. check-ins, location-based rewards).
You can opt out of location tracking through your device settings, although this may limit app functionality.
Marketing and Communications
Where you provide explicit consent, we may contact you via the app or other contact methods to:
- Share offers and promotions relevant to your profile
- Conduct customer surveys or research
You can withdraw your consent at any time via the “My Account” section in the app. Doing so will not impact your ability to use the app for other purposes.
We will never sell or share your personal data with third parties for marketing purposes.
Data Security and Storage
Your data is:
- Stored in an encrypted database
- Transmitted using secure, encrypted network connections
- Hosted within the UK or EEA, or in countries with appropriate safeguards (e.g. SCCs or UK IDTA in place)
Data is retained as follows:
- As long as your TREATS account remains active
- If inactive for 12 months, your account and identifiable data (including profile photo) will be securely deleted
- You may request deletion at any time
Your Rights and Access Requests
You have rights under UK data protection law to:
- Access your data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Request erasure (“right to be forgotten”) (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Object to automated decision making (Art. 22)
- Withdraw consent at any time (Art. 7(3))
- Complain to the ICO at https://ico.org.uk
To exercise your rights, contact: mydata@heartwoodcollection.com
Data Sharing and Disclosure
We will only share your personal data:
- With your explicit consent
- With trusted service providers (processors) under binding contracts
- With regulatory authorities or law enforcement where legally required
- With successors to our business, under strict confidentiality and data protection terms
If your data is transferred outside the UK or EEA, we ensure the transfer is governed by Standard Contractual Clauses (SCCs), UK International Data Transfer Agreement (IDTA), or equivalent safeguards.
Changes to This Section
This section of the Privacy Policy is correct as of August 2025 and reflects the latest version of the TREATS App. We reserve the right to make changes to the app or this policy. Where changes are material, we will notify you via the app or your registered contact details.
Policy Updates
This policy may be updated to reflect legal or operational changes. Where material changes are made, we will notify you via our website or through direct communication where appropriate.
[End of Privacy Policy for Abriand TopCo Limited]