How ukwaterpark.org/ Handles Personal Data — UK GDPR & Data Protection Act 2018
This Privacy Notice sets out what personal data we collect, why, how long we keep it, who we share it with, and your rights under the UK GDPR, the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations (PECR). It also explains how to complain to the Information Commissioner’s Office (ICO).
ukwaterpark.org/ is an editorial directory. We do not hold, process or store any venue booking, ticket purchase, locker rental, swim-class enrolment or other transactional record. Booking information is held by the venue and its booking-system provider. For booking access, refunds or any account-related concern, contact the venue directly using its own contact channel.
What is in this notice
1. Scope and Controller
This Privacy Notice applies to ukwaterpark.org/. The "controller" for the purposes of the UK GDPR is ukwaterpark.org/ Editorial, contactable at info@ukwaterpark.org.
This notice does not apply to the Health and Safety Executive (HSE), PWTAG, RLSS UK, CIMSPA, the ICO, any local authority, any leisure-trust operator, any parent group, or any venue we link to. Each of those is its own controller with its own privacy notice. For booking-related data, follow the venue’s own privacy notice.
2. Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Identifiers | IP address, device ID, browser user agent | Automatic when you visit |
| Usage data | Pages viewed, time on page, referrer, internal searches | Automatic |
| Contact data | Email address, name (if you provide it), message content | You — only if you email us |
| Cookies / similar tech | See Cookie Policy | Automatic; managed by the cookie banner |
| Approximate location | City inferred from IP | Automatic |
We do not collect your name, address, NI number, NHS number, booking reference, ticket number, payment card data, bank account data, special-category data under Article 9 UK GDPR (health, disability, etc.), or criminal-offence data under Article 10 UK GDPR. If you accidentally include any such data in an email to us, we delete it on receipt and ask you to take the venue-specific question to the venue itself.
3. Why We Collect It (Purposes)
- To operate the site — load pages, remember your cookie preferences, protect against abuse
- To understand which directory pages are useful — aggregated, anonymised analytics
- To respond to you when you email us a correction, accessibility report, data-subject request or other inquiry
- To display non-personalised or personalised advertising depending on your consent
- To detect and prevent abuse — fraud, scraping, attacks
- To comply with legal obligations — e.g., responding to lawful information requests from the ICO, the police, the courts, or local authority Trading Standards under the Consumer Protection from Unfair Trading Regulations 2008
4. Lawful Bases Under Article 6 UK GDPR
| Processing | Lawful basis |
|---|---|
| Strictly necessary cookies, security and abuse prevention | Legitimate interests (Article 6(1)(f) UK GDPR), balanced against your rights |
| Analytics and advertising cookies | Consent (Article 6(1)(a) UK GDPR), captured via cookie banner in line with PECR regulation 6 and the ICO’s cookie guidance |
| Responding to your email enquiries | Your request and consent (Article 6(1)(a)/(b) UK GDPR) |
| Legal obligations | Article 6(1)(c) UK GDPR (compliance with a legal obligation) |
6. How Long We Keep Personal Data
| Category | Retention period |
|---|---|
| Web server and security logs | 30 days |
| Aggregated GA4 analytics | 14 months |
| Email correspondence | 24 months from last interaction |
| Cookie consent records | 12 months from your choice |
| Data subject rights request audit trail | 3 years (ICO enforcement window) |
7. Your Rights Under UK GDPR and DPA 2018
| Right | UK GDPR article | What it means |
|---|---|---|
| Right to be informed | Articles 13–14 | You know what we do with your data — this notice |
| Right of access (subject access request) | Article 15 | Get a copy of the personal data we hold about you |
| Right to rectification | Article 16 | Correct inaccurate or incomplete data |
| Right to erasure (“right to be forgotten”) | Article 17 | Delete data where the lawful conditions apply |
| Right to restrict processing | Article 18 | Limit how we use data in certain situations |
| Right to data portability | Article 20 | Receive your data in a structured, machine-readable format |
| Right to object | Article 21 | Object to processing based on legitimate interests, and to direct-marketing processing |
| Rights related to automated decision-making and profiling | Article 22 | We do not make decisions about you using solely automated processing with legal/similar effects |
| Right to withdraw consent | Article 7(3) | Withdraw consent at any time without affecting the lawfulness of prior processing |
| Right to complain to the ICO | Article 77; section 165 DPA 2018 | See section 12 below |
8. How to Exercise Your Rights
Email info@ukwaterpark.org with the subject line “Data subject rights request” and the right you are exercising. We respond within one calendar month as required by Article 12(3) UK GDPR, extendable by a further two months for complex requests (with notification).
We may need to verify your identity before responding — for example, by asking you to confirm details we already hold, or in exceptional cases by requesting proof of identity. We do not retain identity-verification documents longer than necessary.
Exercising your rights is free of charge in most cases, except for manifestly unfounded or excessive requests under Article 12(5) UK GDPR.
9. Children — Article 8 UK GDPR
The site is not directed at children. Article 8 UK GDPR, as modified by the Data Protection Act 2018 (section 9), sets the age threshold at 13 years for valid consent to information-society services in the UK; below this age, parental consent is required. We do not knowingly collect personal data from children under 13. We design the site in line with the ICO’s Age Appropriate Design Code (the Children’s Code), even though we are not directed at children.
If you are a parent or guardian and believe a child has provided personal data to us, email us with the subject “Child data request” and we will delete it.
10. International Data Transfers
Some of our processors (Google Analytics 4, Google AdSense) are based in the United States. We rely on:
- The UK Extension to the EU-US Data Privacy Framework where the processor is certified, or
- The International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the ICO under section 119A DPA 2018,
- together with appropriate supplementary measures consistent with the ICO’s transfer risk assessment guidance
11. Security
We use technical and organisational measures appropriate to the limited categories of personal data we process — TLS/HTTPS in transit, encryption at rest where applicable, access controls, vendor due diligence, and a breach-response procedure aligned with Articles 33 and 34 UK GDPR (notification to the ICO within 72 hours where required, and to data subjects without undue delay where the breach is likely to result in a high risk to rights and freedoms).
12. Complaints to the Information Commissioner’s Office
If you are unhappy with how we have handled your personal data or your data-subject rights request, you have the right to lodge a complaint with the supervisory authority:
- Information Commissioner’s Office (ICO) — ico.org.uk — helpline 0303 123 1113 (Monday to Friday, 9am to 5pm)
- The ICO is the UK’s independent regulator for data protection and information rights
We encourage you to contact us first to try to resolve the issue, but the right to complain to the ICO is always available (Article 77 UK GDPR).
13. Changes to This Notice
We update this notice when our practices change or when UK data protection law changes. The “Last reviewed” date at the top reflects the current version. Material changes are flagged on the site for 30 days.
14. Contact
For any privacy question or rights request, email info@ukwaterpark.org with the subject “Data subject rights request”.
Exercise a Data Subject Right
Email us with the subject “Data subject rights request”. We respond within one calendar month as required by Article 12(3) UK GDPR.
📧 info@ukwaterpark.org