Privacy Policy | Hestia Darkness Hotel

1. Introduction

Hestia Darkness Hotel (we, us, our, or Hestia) is committed to protecting your privacy and ensuring you have a positive experience on our website and during your retreat booking and participation. This Privacy Policy explains how we collect, use, disclose, and safeguard your information.

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our services or book a retreat.

2. Information We Collect

2.1 Booking and Registration Information

When you book a darkness retreat with us, we collect:

Full name and contact details (email, phone number, postal address)
Payment information (processed securely through encrypted payment gateways)
Preferred retreat dates and duration
Any special requests or preferences

2.2 Health and Medical Information

During your mandatory preparation consultation, we collect sensitive health information including:

Current mental and physical health status
Current medications and medical history
Mental health history (depression, anxiety, trauma, PTSD, psychiatric hospitalization)
Substance use history and current use patterns
Dietary restrictions, allergies, and intolerances
Mobility limitations or sensory impairments
Any previous trauma or emotional difficulties
Medical clearance or professional assessment letters (if applicable)
Claustrophobia, sleep disorders, or isolation-related concerns

Legal Basis: This health information is collected under the legal basis of contract performance (necessary to deliver safe retreat services) and legitimate interest (ensuring participant safety and wellbeing). Processing is necessary to assess your suitability for darkness retreat and manage your safety during the experience.

2.3 Emergency Contact Information

We collect emergency contact details including name, relationship, phone number, and email address of a close family member or trusted friend. This information is used solely for genuine emergency communication during your retreat.

2.4 Consultation and Communication Records

Notes from your preparation consultation with Greg Manning or other qualified Hestia member of staff may be recorded and retained to support your retreat experience and ensure continuity of care. These notes document your intentions, any health concerns discussed, preparation recommendations, and any special accommodations agreed.

2.5 Website and Technical Information

When you visit our website, we automatically collect:

IP address and device identifiers
Browser type and version
Pages visited and time spent on pages
Referral source
Cookie data (see Section 7)

3. How We Use Your Information

3.1 Primary Uses

We use your information to:

Deliver retreat services: Process your booking, facilitate your preparation consultation, provide your retreat experience, and offer post-retreat integration support
Ensure safety: Assess your suitability for a Darkness retreat, screen for health contraindications, and manage safety protocols during your stay
Provide support: Enable Greg Manning and Hestia staff to support you during your retreat via call button systems and 24-hour availability
Communicate with you: Send booking confirmations, retreat details, preparation guidance, and post-retreat follow-up
Process payments: Manage your payment, invoicing, and financial records
Legal compliance: Fulfill legal and regulatory obligations

3.2 Secondary Uses

With your explicit consent, we may use your information to:

Send newsletters and updates about future retreats or related offerings
Invite you to provide feedback on your experience (testimonials require separate written consent)
Conduct anonymized research on Darkness retreat outcomes and benefits

3.3 Marketing Communications

We will only send marketing communications if you have explicitly opted in. You may unsubscribe from marketing emails at any time by clicking the unsubscribe link or contacting us directly.

3.4 Data Aggregation and Analytics

We may anonymize and aggregate your data (removing all personally identifiable information) to improve our services, understand retreat outcomes, and enhance the guest experience. This anonymized data cannot be used to identify you.

4. Legal Basis for Processing (GDPR)

Under UK GDPR, we process your information on the following legal bases:

4.1 Contract Performance

Processing is necessary to perform the retreat services contract. This includes collecting and using booking details, health information, emergency contacts, and payment information to deliver your Darkness retreat experience.

4.2 Legitimate Interest

We process certain information based on our legitimate interest in:

Maintaining health and safety standards for all participants
Improving our retreat offerings and services
Protecting Hestia and our guests from harm
Conducting business operations efficiently

4.3 Consent

For optional uses such as marketing communications, testimonials, and research participation, we obtain your explicit written consent. You may withdraw consent at any time.

4.4 Legal Obligation

We process certain information to comply with legal requirements, including tax and accounting obligations, and emergency response requirements.

4.5 Vital Interests

In case of medical emergency, we may process your health information as necessary to protect your vital interests or the vital interests of others.

5. Data Protection & Security

5.1 Storage and Protection Measures

We take the security of your personal information seriously. Your data is protected through:

Encryption: Sensitive data including health information and payment details are encrypted in transit and at rest using industry-standard SSL/TLS encryption
Access Control: Only Greg Manning and essential Hestia staff with a legitimate need to know have access to your personal information
Physical Security: Hestia facilities maintain secure storage for physical records containing personal information
Administrative Safeguards: Staff are trained in data protection practices and confidentiality obligations
Regular Review: We conduct regular security assessments and updates to maintain data protection standards

5.2 Health Information Confidentiality

Your health and medical information is treated with the highest level of confidentiality. This sensitive data is:

Stored separately from general booking information where possible
Accessible only to Greg Manning unless you explicitly authorize other access
Protected against unauthorized disclosure
Never shared with third parties without your explicit consent, except where legally required

5.3 Data Breach Response

In the unlikely event of a data breach affecting your personal information, we will notify you without undue delay in accordance with GDPR requirements (within 72 hours of discovering the breach, unless not likely to result in risk to your rights and freedoms).

5.4 Limitations

While we implement robust security measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining the highest reasonable standards.

6. Data Sharing and Disclosure

6.1 Who We Share Your Data With

We do not sell, trade, or rent your personal information. Your data is shared only in the following circumstances:

6.2 Essential Service Providers

We may share information with third-party service providers who assist us in operating our website and delivering retreat services, including:

Payment Processors: Your payment information is shared with secure, encrypted payment processing providers (limited to minimum necessary information)
Email Communication Providers: Email service providers handle administrative and booking communications
Booking and Calendar Systems: Systems managing retreat scheduling and availability

All service providers are contractually bound to maintain your data confidentiality and use your information only as necessary to provide services to Hestia.

6.3 Legal Requirements and Emergencies

We may disclose your information if required by law or in response to valid legal process (court orders, subpoenas). In genuine medical emergencies, we may share health information with emergency services personnel as necessary to protect your health or safety.

6.4 Emergency Communication

Your emergency contact information will be shared only with the emergency contact you designate, and only in case of genuine emergency during your retreat.

6.5 No International Transfers

Your personal information is stored and processed within the UK and EU. We do not transfer data to countries outside the UK/EU except where strictly necessary and with appropriate safeguards in place.

6.6 Business Transfers

If Hestia is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of such changes and any resulting changes to this Privacy Policy.

7. Cookies and Tracking Technologies

7.1 Cookie Use

Our website uses cookies to enhance your browsing experience. Cookies are small text files stored on your device that allow us to recognize you on return visits.

7.2 Types of Cookies

Essential Cookies: Required for basic website functionality (login, booking forms, security)
Analytics Cookies: Help us understand how visitors use our website and improve user experience (Google Analytics)
Marketing Cookies: Track your interests to deliver personalized content (used only with your consent)

7.3 Consent and Control

You can control cookie settings through your browser. Most browsers allow you to refuse cookies or alert you when a cookie is being sent. Please note that disabling essential cookies may impair website functionality. You may withdraw consent to non-essential cookies at any time through our cookie consent tool.

7.4 Third-Party Analytics

We use Google Analytics to understand website usage patterns. Google may collect data about your website visits for its own purposes. Google's privacy policy governs their use of this data.

8. Your Rights Under GDPR

8.1 Right to Access (Subject Access Request)

You have the right to request a copy of all personal information we hold about you. Submit a Subject Access Request (SAR) by emailing hello@hestiaretreat.co.uk with "Data Subject Access Request" in the subject line. We will respond within 30 days.

8.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal information. Contact us to request corrections.

8.3 Right to Erasure ("Right to be Forgotten")

You may request deletion of your personal information in certain circumstances, such as when data is no longer necessary or when you withdraw consent. However, we may retain certain data where required by law (tax, legal obligations) or where we have a legitimate interest in retention.

8.4 Right to Restrict Processing

You may request that we restrict how we use your data in certain circumstances (e.g., while you contest accuracy of data).

8.5 Right to Data Portability

You have the right to request your personal information in a portable, machine-readable format and to transmit it to another organization.

8.6 Right to Object

You may object to processing of your data based on legitimate interest or marketing purposes. We will cease such processing unless we have compelling legal grounds to continue.

8.7 Right to Withdraw Consent

Where we process data based on your consent (marketing, testimonials, research), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

8.8 Right to Lodge a Complaint

If you believe we have violated your data protection rights, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at www.ico.org.uk.

9. Data Retention

9.1 Retention Periods

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected:

Booking and Retreat Data: Retained for 7 years following your retreat (for legal, tax, and safety documentation purposes)
Health Information: Retained for 7 years to support ongoing participant wellbeing and legal protection
Payment Records: Retained for 6 years to meet tax and financial regulation requirements
Emergency Contacts: Retained for duration of our business relationship, then securely deleted
Website Analytics: Automatically deleted by Google Analytics after 26 months
Marketing Consent: Retained until you unsubscribe or withdraw consent

9.2 Secure Deletion

When data is no longer needed, it is securely deleted or anonymized to prevent recovery. Physical records are destroyed through secure document shredding.

10. Children's Privacy

Hestia Darkness Hotel services are not directed at individuals under 18 years of age. We do not knowingly collect information from minors. If we become aware that we have collected personal information from a minor without proper parental consent, we will take steps to delete such information and terminate the minor's access to our services. For UK GDPR purposes, Darkness retreat is not suitable for anyone under 18.

11. Third-Party Links

Our website may contain links to third-party websites. This Privacy Policy applies only to Hestia's website and services. We are not responsible for the privacy practices of external websites. We encourage you to review the privacy policies of any third-party sites before providing personal information.

12. Updates to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. The "Last Updated" date will be changed accordingly. Your continued use of our services constitutes your acceptance of the updated Privacy Policy. Significant changes will be communicated to you via email if they substantially affect your rights or how we process your information.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your GDPR rights, or have privacy concerns, please contact us:

Email: hello@hestiaretreat.co.uk

Location: Hestia Darkness Hotel, Robins Folly, Semley, Shaftesbury, Dorset, SP7 9AQ

Data Protection Officer availability: We do not have a formally appointed Data Protection Officer, but all data protection inquiries will be handled by Greg Manning with the utmost care and attention to your privacy rights.

Last Updated: January 2026