This Privacy Notice describes how Saspherton & Hertford Ltd ("we", "us", "our", "the salon") collects, uses, shares, retains and protects your personal data when you visit our website at saspherton.co.uk, when you reserve a table, when you join Saspherton Klub, when you correspond with us, or when you visit the salon in person.
We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). We are registered with the Information Commissioner's Office under registration number ZB845721.
2.1 Who we are
The data controller is Saspherton & Hertford Ltd, of 22 Chiltern Street, Marylebone, London W1U 7QB. Our Data Protection Officer is reachable at dpo@saspherton.co.uk.
2.2 Personal data we collect
| Source | Data we collect |
|---|---|
| Reservation form | Your name, email address, phone number (optional), date and time of reservation, number of guests, room preference, Klub membership status, your notes (which may include dietary or accessibility information), email-update opt-in. |
| Contact form | Your name, email address, subject of enquiry, your message. |
| Klub application | Your name, postal address, email address, phone number, two character references' names and contact details, payment details processed via our card-terminal provider (which we do not retain). |
| Salon visit (in person) | When you make a reservation in person or by phone, we record your name, the date, and the number of guests. Card-terminal transactions are processed by our card provider; we do not retain card numbers. |
| Cookies and analytics | The website does not load analytics cookies by default. Where the operator activates analytics post-deploy, the cookies set will be declared in our Cookie Policy. |
| Email correspondence | We retain emails sent to / from @saspherton.co.uk addresses for the retention period set out in Section 2.6. |
| CCTV | Front-door CCTV (one camera, 24-hour recording, 14-day retention) covering the immediate Chiltern Street pavement and the salon's entrance. Inside the salon, no CCTV. |
2.3 Lawful bases for processing
We process personal data under one or more of the following lawful bases under Article 6(1) UK GDPR:
- Contract (Article 6(1)(b)) — to perform a reservation or Klub-membership contract you have entered into with us; for example, contacting you to confirm a reservation.
- Legitimate interests (Article 6(1)(f)) — for the operation of the salon (for instance, recognising returning members, assigning a card host with appropriate language skills, retaining email correspondence for service-quality monitoring), where those interests are not overridden by your fundamental rights and freedoms.
- Legal obligation (Article 6(1)(c)) — for VAT records, tax records, employment records, alcohol-licence records, food-hygiene records, and the like.
- Consent (Article 6(1)(a)) — for any direct-marketing email (including the Saspherton Klub paper newsletter, where collected by email pre-printing) and for non-essential cookies.
Special-category data (Article 9 UK GDPR) — for example, dietary information that reveals a health condition — is processed only with your explicit consent, given when you provide it on a reservation note.
2.4 How we use your data
We use your personal data for the following purposes:
- Reservation handling — confirming, amending, cancelling, or pre-preparing for your reservation.
- Klub administration — managing your Saspherton Klub membership, processing your annual subscription, sending the quarterly paper newsletter, issuing guest passes, sending Hedera Hour invitations.
- Customer service — responding to enquiries; handling complaints; resolving billing or service issues.
- Compliance — meeting legal duties (VAT, accounting, alcohol licensing, food hygiene), responding to lawful enquiries from authorities, and supporting any legal claim.
- Quality monitoring — anonymous review of email correspondence to identify service-improvement opportunities. We do not share, publish, or commercialise this analysis.
- Direct marketing — only with your prior consent, and only for the salon's own purposes. We do not sell or rent your data.
2.5 Sharing your data
We share your personal data only:
- with our service providers: our reservation-form endpoint provider (post-deploy: to be specified in this notice); our card-terminal provider; our hosting provider (post-deploy: to be specified in this notice); our email provider; our printer for the paper newsletter (Park Communications, London); our wine-and-supplier list does not receive your personal data.
- with our professional advisers: lawyers, accountants, auditors, when needed.
- with public authorities: when required by law (HMRC for tax, the Information Commissioner's Office for data-protection enquiries, the police for criminal investigation, the Westminster City Council for licensing matters).
- on the salon's sale: in the event Saspherton & Hertford Ltd is sold or its business transferred, your personal data will pass to the buyer under the same terms as this notice. We will notify members of any such change at the email address we hold for you.
We do not share, sell, rent, lease, or otherwise dispose of your personal data to any third party for that party's own marketing purposes.
2.6 How long we retain your data
| Data | Retention |
|---|---|
| Reservation records | 12 months from the date of the reservation. |
| Klub-membership records | duration of your membership plus 6 years (in case of subsequent dispute). |
| Email correspondence | 24 months from the last reply, then archived; archive retained for the legal-claims limitation period (typically 6 years). |
| VAT and tax records | 7 years (HMRC requirement). |
| Employment records | as required by employment law (typically 6 years from termination). |
| CCTV at the front door | 14 days, then automatically overwritten on the recorder. |
| Cookies | per the Cookie Policy. |
2.7 Your rights
Under UK GDPR you have the right to:
- be informed about how we use your data (this notice fulfils that right);
- access the personal data we hold about you (a Subject Access Request);
- rectify inaccurate or incomplete personal data;
- erase your personal data (the "right to be forgotten"), subject to legal-retention exceptions;
- restrict the processing of your personal data;
- port your personal data, where the processing is based on contract or consent;
- object to processing where the lawful basis is legitimate interests or direct marketing;
- withdraw consent at any time, where the lawful basis is consent;
- complain to the Information Commissioner's Office (https://ico.org.uk/).
To exercise any of these rights, contact our Data Protection Officer at dpo@saspherton.co.uk. We will respond within one month of receiving your request, or sooner where the request is straightforward; we may extend by up to two further months if the request is complex, in which case we will inform you of the extension within the first month.
2.8 Cookies
The use of cookies on the website is described in the Cookie Policy at /cookies/. Cookiebot manages our cookie consent under our CBID e7c189d4-3b25-4a8f-9217-6d50e4b1f8cd.
2.9 International transfers
Where any of our service providers processes your personal data outside the United Kingdom, we rely on:
- the UK Adequacy Decisions (where applicable);
- the Standard Contractual Clauses (SCCs) approved under UK GDPR;
- the UK International Data Transfer Addendum (IDTA) appended to standard contractual clauses;
- the EU-US Data Privacy Framework, where the recipient is certified.
Specifically, the following named transfers occur on our website:
- Google reCAPTCHA tokens generated on our reservation and contact forms are transmitted to Google LLC in the United States. Google LLC is certified under the EU-US Data Privacy Framework and the UK Extension to that framework; the transfer is therefore made in reliance on those certifications.
- Google Fonts are served from
fonts.gstatic.comoperated by Google LLC, also relying on the same Data Privacy Framework certifications. Google Fonts does not place cookies; the transfer is limited to font-file requests bearing your IP address and User-Agent header. - Google Maps embed on /contact/ and /reservations/ sends your IP address and User-Agent to Google LLC under the same certifications when the iframe is loaded; we have set
loading="lazy"so the embed loads only when scrolled into view. - Our hosting provider is selected by the operator post-deploy and disclosed here at that time.
A current list of our international data-transfer arrangements is maintained by the DPO; please contact dpo@saspherton.co.uk for an up-to-date statement.
2.10 Children
The salon is an eighteen-plus venue. We do not knowingly collect personal data from any person under the age of eighteen. If you believe we have inadvertently done so, please contact our DPO and we will delete the data.
2.11 Changes
We may amend this Privacy Notice from time to time. Material changes will be announced on the website and, where you are a Klub member, by email. The "last reviewed" date at the top of this notice indicates the most recent revision.
2.12 How to contact our Data Protection Officer
| dpo@saspherton.co.uk | |
| Postal | Data Protection Officer · Saspherton & Hertford Ltd · 22 Chiltern Street · Marylebone · London W1U 7QB |
| Telephone | +44 20 7935 4225 (office line; ask for the DPO) |
If after contacting us you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office · Wycliffe House · Water Lane · Wilmslow · Cheshire SK9 5AF
Telephone: 0303 123 1113 · Website: https://ico.org.uk/