Privacy Policy – Smith and Field Pubs and Bars

 Who we are: Smith and Field Pubs and Bars operated by [Smith & Field Tracing Co “A trading Name”], hereafter “Smith and Field”) is the data controller responsible for your personal data. We are committed to full compliance with the UK GDPR and Data Protection Act 2018. We provide clear contact information (including our email Contact@SmithAndField.co.uk and Data Protection Officer details) so you know who is collecting and using data.

Types of Data Collected: We collect personal information you provide directly (e.g. through bookings, orders or account registrations) and data gathered automatically. This includes:

• Identity & Contact Data: Name, date of birth, home address, email address and phone number if you supply them.
  
  
• Profile Data: Personal preferences (e.g. food and drink preferences, newsletter sign-ups) when you provide them.
  
  
• Tracking & Usage Data: Internet Protocol (IP) address, device or platform information, analytics cookies, and app usage data. We track how you use our website and app (e.g. pages visited, time spent, and clicks) for marketing and traffic analysis. These cookies and similar trackers are used in accordance with the Privacy and Electronic Communications Regulations (PECR) – we give clear notice about cookies and obtain consent for any that are not strictly necessary.
  
  
• Social/Third-Party Data: Interaction data from social media or maps (Facebook, Instagram, Twitter, Google Maps, Apple Maps, etc.) – we note that these platforms may collect data according to their own privacy policies, which is outside our control.
  
  
• On-Site Data (Wi-Fi): When you connect to our on-site Wi-Fi or other networks, we automatically collect device identifiers and usage data (e.g. sites visited, data volumes, time online). By using our access points you consent to this monitoring. We may block or restrict proxies, VPNs or high-volume commercial uses at our discretion (our Wi-Fi is for personal/domestic use).
  
  
• CCTV Footage: All Smith and Field premises use video surveillance. If you are on our premises, you are likely captured by CCTV cameras. We record live video images and store them as personal data (see “CCTV and Surveillance” below).
  
  

We collect data directly from you (e.g. through order forms, logins or app accounts) and indirectly (e.g. via cookies or sensors on our network). Whenever possible, we limit collection to data necessary for our purposes.

We use your personal data only for lawful and specified purposes, and we always identify our lawful basis under Article 6 of the UK GDPR. Our main purposes and bases include:

• Service Delivery (Contract): To process your orders, memberships or reservations and administer accounts, we process your identity and contact data as necessary to fulfill our contract with you (e.g. processing payments, delivering goods and services).
  
  
• Legal Obligations: We process personal data to meet legal or regulatory obligations (for example, financial/accounting records required by law, age verification for alcohol sales, or responding to law enforcement requests) on the basis of legal obligation or public interest.
  
  
• Legitimate Interests: We may use certain data on the basis of our legitimate interests (for example, to maintain security, prevent fraud on our networks, and manage our business). For instance, CCTV footage is processed for security and loss prevention – this is a legitimate interest of the business. We balance these interests against your rights, and you have the right to object.
  
  
• Marketing and Analytics (Consent/Legitimate Interest): We analyze aggregated traffic data (e.g. via Google Analytics on our site) to improve our services. For direct marketing (email, SMS or post), we will obtain your consent or rely on the “soft opt‑in” rule if you are an existing customer. We adhere to PECR: for marketing emails to individuals we require consent (or legitimate interest if you have not opted out). You can unsubscribe or opt out of marketing communications at any time.
  
  
• App Functionality (Contract and Legitimate Interest): If you use our mobile ordering app, we process device information and app usage to provide the service (contract) and improve app performance.
  
  

In all cases, we explain each purpose to you transparently. As required by GDPR, we inform you of the lawful basis for processing your data.

We do not sell your personal data for unrelated commercial purposes. We may share personal data with third parties only as follows:

• Service Providers: We use third-party vendors for certain services (e.g. IT hosting, payment processing, delivery services, marketing agencies, customer support tools). These parties act as processors on our behalf and are bound by contract to protect your data.
  
  
• Affiliates and Agents: We may share data with other companies in the Smith and Field group or with our authorized business partners (e.g. loyalty program partners, joint promoters) strictly for the purposes outlined above.
  
  
• Legal and Regulatory Authorities: We may disclose personal data if required by law (such as court orders or requests by law enforcement) or to protect our rights. For example, CCTV footage may be provided to the police if a crime is under investigation.
  
  
• Advertisers/Platforms: To enable targeted marketing, we may link or match customer data (e.g. hashed email addresses) with advertising platforms like Facebook or Google. These platforms then use their data to deliver ads. However, we do not directly share personal contact details with them unless you consent.
  
  
• Other Controllers: Certain information (e.g. anonymized site usage statistics) may be shared with analytics or research partners.
  
  

In summary, your data is shared only with recipients who need it to perform services for Smith and Field or for compliance. As the UK GDPR notes, we are transparent about who receives data.

Our website and app use cookies and similar technologies. We inform you about the use of cookies and ask for consent for non-essential cookies (analytics, advertising). You have options to control these in your browser or app settings. Note that third-party content (e.g. Google Maps, social media plugins) may set their own cookies; we are not responsible for those.

We track IP addresses and device data to understand traffic sources and improve services. Users can manage their cookie preferences or opt out via the tools we provide. For any cookies not strictly necessary, we will obtain your clear consent first.

If you use Smith and Field’s on-site Wi-Fi or data points, please note: we may log your device MAC/IP address, browsing domains, and bandwidth usage for network management and security. By connecting, you agree to this monitoring. We reserve the right to block proxy/VPN services and to enforce an acceptable-use policy: our internet is for private/domestic use only. Use of our networks for illegal, terrorist, or commercial resale activities is prohibited and may be reported to authorities.

All Smith and Field premises are equipped with video surveillance cameras for security and compliance. CCTV footage constitutes personal data and is processed under UK GDPR. In accordance with guidance, we register our CCTV with the ICO and pay the data protection fee. We also inform individuals via clear signage that CCTV recording is in operation.

Access to CCTV recordings is strictly controlled and limited to authorized personnel. We use CCTV footage only for its intended purpose (e.g. preventing crime, ensuring safety) and will not repurpose it without legal justification. If an incident occurs (such as a crime or health & safety issue), footage may be shared with law enforcement or relevant authorities under lawful grounds. If your image is recorded and a legal matter arises, we may be required to provide it to the courts or police.

You have the right to request access to any recordings of yourself. As with other personal data, such requests (subject access requests) must be answered within one month and are generally provided free of charge.

We retain personal data only as long as necessary to fulfill the purposes outlined above, consistent with the GDPR’s storage limitation principle. For example:

• Account/Transaction Data: We keep customer account and order history as long as your account is active and, in some cases, for statutory periods (e.g. up to 7 years for tax records).
  
  
• Marketing Data: We keep marketing consents and mailing lists until you unsubscribe or request deletion.
  
  
• CCTV Footage: Our CCTV recordings are stored for a limited time (usually [e.g. 30 days]) unless needed for an investigation; old footage is regularly deleted unless retained for a specific purpose.
  
  

If we do not have a defined retention period, we will explain the criteria used (for instance, reviewing data annually and removing inactive records). In all cases, data that is no longer needed is securely erased or anonymized.

Under UK GDPR, you have several rights regarding your personal data. We will inform you of these rights and how they apply to our processing. These rights include:

• Right to be informed: You have the right to be informed about how your data is collected and used. This Privacy Policy is part of that obligation.
  
  
• Right of Access (Subject Access Request): You can request a copy of the personal data we hold about you. Please send your request to Contact@SmithAndField.co.uk with “DSAR” in the subject line. We will respond within one month (one month by law, in rare cases we may extend by two months if the request is complex). A copy of your data will generally be provided free of charge.
  
  
• Right to Rectification: If you believe any information we hold about you is incorrect or incomplete, you can ask us to correct it.
  
  
• Right to Erasure: In certain circumstances you can ask us to delete your data (for example, if it is no longer needed for the purpose it was collected, or if you withdraw consent).
  
  
• Right to Restrict Processing: You can request that we limit how we use your data (for example, if you contest its accuracy or if you object to processing).
  
  
• Right to Object: You have the right to object to our processing of your data when the basis is our legitimate interests (for example, objection to marketing or analytics). If you object, we will stop processing unless we have compelling legal grounds. We will always make clear how you can object in our communications.
  
  
• Right to Data Portability: You may request a machine-readable copy of data you have provided to us, if applicable.
  
  
• Right to Withdraw Consent: If we are processing your data based on consent, you may withdraw that consent at any time easily (for example, by unsubscribing or deleting your app account).
  
  

To exercise any of these rights, please contact us at Contact@SmithAndField.co.uk with the appropriate subject (e.g. “GDPR” or “Data Protection”). We comply with all GDPR requirements for handling such requests. If at any point you are unhappy with how we handle your data, you can lodge a complaint with the UK Information Commissioner’s Office (ICO). If you are UK-based, you can complain to the ICO (details below).

We implement appropriate technical and organizational measures to protect personal data. For example, all electronic data is stored on secure servers, access to personal data is limited to authorized staff, and sensitive transactions are encrypted. We regularly review our security practices to guard against unauthorized access, loss or disclosure.

If any personal data is processed by third-party providers outside the UK (for example, using cloud servers or international payment services), we will ensure transfers are made in compliance with UK GDPR. We rely on adequacy decisions (the UK recognizes certain countries as offering adequate protection) or on standard contractual clauses as safeguards. (Note: the UK has an adequacy arrangement with the USA under the Data Privacy Framework for participating companies.)

This Privacy Policy may be updated from time to time (for example, if laws change). We will post any changes on our website with a clear update date. It is your responsibility to review updates.

If you have any questions about this policy or our data practices, please contact our Data Protection Officer at Contact@SmithAndField.co.uk (subject “Data Protection” or “GDPR”). You can also write to our registered office or call us at [Phone Number].

Supervisory Authority: If you wish to appeal or complain about our data practices, you can contact the UK Information Commissioner’s Office (ICO). The ICO’s website is ico.org.uk, or you can phone 0303 123 1113. We encourage you to contact us first so we can try to resolve any issue internally.

Last updated: 24/06/2025

This policy is drafted in accordance with UK data protection law and ICO guidance on privacy notices and CCTV. All specific statements above reflect legal requirements under the UK GDPR and Data Protection Act 2018.