
Party and Play Privacy Policy

Last updated: 14 November 2025

Party and Play ("we", "us", or "our") is committed to protecting your privacy in compliance with the UK General Data Protection Regulation (UK GDPR) and related laws. We have written this Privacy Policy in clear, plain language – avoiding unnecessary legal jargon – to explain what information we collect, how and why we use it, and the choices and rights you have. This policy applies when you use our website or otherwise interact with us online (for example, by submitting an enquiry form). Please read it carefully to understand our practices.

Who We Are and How to Contact Us

Party and Play is a soft play party service provider based in the United Kingdom and is the “data controller” responsible for the personal data collected through this website. In other words, Party and Play determines the purposes and means of processing your personal data[2]. If you have any questions about this Privacy Policy or wish to exercise any of your rights (described below), please contact us at [info@partyandplay.uk]. We take privacy seriously and will respond to your inquiries promptly. (Note: If you prefer to contact us by mail or phone, please see our Contact page for additional contact information.)

What Personal Data We Collect and Why

We collect personal information that you voluntarily provide to us (for example, by filling out forms on our website), as well as some data automatically collected through cookies and tracking tools when you use our site. We do not collect more data than necessary for our purposes, and we do not knowingly collect personal information from young children without appropriate consent.
Below is an overview of the types of data we collect and the purposes for which we use it:

• Information You Provide to Us: This includes details you submit via our web forms or other communications: name, email address, your child’s age, party preferences or requirements, and any other information you choose to provide in your messages. We collect these details so that we can respond to your enquiries, customize and plan your child’s party, and provide the services or information you request. For example, we need your contact information to get in touch about your booking or question, and knowing the child’s age and party preferences helps us tailor our party packages to your needs. If you opt-in to receive marketing emails, we will also use your name and email to send you updates, special offers, or newsletters about our services.

• Information Collected Automatically (Cookies and Usage Data): When you visit our website, certain data about your device and browsing actions is collected automatically through cookies, pixels, and similar tracking technologies. This usage data may include your device’s IP address, browser type, device identifiers, pages or screens you view, date/time of visits, and how you interact with our site. We use this information to understand how visitors find and use our website, to troubleshoot and improve our website’s functionality, and to measure the effectiveness of our marketing campaigns[3]. For instance, we use Google Analytics cookies to gather statistics on website traffic and user behavior (e.g. which pages are most visited)[4]. We also integrate Facebook (Meta) Pixel, which uses cookies and similar technologies to collect data about your visit for analytics and targeted advertising purposes[5]. This helps us (a) analyze the effectiveness of our Facebook/Instagram ads and (b) show you relevant ads on those platforms if you have visited our site.
Please note that these third-party tools (Google Analytics and Meta Pixel) may collect and process data for their own purposes as well; for example, Google may associate analytics information with your Google account if you are logged in while browsing[6]. For more details, see the Cookies and Tracking section below and refer to Google’s and Meta’s privacy policies. Importantly, we do not use the automatically-collected data to try to personally identify you or profile you by name – we review it in aggregate to improve our services[7].

• Other Data: If you contact us directly via email, phone, or social media, we may keep a record of that correspondence and any personal data you provide during the interaction (such as your name, contact information, and the nature of your enquiry). We will use such information solely to communicate with you and resolve your enquiry or provide the requested service.

No User Accounts at Present: As of the date above, our website does not require or offer user accounts or memberships. This means we do not collect any registration or login credentials (usernames, passwords) at this time. If in the future we introduce a membership system or customer accounts, we will collect the personal data necessary for account creation and management (such as account name, password, and profile details) and use it to provide and administer the membership features. We will update this Privacy Policy accordingly before launching such features to inform you about any new data collection and uses. Rest assured, we will not begin collecting new categories of personal data without notifying you and obtaining any required consent.

Children’s Privacy: Our services are generally aimed at parents and guardians planning events for children, and our website is not intended for use directly by children under the age of 13. We do not knowingly collect personal information from children under 13 without parental consent.
If you are under 13, please do not submit any personal data to us. If we discover that a child under 13 has provided us with personal information without a parent/guardian’s consent, we will delete that information. In situations where we ask for a child’s details (such as age or interests for a party), we assume this information is provided by a parent or guardian and with their authorization. Under UK data protection law, children under 13 require parental permission for their personal data to be processed, whereas children aged 13 or above can provide their own consent in most online contexts[8]. We encourage parents to supervise their children’s online activities and help enforce this Privacy Policy.

How We Use Your Personal Data

We will only use your personal data for specific purposes and where we have a valid legal basis to do so (see the Legal Bases section below). In general, we use the collected information for the following purposes:

• Providing and Personalizing Our Services: We use your information to organize and deliver the services you request, such as booking and planning your soft play party. For example, we use the details you provide on the party inquiry form (name, contact info, child’s age, party preferences) to communicate with you about your event, tailor the party package to the appropriate age group, and make the necessary arrangements. This also includes general customer service – responding to your questions, confirming bookings, and otherwise communicating with you to fulfill your requests.

• Communicating with You: We may use your contact information (email or phone number) to send service-related communications. These include responses to inquiries, confirmations and updates about your party booking, or important information about changes to our services or policies. We will not bombard you with messages, but we will contact you when needed to carry out our obligations and ensure you have the information you need.
• Marketing and Promotional Emails (with Consent): If you have explicitly opted in to receive marketing communications, we will use your name and email address to send you newsletters or promotional offers related to our soft play parties, events, or new services. These emails might include special discounts, announcements of new party themes, or helpful tips for planning children’s parties. You are free to opt out of marketing emails at any time (see Your Choices below), and we will only send you such communications with your consent. We do not share your contact details with third parties for their own marketing.

• Website Analytics and Improvements: We use data collected through cookies and similar technologies to understand how our website is used and to improve its design, content, and functionality[3]. For instance, analytics data helps us identify which pages are popular, how users navigate the site, and if any pages are slow or encountering errors. This analysis informs improvements to the user experience (such as making navigation easier or content more relevant). We also evaluate the effectiveness of our advertising and outreach – for example, Google Analytics and Wix Analytics inform us how visitors found our site (e.g., via a Google search or a Facebook ad)[9], so we can measure our marketing campaigns’ success and optimize our efforts. These processing activities are generally done on an aggregated basis (not tied to individual identities) and help us run our business more efficiently.

• Advertising and Retargeting: We may use certain data to serve you targeted advertisements about our services, only if you have permitted the use of advertising cookies/pixels. For example, if you consent to our use of the Facebook Pixel on our site, that Pixel will report your visit back to Facebook, which may allow us to show you a Party and Play advertisement on Facebook or Instagram later.
This practice is known as retargeting – showing ads to people who have visited our website[10][11]. We use retargeting to remind you of our services and special offers, but only if you have agreed to such tracking. We want to emphasize that we do not see your individual browsing on other sites – we only receive reports and the ability to display our ads through Facebook’s or Google’s systems. You have the right to object to this kind of targeted advertising and to opt out of the associated data collection (see Your Choices below)[12].

• Security and Fraud Prevention: We may process data (such as IP addresses or other logs) to protect our website, business, and users from fraud, abuse, or security threats. This includes using information to verify user activity, detect bots or malicious behavior, and safeguard the integrity of our website. For example, we might use automated tools to filter out spam form submissions or block IP addresses that show patterns of suspicious activity. These measures help ensure our services remain safe and secure for all users.

• Legal Obligations and Record-Keeping: In certain circumstances, we may need to use or retain your data to comply with our legal obligations. For example, we might keep invoice records of any transactions for tax and accounting purposes, or disclose information if required by law enforcement or regulatory authorities (only when such disclosure is mandated by law). We will also use your data as necessary to exercise or defend our legal rights, or to comply with safety obligations. For instance, if you inform us of any health and safety needs for your event, we will use that information as needed to ensure the well-being of participants.

We will not use your personal information for any purpose that is incompatible with the above purposes without obtaining your consent or unless required or permitted by law.
If we ever need to process your data for a new purpose not described here, we will inform you and, if required, seek your permission.

Legal Bases for Processing Your Data (UK GDPR)

Under the UK GDPR, we must have a valid legal basis to process your personal data[13]. Depending on the specific context and type of personal data, we rely on one or more of the following legal bases:

• Consent: We will process your personal data with your consent in situations where consent is required or the most appropriate basis. For example, we rely on your consent to send you marketing emails or newsletters – we only send these communications if you have opted in. Likewise, we ask for your consent before setting non-essential cookies or using analytics/advertising tools like Google Analytics and Facebook Pixel on your device[14]. You have the right to withdraw your consent at any time (see Your Choices below), and we will immediately stop the processing that was based on consent[15]. For instance, if you unsubscribe from our mailing list, we will cease sending you promotional emails. (Please note that withdrawing consent does not affect the lawfulness of any processing we already carried out while we had your consent.)

• Performance of a Contract: When we enter into an agreement to provide you with services, we process your personal data as necessary to perform our contract with you or to take steps at your request before entering into a contract[16]. In practical terms, this means we use your data to arrange and deliver the party or event you booked, since those processing activities are required to fulfill our service commitment to you. If you ask for a quote or information about a party, using your details to respond is a pre-contractual step taken at your request. Without this data, we wouldn’t be able to provide the services you expect.
• Legitimate Interests: We may process your personal data where it is in our legitimate interests to do so, provided that such processing is not overridden by your own rights and interests[17]. We have a legitimate interest in running, improving, and securing our business. For example, analyzing website usage to improve our services, or using cookies for analytics and metrics, can be based on our legitimate interest in understanding our customers and enhancing their experience[18]. Similarly, responding to your inquiries and keeping basic records of our communications are within our business interests of providing good customer service. When we rely on this basis, we carefully consider and balance any potential impact on you (both positive and negative) and your rights. We will not use legitimate interests as a ground for processing your data if we conclude that our interests are outweighed by the impact on your privacy. Important: Where privacy laws (like PECR or ePrivacy directives) require consent for certain activities (e.g. setting advertising cookies), we will seek consent even if we could argue a legitimate interest – your choice comes first in such cases.

• Legal Obligation: We will process your personal data if necessary for us to comply with a legal obligation[19]. This means if UK law or regulations require us to process data (for example, retaining certain transaction records for tax compliance, or providing information to authorities under a lawful order), we will do so. We only disclose or use the minimum data necessary to meet our legal responsibilities. For instance, under financial regulations, we may be obliged to keep billing information for a certain number of years, or we might have to share personal data if properly required by a court order or the Information Commissioner’s Office (ICO).
• Vital Interests: Although unlikely, we may process personal data if it is necessary to protect someone’s vital interests[20] – essentially, to protect someone’s life or an emergency situation. An example could be if a serious incident occurred at one of our events and we needed to provide a participant’s medical information (that we had on file) to first responders to prevent harm. This is a rare basis that would only apply in critical, life-or-death scenarios.

• Public Task: (This basis typically applies to public authorities and is not generally relevant to our private business operations. We do not anticipate processing data under this basis, as it is not applicable to Party and Play’s activities.)

In summary, the main bases we use are Contract (for providing our services and responding to requests), Consent (for optional uses like marketing and certain cookies), Legitimate Interests (for improving and securing our services in ways that do not unduly impact your privacy), and Legal Obligation (where we have a duty under law). If you have questions about the specific legal basis for any processing of your data, feel free to contact us for more information.

Cookies and Tracking Technologies

Like most websites, we use cookies and similar tracking technologies (such as web beacons and pixels) on our site. Cookies are small text files that are placed on your device (computer, tablet, smartphone) when you visit a website, which allow the website to recognize your device and store certain information about your preferences or past actions[21]. In this section, we explain how we use cookies and other trackers, and how you can manage your preferences.

Types of Cookies We Use: The cookies and tracking technologies on our site serve different purposes:

• Essential Cookies: These cookies are necessary for the basic functionality of our website.
For example, if our site uses a cookie to remember your cookie consent choice or to enable you to fill out forms without re-entering details on every page, that is an essential cookie. We do not require consent for essential cookies, as they are needed to provide you with the service you requested (such as navigating the site or using basic features).

• Analytics Cookies (Google Analytics and Wix Analytics): We use Google Analytics, a web analytics service provided by Google, and Wix’s built-in analytics, to collect information about how visitors use our site. Google Analytics sets cookies (such as _ga and others) on your browser to gather data like your IP address, pages visited, time spent on each page, and interactions with our site[4]. We have configured Google Analytics in a privacy-friendly manner as much as possible (for example, by anonymizing IP addresses if feasible) and we use the insights from these cookies to improve our website’s content, performance, and marketing. Similarly, Wix Analytics may use cookies or other means to track visitor activity on our site (since our website is built on the Wix platform). The information from analytics cookies is aggregated and does not directly identify you; it simply helps us understand trends in site usage. Important: We do not activate Google Analytics or other analytics cookies without your consent. When you first visit our site, you will be presented with a cookie banner requesting your permission to place analytics cookies on your device, in compliance with applicable law[14]. If you decline, Google Analytics will remain inactive during your visit, and only essential cookies will run.

• Advertising and Social Media Cookies (Facebook/Meta Pixel): With your consent, we utilize the Facebook Pixel (now commonly referred to as the Meta Pixel) on our site. This is a piece of code provided by Meta (Facebook) that, when enabled, sets cookies or similar tracking tools to collect data about your visit.
The Pixel reports information such as the pages you viewed, actions you took (e.g., clicking a button), and certain technical details to Facebook[5]. Facebook can then use that data to provide us with analytics about ad performance and to serve you targeted advertisements on their platforms. In other words, if you allow these cookies, you might later see an ad for Party and Play on Facebook or Instagram because the Pixel indicated that you visited our site[22]. These cookies work by uniquely identifying your browser and device; however, we do not see personal information like your Facebook profile data – we only receive marketing reports and the ability to create “custom audiences” for ads. As mentioned above, we do not load the Facebook Pixel unless you have given consent via the cookie banner. If you opt out, the Pixel will not track your visit. (Please note that Facebook may still collect certain information if you have an account and are logged in due to their own cookies, but our integration will not actively send data without consent.) For more information on how Meta uses data collected via the Pixel, you can review Facebook’s Data Policy and Facebook’s Cookie Policy. We ensure that any use of these advertising cookies is done in compliance with UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

• Other Third-Party Cookies: We currently do not use other third-party advertising networks or plugins that set cookies (for example, Google Ads remarketing, Twitter widgets, etc.), aside from the ones mentioned above. If this changes in the future (say we partner with another analytics provider or embed content that sets cookies), we will update this policy and obtain necessary consents. Our goal is to be transparent and give you control.

Your Cookie Choices: When you first visit our website, you will see a cookie consent banner. You can choose to accept all cookies or reject non-essential cookies.
If you reject, we will not set analytics or advertising cookies – only essential cookies will be used for the site to function. If you accept, you are helping us improve our site and marketing, but it’s completely your choice. You can also manage or change your cookie preferences at any time. For instance, if you initially accepted but later change your mind, you might find a “Cookie Settings” link on our site (often in the footer) to adjust your preferences. Alternatively, you can clear cookies from your browser, which will usually reset the consent banner to appear again on your next visit so you can make a new choice.

Regardless of your selection on our site, you can always control cookies through your browser settings. Most web browsers allow you to refuse new cookies, delete existing cookies, or warn you when new cookies are being set. Please note that blocking all cookies (including essential cookies) through your browser could affect the functionality of our site – for example, some features may not work properly if cookies are disabled.

For analytics specifically, Google provides an opt-out browser add-on you can install that prevents Google Analytics from collecting data on any websites you visit[23]. If you want to opt out of the Facebook Pixel, you can use your Facebook account ad settings to control what ads you see and how your off-Facebook activity is used. Facebook also honors the AdChoices opt-out options: you can visit sites like the YourAdChoices (DAA) or Your Online Choices (EDAA for EU/UK) to opt out of interest-based advertising from participating networks. We have provided these links for your convenience; using them will set opt-out cookies in your browser to signal your preferences.

In summary, cookies help us give you a better experience and relevant content, but we respect your choices.
We advise you that third parties (like Google and Facebook) may use cookies on our site to collect information and provide you with targeted advertising based on that information[11]. You have the right to object to this and opt out, as described. See the Your Rights and Your Choices sections for more on how to opt out of cookies and tracking. For more detailed information on all cookies used on our site (names, purposes, expiration), please refer to our Cookie Policy or contact us.

Data Sharing and Disclosure

We treat your personal data with care and do not sell it to third parties for their own marketing or other independent use[24]. However, in order to run our business and provide our services, we sometimes need to share your information with certain third parties (service providers and partners) who process data on our behalf. We only share the information that is necessary for them to perform the agreed services, and we require all such third parties to protect your data and use it only for our specified purposes[25][26]. The main categories of third parties with whom we may share personal data are:

• Website Hosting and Platform Provider (Wix.com): Our website is built on and hosted by the Wix platform. Wix acts as a data processor for the data collected through our site, which means Wix processes visitor data on our instruction and for our purposes[2]. Personal data entered in our web forms or generated by your browsing is stored on Wix’s servers. Wix is a reputable website provider that is contractually committed to keeping personal information secure and confidential in line with industry standards[26]. Wix will not use your data for its own unrelated purposes. For more information, you can review Wix’s Privacy Policy and Wix’s Data Processing Agreement. Notably, Wix may store data on servers located outside the UK (see International Data Transfers below), but it employs robust safeguards for data protection.
• Analytics Services (Google Analytics and Wix Analytics): As described in the Cookies section, we use Google Analytics to analyze our website traffic. In doing so, certain data (like your IP address and device info) may be collected by Google. Google acts as a data processor for us in providing aggregated statistics reports, but Google may also use analytics data for its own purposes in accordance with its privacy policy (for example, improving its Analytics service). We have enabled settings to limit the data Google can see (like IP anonymization). Google may process collected data on servers in the United States or other countries; however, Google is required to provide an adequate level of protection for personal data, and our use of Google Analytics is governed by Google’s terms which incorporate the EU/UK Standard Contractual Clauses for data transfers. We do not share any information with Google beyond what is automatically collected through the Analytics tool. Similarly, if Wix Analytics is active, Wix may collect usage data to provide us with insights. That data is handled under Wix’s privacy framework. In summary, these analytics providers get certain pseudonymized information about your visit, which they aggregate for statistical purposes. They do not receive your name, email, or other directly identifying information through our integration.

• Advertising Partner (Meta/Facebook): If you consent to advertising cookies (Facebook Pixel), certain data about your visit is shared with Meta (Facebook). In that case, Meta acts as a joint controller of the data collected via the Pixel, since it will use that information for its own advertising purposes (to improve ad targeting and user experience on its platforms) in addition to providing us with advertising services[27]. We ensure that our use of the Pixel complies with Facebook’s Business Tools terms, which require us to notify users of this data sharing and obtain consent for it[28].
Any information we share via the Pixel is hashed and does not include things like your name or email (unless you yourself are logged into Facebook and they link it on their side). We do not receive any personal data from Facebook about you – we only see audience sizes and ad performance metrics. Facebook may combine data from our site with data from your Facebook profile or activity to personalize ads, according to your Facebook settings. Please refer to Facebook’s Data Policy for details on how they process and share this information. You have choices to opt out of this processing (see Your Choices). Aside from the Pixel, we do not directly share your personal data with Facebook or Meta.

• Email Service Provider: If you subscribe to our marketing emails or newsletter, we may use a third-party email delivery service to manage our mailing list and send out emails (for example, services like MailChimp, SendGrid, Wix’s Email Marketing, or similar). In doing so, we would provide your name and email address to that service provider for the sole purpose of sending you the emails you signed up for. Our email service providers are bound by contracts to protect your data and not to use it for any other purpose. They typically operate servers in the US or EU; if any data is transferred outside the UK, we ensure appropriate legal safeguards are in place (such as Standard Contractual Clauses). You can unsubscribe from our emails at any time, and we will then remove your data from the active mailing list.

• Payment Processors (if applicable): Currently, Party and Play does not process payments through the website. If in the future we offer online payments for deposits or bookings, we may use a third-party payment gateway (such as PayPal, Stripe, etc.). In that scenario, the payment processor would handle your payment details directly on their secure system.
We would only receive confirmation of payment and basic details needed to reconcile the transaction (e.g., name, amount, timestamp). We would update this policy with the relevant details at that time. Any payment processor we engage will be required to comply with data protection standards and securely handle your financial information (most are PCI-DSS compliant by industry requirement).

• Other Service Providers: We may use trusted third-party companies for various support services, such as IT support, cloud storage or backup, customer relationship management (CRM) tools, or analytics consultants. If any such provider needs access to personal data to perform their function (for example, if we store data backups on a cloud server, or if an IT support vendor is troubleshooting an issue that involves personal data), we will ensure they are contractually obligated to keep the information confidential and secure. They will also be required to delete or return the data once they have completed the service. We will only engage providers that can demonstrate compliance with data protection laws.

• Business Transfers: If in the future our business is involved in a merger, acquisition, sale of assets, or similar corporate transaction, personal data may be transferred to the new owner or partner as part of that deal. If such a transfer occurs, we will ensure that your data remains subject to confidentiality obligations and, at a minimum, the same protections outlined in this Privacy Policy. We would provide notice on our website if a business transfer materially affects how your personal data is handled.

We will never share your personal information with third parties for their own independent marketing or advertising purposes without your consent. All third parties that process user data on our behalf are carefully vetted.
We have data processing agreements in place with them, requiring them to implement appropriate security measures and to process data only according to our instructions[26]. In the event any third-party access to personal data is no longer needed, we ensure they securely dispose of it.

Disclosure Required by Law: Aside from our service providers, we may also disclose personal information to third parties if required by law or strictly necessary to comply with legal obligations. For example, we might have to provide information in response to a court order, subpoena, or lawful request by government authorities (such as the police or regulatory agency). We will evaluate any such request carefully and only provide the minimum data necessary to comply with the law. Whenever permitted, we would inform you of such disclosure.

Aggregated or Anonymized Data: We may share statistics and insights in aggregate form (i.e., not linked to any individual) – for instance, reporting the total number of website visitors in a month, or the percentage of users interested in a certain party theme. This kind of information does not identify you personally and is typically used to communicate our business performance or user trends (for example, in marketing materials or partnership discussions).

Data Storage and Security

We understand that the security of your personal data is extremely important. We have implemented appropriate technical and organizational measures to protect your information against unauthorized access, loss, or alteration. These measures include, for example:

• Our website is secured via SSL/TLS encryption. This means any data you enter on our site (such as form submissions) is transmitted securely over HTTPS – you should see a padlock icon in your browser address bar when interacting with our site. Encryption helps ensure that your information cannot be intercepted and read by unauthorized parties during transmission[29].
•We rely on secure servers operated by our platform provider (Wix) and other service providers. Wix and related services have robust security protocols in place, including firewalls, intrusion prevention systems, and regular security monitoring[29]. For instance, Wix stores data in secure data centers with physical and electronic safeguards, and implements encryption to protect stored personal information[29]. They also maintain industry security certifications (such as PCI DSS for any payment processing, although we currently don’t process payments through Wix) to ensure a high standard of data protection.

•Within our organization, we restrict access to personal data. Only authorized personnel who need to process your information for the purposes described (for example, our booking staff or management responsible for customer service) have access to your personal data. These persons are trained on privacy requirements and are bound by confidentiality obligations.

•We implement password protection and access controls for any accounts or systems that store personal data. For example, access to our website’s backend and any databases requires authentication and is limited to our administrators. We also keep our systems and software up to date with security patches to reduce vulnerabilities.

•We periodically review our information collection, storage, and processing practices to ensure we are following industry best practices for security. We also use secure methods to dispose of or anonymize personal data if it is no longer needed (see Data Retention below).

While we take many precautions to safeguard your data, it’s important to note that no method of transmission over the Internet, and no method of electronic storage, is completely secure or infallible.
Despite our efforts, we cannot guarantee absolute security of information in all circumstances – for example, there is always some risk that an unauthorized third party could find a way to thwart our security measures or that a vulnerability unknown today could be exploited[30]. You share and transmit data to us at your own risk. We encourage you to take steps as well, such as using secure networks and keeping your own devices and passwords protected. If you believe your interaction with us or any of your personal data is no longer secure, please contact us immediately so we can investigate.

Data Breach Procedures: We have a plan in place to deal with any suspected personal data breach. A data breach could be, for example, a security incident that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. If such an event were to occur, we would act promptly to contain and assess the breach. Part of our plan, if a breach is likely to result in a high risk to your rights and freedoms, is to inform you and the appropriate authorities within the required timeframe. Under UK GDPR, we are required to notify the ICO and potentially affected individuals without undue delay and, where feasible, within 72 hours of becoming aware of a serious breach. In line with this, if we discover a breach that compromises your personal data, we will endeavor to inform you within 72 hours of detection[31], along with information on what happened and any steps you should take to protect yourself. We hope never to have to deal with such an incident, but we want you to know that we are prepared and that your safety is our priority.

Data Retention: How Long We Keep Your Information

We will not keep your personal data for longer than is necessary to fulfill the purposes we collected it for, unless a longer retention period is required or allowed by law[32].
In practice, this means:

•If you submit an enquiry but do not end up booking a service with us, we may retain the information from your enquiry (including your contact details) for a certain period in case you have follow-up questions or decide to book at a later date. Generally, we would keep enquiry data for up to 12 months before deletion, unless you request us to delete it sooner. We believe this timeframe is reasonable to accommodate typical planning cycles for parties, but we will not keep unused enquiry data indefinitely.

•If you do book a party or event with us, we will retain the personal data related to that booking for as long as necessary to manage your event and provide any post-event customer service. After your party is completed, we may keep your data for a period to handle any potential follow-up issues (for example, billing questions or feedback). Booking records (which may include your name, contact, and transaction details) will also be kept as needed to comply with legal requirements – e.g., financial records may be kept for 6 years to satisfy HMRC auditing rules, as this is a legal obligation for businesses. During the retention period, we will securely store the data and restrict access to it.

•If you have opted into marketing communications, we will retain your email and name on our mailing list until you unsubscribe or otherwise tell us you no longer wish to receive emails. We include an unsubscribe link in every marketing email so you can easily opt out. If you unsubscribe, we will promptly remove you from the active mailing list. (We may however keep a record of your opt-out request to ensure we do not accidentally send you further communications, as allowed by law.)

•Data collected via cookies and analytics is generally stored in an aggregated or anonymized form. Google Analytics data, for instance, is retained for a default period (commonly 14 months for user-level data in GA, unless we configure otherwise).
We periodically review analytics data and may delete or anonymize older data that is no longer needed for analysis. Any identifiers in analytics (like unique cookie IDs) can also be erased or reset upon your request (e.g., if you exercise your right to erasure or if you clear cookies on your browser).

•In determining retention periods, we consider factors such as: the volume, nature, and sensitivity of the data; the potential risk of harm from unauthorized use or disclosure if we keep it too long; the purposes for which we process it and whether we can achieve those purposes through other means; and applicable legal requirements.

We aim to minimize data retention and will either securely delete personal data or render it permanently anonymous when it is no longer needed. For example, we may archive and anonymize old booking records by stripping out personal identifiers, keeping only statistical information for business analysis. When we delete personal data, we use measures to ensure the data is irrecoverable (for instance, wiping electronic records and shredding any physical documents). If complete deletion is not immediately feasible (for example, because the data is stored in backup archives that are only accessed in disaster recovery scenarios), we will securely isolate such data and protect it from further processing until deletion is possible[33].

If you have any specific questions about how long we keep a particular type of information, please contact us. We can provide more tailored information based on your interactions with us.

Your Rights Under UK GDPR

Under data protection laws, including the UK GDPR, you have several important rights regarding your personal data. We respect and uphold these rights. Your rights include[34]:

•Right of Access: You have the right to request access to the personal data we hold about you and to obtain information about how we process it.
This is commonly known as a “Data Subject Access Request.” Upon request, we will provide you with a copy of the personal information we have about you, in a concise and understandable format[34]. This allows you to verify the lawfulness of our processing and see what data we have collected.

•Right to Rectification: If any of your personal data we have is inaccurate or incomplete, you have the right to have it corrected or updated. We want to ensure we have correct information, so please let us know if you need us to fix any details (for example, if you change your email address or notice a spelling error in what we have on record).

•Right to Erasure: You have the right to request deletion of your personal data in certain circumstances – this is sometimes called the “right to be forgotten.” We will erase your data upon request if, for example, the data is no longer necessary for the purposes it was collected, or if you withdraw consent and we have no other legal basis to keep it, or if you object to processing and we have no overriding legitimate grounds to continue, among other grounds. Please note that this right is not absolute; sometimes we may need to retain certain information to comply with legal obligations or establish/exercise legal claims. But we will always assess requests on a case-by-case basis and inform you of the outcome.

•Right to Restrict Processing: You can ask us to restrict or “pause” the processing of your personal data in certain scenarios. For instance, if you contest the accuracy of the data, you can request a restriction while we verify the information. Or if you have objected to processing (see below), you may want to restrict use of data while we determine if our reasons override yours. When processing is restricted, we can still store your data but will not use it for the time being (except, for example, to address legal claims or protect others’ rights as permitted).
•Right to Data Portability: For data that you provided to us and that we process by automated means on the basis of consent or contract, you have the right to request a copy in a commonly used, machine-readable format (for instance, CSV or JSON file), and you have the right to have that data transmitted to another controller (e.g., another service provider) where technically feasible. In simple terms, this allows you to reuse your data across different services. This right typically applies to data you actively gave us (like form inputs) and data generated by your actions (like account history, if we had accounts).

•Right to Object: You have the right to object to our processing of your personal data in certain circumstances. Notably, you have an absolute right to object to your data being used for direct marketing purposes at any time[35]. If you object to marketing, we will stop using your data for that purpose immediately. Additionally, if we are processing your data based on legitimate interests, you can object to that processing and we will consider your objection. Unless we have a compelling legitimate reason that overrides your rights, or the processing is needed for legal claims, we will cease the processing in question. For example, you can object to our use of cookies/analytics that track your behavior, and if so, we will disable those (this ties in with the opt-out rights discussed in the next section).

•Rights related to Automated Decision-Making: We do not use your personal data for any automated decision-making that produces legal or similarly significant effects on you (such as profiling algorithms with significant impact). In the event we ever consider such practices, we would inform you and ensure compliance with GDPR Article 22. As of now, this right is not applicable because we don’t engage in those automated processes.

If you wish to exercise any of these rights, you can contact us at [EMAIL ADDRESS] with your request.
We may need to verify your identity before fulfilling certain requests (to ensure we don’t provide your data to someone else), so we might ask for some verification information (never more than necessary). We will respond as soon as possible and at least within one month as required by law, or inform you if we need more time in complex cases. There is generally no fee for exercising your rights. However, if a request is unfounded or excessive (for example, repetitive), the law allows us to charge a reasonable fee or refuse it – but we will explain our reasoning if that situation arises.

We commit to honoring your rights and will facilitate them in accordance with the law[36]. For instance, if you request access, we will gather all relevant data and provide it in a structured format along with an explanation of our processing. If you request erasure, we will delete the data from our active systems and instruct our processors to do the same, except for any data we are allowed or required to retain. If you correct data, we will update and inform any third parties (service providers) that also received the inaccurate data so they can correct it too. If you object to or restrict processing, we will comply and let you know of the effect (such as, certain services might not be available if they relied on that processing).

Your Right to Complain: If you have concerns or believe that we have not handled your personal data lawfully or satisfactorily, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO), which is the supervisory authority for data protection issues in the UK[37]. You can contact the ICO at 0303 123 1113 or via their website ico.org.uk for more information on how to report a concern. We would appreciate the chance to address your concerns before you approach the ICO, so please consider reaching out to us first, and we will do our best to resolve the issue.
If you are located outside the UK, you may have the right to complain to your local data protection regulator as well (for instance, an EU citizen can contact their country’s Data Protection Authority). We will cooperate fully with any official investigations and comply with the directives given by regulatory authorities.

In summary, you are in control of your personal data. We are here to help you exercise those rights and to ensure that you feel confident about how we handle your information. Don’t hesitate to contact us with any questions or requests regarding your privacy.

Your Choices: Opt-Out and Consent Withdrawal

In addition to the formal rights described above, we want to highlight how you can make choices about your data, especially regarding marketing and online tracking. You should have the ability to opt out of certain uses of your information and to withdraw consent where we are relying on consent.

Opting Out of Marketing Communications: If you have subscribed to our marketing emails and no longer wish to receive them, you can opt out at any time. The easiest way is to click the “unsubscribe” link in any promotional email you receive from us – this will automatically remove you from our mailing list. Alternatively, you can contact us at [EMAIL ADDRESS] and request to be removed, and we will take care of it. Once you opt out, we will stop sending you marketing messages. Please note, even after you opt out of marketing, we may still send you non-promotional messages if you have an active relationship with us – for example, emails about an upcoming party you booked or updates to our terms or privacy policy – because those are not marketing, they are service or legal notices. However, we will not send further newsletters, offers, or similar communications once you’ve unsubscribed. We always honor opt-out requests; you have the right to object to direct marketing, and we will respect that[35].
Opting Out of Targeted Advertising (Analytics/Tracking): As detailed in the Cookies section, you have choices regarding cookies and tracking:

•If you do not want Google Analytics to track your website visits, you can decline analytics cookies via our cookie banner. If you previously consented but changed your mind, you can delete cookies or use our site’s cookie settings to disable Analytics. Additionally, Google offers a browser Opt-Out Add-on that you can install to prevent data from being used by Google Analytics on any site[23]. You can download this add-on from Google (it’s available for most browsers).

•If you want to opt out of the Facebook/Meta Pixel and associated retargeting, the first step is to make sure you decline or disable the Facebook cookies on our site (via the cookie settings). Without the Pixel firing, no further data will be sent from our site to Facebook. If you had allowed it before, you can clear your browser cookies to remove the Facebook Pixel cookie and then choose “reject” when our cookie banner reappears. Additionally, you can adjust settings in your Facebook account: under your Facebook profile’s Ad Preferences, you can control whether you see personalized ads and you can disconnect “Off-Facebook Activity,” which includes data from Pixels. Facebook also supports the industry opt-outs mentioned earlier (via YourAdChoices etc.). For a more direct approach, Facebook’s own help center provides instructions on opting out of seeing targeted ads – typically, they advise users to manage preferences at Facebook > Settings & Privacy > Settings > Ads > Ad Settings. Through those, you can turn off ads based on data from partners (which would include our site’s Pixel data). We recommend you review Facebook’s guide on “How can I opt out of seeing ads?” if you wish to completely opt out of Facebook’s targeted advertising. We also provide here a link to Facebook’s Data Policy for more information.
Importantly, you have the right to opt-out of the collection and use of your data for targeted advertising, and we have made sure to implement a mechanism for you to do so[12]. If you object to our use of the Pixel, we will honor that – your experience on our site will not be affected beyond not receiving the targeted ads later.

•Opting out of Other Cookies: If in use, you can opt out of any other third-party tracking by either not giving consent or by using tools like browser extensions that block trackers (for example, many antivirus browser extensions or privacy-focused browsers can automatically block known tracking scripts). You may also use the “Do Not Track” setting in your browser; however, note that not all websites or third-parties honor DNT signals. Our site’s behavior with DNT will depend on Wix and the integrated tools – currently, we rely on explicit consent mechanisms to control tracking.

Withdrawing Consent: Whenever we are processing your data based on your consent, you have the right to withdraw that consent at any time[38]. This includes consent for marketing emails, consent for cookies, consent for processing a child’s data, etc. Withdrawing consent is easy – it can be as simple as unsubscribing from an email (withdraw consent to marketing), toggling off a switch in a cookie preference center (withdraw consent to analytics), or contacting us with your request. Once you withdraw consent, we will stop the processing that was based on consent. For example, if you withdraw consent for us to use your child’s information after an event, we will delete that information unless another basis applies. Withdrawal of consent will not affect the lawfulness of processing carried out before you withdrew (in other words, up until the point you withdrew, it was legal because you had given consent)[38].
It also won’t affect processing of your data under other bases – for instance, if you withdraw consent for marketing emails, we will stop those emails, but we might still process your email address if you have an ongoing booking with us under the contract necessity basis. We will always make it clear what consent covers so you know what can be withdrawn.

To withdraw consent, you can use the same channels through which you gave consent. For example, if you gave consent by ticking a checkbox on a form, you can contact us to reverse that decision. If you gave consent via the cookie banner, you can update your preferences on our site or clear cookies. If any difficulties arise, simply reach out to us and we will assist.

Objecting to/Opting Out of Other Processing: As noted, you can object to processing based on legitimate interests. One common example is objecting to analytics if you feel it infringes on your privacy – in practice, that overlaps with the cookie opt-out which we honor. If you have any objection outside of cookies/marketing (for example, you don’t want us to keep your data for the retention period), please inform us. We will review objections and either cease processing or provide a justification as to why we must continue (only if allowed by law). Our aim is to meet your wishes wherever possible.

In summary, we provide multiple ways for you to opt out of data uses you are not comfortable with. Our website gives you control over cookies, and our communication always includes an opt-out mechanism. We believe in empowering you to make decisions about your data. If something is unclear or you need help opting out, we welcome you to contact us – we will happily assist, as it’s crucial that you know you have the right to opt-out of targeted data collection and how to do so[12].
International Data Transfers

Party and Play is based in the UK, but the nature of online services means that some of your personal data may be transferred to, or stored in, other countries outside the United Kingdom. Specifically, we want to be transparent that:

•Our website is hosted on Wix, which is a global platform. According to Wix, personal information of site visitors may be stored in data centers located in the United States of America, Europe (for example, Ireland), Israel, South Korea, Taiwan, and other jurisdictions as necessary[39]. Wix utilizes a multi-region cloud infrastructure (including Amazon Web Services and Google Cloud) to ensure performance and reliability. While our primary interface is through Wix’s UK/EU servers (to the extent they have them), it is possible that your data will be mirrored or backed up in a non-UK location.

•Wix and UK Data Protection: Wix.com, though originally an Israeli company, is committed to protecting personal data in compliance with GDPR and UK GDPR standards. Israel is a country that the UK (and EU) currently recognize as providing an adequate level of data protection (meaning transfers to Israel are permitted under an adequacy decision). For other locations that may not have an adequacy decision (like the U.S. or Taiwan), Wix has assured that any transfers of personal data are made in accordance with approved mechanisms such as Standard Contractual Clauses (SCCs)[40]. In simpler terms, this means Wix has agreements in place to legally safeguard data moved out of the UK/EU, so that your data continues to have a high level of protection no matter where it is stored. Wix’s Data Processing Agreement incorporates these SCCs to cover its global data flows.

•Google Analytics and Meta (Facebook): The analytics and advertising services we use (Google and Meta) may also process data in the United States or other countries outside the UK. Google LLC and Meta Platforms, Inc. are both U.S.-based organizations.
The personal data that gets transferred (like cookie identifiers or IP addresses) could be routed to servers in the U.S. for processing. Both Google and Meta have committed to compliance with GDPR requirements for transfers. Google, for instance, typically relies on Standard Contractual Clauses for its analytics services, and Meta does the same for its Pixel and other tools to legitimize transfers of European/UK data to the U.S. Additionally, these companies implement extensive security controls and encryption to protect data in transit and at rest. We are monitoring the legal landscape around international data transfers (for example, the new EU-U.S. Data Privacy Framework and its UK extension in development). If there’s an approved UK transfer mechanism or certification scheme that covers these providers, we will take advantage of it once available. As of now, we trust in the SCCs and supplementary measures in place.

•Email and Cloud Services: If we use third-party services for email, customer management, or data storage, those services might also involve international transfers. For example, if we use an email marketing service whose servers are in the U.S., or a cloud backup located in the EU or U.S., data will travel to those places. In all such cases, we will ensure that one of the legal safeguards is in effect: either the country has an adequacy decision (as is the case for EU member states, since the UK recognizes the EU/EEA as adequate, or countries like Canada, Japan, etc.), or we have an agreement with standard clauses, or the provider is certified under an accepted framework. We will not use providers in jurisdictions with weak data protection unless we can secure your data through encryption or other means to an acceptable standard.

Whenever personal data is transferred out of the UK, we take steps to protect it to the standards required by UK law. This means that your rights and protections travel with your data.
If a service provider cannot meet these requirements, we would not use them or we would seek your explicit consent for the transfer (which you would be free to decline).

If you would like more details about international data transfers in relation to your personal data (for example, if you want to know if your specific data was stored in the US vs Europe), please contact us. We can provide you with information on the specific transfer safeguards applied to your data.

By using our website or providing us with information, you acknowledge that your personal data may be transferred to and processed in countries outside of your country of residence. However, this does not change our commitment to privacy: we will always handle your data in accordance with this Privacy Policy and applicable laws, no matter where it is processed.

Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the services we offer. If we make significant changes, we will notify you either by posting a prominent notice on our website or by contacting you directly (e.g., via email, if we have your email on file for this purpose). We encourage you to periodically review this page for the latest information on our privacy practices.

When we update the policy, we will revise the “Last updated” date at the top of the document. Any changes will become effective when we post the revised Privacy Policy on our website. If the changes materially affect how we handle personal data, we may also provide an additional notice to obtain any required consent. For example, if in the future we introduce user accounts or new data uses, we will update this policy and highlight what’s new. We will always ensure that our use of your data is in line with the latest policy posted here (and of course, with applicable law).
Your continued use of our website or services after any update to this Privacy Policy will signify your acceptance of the changes, provided that we have informed you of your rights in this regard. If you do not agree with any aspect of an updated policy, you are free to stop using our site and services, and you may also contact us to express any concerns. We will be happy to clarify any changes.

How to Contact Us

If you have any questions, comments, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to reach out to us. We are here to help and address any issues.

•By Email: info@partyandplay.uk (Preferred method – we typically respond within a few business days.)

•By Postal Mail: 115 Sutton new road, Birmingham, B23 6RP (You can send written inquiries or requests to our business mailing address.)

For privacy-specific concerns, you can address your message to the attention of “Privacy Officer” or the owner of Party and Play. We value your privacy and will do our utmost to assist you.

Thank you for trusting Party and Play with your special events – we are excited to help you create fun memories, and we are equally committed to keeping your personal information safe and respecting your rights.