Privacy Policy
Tranquility Atelier | tranquilityatelier.co.uk
Last updated: May 2026
1. Who We Are
The data controller for this website is Catherine Lawson, operating at tranquilityatelier.co.uk. We are a spa and wellness retreat business based in the United Kingdom.
For any questions about how we use your personal data, please contact us at:
Catherine Lawson
47 Cabbell Road, Cromer, Norfolk, UK NR27 9HY
07449 534 440
2. What Personal Data We Collect and Why
2.1 Website enquiries and contact forms
When you contact us through our website, we collect your name, email address, phone number (if provided), and the details of your enquiry. We use this information to respond to your message and, where relevant, to facilitate a booking through our booking partner Fresha.
Lawful basis: Legitimate interests — it is necessary for us to process this information to respond to your enquiry.
2.2 Bookings via Fresha
All bookings are handled by Fresha (operated by Treatwell Group). When you make a booking, you will be directed to Fresha’s platform. Fresha acts as a separate data controller in respect of the data you provide during the booking process. We encourage you to read Fresha’s privacy policy at:
fresha.com/legal/privacy-policy
We receive confirmation details of your booking from Fresha, including your name and appointment details, in order to prepare for your visit.
Lawful basis: Contract — processing is necessary to fulfil your booking with us.
2.3 Mailing list and marketing communications
If you sign up to receive news, offers or updates from us, we collect your email address and, where provided, your name. We will only send you marketing communications with your explicit consent.
You can withdraw your consent and unsubscribe at any time by clicking the unsubscribe link in any email we send, or by contacting us directly. Withdrawal of consent will not affect the lawfulness of any processing carried out before you withdrew it.
Lawful basis: Consent.
2.4 Website analytics (Google Analytics)
We use Google Analytics to understand how visitors use our website. This service collects anonymised data about your visit, including pages viewed, time spent on the site, and how you arrived. Google Analytics uses cookies to gather this information.
We have enabled IP anonymisation in Google Analytics, which means your full IP address is not stored. The data collected is aggregated and does not identify you personally.
Google LLC is our data processor for this service. Google may transfer data to the United States; it does so under the EU–US Data Privacy Framework and Standard Contractual Clauses. For further information, see Google’s privacy policy at:
Lawful basis: Legitimate interests — we have a legitimate interest in understanding how our website performs so we can improve it for visitors.
You can opt out of Google Analytics tracking across all websites by installing the Google Analytics Opt-out Browser Add-on:
tools.google.com/dlpage/gaoptout
2.5 Comments (if enabled)
If you leave a comment on our website, we collect the data shown in the comment form, along with your IP address and browser user agent string to assist with spam detection. An anonymised string derived from your email address may be shared with Gravatar to check whether you use that service. Gravatar’s privacy policy is available at:
If your comment is approved, your profile picture (if you use Gravatar) may be visible alongside your comment.
Lawful basis: Legitimate interests.
3. Cookies
Our website uses cookies — small text files stored on your device — for the following purposes:
3.1 Strictly necessary cookies
These are essential for the website to function. If you leave a comment, cookies may save your name, email and website address for one year so you do not need to re-enter them on future visits. Login session cookies last for two days (or two weeks if you select ‘Remember Me’) and are removed when you log out.
3.2 Analytics cookies
Google Analytics sets cookies to help us understand how visitors use our site. These cookies collect information in an anonymised form. You can prevent the setting of cookies by adjusting your browser settings (please note this may affect website functionality) or by using the Google Analytics opt-out tool linked above.
3.3 Third-party cookies
Pages that include embedded content from other websites (such as videos or maps) may also set cookies. We do not control these cookies; please refer to the relevant third party’s privacy policy.
Under current UK law, we are required to obtain your consent before placing non-essential cookies on your device. A cookie consent notice will appear when you first visit our website. You may withdraw or change your consent at any time.
4. Embedded Content from Other Websites
Pages on this site may include embedded content such as videos, images or articles. Embedded content from other websites behaves exactly as if you had visited those websites directly. Those third-party websites may collect data about you, use cookies, embed additional tracking, and monitor your interaction with the content, including if you have an account and are logged in.
5. Sharing Your Data
We do not sell your personal data. We may share your data with the following categories of third parties:
- Fresha (Treatwell Group) — for processing and managing your bookings
- Google LLC — for website analytics via Google Analytics
- Our email marketing platform — MailerLite — for sending newsletters and updates to subscribers
- Automattic (Gravatar) — for comment profile images, if applicable
- Our hosting provider — HostGator — who processes data on our behalf to keep the website running
All processors are required by contract to keep your information secure and to process it only on our instructions.
We may also disclose personal data where required to do so by law or in response to a lawful request from a public authority.
6. International Transfers
Some of our third-party service providers, including Google, may transfer your personal data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved for use under UK GDPR, or that the transfer is to a country with an adequacy decision from the UK Secretary of State.
7. How Long We Keep Your Data
- Enquiry data: we retain correspondence for 2 years from the date of your last contact with us, after which it is securely deleted.
- Booking data: retained for 3 years after your appointment, in line with our legal and accounting obligations.
- Marketing data: retained until you unsubscribe or withdraw consent, after which it is removed from our mailing list promptly.
- Comment data: comments and associated metadata are retained indefinitely to allow us to recognise and approve follow-up comments. You may request deletion at any time (see Section 8).
- Analytics data: aggregated, anonymised data is retained in accordance with Google Analytics’ standard retention settings (26 months by default).
Where we are required by law to retain certain records (for example, financial records under the Companies Act or HMRC requirements), we will retain those for the legally required period.
8. Your Rights Under UK GDPR
Under UK data protection law, you have the following rights in relation to the personal data we hold about you:
- Right of access: you may request a copy of the personal data we hold about you (known as a Subject Access Request).
- Right to rectification: you may ask us to correct inaccurate or incomplete data.
- Right to erasure: you may ask us to delete your personal data where there is no legitimate reason for us to continue processing it.
- Right to restrict processing: you may ask us to pause processing of your data in certain circumstances.
- Right to data portability: where processing is based on consent or contract, you may ask us to provide your data in a structured, machine-readable format.
- Right to object: you have the right to object to processing based on legitimate interests, including for direct marketing purposes. If you object to direct marketing, we will stop immediately.
- Right to withdraw consent: where we rely on consent as our lawful basis, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us using the details in Section 1. We will respond within one month of receiving your request.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe we have not handled your personal data in accordance with the law:
ico.org.uk/make-a-complaint | 0303 123 1113
9. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. Our website uses HTTPS encryption. Access to personal data is restricted to those who need it to carry out their responsibilities.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, inform you directly.
10. Children
Our website and services are not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data about a child, please contact us and we will delete it promptly.
11. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated ‘last updated’ date. We encourage you to review this policy periodically.
12. Contact Us and How to Complain
If you have any questions about this policy or how we handle your personal data, or if you wish to exercise any of your rights, please contact us:
Catherine Lawson
47 Cabbell Road, Cromer, Norfolk, UK NR27 9HY
07449 534 440
If you are not satisfied with our response, you have the right to complain to the ICO: ico.org.uk
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113