Craggan Leisure

Privacy Policy


Our Privacy Promise: Craggan Leisure is an independent hospitality company. It is our passion to create original, unforgettable moments for our guests and looking after the personal data they share with us is an important part of these experience. This Policy demonstrates our promise to protect the privacy and security of your personal data.

We are committed to being transparent about the ways in which we intend to use your data and provide you with choices about how we use it so you can be confident that our data is safe and secure with us. We are happy to provide any additional information or explanation needed and/or answer any questions you may have (please refer to the "Contact us" section below for details on how to contact us).


We keep our Privacy Policy under regular review and will lace updated versions on our website when changes are made. If there are substantive changes we will also notify you when appropriate. This Privacy Policy was last updated on 23 February 2023.


This Policy describes and oversees the nature of all data that we collect, use and otherwise process about you in connection with your relationship with Craggan Leisure as a guest, patron, visitor, potential customer or as an enquirer. The scope of the Policy cover the following areas:

Who we are and how to contact us
What is personal data
How we will use the data
Where we collect the data from
Our legal basis for processing your personal data
Your rights and how you can see, update or delete your personal data


Craggan Leisure is an independent hospitality company owned by Martyn David Barrow and Sarah Louise Barrow. Craggan Leisure is a registered partnership in Scotland with Licence Number AS00017F. Queensborough Group are the data processor of your information and sub processor services are provided by HotelHost Company and Rackspace in connection with on-line bookings.


Craggan Leisure is responsible for your personal data. For the purposes of the data protection legislation we are the "Data Controller" of all personal data that we collect, use and/or otherwise process about you under this Privacy Policy. If you have any questions about this Policy, including any requests to exercise your legal rights then please contact us at Craggan Leisure is located and registered at Craggan, Bridge of Gairn, Ballater, Aberdeenshire, AB35 5TY.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO) the UK supervisory authority for data protection issues ( We would however appreciate a chance to deal with your concerns or questions before you approach the ICO, so please contact us in the first instance at


Personal data means information that relates to an identified or identifiable individual. For example, it can be as simple as a name or a number or could include other identifiers such as an IP address, cookie identifier, payment details, or other factors. For avoidance of doubt, data must "relate to" the identifiable individual to be personal data. This means that it does more than simply identifying a person - it must concern the individual in some way.

CONTACT DATA includes address, email address and telephone numbers.
FINANCIAL DATA includes bank account and payment card details.
TRANSACTION DATA includes details about payments to and from you and other details of products and services you may have purchased from Craggan Leisure.
ENQUIRY DATA includes data you provided us with when you contact us (by any means of communication including written communications, via our website, telephone, email, or our social media channels or when you visit us.
PROFILE DATA includes bookings you have made with us in the past, your dietary requirements, travel details, dates of special occasions, preferences, feedback and survey responses.
USAGE DATA includes information about how you use our website, social media channels and when using our WI-FI services.
MARKETING AND COMMUNICATIONS DATA includes your preferences in receiving marketing from us and your communication preferences.


We will use your data for a variety of different purposes some of which will be dependent on the location(s) that you interact with us.

To facilitate and record your relationship with us. This includes administering your stay with us, manging restaurant reservations, providing special assistance when necessary, travel information and additional activities.

To process and facilitate transactions and payments.

To keep you updated on our products and services. For example, sending you any communications relevant to the services or products you've requested from us. This includes sending you emails to notify you of changes to your bookings or itinerary.

For marketing communications to keep you up-to-date with our latest news, offers and competitions unless you have told us that you would prefer not to hear from us. We may do this using analysis compiled from information we have collected from you or which we have generated about you or which we have lawfully received about you from our partners (on the basis of our legitimate interests to provide you with marketing communications where we may lawfully do so or where you have provided your consent). Please see the "Digital & Marketing section below for this information.

To personalise and improve customer experience. We will use your information to provide you with a more personalised service.

To provide you with customer service and support, deal with your enquiries, scheduling changes, complaints, comments or observations shared with us. This includes interactions on social media platforms such as Facebook, Twitter, Instagram and LinkedIn in the way of posting updates, responding to comments and messages, posting, retweeting and liking posts.

To provide you with suggestions and recommendations. To share your information with selected third parties such as suppliers and partners, to enable them to contact you with information about things that may interest you (where we have your consent to do so).

Where we need to perform the contract, we are about to enter into or have entered into with you.

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Where we need to comply with legal or regulatory obligations. For example, to comply with our policies and procedures.

To facilitate in a seamless login to our free WI-FI platform between visits and between sites. With an automatic login to the WI-FI available after your initial visit.

To create remarketing campaigns that utilise interest data from social platforms to advertise Craggan Leisure's events. The interest data is also utilised to create look-a-like data bases for wider advertising on social platforms.


Most of the personal data we process is provided to us directly by you. When you interact with our newsletter sign-up, enquire about our services, book our services, sign up to our WI-FI and other digital services.

We may also collect data about you if:

You provide additional data to us when you visit such as dietary requirements, special assistance or other useful information to enhance your experience. For example:

You visit our location website and enter data through a webform, sign up to attend an event, you give us a business card or meet with us at an event, you complete a survey.


Data protection legislation states that we must have a legal basis in order to process your personal data. Craggan Leisure relies on 5 out of 6 bases' available for processing your data. They are as follows:

We have a contractual obligation: Where you are in a contractual relationship and we need to process personal information to allow us to perform the contract or where you intend to enter into a contractual relationship with us.

We have a legal obligation: Where we need to process personal information to comply with a legal obligation placed on us.

We have a legitimate interest: Where we process your data in a way in which you would reasonably expect us to.

Your consent: You have given your consent to the processing of personal information for the specified purpose.

It is in your vital interests: Where we need to process personal information to protect your life.

Where we rely on your consent to process your data, you are free to unsubscribe at any time by clicking the unsubscribe link in any email you receive from Craggan Leisure or you can email us at When you unsubscribe, your email address will be retained on the system suppression list to ensure you no longer receive emails from us.


We will only retain your personal data for as long as reasonably necessary to enable us to provide you with the services that you have requested from us, fulfil any other purpose we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

We may retain your personal data for a longer period where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests of another natural person, or in the event of a complaint, or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

We carry out regular audits to ensure date is up-to-date, practice data minimisation where possible and ensure purpose limitation is practiced.


We utilise a free WI-FI service, wireless social at our location that requires a sign up to enable access to the WI-FI and for an automatic login upon your return. This sign up is completed either through the platform or through linking of a social platform, such as Facebook. A separate marketing permission sign up is presented at the time of initial login.


Please see our Cookie Policy for further information.


When you use a social media platform and interact with Craggan Leisure you do so by consenting to the Terms & Conditions of such platforms. This can include Facebook, Twitter, Instagram, LinkedIn, Pinterest and You Tube. For more information please see their individual Terms & Conditions and privacy policies.


We will send you marketing emails and newsletters to keep you updated on our products and services. You can at any time opt out of receiving these emails.

For business customers our lawful basis is legitimate interest as is necessary to inform business customers and stakeholders about our products/services to grow their business offering and ours. Your information will be securely destroyed 3 years from the last recorded interaction.

For our guests, patrons and visitors our lawful basis is consent and will be securely destroyed 1 month after consent is withdrawn.

We know how important it is to protect and manage your personal data. We take robust security measures to help protect your personal data from accidental loss and from unauthorised access, use, alteration and disclosure. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality.

The personal data that we collect from you may be transferred to and stored at, a destination outside the European Economic Area (EEA). It may also be processed by organisations outside the EEA such as our Third Party IT/Applications suppliers. We put in place appropriate protection to make sure your personal data remains adequately protected and that is is treated in line with this Policy. These protections include, but are not limited to, appropriate security measures, standard contract clauses such as those approved by the EU.

We have also put in place policies and procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Some of the steps we use to protect your information from unauthorised access, use or alteration and unlawful destruction, include where appropriate:

Limiting access to the data we collect about you (for instance, only those of our personnel who need your data to carry out our business activities are allowed access).
Ensure the physical and digital security of our equipment, devises and systems by mandating appropriate password protection.
Ensure appropriate access controls so that access to your data is only granted to those of our people that need to use it in the course of their work.
Carry out regular penetration testing of our systems and Third Party reviews of our software.
Maintain internal policies and deliver robust data protection and data handling training to ensure our people also understand their responsibilities in looking after your data and commit to taking appropriate measures to enforce these responsibilities.


Your credit card data is encrypted through the Payment Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted. All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council which is a joint effort for brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information.


Under data protection legislation, you have certain rights as an individual which you can exercise in relation to the data we hold about you.

In some situations, you may have the:

Right to be informed - this means that we must tell you how we use your data, and this is the purpose of this privacy policy.
Right to request access - you have the right to access the data that we hold on you. To do so, you should make a subject access request.
Right to request correction - if an data that we hold about you is incomplete or inaccurate, you are able to require us to correct it.
Right to request erasure - if you would like us to stop processing your data you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it.
Right to object to the inclusion of any data - in situations where we are relying on a legitimate interest (or those of a third party) you have the right to object to the way we us your data where we are using it.
Right to request the restriction of processing - you have the right to ask us to stop the processing of data of your personal data. We will stop processing the data (whilst holding it) until we have ensured that the data is correct.
Right to portability - you may transfer the data that we hold on you for your own purposes - tell you why we are holding it, tell you how long we keep it for and the lawful basis for doing so, tell you who it could be disclosed to, let you have a copy of the data in a commonly used electronic format unless the individual request