Privacy Policy

We are committed to safeguarding the privacy of our customers and potential customers. This policy sets out how we will treat your personal information. It also explains our policy regarding session and persistent cookies.

About this policy

The Data Controller (the organisation responsible for looking after your data) is STAYGB LTD. When we say "we", "our", "us", etc., that's who we're talking about. We are committed to protecting your information and we believe you have a right to know how we will use it. This policy sets out the data protection principles we follow. We will update this Privacy Policy from time to time due to changes in data protection law or our business practice / procedures.

This version of the policy is effective from 11 June 2026.

Data Protection Officer

Our Data Protection Officer is Oliver Brown, who can be contacted by email at dpo@staygb.com or by post to: The DPO, STAYGB LTD, Wayford Bridge Yacht Station, Wayford, Norwich, Norfolk, NR12 9LL, UK.

Your rights

• We use your data either on the basis of consent, or based on the existence of a contract between us.
• You have the right to withdraw your consent at any time.
• Marketing emails include an unsubscribe link making it easy to withdraw your consent. If you withdraw your consent (e.g. by opting out of marketing communications), we will stop processing the personal information relating to the request. Please bear in mind that we will need to continue to process personal information that is relevant to any services being provided to you under contract. That's because the contract between us is the basis for using your data (rather than consent).

If you are concerned about the processing of your data, please contact our Data Protection Officer (see above). If you are unhappy with our use of your data, you also have the right to make a complaint to the Information Commissioner's Office, which supervises data protection in the UK. STAYGB LTD is registered with the Information Commissioner's Office, registration reference ZA271214. You have the right to receive a copy of your personal data. You also have the right to request that we correct or remove your data, when there remains no legal basis for keeping it. Please note that when these rights are exercised, we will need to conduct identification checks in order to ensure your privacy is safeguarded. You will need to contact us by email or post to exercise these rights.

Personal Information we collect

In order to provide our services we may collect the following information:

Personal Identification

• Your full legal name and title

Contact details

• Address - used to verify the identity of an individual and/or send items by post;
• Landline and / or mobile phone number – Used for billing and other service notifications (and marketing if specific consent is granted).
• Email address - Used for billing and other service notifications (and marketing if specific consent is granted), as a "username" to identify you on our dashboard / online account.

Account login details

We use Amazon Cognito (leveraging Google, Facebook and Amazon OAuth) to authenticate access to our online dashboard. To identify you on our systems your authentication with Google, Facebook or Amazon will pass the following data to us, via the Amazon Cognito service:

• OAuth Service used (Google, Facebook or Amazon);
• Social account ID (Facebook ID, Google ID etc.);
• Your name (name the account was registered under);
• Email address associated with the account;
• Social handle / username (if one exists);
• URL of your profile image and access to the profile photo (if sufficient permission has been granted on your social media account).

Amazon Cognito will provide us with a random unique identifier for you. We use this random identifier to tag all the data you submit to our systems.

Payments

Electronic payments by credit or debit card are taken on the hosted payment pages supplied by our payment service provider, Elavon. During the process of making your card payment you will be asked for your payment card type (VISA, Mastercard etc.), card number, expiry date and three-digit security code. You will supply this data directly to Elavon. We will never have access to your full card number or security code.

Marketing preferences

Whether you wish to receive marketing information from us, and if so, by which methods.

Data gathered about your use of our websites and Apps

When you visit our websites or use our software or Applications we gather data which relates to how you use them.

Webserver Logs

When you make a request for a page on our website, data relating to your request is stored in the form of webserver logs. These logs consist of the date and time the request was made, the URI of the page requested, your IP address, the user agent (an indication of the type of computer, operating system and browser you used), your approximate location (generated from your IP address) and how you found our site (your referrer).

We gather and store webserver logs for the purpose of providing legal evidence should our services come under attack by hackers or other potential illegal activity is discovered. Such logs are also used when troubleshooting our systems in addition to security hardening and system integrity testing.

These logs are only stored for a short period of time, after which they are automatically deleted.

Client-side (JavaScript) usage tracking

Some of our sites have additional client-side tracking installed. This service is similar to Google Analytics, in that it allows us to follow your behaviour on our website in real-time, reporting to us detailed usage such as which buttons you click on and the length of time you view certain content.

The purpose of client-side tracking is to provide us information on how to improve your experience of our websites and to provide you individual guidance and support should you have difficulty in operating our online services.

Client-side tracking is only in operation on some of our websites. On your first visit to a website which operates client-side tracking you will be presented with a Privacy Notice which will ask you to provide your explicit consent to the use of this type of tracking. If you do not wish to give consent you will still be able to use the website as normal, but please note that we may not be able to provide support in your use of the website should you get into difficulties.

Location Data

We collect data relating to your current physical location when you use our services. Location data originates from the following sources:

• Amazon CloudFront provides us with the country from which the request was made;
• Your IP address gathered when you access our websites (very approximate);
• Supplied from your mobile device by a JavaScript request to the GeoLocation API. This can be inaccurate (based on IP address), or very precise as it can use your device position obtained by mobile carrier or your GPS location;
• For users connected to our WiFi networks – Your position is obtained by triangulation from your devices' position relative to the access point(s) it is connecting to.

The search facility on staygb.com uses your location to sort your search results by distance. You are also able to modify this location by moving your flag marker on the map to any position within the UK.

Your browser will ask you if you are OK with your location being disclosed to us. You can also disable the JavaScript geolocation feature in your browser settings. This geolocation data gathered on staygb.com is only used to enable distance searches. This data will be stored as part of Webserver logs as discussed above.

Location data obtained by connection of your device(s) to our access points is processed by our Connected Mobile Experiences (CMX) system. This system allows us to gather information about how our places of business are used. Please note that location data obtained in this way is anonymised (we are unable to match the location of a device with the identity of the user.

CCTV Data

Video, still images, event/trigger data and vehicle registration numbers recorded on CCTV systems.

Communications

• Recording phone calls - We record all calls in order for us to fulfill our obligations to our contract holders, and to protect ourselves from fraud.
• Voicemail
• Email
• Chat messaging

Cookies

Some parts of our website (particularly the Dashboard) require the storage of small pieces of information on your computer called "Cookies". These cookies perform various functions including:

• Remembering your preferences – so you are not shown the same notification again and again;
• Storage of unique login IDs or other personal identifiers to enable your authentication / session to persist as you move from page to page;
• Remembering your data protection preferences (e.g. whether you have agreed to the use of client-side usage tracking);
• Using persistent cookies to determine whether it is your first visit to our site (when client-side tracking is enabled).

Our dashboard is a JavaScript application, and as a result authentication can only be maintained when cookies are permitted. You can disable Cookies in your browser settings but please be aware that access to the Dashboard will not be possible.

MAC Address

The physical address of your computer or mobile device gathered when connecting to our WiFi network. We use this to apply data policies (such as bandwidth and content filtering) to devices.

How we use your personal information

We use your personal information to:

• Provide the services stipulated in accordance with the contract terms we have entered with you;
• Manage the dashboard and our online systems;
• Ensure you can log into your account with us;
• Understand how to improve our services;
• Detect and prevent fraud and abuse of our services;
• Personalize your experience of our websites (when specific consent is granted for client-side tracking);
• Communicate with you, for example responding to your emails or phone calls;
• Process your payments;
• Manage your billing accounts;
• Send you relevant marketing information (when specific consent granted);
• Manage offers, promotions and competitions;
• Ensure that our IT systems and business processes are operating efficiently and securely.

How we collect personal information

We receive personal information from:

• Directly from you as a customer or potential customer entering into a contract with us or making an enquiry;
• Your use of our websites and mobile apps;
• Third party providers such as communicating with us via social networks;
• Your interaction with our marketing activities (provided consent has been given);
• Your electronic devices in the form of WiFi and Bluetooth signaling when accessing our WiFi networks or you are in range of our access points;
• Our CCTV systems operating at our places of business;
• Our IoT and device monitoring systems for services such as electricity usage.

Legal basis for processing

The grounds on which we will store and use your data are:

• Contract – We will store and use data in a reasonable manner to enable us to deliver the requested service(s) to you, governed by the contract existing between us;
• Consent – We require your specific consent to operate client-side web usage tracking and to send you marketing information. You can withdraw your consent at any time.
• Legal obligations – We are under certain binding legal obligations to retain data. For example, we are obligated to retain billing and payment records for seven years to comply with UK tax requirements;
• Legitimate interests – We use data to manage our operations and to make improvements to our business processes, products and services. Rest assured, our legitimate interests will never override your right to privacy.

How we share your personal information

We share your personal data with our partner companies to provide our products and services to you as if they were the same company:

• STAYGB CLOUD LTD. (company number 09788466), Wayford Bridge Yacht Station, Wayford, Norwich, NR12 9LL, UK.
• STAYGB SERVICE LTD. (company number 11119511), Wayford Bridge Yacht Station, Wayford, Norwich, NR12 9LL, UK.
• STAYGB MARINE LTD. (company number 10059594), Wayford Bridge Yacht Station, Wayford, Norwich, NR12 9LL, UK.
• A I Brown T/A The Vintage Boat Company, Wayford Lodge, Wayford, Norwich, NR12 9LL, UK.

When you make a payment online by credit or debit card we share only the information necessary to process the payment with our payment services provider, Elavon.

You can review the Elavon privacy policy at https://www.elavon.com/. We will share information with Elavon only to the extent necessary for the purposes of processing payments you make via our website and dealing with complaints and queries relating to such payments.

We will never share your personal data with a third party not identified in this Policy without obtaining your explicit, unambiguous consent.

Technology / Cloud Service Providers

Personal data accessed online via our websites or apps is stored, processed and hosted using infrastructure services provided by Amazon Web Services (AWS). In terms of the GDPR, AWS is operating as a "Data Processor".

Security of Your Data

We take the security of your personal data very seriously. We use hosted payment solutions from Elavon so we do not come into contact with your credit / debit card details. All our websites operate only over bank grade encrypted connections (TLS). We also ensure that wherever operationally possible we store any personal data in an encrypted form when at rest. All your electronic data is stored on servers located in the European Economic Area (EEA).

Data Retention

We will store your personal information securely for the shortest period of time possible, necessary to satisfy the legal basis for processing the data.

The following general retention periods apply:

• Continuous video footage obtained from CCTV cameras is retained for a maximum of 7 days;
• Copies of invoices and payment transaction data are kept for a maximum of seven years in compliance with UK tax law;
• The retention period for webserver logs depends on the nature of the system for which logs are being collected. For basic websites where no account / login interface or comments system exists, request logs are retained for 30 days. For more complex websites and Apps collecting personal data, logs are retained for 100 days.
• Email has a complex set of retention periods which depend on the type of data contained within the message and the recipient address. However, an email cannot exist in a user mailbox for longer than three years.
• In some circumstances we may decide to retain small amounts of data longer than the specified retention period. We will only do this if we have a legitimate interest to protect our business or our customers against, for example, breaches in contract, potential fraud or deception, suspected illegal activity or any action which has the potential to result in litigation.