Forge Holiday Group Ltd Privacy Notice

Hello there and welcome to the Forge Holiday Group Ltd privacy notice. We’re not asking you to agree to this notice or hiding anything in it that should be elsewhere, we’re just using this space to tell you what we are doing with your personal information. We hope we’re doing this in a friendly and plain English way but if anything isn’t clear or you want to know more we’ll tell you how you can ask us a question later. Where we say Forge, we, our or us in the rest of this notice we mean Forge Holiday Group Ltd, it saves us typing it out every time.

We hope you find this easy to read and you feel happy with what we are doing.

If you have questions after reading this please email dpo@forgeholidays.com and we will get back to you as soon as we can.

This privacy policy was issued in February 2024 and is version 1.0.

Who we are

The data Controller for your information is Forge Holiday Group Ltd who are the parent company of Sykes Cottages Ltd, Forest Holidays Ltd and UKcaravans4hire.com Ltd.

Forge provides shared technology, legal and other services for Forge and its subsidiaries.

Forge Holiday Group Ltd is a limited company registered in England and Wales with company registration number 12255564, whose registered office is at One City Place, Chester, Cheshire, CH1 3BQ, United Kingdom, and whose VAT registration number is 204 9794 88.

Our contact details

You can contact us at the address above or for data protection queries you can email dpo@forgeholidays.com. For general queries please contact hello@forgeholidays.com.

Our relationship with you as a data controller and a data subject

For our shared services any data we hold about you is held by us as a data controller. That means we have certain responsibilities about how we use your data and you have rights in relation to it.

The data we collect about you

We collect your personal details including your name, address, email addresses, telephone numbers, title and country of residence. Depending on your taxation or residency status we may also be required to collect your date of birth, your NI number or taxpayer identification number as well as any VAT numbers you may have and your country of residence and/or tax domicile. We also collect details about your property which will include the address and photographs and may include prospective, current and past properties you have let through us or may let through us. We sometimes collect or check this data using publicly accessible sources such as Companies House or the Land Registry. We will also sometimes need to collect copies of documentation such as passports or driving licences to verify your identity.

We generally receive data from our subsidiary companies. Sometimes this is used to provide direct services to you (such as identity verification) and sometimes it is so that we can co-ordinate consultancy across our group using personal data.

We have an intra group data sharing agreement in place and specific agreements for specific pieces of work.

We may receive special category data from you, mainly on official documents such as your driving license or passport. We have appropriate safeguards in place where this happens.

What we do with your data and our lawful bases for doing so

Identitiy verification - We verify your identity to comply with our legal obligations as a group or as necessary for the performance of your contract with us or one of our group companies.

Research – We receive data from our subsidiary companies and other outside sources to plan for our future business development. We use this on the basis of our legitimate business interests.

Who we share your data with

Other companies in the Group may receive your personal data either when necessary. Some of these companies may not be based in the EEA.

IT service providers - Our technology is often hosted in the cloud and we use a number of service providers such as Amazon, Microsoft, Yoti and Salesforce to support our websites and other technology stacks. Generally speaking these companies will be data processors acting entirely on our instructions. Some of these companies will not be in the EEA.

Professional advisors - We use external auditors, legal advisors, consultants, insurers and banks among others who will sometimes receive your personal information. The services they provide may be based outside the EEA.

Purchasers or potential purchasers of our business - Third parties whom we may choose to sell, transfer, or merge parts of our business or our assets. If a change of ownership happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.

International data transfers

Forge is an international company with subsidiary companies or brands in more than one country. Not all of these countries are in the EEA with many employees based in New Zealand in particular. Additionally a number of our service providers are based in countries outside the EEA and, as you would expect, this includes the USA and other high technology countries.

Where we transfer your data we will either transfer it to a country where there is a ruling in force that says that the level of data protection is adequate in the country the information is transferred to or we will use the standard contract clauses provided by the European Commission and validated by the UK Information Commissioner’s Office to provide protection and we will perform a risk assessment on any international transfer of data where these clauses are used.

If you want to know more about specific safeguards for your data in relation to international transfers please email dpo@forgeholidays.com.

How long we keep your data for

We keep different categories of data for different periods of time depending on what they are used for and we seek to delete what we do not need as early as possible. We are required to keep some information for longer periods by law and we keep some because it is in our legitimate interests.

As a guide, you can expect us to retain enough data to identify you for six years after you last interacted with us or we had a commercial relationship with you. This is mainly because that is when records relating to corporate taxation can be removed.

Because holiday letting is a long term proposition and can involve large periods of time between actions such as buying a property we will continue to send you marketing promoting our services for up to four years after your last response although the frequency of communications will decrease with time and you can ask us to stop at any time.

While we have a commercial relationship with you we retain full records, including data from more than six years ago and if we reasonably contemplate there may be litigation or there has been a complaint in relation to your property we may retain information beyond the six year standard.

Your statutory rights

Right of access - You have the right to ask us for a copy of the data we hold about you or any part of that data along with some further information about how we process it and keep it safe. We are allowed to ask you for more information about your identity and to ask you to narrow down your request to help us find your data. This right always applies but there are exemptions that mean you may not always receive all of the information we process and if you are a corporate owner (a company owns your property) the corporate owner cannot make an Access request. You cannot make an access request for someone else’s data without their written authorisation.

Right of Erasure - This is not a simple right and does not always apply. We have to erase your data if it is no longer needed for the purposes we collected it for or if you withdraw your consent where the processing is based on consent.

For people who have signed a contract with us we will not erase your data at all while the contract is still valid or if money is owed by us or by you. We will also not erase all of your data for six years because of the rules around corporate financial records.

We will erase your data if we have processed it unlawfully, if you have successfully objected to the processing of your data or if we have a legal obligation to do so.

If your main concern is about marketing communications you may want to tell us to stop sending you marketing communications instead and where this seems to be the reason for an erasure request we will always cease marketing while we discuss this with you.

Right to rectification - You always have the right to require us to make sure that the data we hold about you is accurate. Please let us know if it is not and we will fix it. Where we disagree that it is wrong we will tell you why and give you the opportunity to provide evidence that we have made a mistake.

Right to restriction of processing - Where you have objected to our data processing and we are still in discussions or there is a dispute over the accuracy of the data or we have agreed our processing is unlawful but you wish to preserve evidence or you require the data for a legal claim you can ask us to restrict processing such that we can only continue to store it.

Right to data portability - Where our basis for processing your data is for the performance of a contract or based on your consent you can ask us to provide your data in a machine readable format for transmission to another data controller.

General right to object - Where our basis for processing your data is based on legitimate interests you can object at any time and the Data Protection Officer will consider whether the company has an overriding legitimate interest that would mean we would continue to process your data or whether we should stop. You should note that legal claims would generally be regarded as an overriding interest.

Right to object to direct marketing - This is an absolute right and you can exercise it at any time by getting in touch with us.

Right to appeal an automated decision - If we have made a decision purely by automated means, generally meaning a computer made the decision, you can ask us to have that decision reviewed by a human. We will tell you when a decision has been made by purely automated means.

Right to withdraw consent - Where our processing is based on your consent then that consent can be withdrawn at any time. We will tell you when our processing is based on your consent.

Making a complaint or exercising your rights

Any complaint about our data processing should be sent to the Data Protection Officer using the contact details above who will investigate and respond to you directly. The Data Protection Officer acts independently of the management of the company in considering complaints about Data Protection.

You always have the right to complain to the regulator and for customers in the UK this would be the Information Commissioner’s Office whose details can be found at www.ico.org.uk or if you are in the EU you can complain to the Irish Data Protection Commission whose details can be found at www.dataprotection.ie

Both organisations will expect you to have complained to us first and to have given us an opportunity to respond and will generally refer you back to us if you have not. We would also really appreciate the opportunity to try and resolve your complaint first because we would prefer to resolve matters amicably where we can.

Changes to this privacy policy

We always record the date on which the privacy policy has been changed at the top of this page. You can ask us for copies of previous privacy policies and when they were effective from at any time. When we change our purposes for processing your data we will let you know either through this privacy policy or by sending you a direct communication if we think it has a large impact on you. Regular communications may indicate when we have updated this policy and ask you to take a look at it.