(including use of cookies)
This privacy notice (Notice) explains how Historic Royal Palaces (HRP) or, as applicable, Historic Royal Palaces Enterprises Limited (HRPE), collects, uses and shares your personal data through your use of our website, applications and other technologies outlined in this Notice, and your rights in relation to the personal data we hold.
In this Notice, us, we and our all refer to HRP and HRPE (as applicable), and you and your refer to our customers, application users, visitors to our website and all other users of our services and those who interact with us in any other way.
Consultants, employees, job applicants / candidates and Volunteers should review our Internal Privacy Notice.
About this Notice
We may modify this Notice at any time. Any major changes or updates will be notified directly to those affected wherever practicable.
Data controller and contact details
HRP is a registered charity (registered charity number 1068852) having its principal place of business at Hampton Court Palace KT8 9AU. HRPE is a registered company (company registration number 03418583) which is wholly owned by HRP. HRP and/or HRPE will be the ‘controller’ of your personal data and we are subject to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, Privacy and Electronic Communications Regulations 2003 and any successor legislation or regulations governing data protection and privacy in the UK.
If you have any questions about this Notice, or if you would like to exercise any of your legal rights in respect of your personal data, please contact our Data Protection Lead at [email protected].
How we collect your information
We may collect your personal information in a number of ways, including:
- when you purchase tickets, membership or other products and/or services (either at one of our locations or from our online store), or when you join one of our special public engagement programmes;
- from the information you provide us when you fill in one of our forms on our websites, or during a visit to one of our locations (if applicable);
- when you submit a comment on one of our blog articles or other similar pieces;
- when you correspond with us by phone, email, or by other means;
- when you participate in one of our competitions which are run with third parties and social media platforms;
- when you use our Royal History Quiz App (Quiz App) or the Tower Superbloom AR App (Superbloom App), or any other apps that HRP may develop in the future (together, the Apps);
- through the due diligence we may conduct if you make a donation to HRP or conduct business with us;
- when you subscribe to our e-mail updates or newsletter;
- if you participate in one of our school initiatives such as the HRP Teacher Network or Access Fund;
- when you take part in a market research survey or evaluation exercise, including where we need your personal information in order to contact you about a project, respond to any of your comments recorded in a survey, or record your consent for the use of photographs or video content, or individually-attributable comments;
- from third party social media platforms when you engage with us in that way, depending on your privacy settings on that platform;
- from third parties with whom we work closely, including (but not limited to) business partners, professional advisers, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies and trade partners. Please note that we may combine and use this information we receive from third party sources with information that you provide us;
- from publicly available sources where necessary for providing bespoke approaches to philanthropists with an existing or potential interest in providing us with charitable support;
- during photography or filming taking place by, or on behalf of, HRP at one of our locations; and
- in various other ways in which you may interact with us.
The types of information we collect
Information you give us.
This may include your name, email address, postal address, billing address, telephone number (including any telephone number used to call our customer service number) and financial and credit card information.
Information we collect about you on the Historic Royal Palaces website. With regard to each of your visits to our website we may automatically collect the following information:
- technical data, including the Internet protocol (IP) address, cookie identifier, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system, platform and geographic information; and
- website data, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page.
Information we collect about you on the Apps.
With regard to each of your visits to our Apps, we may automatically collect the following information:
- technical data, including usernames (for the Quiz App) and a unique ID (for both Apps). All the data collected will be anonymous and for the purpose of administering the Apps only;
- in the case of an error when using the Apps, log data and information (through third party services) on your phone, which may include your device IP address, device name, operating system version, the time and date of your use of the Apps, and other statistics; and
- information about your visit (through third party services), including device model, geo-location, through and from our app (including date and time); length of time on certain screens, screen interaction information (such as scrolling and clicks), game statistics such as the pollinator collection and flowers spotted and number of captured images or videos when using the Superbloom App, and scores, levels and correct/incorrect answer rate, number of shares and challenges sent statistics when using the Quiz App.
Other personal information.
In addition to the above, we may collect, use, store and process the following personal information about you, where relevant:
- marketing data such as engagement with our direct marketing emails (such as whether the email was opened and if you opened hyperlinks within the email);
- market research and evaluation data such as engagement with survey invitation emails (such as whether the email was opened, if you engaged with the hyperlinks and whether you have responded to the survey);
- correspondence data such as personal information provided by you in correspondence with us, including your request, our reply and your contact information in order to increase the efficiency of our business and to track our communications with you.
- For philanthropists interested in supporting our charitable work or similar causes, we may collect publicly available information which helps to ensure you are only approached with appropriate funding opportunities e.g. philanthropic interests, career and financial information; and
- any relationships relevant to such charitable support, e.g. a relationship to the organisation, its cause, or to another one of our supporters.
Special category data.
Under the UK GDPR, certain categories of personal information are recognised as sensitive, including health information and information regarding race, religious beliefs and political opinions. We will only collect and store such sensitive personal data in limited circumstances, e.g. if you are involved in a health and safety incident whilst visiting one of our sites or when you inform us about a disability (this information will be stored as a customer service case in our CRM).
Our legal basis for using your information
Where we have a contractual relationship with you
We will process your personal data where it is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract (e.g. in respect of ticket sales). In this respect, we use your personal data to carry out our obligations arising from any contracts entered into with you.
Legitimate interests
We also process your personal information because it is necessary for our or a third party’s legitimate interests. Our legitimate interests include the provision of services in relation to the conservation, restoration and maintenance of the palaces in our care and developing / providing an attractive visitor experience to the palaces in an efficient and sustainable manner, in accordance with all relevant legal rights and obligations. In this respect, we may use your personal data to:
- allow you to participate in our services (including membership) and to purchase our products;
- film or photograph events on our locations (notices will be clearly visible at relevant locations when filming is taking place) for marketing, press, educational and internal organisation purposes;
- advertise, promote and market our services, including providing suggestions and recommendations to you and other users regarding goods or services that may be of interest, where appropriate (unless we provide material directly to you under contract, or in situations where it is required or appropriate to gain your consent), and to measure the effectiveness of such activities;
- fundraise and promote our charitable objectives;
- administer membership accounts and records and any donations received;
- communicate information to you (if you are a member) including our membership magazine Inside Story and regular updates regarding the palaces and our charitable work. You will receive this information via post and email as part of your membership unless you ask us not to send it to you (you can opt-out or update your communication preferences at any time);
- maintain our own accounts and records, including the processing of donations and gift aid applications;
- notify you about changes to our services or to enable you to amend your bookings and orders;
- carry out identity checks if you are collecting a ticket at one of our palaces;
- process enquiries (e.g. for venue hire or requests for materials), complaints, survey comments, collect feedback, analyse our services and manage our internal record-keeping in relation to the same;
- carry out our internal processes, such as quality control, website performance, data analysis, troubleshooting, research, testing, security, system administration and to evaluate your use of our website, Apps and other services, so that we can provide you with enhanced services; and
- analyse and improve the services we provide, including improving our website, Apps and processing feedback.
Legal obligations
We may also process your personal information for our compliance with our legal obligations. In this respect and if required, we may use your personal data to:
- comply with legal and regulatory obligations;
- deal with legal claims and requests, including those made under data protection law, or requests for formal disclosure by competent authorities; and
- administer and maintain such records as may be required by UK regulations and legislation from time to time.
Consent
We may process your personal information where we have your specific consent to do so (for example, where we have sought and obtained your consent to send you direct marketing (including as detailed below) by email or to set non-essential cookies via our website). If you have given your consent and you wish to withdraw it, please contact us using the contact details set out above or click the “unsubscribe” link in the emails we send. You can also update your communication preferences at any time.
Information about other visitor attractions
As part of our email marketing communications we may include content from third parties such as corporate partners, sponsors and other visitor attractions. For example, this could include information regarding a new exhibition opening at a museum in London that we feel may be of interest. A list of the visitor attractions we may include content on in our emails can be found here: ALVA | Association of Leading Visitor Attractions. While we may include selected content from third parties in the emails that we send you, we will never share your personal details with other third party visitor attractions for marketing purposes, so you will not receive emails from them unless you provide specific consent to do so.
Profiling
We may use personal characteristics such as age, gender, address, role, your expressed interests, your previous interactions with us or geographical location to target our communications, advertising and promotions to a specific audience. However, we do not undertake any automated decision-making processes.
Sharing information with third parties
For the purposes referred to in this Notice and relying on the bases for processing as set out above, we may share your personal data with certain third parties, including within HRP or HRPE (as applicable), for legitimate purposes only, or to the following selected categories of third parties:
- suppliers, sub-contractors and business partners for the performance of any relevant contract we enter into with you or them;
- data analytics, data processing and aggregating platforms and search engine providers for legitimate purposes to assist us in the improvement and optimisation of our website, marketing strategy and visitor and member experiences;
- analytics providers and third-party suppliers that assist us in the improvement and optimisation of Apps;
- relevant third parties in connection with any internal / corporate reorganisation;
- internal and external auditors and our legal professional advisors; and
- any regulatory or government body, court, law enforcement agency and other authority of competent jurisdiction if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use and other agreements, or to protect the rights, property, or safety of HRP or HRPE, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. This includes Layered Reality™ trading as Gunpowder Immersive Ltd strictly for the process of redeeming Vouchers for Tickets, for fraud prevention purposes.
Working with Meta and Google
Like many organisations, we use Meta and Google to help us achieve our marketing goals.
We use them to get our marketing in front of you, and to put it in front of new people who might be interested in our work and our places.
To use their services we share information with them. We share information:
1. generated by the cookies we use – i.e. information generated by your interaction with our websites, and
2. that you provide when interacting with us, such as when you buy tickets, become a member, make a purchase from our shops, and/or sign up to and open our newsletters.
We only share a minimum of identifying data, like name and email address, in order that Meta and Google can identify you within their data.
Is this secure?
Yes. The sharing is done securely. The data is “hashed” – i.e. scrambled, so it cannot be understood by anyone outside of Meta or Google – before it is shared with them.
Why do you work with them?
Their services enable us to provide tailored marketing to you and others about our goods and services. It also enables us to measure the effectiveness of such activities.
It enables us to get what we consider to be appropriate adverts in front of you and others – and not to send adverts that we think will be less interesting to you.
Is this a legitimate interest of HRP?
Yes. This sharing of personal information has traditionally been done on the basis of it being in our legitimate interest, and our assessment that such sharing does not unduly affect your rights and freedoms.
- We are aware this area of data protection is currently subject to engagement by the Information Commissioner’s Office (ICO) and regulators in Europe.
- We are exploring ways of meeting the evolving expectation of our members, visitors and customers, of Meta and Google, and regulators.
- We wish to ensure you are informed, and that we also do not significantly affect your experience of using our website and engaging with us (for example, any need to obtain consent does not unduly affect the ease with which you can complete a task on our website).
You have the right to object to the use of your data for any marketing purposes – please contact [email protected].
International transfers of data
Your personal data is generally only processed within the UK and/or European Economic Area (EEA), to the extent required for business management purposes. There are adequacy regulations in respect of transfers between the United Kingdom and the EEA. This means that the countries in the EEA to which we transfer your data (if at all) are deemed to provide an adequate level of protection for your personal information.
As a matter of course, we do not transfer your data outside the EEA. We may, however, transfer your personal data around the world on an ad hoc basis, for example where this is necessary for our interaction with you, and you are located outside of the EEA. In such circumstances, we will consider whether any additional measures are required in order to give adequate protection for the information when it is transferred.
Data security
All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using Secure Sockets Layer (SSL) technology. In circumstances where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data by imposing strict procedures and security features to prevent unauthorised access, we cannot guarantee the security of your data transmitted to our website. As such, any transmission is at your own risk.
How long your information is kept
We retain your personal data only for so long as is necessary to deliver our services to you, and to protect our legal interests or as otherwise stated to you when your data is collected.
To determine the appropriate retention period for personal data, we consider the volume, nature, and sensitivity of the personal data, the potential risk of harm from any unauthorised use or disclosure, the purposes for which we process your personal data, whether we can achieve those purposes through other means, and the applicable legal requirements. Details of retention periods for different aspects of your personal data are available in our Retention Schedule which you can request a copy of by contacting us at [email protected].
Your rights
Under the UK GDPR you have the following rights in relation to our processing of your personal data:
- to obtain access to, and copies of, the personal data that we hold about you;
- to require us to correct the personal data we hold about you if it is incorrect;
- to require us to erase your personal data in certain circumstances;
- to require us to restrict our data processing activities in certain circumstances (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal);
- to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for transmitting that personal data to another data controller;
- to object, on grounds relating to your situation, to any of our processing activities where you feel this has a disproportionate impact on your rights;
- to complain about the processing of your data to the UK data protection regulator – the Information Commissioner’s Office (ICO) (www.ico.org.uk). The ICO does, though, recommend that you first try to resolve the complaint with us.
Please note that the above rights are not absolute, and we may be entitled to refuse your requests where exceptions apply. For example, if we have reason to believe the personal data we hold is accurate or we can show our processing is necessary for a lawful purpose set out in this Notice.
Date of last update: February 2023
Cookie Policy
Information about our use of online identifying tools, including cookies
Your privacy
Our websites use online identifying tools – traditionally called “cookies.” We save information on your device or computer to distinguish you from other users of our website.
Cookies are used to store information about how you use the website such as the pages you visit. This helps us to provide you with a good experience and allows us to improve the website.
We use different types of cookies and you can choose which ones you want us to use. However, blocking some types of cookies may impact your experience of our website and the services we offer.
More information on giving consent to cookies and similar technologies
What cookies and similar technologies do we use?
The cookies and other tracking technologies we use fall into the following categories:
Performance cookies
We use Google Analytics to collect information about how you use our website so that we can improve the experience. For example, we collect information about how you got to the website, the pages you visit, time spent on pages and how you move around the website. If you do not allow these cookies we will not know when you have visited our site and cannot monitor its performance.
Targeting cookies
These cookies may be set by third party websites and our advertising partners. We use these cookies to do things like track views of YouTube videos on our website and to target and improve our advertising - for example, to avoid showing advertising you may have seen, or to enable us to display advertising that is relevant to you.
These cookies store information that enables us to distinguish you from other visitors to our website; however, they do not store any directly personally identifiable information like your name or email address. If you do not allow these cookies, you will experience less targeted advertising.
We use the Meta Pixel cookie and the Meta Conversion API tool (which does not depend on browser technology like cookies) to collect and share personal information with Meta.
Functional cookies
Functional cookies allow us to remember preferences and settings to personalise a website visit.
Strictly necessary cookies
These cookies are necessary for the website to function and always need to be on. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
How to manage cookies
You can prevent the installation of cookies in your browser at any time by using our cookie management tool or managing the cookie settings in your browser. However, you may not be able to access all features or areas of our site if cookies are disabled.
Visit https://www.aboutcookies.org.uk/managing-cookies for information on how to manage cookies in popular browsers.
If you do not wish to be tracked by Google Analytics cookies, you can opt out by installing a browser plug-in here: https://tools.google.com/dlpage/gaoptout/
You can also find more information on managing the storage of cookies on the website www.youronlinechoices.eu
Contact
Questions or requests regarding this cookie policy should be addressed to [email protected].