This privacy notice (Notice) explains how Historic Royal Palaces (HRP) or, as applicable, Historic Royal Palaces Enterprises Limited (HRPE), collects, uses and shares your personal data through your use of our website, applications and other technologies outlined in this Notice, and your rights in relation to the personal data we hold.
In this Notice, us, we and our all refer to HRP and HRPE (as applicable), and you and your refer to our customers, application users, visitors to our website and all other users of our services and those who interact with us in any other way.
Consultants, employees, job applicants / candidates and Volunteers should review our Internal Privacy Notice.
About this Notice
We may modify this Notice at any time. Any major changes or updates will be notified directly to those affected wherever practicable.
Data controller and contact details
HRP is a registered charity (registered charity number 1068852) having its principal place of business at Hampton Court Palace KT8 9AU. HRPE is a registered company (company registration number 03418583) which is wholly owned by HRP. HRP and/or HRPE will be the ‘controller’ of your personal data and we are subject to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, Privacy and Electronic Communications Regulations 2003 and any successor legislation or regulations governing data protection and privacy in the UK.
If you have any questions about this Notice, or if you would like to exercise any of your legal rights in respect of your personal data, please contact our Data Protection Lead at [email protected].
How we collect your information
We may collect your personal information in a number of ways, including:
- when you purchase tickets, membership or other products and/or services (either at one of our locations or from our online store), or when you join one of our special public engagement programmes;
- from the information you provide us when you fill in one of our forms on our websites, or during a visit to one of our locations (if applicable);
- when you submit a comment on one our blog articles or other similar pieces;
- when you correspond with us by phone, email, or by other means;
- when you participate in one of our competitions which are run with third parties and social media platforms;
- when you use our Royal History Quiz App (Quiz App) or the Tower Superbloom AR App (Superbloom App), or any other apps that HRP may develop in the future (together, the Apps);
- through the due diligence we may conduct if you make a donation to HRP or conduct business with us;
- when you subscribe to our e-mail updates or newsletter;
- if you participate in one of our school initiatives such as the HRP Teacher Network or Access Fund;
- when you take part in a market research survey or evaluation exercise, including where we need your personal information in order to contact you about a project, respond to any of your comments recorded in a survey, or record your consent for the use of photographs or video content, or individually-attributable comments;
- from third party social media platforms when you engage with us in that way, depending
- on your privacy settings on that platform;
- from third parties with whom we work closely, including (but not limited to) business partners, professional advisers, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies and trade partners. Please note that we may combine and use this information we receive from third party sources with information that you provide us;
- from publicly available sources where necessary for providing bespoke approaches to philanthropists with an existing or potential interest in providing us with charitable support;
- during photography or filming taking place by, or on behalf of, HRP at one of our locations; and
- in various other ways in which you may interact with us.
The types of information we collect
Information you give us.
This may include your name, email address, postal address, billing address, telephone number (including any telephone number used to call our customer service number) and financial and credit card information.
Information we collect about you on the Historic Royal Palaces website. With regard to each of your visits to our website we may automatically collect the following information:
- technical data, including the Internet protocol (IP) address, cookie identifier, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system, platform and geographic information; and
- website data, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page.
Information we collect about you on the Apps.
With regard to each of your visits to our Apps, we may automatically collect the following information:
- technical data, including usernames (for the Quiz App) and a unique ID (for both Apps). All the data collected will be anonymous and for the purpose of administering the Apps only;
- in the case of an error when using the Apps, log data and information (through third party services) on your phone, which may include your device IP address, device name, operating system version, the time and date of your use of the Apps, and other statistics; and
- information about your visit (through third party services), including device model, geo-location, through and from our app (including date and time); length of time on certain screens, screen interaction information (such as scrolling and clicks), game statistics such as the pollinator collection and flowers spotted and number of captured images or videos when using the Superbloom App, and scores, levels and correct/incorrect answer rate, number of shares and challenges sent statistics when using the Quiz App.
Other personal information.
In addition to the above, we may collect, use, store and process the following personal information about you, where relevant:
- marketing data such as engagement with our direct marketing emails (such as whether the email was opened and if you opened hyperlinks within the email);
- market research and evaluation data such as engagement with survey invitation emails (such as whether the email was opened, if you engaged with the hyperlinks and whether you have responded to the survey); correspondence data such as personal information provided by you in correspondence with us, including your request, our reply and your contact information in order to increase the efficiency of our business and to track our communications with you.
- For philanthropists interested in supporting our charitable work or similar causes, we may collect publicly available information which helps to ensure you are only approached with appropriate funding opportunities e.g. philanthropic interests, career and financial information; and
- any relationships relevant to such charitable support, e.g. a relationship to the organisation, its cause, or to another one of our supporters.
Special category data.
Under the UK GDPR, certain categories of personal information are recognised as sensitive, including health information and information regarding race, religious beliefs and political opinions. We will only collect and store such sensitive personal data in limited circumstances, eg if you are involved in a health and safety incident whilst visiting one of our sites or when you inform us about a disability (this information will be stored as a customer service case in our CRM).
Our legal basis for using your information
Where we have a contractual relationship with you
We will process your personal data where it is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract (e.g. in respect of ticket sales). In this respect, we use your personal data to carry out our obligations arising from any contracts entered into with you.
We also process your personal information because it is necessary for our or a third party’s legitimate interests. Our legitimate interests include the provision of services in relation to the conservation, restoration and maintenance of the palaces in our care and developing / providing an attractive visitor experience to the palaces in an efficient and sustainable manner, in accordance with all relevant legal rights and obligations. In this respect, we may use your personal data to:
- allow you to participate in our services (including membership) and to purchase our products;
- film or photograph events on our locations (notices will be clearly visible at relevant locations when filming is taking place) for marketing, press, educational and internal organisation purposes;
- advertise, promote and market our services, including providing suggestions and recommendations to you and other users regarding goods or services that may be of interest, where appropriate (unless we provide material directly to you under contract, or in situations where it is required or appropriate to gain your consent), and to measure the effectiveness of such activities;
- fundraise and promote our charitable objectives;
- administer membership accounts and records and any donations received;
- communicate information to you (if you are a member) including our membership magazine Inside Story and regular updates regarding the palaces and our charitable work. You will receive this information via post and email as part of your membership unless you ask us not to send it to you (you can opt-out or update your communication preferences at any time); maintain our own accounts and records, including the processing of donations and gift aid applications;
- notify you about changes to our services or to enable you to amend your bookings and orders;
- carry out identity checks if you are collecting a ticket at one of our palaces;
- process enquiries (e.g. for venue hire or requests for materials), complaints, survey comments, collect feedback, analyse our services and manage our internal record-keeping in relation to the same;
- carry out our internal processes, such as quality control, website performance, data analysis, troubleshooting, research, testing, security, system administration and to evaluate your use of our website, Apps and other services, so that we can provide you with enhanced services; and
- analyse and improve the services we provide, including improving our website, Apps and processing feedback.
We may also process your personal information for our compliance with our legal obligations. In this respect and if required, we may use your personal data to:
- comply with legal and regulatory obligations;
- deal with legal claims and requests, including those made under data protection law, or requests for formal disclosure by competent authorities; and
- administer and maintain such records as may be required by UK regulations and legislation from time to time.
We may process your personal information where we have your specific consent to do so (for example, where we have sought and obtained your consent to send you direct marketing (including as detailed below) by email or to set non-essential cookies via our website). If you have given your consent and you wish to withdraw it, please contact us using the contact details set out above or click the “unsubscribe” link in the emails we send. You can also update your communication preferences at any time.
Information about other visitor attractions
As part of our email marketing communications we may include content from third parties such as corporate partners, sponsors and other visitor attractions. For example, this could include information regarding a new exhibition opening at a museum in London that we feel may be of interest. A list of the visitor attractions we may include content on in our emails can be found here: ALVA | Association of Leading Visitor Attractions. While we may include selected content from third parties in the emails that we send you, we will never share your personal details with other third party visitor attractions for marketing purposes, so you will not receive emails from them unless you provide specific consent to do so.
We may use personal characteristics such as age, gender, address, role, your expressed interests, your previous interactions with us or geographical location to target our communications, advertising and promotions to a specific audience. However, we do not undertake any automated decision-making processes.
Sharing information with third parties
For the purposes referred to in this Notice and relying on the bases for processing as set out above, we may share your personal data with certain third parties, including within HRP or HRPE (as applicable), for legitimate purposes only, or to the following selected categories of third parties:
- suppliers, sub-contractors and business partners for the performance of any relevant contract we enter into with you or them;
- data analytics, data processing and aggregating platforms and search engine providers for legitimate purposes to assist us in the improvement and optimisation of our website, marketing strategy and visitor and member experiences;
- analytics providers and third-party suppliers that assist us in the improvement and optimisation of Apps;
- relevant third parties in connection with any internal / corporate reorganisation;
- internal and external auditors and our legal professional advisors; and
International transfers of data
Your personal data is generally only processed within the UK and/or European Economic Area (EEA), to the extent required for business management purposes. There are adequacy regulations in respect of transfers between the United Kingdom and the EEA. This means that the countries in the EEA to which we transfer your data (if at all) are deemed to provide an adequate level of protection for your personal information.
As a matter of course, we do not transfer your data outside the EEA. We may, however, transfer your personal data around the world on an ad hoc basis, for example where this is necessary for our interaction with you, and you are located outside of the EEA. In such circumstances, we will consider whether any additional measures are required in order to give adequate protection for the information when it is transferred.
All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using Secure Sockets Layer (SSL) technology. In circumstances where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data by imposing strict procedures and security features to prevent unauthorised access, we cannot guarantee the security of your data transmitted to our website. As such, any transmission is at your own risk.
How long your information is kept
We retain your personal data only for so long as is necessary to deliver our services to you, and to protect our legal interests or as otherwise stated to you when your data is collected.
To determine the appropriate retention period for personal data, we consider the volume, nature, and sensitivity of the personal data, the potential risk of harm from any unauthorised use or disclosure, the purposes for which we process your personal data, whether we can achieve those purposes through other means, and the applicable legal requirements. Details of retention periods for different aspects of your personal data are available in our Retention Schedule which you can request a copy of by contacting us at [email protected].
Under the UK GDPR you have the following rights in relation to our processing of your personal data:
- to obtain access to, and copies of, the personal data that we hold about you;
- to require us to correct the personal data we hold about you if it is incorrect;
- to require us to erase your personal data in certain circumstances;
- to require us to restrict our data processing activities in certain circumstances (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal);
- to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for transmitting that personal data to another data controller;
- to object, on grounds relating to your situation, to any of our processing activities where you feel this has a disproportionate impact on your rights;
- to complain about the processing of your data to the UK data protection regulator – the Information Commissioner’s Office (ICO) (www.ico.org.uk). The ICO does though recommend that you first try and resolve the complaint with us.
Please note that the above rights are not absolute, and we may be entitled to refuse your requests where exceptions apply. For example, if we have reason to believe the personal data we hold is accurate or we can show our processing is necessary for a lawful purpose set out in this Notice.
Date of last update: February 2023
What cookies do we use?
The cookies we use fall into the following categories:
We use Google Analytics to collect anonymous information about how you use our website so that we can improve the experience. For example, we collect information about how you got to the website, the pages you visit, time spent on pages and how you move around the website. If you do not allow these cookies we will not know when you have visited our site and cannot monitor its performance.
These cookies may be set by third party websites and our advertising partners. We use these cookies to do things like track views of YouTube videos on our website and to target and improve our advertising - for example, to avoid showing advertising you may have seen, or to enable us to display advertising that is relevant to you. These cookies do not store any personally identifiable information. If you do not allow these cookies, you will experience less targeted advertising.
Functional cookies allow us to remember preferences and settings to personalise a website visit.
Strictly necessary cookies
These cookies are necessary for the website to function and always need to be on. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
How to manage cookies
You can prevent the installation of cookies in your browser at any time by using our cookie management tool or managing the cookie settings in your browser. However, you may not be able to access all features or areas of our site if cookies are disabled.
Visit https://www.aboutcookies.org.uk/managing-cookies for information on how to manage cookies in popular browsers.
If you do not wish to be tracked by Google Analytics cookies, you can opt out by installing a browser plug-in here: https://tools.google.com/dlpage/gaoptout/
You can also find more information on managing the storage of cookies on the website www.youronlinechoices.eu