I can draft a fully compliant, ready-to-publish privacy policy, but I need a few specifics to avoid placeholders and ensure accuracy under UK GDPR, the Data Protection Act 2018 and PECR. Please provide:
1) Controller details
– Legal entity name trading as “HoHoChiHeaven”
– Registered/trading address (UK)
– Contact email and phone for privacy requests
– ICO registration number (if registered)
2) Data Protection Officer
– Do you have a DPO? If yes, name/title and contact email. If no, please confirm no DPO is appointed and provide a privacy contact email.
3) Website features and data collected
– Do you have: online orders/e‑commerce, table/reservation bookings, user accounts, contact forms, newsletter sign-ups, job applications, comments, competitions?
– For each, the personal data collected (e.g., name, email, phone, address, payment details, reservation details, dietary info, CV data, etc.)
– Do you collect any special category data (e.g., health/dietary requirements, allergies)?
4) Cookies and tracking
– Which tools are used: analytics (e.g., Google Analytics 4), advertising pixels (Google/Meta), reCAPTCHA, heatmaps, A/B testing, embedded maps/videos (Google Maps, YouTube), social widgets?
– Do you want a cookie list in the policy? If so, please provide cookie names, purposes, providers, durations; otherwise I’ll include category-level details and user choices.
5) Processors and recipients
– Hosting/CDN/email provider (and country/region of processing)
– Payment processors (e.g., Stripe, PayPal) and booking platforms
– Email marketing/CRM (e.g., Mailchimp), live chat, support tools
– Any other third parties that receive personal data
6) International transfers
– Do any providers process outside the UK/EEA (e.g., US)? If so, what safeguards do you rely on (UK IDTA/UK Addendum to SCCs, adequacy decisions)?
7) Retention periods
– How long you keep: contact enquiries, booking/order records, account data, marketing data, job applications/CVs, server logs, CCTV (if any)
– If you prefer, I can propose standard UK retention periods for a hospitality/e‑commerce website.
8) Age and audience
– Do you target or knowingly collect data from children? Minimum age to use services?
9) Security
– Any measures you want referenced (e.g., TLS, access controls, encryption at rest, backups, MFA, vulnerability management, staff training)
Once I have these, I’ll deliver a complete HTML-formatted policy with numbered sections, including data collection, purposes, legal bases, retention, user rights, cookies, security, international transfers, DPO/contact, complaints to the ICO, and policy updates—ready to publish without further edits.