Salt Escapes Ltd · Company Number 11086084
We are Salt Escapes Ltd, a company registered in England and Wales (Company Number 11086084).
Registered address: 24 Chelsfield Gardens, London, SE26 4DJ, United Kingdom
Website: www.salt-escapes.com
Booking platform: book.salt-escapes.com
Email: support@salt-escapes.com
We are the data controller for the personal data described in this policy. That means we decide how and why your personal data is processed.
We operate under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). Our supervisory authority is the Information Commissioner's Office (ICO).
Note: Salt Escapes Ltd is registered with the ICO as required under the Data Protection Act 2018. If you wish to verify our registration, you can search the ICO's public register at ico.org.uk.
This policy explains how we collect, use, store, share, and protect your personal data when you:
It applies to everyone who interacts with Salt Escapes, whether you are a website visitor, prospective guest, confirmed guest, or past guest.
We collect different types of data depending on how you interact with us.
Website visitors:
Newsletter subscribers:
Enquiries and pre-registration:
Booking customers (everything above, plus):
On-retreat guests:
Contractors and suppliers:
This section is particularly important. As a fitness retreat company, we need to collect data about your health and physical condition to run our retreats safely. This includes:
Under UK GDPR, this information is classified as special category data (Article 9) because it relates to your health and may reveal religious or philosophical beliefs.
Our lawful basis for processing this data:
We process special category data on the basis of your explicit consent (Article 9(2)(a) UK GDPR).
We only share health data with retreat staff, fitness instructors, and catering providers who need it to deliver your retreat safely. We never use health data for marketing purposes.
| Method | Examples |
|---|---|
| Directly from you | Booking forms, enquiry forms, email correspondence, phone calls, chat messages, retreat registration paperwork |
| Automatically | Cookies, server logs, tracking pixels, session recording tools when you visit our website |
| From third parties | Payment confirmation from Stripe/Shopify, advertising platforms (Meta, Google, TikTok) matching your browsing to ad interactions |
| Purpose | Lawful basis | Details |
|---|---|---|
| Processing your booking and delivering your retreat | Contract (Art. 6(1)(b)) | Necessary to fulfil our contract with you |
| Processing health, dietary, and allergy data | Explicit consent (Art. 9(2)(a)) | Special category data — see Section 4 |
| Sending you marketing emails | Consent (Art. 6(1)(a) + PECR Reg. 22) | You can opt out at any time |
| Responding to your enquiries | Legitimate interest (Art. 6(1)(f)) | Our interest in responding to potential customers |
| Website analytics and performance monitoring | Legitimate interest (Art. 6(1)(f)) | Understanding how our website is used to improve it |
| Advertising and conversion tracking | Consent (Art. 6(1)(a)) | Via our cookie consent mechanism |
| Session recording (Microsoft Clarity) | Consent (Art. 6(1)(a)) | Via our cookie consent mechanism |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) | Protecting our business and customers |
| Legal compliance (tax records, etc.) | Legal obligation (Art. 6(1)(c)) | Required by law |
| Photographs and video on retreats | Consent (Art. 6(1)(a)) | You can opt out at any time |
| Emergency contact processing | Legitimate interest (Art. 6(1)(f)) | Vital interest fallback in genuine emergencies |
| Contractor and supplier management | Contract (Art. 6(1)(b)) | Necessary to fulfil our contract with them |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your rights. You can request details of these assessments by emailing us.
Email marketing:
We use Klaviyo to send marketing emails. We only send marketing emails where you have given consent (e.g., subscribing to our newsletter or ticking a marketing consent box during booking). Every marketing email includes an unsubscribe link. You can also email support@salt-escapes.com to opt out.
Profiling and targeted advertising:
| Platform | What happens |
|---|---|
| Meta (Facebook & Instagram) | The Meta Pixel and Conversions API track pages you visit on our site. Meta uses this to show you ads and to build "lookalike" audiences of similar people. |
| Google Ads | Google tracks conversions (e.g., completing a booking) and uses remarketing to show you ads on Google Search and partner sites. |
| TikTok | The TikTok Pixel tracks browsing behaviour for ad targeting and conversion measurement. |
| Klaviyo | Segments subscribers based on engagement, purchase history, and browsing behaviour to personalise email content. |
Your right to object:
You have the right to object to profiling at any time. You can:
We do not use automated decision-making that produces legal or similarly significant effects on you.
What are cookies?
Cookies are small text files stored on your device when you visit a website. They help websites work properly, remember your preferences, and understand how visitors use the site.
Our consent mechanism:
We use a cookie consent mechanism that operates using Google Consent Mode v2. When you first visit our site, a consent banner appears asking you to accept or decline non-essential cookies.
se_consent cookie for 1 year.se_geo_eea cookie.You can change your cookie preferences at any time by clearing your cookies or using the consent management option on our website.
Essential / Functional cookies:
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
se_consent | Salt Escapes | Stores your cookie consent preferences | 1 year |
se_geo_eea | Salt Escapes | Detects whether regional consent rules apply | 30 days |
intercom-id-* | Intercom | Identifies your chat session | 9 months |
intercom-device-id-* | Intercom | Identifies your device for chat continuity | 9 months |
intercom-session-* | Intercom | Maintains active chat session | 1 week |
Analytics cookies:
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
_ga | Google Analytics | Distinguishes unique visitors | 2 years |
_ga_* (x5 streams) | Google Analytics | Maintains session state per data stream | 2 years |
FPLC | Cross-domain measurement | Session | |
FPGSID | Session-level linking | Session | |
FPAU | First-party attribution | 30 days | |
_clck | Microsoft Clarity | Identifies returning visitors for session recording | 1 year |
Marketing cookies:
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
_fbp | Meta (Facebook) | Tracks visits for ad targeting | 3 months |
_ttp | TikTok | Tracks visits for ad targeting | 13 months |
_gcl_au | Google Ads | Attributes conversions to ad clicks | 3 months |
__kla_id | Klaviyo | Identifies visitors for email marketing | 2 years |
_dcid | DoubleClick (Google) | Ad conversion tracking | Session |
First-party tracking cookies:
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
se_visitor_id | Salt Escapes | Identifies visitors across sessions | Persistent |
se_ga_client_id | Salt Escapes | Mirrors Google Analytics client ID for server-side use | Persistent |
se_fbp | Salt Escapes | Mirrors Meta browser ID for server-side use | Persistent |
| Technology | What it does |
|---|---|
| Meta Conversions API (CAPI) | Sends conversion events (e.g., page views, bookings) from our server to Meta. This supplements the Meta Pixel and may include hashed email addresses, IP addresses, and browsing data. |
| Server-side Google Analytics | Sends analytics data from our server to Google. This supplements the browser-based GA4 tag. |
Server-side tracking is subject to the same consent rules as browser-based tracking. If you decline marketing or analytics cookies, we respect that choice for server-side data too.
| Processor | Purpose | Data shared | Server location |
|---|---|---|---|
| Vercel | Website hosting | Server logs, IP addresses, browsing data | US / Global CDN |
| Supabase | Database and backend services | All customer data (encrypted at rest) | Australia (Sydney) |
| Stripe | Payment processing | Payment card data, billing information | US |
| Shopify | E-commerce and order management | Order details, customer data | Canada / US |
| Klaviyo | Email marketing and automations | Email address, behaviour, purchase history | US |
| Analytics, advertising, tag orchestration | IP address, browsing data, conversions | US | |
| Meta | Advertising | Browsing behaviour, conversions, hashed identifiers | US |
| TikTok | Advertising | Browsing behaviour, conversions | Singapore / US |
| Microsoft Clarity | Session recording and heatmaps | Mouse movements, clicks, scrolling behaviour | US |
| Intercom | Customer chat and support | Chat transcripts, email address, browsing data | US |
| Typeform | Forms and surveys | Form responses | EU |
| PandaDoc | Contract management | Contractor personal data | US |
We may also share data:
We never sell your personal data.
| Country | Processors | Transfer mechanism |
|---|---|---|
| United States | Vercel, Stripe, Shopify, Google, Meta, TikTok, Klaviyo, Intercom, Microsoft, PandaDoc | UK-US Data Bridge / IDTA / Standard Contractual Clauses |
| Australia | Supabase | International Data Transfer Agreement (IDTA) |
| Canada | Shopify | UK adequacy decision |
| EU | Typeform | UK adequacy decision for EU/EEA |
| Singapore | TikTok | IDTA / Standard Contractual Clauses |
All international transfers are made in compliance with Chapter V of UK GDPR, using one or more of:
You can request a copy of the relevant transfer safeguards by emailing support@salt-escapes.com.
| Data type | Retention period | Reason |
|---|---|---|
| Website analytics data (aggregated) | 26 months | GA4 default retention; aggregated data kept for trend analysis |
| Cookie identifiers | Varies (see Section 8) | As per individual cookie durations |
| Newsletter subscriber data | Until you unsubscribe + 30 days | Needed to process your unsubscribe; then deleted |
| Enquiry and pre-registration data | 3 years from last contact | To follow up on interest and for business records |
| Booking and customer data | 7 years from retreat date | UK tax and accounting obligations (HMRC) |
| Health and special category data | 1 year after retreat completion | Retained briefly for post-retreat follow-up and safety records; then securely deleted |
| Passport details | 6 months after retreat completion | No longer needed once travel is complete |
| Payment records | 7 years from transaction | UK tax and accounting obligations (HMRC) |
| Emergency contact data | Deleted within 30 days of retreat completion | No longer needed |
| Photos and video | Indefinite (with consent) | Used for marketing; deleted on withdrawal of consent |
| Chat transcripts (Intercom) | 2 years from conversation | Customer service records |
| Contractor data | 7 years from end of contract | UK tax and accounting obligations |
| Session recordings (Clarity) | 30 days | Automatically purged by Microsoft Clarity |
When retention periods expire, data is securely deleted or irreversibly anonymised.
Under UK GDPR, you have the following rights over your personal data. These rights are free to exercise — we will not charge a fee unless a request is manifestly unfounded or excessive.
How to exercise your rights:
Email: support@salt-escapes.com
Please include enough information for us to verify your identity (your name and the email address you used with us). We will respond within one calendar month.
If we cannot fulfil your request (for example, if a legal obligation requires us to keep certain data), we will explain why.
Our retreats and services are designed for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18.
If we discover that we have collected data from a child, we will delete it promptly. If you believe we hold data about someone under 18, please contact us at info@salt-escapes.com.
We take the security of your personal data seriously. Our measures include:
No system is completely secure. If you have concerns about the security of your data, please contact us.
If we become aware of a personal data breach that poses a risk to your rights and freedoms:
We may update this policy from time to time. When we make significant changes, we will:
We encourage you to review this policy periodically.
If you have any questions about this policy or how we handle your personal data:
Email: support@salt-escapes.com
Post: Salt Escapes Ltd, 24 Chelsfield Gardens, London, SE26 4DJ, United Kingdom
If you are unhappy with how we have handled your personal data, we would like the chance to put things right. Please contact us first at support@salt-escapes.com.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Salt Escapes Ltd · Company Number 11086084 · Registered in England and Wales · support@salt-escapes.com