.png){kind=logo}
Evolve Escapes Ltd Privacy Policy
Last Updated: 02/05/2025
Introduction
Evolve Escapes Ltd (“Evolve Escapes”, “we”, “us”, or “our”) takes the privacy of our customers and website users very seriously. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and safeguard your personal data when you interact with our services or visit our website (www.evolve-escapes.com). It also outlines your rights under the UK General Data Protection Regulation (GDPR) and other applicable laws. We encourage you to read this Policy carefully, as it contains important information about your personal data and your rights.
By accessing or using our website or services (including booking a retreat or signing up for our newsletter), you acknowledge that you have read and understood this Policy. This Policy may be updated from time to time to reflect changes in law or our practices, and any updated version will be posted on our website with a new effective date. We encourage you to review this Policy periodically for any changes.
This Policy is governed by the laws of England and Wales. If you do not agree with any aspect of this Policy or any updates, please discontinue use of our services or website.
Who We Are (Controller Identity)
Evolve Escapes Ltd is a wellness and retreat company based in the South East, United Kingdom. For the purposes of data protection law, Evolve Escapes Ltd is the “data controller” of your personal data. This means we determine the purposes and means of processing your personal information. Our commitment is to process your data in accordance with applicable data protection laws, including the UK GDPR and the Data Protection Act 2018. We are dedicated to safeguarding and preserving your privacy.
Contact Details: You can find our contact information at the end of this Policy (see Contact Us section) if you need to get in touch regarding any privacy concerns or to exercise your rights.
Key Terms and Legal Grounds
For clarity, here are some key terms we use in this Policy and what they mean:
• Personal Data: Any information that relates to an individual who can be identified from that data (directly or indirectly). This includes information such as your name, contact details, and booking information, among other data points described below.
• Processing: Any operation performed on personal data, whether by automated means or not. This includes collecting, recording, organizing, storing, altering, using, disclosing, or deleting personal data.
• Legitimate Interests: Our legitimate business interests in conducting and managing our services to provide you with the best experience. When we rely on legitimate interests, we consider and balance any potential impact on you (both positive and negative) and your rights before processing your data. We do not use your personal data for activities where our interests are overridden by the impact on your rights (unless we have your consent or are otherwise required or permitted by law).
• Performance of Contract: Processing your data when it is necessary to fulfill a contract we have with you or to take steps at your request before entering into such a contract. For example, using your information to complete a retreat booking you have requested.
• Legal Obligation: Processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to (for instance, keeping records for tax purposes or responding to lawful requests by authorities).
We will only collect and process your personal data where we have a lawful basis to do so under data protection laws, which typically include one of the above grounds or your explicit consent (for example, when you sign up for marketing communications or provide health information, as described below).
What Data We Collect (Categories of Personal Data)
We may collect, use, store, and transfer different kinds of personal data about you. Below is an overview of the categories of data we handle:
• Identity Data: Information that identifies you, such as your first name, last name, title, date of birth, gender, passport or identification numbers, nationality, and, if you provide them, social media usernames or similar identifiers. We may also record next of kin or emergency contact details when necessary (for example, for emergency contact during a retreat).
• Contact Data: Your contact information, including postal address (home or billing address), email address, and telephone numbers. This also includes any contact details you provide when communicating with us via phone, email, contact forms, or messaging platforms.
• Financial Data: Payment information that you provide to us, such as your bank account details or payment card information, when making a booking or purchase. (Note: We do not store full card details on our own systems when you make payments through our secure payment gateway, but such data may be processed by our payment service provider.)
• Transaction Data: Details about the services we provide to you and payments to and from you. For example, records of retreat bookings, packages or products you have purchased from us, dates and amounts of payments, and any related transaction history.
• Profile Data: If you register an account on our website or engage with us, we may collect profile-related data such as your username and password (for account access), your past bookings or orders, your interests or preferences (e.g., preferred retreat types or activities), dietary preferences, feedback you have provided, and survey responses.
• Usage Data: Information about how you use our website and services. This includes details of your visits to our website, such as pages viewed, the route by which you navigate through the site, time spent on pages, links clicked, and any services or information that you search for. It may also include information about your interactions with our emails (e.g., whether you opened an email or clicked a link).
• Technical Data: Technical information collected when you use our website or online services. This can include your Internet Protocol (IP) address, your browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device type (such as mobile or desktop), and other technology on the devices you use to access our website. We also collect information about cookies (see Cookies section below) and other online identifiers.
• Marketing and Communications Data: Your preferences in receiving marketing from us and third parties, your communication preferences, and records of your consent for different types of communications. This category covers data such as whether you have subscribed to our newsletter, your preferences for how we contact you (e.g., email or phone), and your responses to marketing campaigns.
• Special Category Data (Sensitive Personal Data): In the context of our wellness and retreat services, we may ask for or receive health and lifestyle information that you choose to provide. For example, this might include information about your health conditions, injuries, disabilities, dietary requirements, or other lifestyle and wellbeing details that are relevant to your participation in our retreats (such as emergency medical information, allergy information, or fitness level). This type of information is considered sensitive personal data under data protection law. We only collect and use health or other sensitive data with your explicit consent and solely for the purposes of safeguarding your well-being and providing appropriate accommodations during our retreats or services. Aside from health or dietary data (which we handle as described), we do not intentionally collect other special category data about you (such as information revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, or information about your sex life or sexual orientation), unless you volunteer this information to us. We also do not collect any information about criminal convictions or offenses unless required by law (for example, if a visa or background check is needed for a specific retreat activity and you are informed in advance).
• Aggregated Data: We may also compile aggregated data, such as statistical or demographic data, for analytical purposes. Aggregated data may be derived from your personal data but once aggregated it does not reveal your identity and is not considered personal data in law. For example, we might aggregate usage data to calculate the percentage of users interested in a particular retreat destination. However, if we ever combine or connect aggregated data with your personal data such that it could identify you, we treat the combined data as personal data and protect it accordingly under this Policy.
Note: If you fail to provide personal data that we need to provide a service (for example, essential contact or identity information to finalize a booking), we may not be able to perform the contract we have or are trying to enter into with you (such as registering you for a retreat). In such cases, we will inform you that the provision of certain data is necessary and discuss possible consequences of not providing it.
How We Collect Your Data (Collection Methods)
We collect personal data from you through various methods, including:
• Direct Interactions: Most of the information we collect comes directly from you. You may give us your Identity, Contact, Financial, and health information by filling in forms or corresponding with us by post, phone, email, or otherwise. This includes personal data you provide when you:
• Make an inquiry or booking for a retreat or other services.
• Create an account on our website.
• Subscribe to our newsletter or other publications.
• Request information or marketing to be sent to you.
• Communicate with us via email, phone calls (which may be recorded for quality assurance or training), in person, or via messaging/chat features.
• Fill out forms on our website (such as registration forms, contact forms, or survey forms).
• Enter a competition, promotion, or survey run by us.
• Provide feedback, testimonials, or reviews about our services.
• Automated Technologies or Interactions: As you interact with our website, we may automatically collect Technical Data and Usage Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies, server logs, and other similar technologies. (See the Cookies section for more details on what information is collected through cookies and how you can control it.) For example, when you visit our site, we may collect information about your device and how you use our site to improve your experience and for analytics.
• Third Parties or Public Sources: We may receive personal data about you from various third parties and public sources, such as:
• Service Providers: For example, analytics providers like Google Analytics may provide us with aggregated insights about how users interact with our website (though this data is typically anonymized). Payment processors might provide confirmation of payment transactions.
• Social Media Platforms: If you interact with us through social media (e.g., commenting on our Instagram or Facebook pages, or using a Facebook/Google single sign-on for our services), we may receive certain information from those platforms according to your privacy settings on those services. This could include your social media username, profile information, or content of your comments if you engage with our official pages.
• Business Partners and Referral Programs: If you were referred to us by a partner or book our retreats through a third-party travel agent or wellness platform, those third parties may provide us with your basic personal details and booking information.
• Publicly Available Sources: We could use public databases or platforms (for example, Companies House, social networks, or public websites) to verify information or for fraud prevention purposes, though this is not common in our regular processing.
• Others: On occasion, we might receive information about you from other individuals – for example, if a friend purchases a gift (such as a retreat gift voucher) for you and provides your contact details for delivery, or if someone includes you as an emergency contact.
We will only collect data from third parties if we have assurance that they have obtained it lawfully and that we have a valid legal basis to receive and use it.
Additionally, we may monitor and record communications with you (such as telephone conversations, emails, or online chats) for quality assurance, training, fraud prevention, and compliance purposes. You will be informed if a call is being recorded at the start of the conversation.
How We Use Your Data (Purposes of Processing)
We will only use your personal data when the law allows us to. Most commonly, we use your information in the following circumstances:
• To Provide Our Services (Perform Contracts): We use your information to carry out our obligations arising from any contracts entered into between you and us. Specifically:
• Registering you as a new customer or participant – for example, creating a user profile or account for you on our website or in our booking system, and verifying your identity when you book a retreat or service.
• Processing and fulfilling your bookings – this includes enabling you to make a retreat booking, handling payments (to pay for the retreat and any related services), issuing invoices and receipts, communicating with you about your booking (such as sending booking confirmations, itineraries, and pre-retreat information), and providing the products or services you have requested.
• Managing payments and collections – to manage payment transactions, fees, and charges, and where necessary, to recover money owed to us for services provided. (For example, if a payment is overdue, we might use your contact information to remind you or engage a payment processor or collections agency, if appropriate, under our legitimate interest to recover debts.)
• Providing customer support – to address any inquiries, requests, or issues you have raised, and to provide after-sales service such as resolving complaints or handling cancellations and refunds in line with our terms and conditions.
• To Manage Our Relationship with You: We use personal data to manage and improve our relationship with you as our customer, which includes:
• Communications about changes – notifying you of changes to our terms of service, this Privacy Policy, or other important updates. In some cases, we are legally required to inform you of changes (for instance, updates to privacy practices).
• Customer service and correspondence – communicating with you regarding any questions, feedback, or issues. This may include sending service-related emails or calling you in response to an inquiry.
• Asking for feedback – sending you requests to leave a review, provide a testimonial, or complete a survey about your experience with Evolve Escapes. This helps us improve our services and understand customer satisfaction.
• Maintaining records – keeping internal records of your bookings, correspondence, and interactions with us. We do this for administrative purposes and to ensure we have an accurate history of our dealings with you (which is in our legitimate interest for good business practice and necessary for handling any future queries or disputes). It also includes maintaining reasonable archives of inquiries, bookings, contracts, and complaints for our records.
• Personalizing your experience – using your past interactions and preferences to tailor our services or communications to you. For example, remembering your dietary requirements for future retreats, or tailoring the content on our website to be more relevant to your interests (this overlaps with our legitimate interest in improving our services).
• To Enable Participation in Events or Promotions: If you choose to enter a prize draw, contest, or complete a survey, we will use your personal data to administer these programs. For example, if you enter a competition we are running, we will use your contact information to register your entry, communicate with you regarding the competition, and deliver any prize if you are a winner. If you agree to participate in a customer survey or research interview, we will use your feedback for our business analysis and improvements. (The legal basis here may be performance of a contract when the competition entry is considered a contract, and our legitimate interest in using feedback to improve and grow our business.)
• To Provide and Improve Our Website and Services: We process certain data to operate, protect, and enhance our website and overall offerings:
• Website functionality – using cookies and similar technologies to remember your preferences (e.g., items in your booking cart or your login status) and provide core functionality such as secure login and navigation. (See Cookies below for details.)
• Administration and IT operations – troubleshooting technical issues, performing data analysis, testing, system maintenance, support, and hosting of data. This ensures our website and booking platforms are secure and running smoothly. For instance, we may process Technical Data and Usage Data to debug or improve the user interface of our site.
• Security and fraud prevention – protecting our business, website, and users by monitoring for suspicious activity and keeping our systems safe. This can include processing data to prevent hacking attempts, misuse of our services, or fraud (such as credit card fraud). We also may use personal data to verify identity when necessary for security purposes.
• Analytics and performance – using data analytics to understand how our customers use our website and services, which pages or retreats are most popular, what marketing campaigns are effective, and other insights. This helps us refine our marketing strategy and improve our product offerings, website, and customer experience. (This falls under our legitimate interests to study how customers use our services, to develop them and grow our business.)
• Service improvement – analyzing feedback, usage patterns, and market trends to make informed decisions on developing new retreats or modifying existing ones. For example, we might analyze survey responses or site usage data to determine if we should offer more of a certain type of wellness program.
• To Identify You and Manage Accounts: If you create an account on our website, we will use your Identity and Contact Data to set up and manage that account. This includes authenticating your login, resetting passwords when requested, and maintaining your account information. It also allows us to link any of your bookings or interactions to your profile, providing you with an overview of your history with Evolve Escapes. We may also use your information to identify you when you contact us (for instance, asking for some personal details to verify your identity on a customer support call).
• To Supply Products or Services You Requested: In addition to retreats, if we offer any merchandise, wellness products, or partner services through our platform and you purchase them, we use your personal data to fulfill those orders. This includes processing payments and arranging delivery or access to the product/service.
• To Send Service Communications: We will send you essential communications that are not for marketing purposes, such as:
• Booking confirmations and invoices.
• Information pre-departure (e.g., packing lists, itinerary details, meeting instructions for a retreat).
• Alerts or notices about your trip (e.g., changes in schedule, emergency notifications).
• Administrative emails (e.g., if our terms or privacy policy change, or security alerts regarding your account).
These communications are necessary for performing our contract with you and for keeping you informed about the services you have requested. You cannot opt out of receiving these service communications as they are essential to the service (except by deciding not to use our services).
• For Marketing Purposes (With Consent or Legitimate Interest): We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you, and to send you marketing communications accordingly. This is explained in more detail in the Marketing & Opt-Out section below. In summary, if you have given us your consent (for example, by subscribing to our newsletter or opting in when making a booking) or if we have another lawful basis, we will send you information about our retreats, special offers, new services, or events. You have the right to withdraw consent or opt out of marketing at any time.
• To Comply with Legal Obligations: In certain cases, we need to process personal data to comply with laws and regulations. For example, keeping financial transaction records for tax and accounting purposes, responding to lawful requests from authorities, or retaining information required by consumer protection laws. We may also process data when necessary to establish, exercise, or defend legal claims. This could include preserving emails or records that are relevant to a legal dispute or insurance claim.
• To Prevent Fraud and Ensure Security: As part of our commitment to security, we use personal data to prevent and detect fraud, money laundering, or other illegal activities. For example, we might use identity and transaction information to monitor for suspicious transactions or use technical data to protect against unauthorized access and cyber threats. If necessary, we will use and share data with appropriate third parties (like fraud prevention agencies or law enforcement) for this purpose.
• Change of Purpose: We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so. Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law (for example, if we are asked by law enforcement to provide information).
Legal Bases for Processing: For each of the purposes above, we make sure that we have a lawful basis under GDPR to use your data. The typical legal grounds are:
• Performance of a contract: when processing is necessary to provide the services you have requested (e.g., managing your retreat booking).
• Legitimate interests: when processing is needed for our legitimate business interests (or those of a third party) and your interests and fundamental rights do not override those interests. We rely on this ground for purposes like improving our services, securing our platform, or some marketing activities (where we have considered that sending you relevant information does not override your privacy rights).
• Legal obligation: when we need to process data to comply with a legal or regulatory obligation (e.g., financial record-keeping, responding to legal process).
• Consent: when you have given clear consent for us to process your personal data for a specific purpose (such as sending you certain marketing communications, or processing special category health data you provided for a retreat). Where we rely on consent, you have the right to withdraw it at any time (see below).
Generally, we do not rely on consent as a legal basis for processing your data where another lawful basis is available, except in the context of special category data (like health information) and certain types of marketing. If we ever need to process your data based on consent, we will make that clear to you at the point of collection.
Marketing and Opting Out
Our Marketing Practices: We aim to keep our customers up to date about our latest retreats, events, and special offers, but we will do so in a respectful and privacy-conscious manner. We may use your Identity, Contact, Usage, and Profile Data to form a view on what services or offers may interest you. This helps us to send you only relevant communications (often referred to as direct marketing).
Legal Basis for Marketing Communications: We will send you marketing communications (such as emails with news, offers, or retreat updates) in the following scenarios:
• With Your Consent: If you are a new customer or a website visitor, we will ask for your explicit consent to receive marketing emails, text messages, or newsletters. For example, when you fill out a form on our website to subscribe to our newsletter, we will ask you to tick a box indicating you agree to receive marketing messages from us. Similarly, if you provide your email for updates, we will use it only if you have opted in.
• Existing Customer Relationship: If you have already purchased a retreat or service from us, we may send you information about similar services or retreats that might interest you. This is based on our legitimate interests in promoting our business to those who have shown interest. However, we will always provide a clear opt-out in such communications, and we will honor any opt-out request. (This practice is in line with both GDPR and the Privacy and Electronic Communications Regulations (PECR) which allow what’s sometimes called a “soft opt-in” for existing customers, but we want to ensure you are comfortable with what you receive.)
Third-Party Marketing: We do not share or sell your personal data to unrelated third parties for their own marketing purposes without your explicit consent. If we ever collaborate with a partner (for example, a co-hosted retreat with a partner wellness company) and would like to allow them to send you marketing, we will only do so with your prior consent. Where you have given consent for us to share your details with specific partners for marketing, you are free to withdraw that consent at any time (by contacting us or the third party directly).
Opting Out of Marketing: You have the right to opt out of receiving marketing communications from us at any time. If you no longer wish to receive marketing communications, you can opt out in several ways:
• Unsubscribe Link: Emails that we send for marketing purposes will include an “unsubscribe” link at the bottom. Clicking this link will take you off our mailing list for future promotional emails.
• Contact Us: You can always contact us at info@evolve-escapes.com to inform us that you wish to stop receiving certain or all marketing messages. Please specify which communications you want to opt out of (for example, “email newsletters” or “all marketing”).
• SMS Opt-Out: If we send SMS/text messages (for example, for urgent updates or promotions), we will provide instructions on how to stop receiving texts, typically by replying with a keyword like “STOP”.
• Account Settings: If you have an online account with us, there may be a section in your profile or account preferences where you can manage your communication preferences, including opting out of marketing emails or mailings.
Please note that opting out of marketing communications does not affect service-related communications. We will still contact you regarding your bookings, important updates about your retreat, or other non-marketing purposes as described in the previous section.
Third-Party Marketing Cookies/Ads: Our website may use advertising cookies or pixels (such as Facebook Pixel or Google Ads) to deliver targeted advertisements to you on other platforms. These technologies help us show you retreats or content you might be interested in based on your past interactions with our website. You can control these through cookie settings on our site or via your browser (see Cookies below), and you can manage your ad preferences directly on platforms like Google or Facebook. This form of marketing is more indirect, but we still want to make you aware of it.
Profiling: We may analyze your personal data to create a profile of your interests and preferences so that we can tailor our marketing communications to be more relevant to you. For example, if you have shown interest in yoga retreats, we might prioritize sending you information about upcoming yoga or meditation retreats. This type of profiling for marketing is based on our legitimate interest to provide relevant content, but it does not involve any automated decision that has legal or significant effects on you. You have the right to object to this profiling for direct marketing at any time (see Your Rights below).
Withdrawal of Consent: If we are relying on your consent to send you marketing messages, you can withdraw that consent at any time (which will not affect the lawfulness of any marketing sent before you withdrew consent). Once you opt out or withdraw consent, we will stop using your information for direct marketing. There is no charge for opting out. Just be aware that opting out of marketing will not affect communications we send for other purposes (such as service emails about an upcoming retreat you are attending).
Cookies and Similar Technologies
Our website uses cookies and similar tracking technologies to enhance your experience, understand how our site is used, and assist in our marketing efforts.
What Are Cookies? Cookies are small text files that are placed on your computer or device when you visit a website. They are widely used to make websites work, or work more efficiently, as well as to provide information to the site owners or others. Cookies allow us to recognize your device and remember certain information about your visit (such as your preferred language, items in your cart, or whether you are logged in).
How We Use Cookies: We may use cookies to collect information about your computer or device for system administration, to report aggregate information to our advertisers, and to provide a more personalized experience. Specifically, our use of cookies includes:
• Essential Cookies (Strictly Necessary): These cookies are crucial for the basic functions of our website. For example, they keep track of the items you have selected for booking and carry you through the checkout process. They also help with security and ensuring the website functions correctly (e.g., maintaining your login session). Without these cookies, services you have asked for (like making a booking or staying logged in) cannot be provided. Importantly, these cookies do not gather information about you that could be used for marketing or remembering where you’ve been on the internet.
• Session Cookies: These are temporary cookies that remain on your device only for the duration of your visit to our website (until you close your browser). They enable various site features, such as remembering the fact that you are logged in as you navigate from page to page, or keeping track of selections in a multi-step booking process. Session cookies are deleted when you close your browser.
• Persistent Cookies: These cookies remain on your device after you have finished browsing our website, for a defined period or until you delete them. Persistent cookies allow our website to remember your preferences or actions across multiple visits. For instance, a persistent cookie might remember your login information so you don’t have to sign in every time, or it might remember your language or region selection. Persistent cookies can also help us understand your browsing habits over time so we can improve our site and provide content that interests you.
• Performance and Analytics Cookies: These cookies collect information about how visitors use our website, such as which pages are visited most often, and if users get error messages on certain pages. They do not collect information that directly identifies a visitor; rather, they gather aggregated data. We use these cookies to improve how our website works and to understand how users engage with it. For example, we might use Google Analytics or similar tools to track website usage. The information collected might include the pages you visit, what you click on, how long you stay, and if you experienced any issues. This helps us troubleshoot problems and design a better user experience. All information these cookies collect is used to improve the site’s performance and your experience.
• Functionality Cookies: (Sometimes grouped with strictly necessary cookies) These cookies allow our website to remember choices you make and provide enhanced, more personal features. For example, they might remember your username and preferences to automatically provide personalized features on future visits (like greeting you by name or pre-filling fields). They may also be used to provide services you have asked for, such as watching a video or commenting on a blog. The information these cookies collect may be anonymized and they cannot track your browsing activity on other websites.
• Targeting/Advertising Cookies: These cookies are used to deliver advertisements that are more relevant to you and your interests, both on our site and potentially on other sites (through retargeting). They remember that you have visited our website and may track your browsing habits and activity. We or our advertising partners (such as Google or Facebook) may use this information to show you ads that are more tailored to you. For example, if you looked at a particular retreat on our site, you might later see an advertisement for that retreat (or similar offerings) on another website. These cookies also help us measure the effectiveness of our advertising campaigns (e.g., whether people who see an ad for our retreats actually end up booking one). If we use such cookies, we do so in accordance with applicable law, and where required, we will obtain your consent before placing them.
Cookies in Emails: In addition to cookies on websites, we may include similar tracking mechanisms in our marketing emails to understand if you opened the email or clicked on certain links. This helps us gauge the effectiveness of our communications and tailor future messages. You can disable remote images in your email client if you do not wish to be tracked in this way, or simply opt out of marketing emails.
Your Choices About Cookies: On your first visit to our website, you will have seen a cookies notice or banner that informed you about the use of cookies and gave you options. By clicking “accept” or continuing to use the site after being presented with the notice, you consent to our use of cookies as described in this Policy. However, you do not have to accept all cookies. You can manage your preferences in the following ways:
• Browser Settings: Most web browsers allow you to control cookies through their settings preferences. You can set your browser to refuse all or some cookies, or to prompt you before accepting a cookie from websites you visit. You can also delete cookies that have already been set. Please note that if you block or delete cookies, some parts of our website (especially the essential features) might become inaccessible or not function properly (for example, you may not be able to maintain a logged-in session or complete a booking).
• Opt-Out Tools: For analytics and advertising cookies, you can often use specific opt-out tools provided by the third parties. For example, you can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on, and you can manage preferences for Google Ads at the Google Ad Settings page. For Facebook and other social media advertising, you can adjust your ad preferences on those platforms.
• Do Not Track Signals: Some browsers offer a “Do Not Track” (DNT) feature that lets you tell websites that you do not want to have your online activities tracked. Our website currently does not respond to DNT signals, because there is not yet a common industry standard for DNT. We will update our practices if a standard emerges.
More Information: For more detailed information about cookies and how to manage or disable them, you can visit www.allaboutcookies.org. If you have questions about the specific cookies we use or need assistance adjusting your preferences, feel free to contact us at info@evolve-escapes.com.
Data Security
We understand the importance of keeping your personal data secure. We have put in place appropriate technical and organizational measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered, or disclosed. These measures include:
• Access Controls: We limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality. For example, only staff responsible for customer services or bookings will have access to your booking details, and only our finance team (or payment processor) will handle payment information. We also impose confidentiality agreements on our contractors and service providers who may handle personal data.
• Secure Storage: We use secure servers and reputable hosting services to store your data. These servers have robust security measures (such as firewalls, encryption in transit, and regular security audits) to safeguard data. Whenever possible, we encrypt personal data at rest or in transit. For instance, our website uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) technology to encrypt data transmitted between your browser and our website (you can often see this as a padlock icon in your browser address bar).
• Encryption: For any sensitive transactions (like payment information), we use encryption and secure payment gateways. Payment card information is processed using industry-standard security (PCI-DSS compliance) via our payment providers. We do not store your full credit card details on our own systems.
• Regular Monitoring and Testing: We regularly monitor our systems for potential vulnerabilities and attacks, and we carry out penetration testing and security assessments on our website and IT infrastructure. Software and tools used in our business are kept up to date to protect against known security threats and vulnerabilities.
• Organizational Practices: Our team is trained on data protection best practices, and we have internal policies in place to handle data securely. We minimize the amount of physical paperwork containing personal data, and such documents are stored securely or shredded when no longer needed. Access to physical records (if any) is restricted. We also have procedures to deal with any suspected personal data breach, including notifying you and any applicable regulators when we are legally required to do so.
• Vendor Due Diligence: When we use third-party service providers (for example, cloud storage, booking software, or email marketing platforms), we choose reputable companies and ensure they have appropriate security measures. We also have contracts in place with them that require protection of personal data.
Despite our efforts, no method of transmission over the internet or method of electronic storage is completely secure. Therefore, we cannot guarantee absolute security. Transmission of information via the internet (for example, via email or web forms) is at your own risk. If you send us any information electronically, please be aware that no data transmission can be guaranteed to be 100% secure. Once we receive your information, we will apply our strict security procedures to try to prevent unauthorized access.
If you have been given (or have chosen) a password to access certain parts of our website, you are responsible for keeping this password confidential. Please do not share your password with anyone. We will never ask you for your password via unsolicited communication (such as unsolicited phone calls or emails).
Your Own Security Measures: We strongly encourage you to take additional steps to protect your personal data. Ensure that you use strong, unique passwords for your accounts, update your devices and software with the latest security patches, and use up-to-date anti-virus and anti-malware protection on your devices. Be cautious of phishing attempts or fraudulent messages pretending to be us; all official communications will come from our legitimate contact details. If you receive any suspicious correspondence claiming to be from Evolve Escapes (for example, asking for your personal details or passwords), please contact us to verify its authenticity. We cannot be responsible for breaches of security that are beyond our reasonable control, such as your own device being compromised or unsecured.
In the unlikely event of a data breach that poses a high risk to your rights and freedoms, we will notify you and the relevant regulatory authority (such as the Information Commissioner’s Office in the UK) as required by law.
Data Retention (How Long We Keep Your Data)
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purpose of satisfying any legal, accounting, or reporting requirements. In general, this means:
• Active Use: We keep personal data that is necessary for us to provide you services or respond to inquiries while we are actively engaged with you. For example, if you are a customer who booked a retreat, we will retain your personal data at least until your retreat is completed and any follow-up services are provided.
• Retention for Legal/Business Purposes: After you have stopped using our services, we may still need to keep certain information for various reasons:
• Accounting and Tax Records: Financial transaction records (such as invoices, payment records, and related Identity/Contact Data) are typically retained for a required period (e.g., 6-7 years) to comply with UK tax law and HM Revenue & Customs requirements.
• Customer Service and Warranty: If you have interacted with us, we may retain correspondence (emails, support tickets) for a certain period in case you return to use our services or have follow-up questions. Also, if any aspect of our service came with a guarantee or follow-up (for example, a post-retreat support period), we would keep relevant data through that period.
• Legal Compliance: We will retain personal data as long as necessary to comply with legal obligations. For instance, we may keep records of consents and opt-outs (for marketing) as required by privacy laws, or retain data if instructed by law enforcement or a court order.
• Dispute Resolution: If you have lodged a complaint or if we reasonably believe there is a prospect of a dispute or claim regarding our relationship with you, we will retain relevant information until the issue is resolved and for a period thereafter as legally required (e.g., the statute of limitations for contract claims).
• Legitimate Business Needs: We might retain certain data to maintain business records, analysis, or for fraud prevention. For example, we may keep minimal information about past customers (like name and booking history) to identify repeat customers or to analyze booking trends, but we will pseudonymize or anonymize it if full detail is not needed.
• Anonymized Data: In some cases, rather than delete your data entirely, we may anonymize it so it can no longer be associated with you, and then retain it for research or statistical purposes without further notice to you. For example, we might retain aggregate statistics about how many people from various regions attended our retreats each year, but that data would not personally identify anyone.
Determining Retention Periods: To determine the appropriate retention period for personal data, we consider the nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it and whether we can achieve those purposes through other means, and all relevant legal requirements. We regularly review the data we hold and securely delete or anonymize information that is no longer needed.
End of Retention: When we no longer have a lawful reason to keep your data, we will securely destroy or delete it. This may involve erasing electronic files, securely shredding paper files, or using specialized software to ensure data cannot be recovered. If deletion is not immediately possible (for example, because the data is stored in backups), we will ensure that it is not accessed or processed further until deletion is possible.
If you have any specific questions about our data retention practices for a particular type of data, you can contact us for more information.
How We Share Your Data (Disclosure to Third Parties)
We treat your personal data with care and confidentiality. However, in order to run our business and provide our services to you, we sometimes need to share your information with third parties. We will never sell your personal data to unrelated third parties for their own use, but we may share data with the following categories of recipients under the circumstances described:
• Group Companies and Affiliates: If Evolve Escapes Ltd has any subsidiary or affiliated companies (for example, if we operate different brands or a parent company), we may share your information within our corporate group as needed to administer our services and provide you with offerings. Any such sharing will be on a need-to-know basis and under strict data protection obligations.
• Service Providers and Suppliers: We use trusted third-party service providers to perform certain functions on our behalf. This includes:
• IT and Hosting Services: Companies that provide hosting of our website, data storage, cloud services, or IT support.
• Payment Processors: Banks and payment gateways that handle credit card transactions and other payment processing.
• Booking and Travel Partners: For example, if our retreat includes accommodations, transportation, or activities provided by third parties, we may need to share your Identity and Contact Data (and potentially health information like dietary needs) with those partners so they can deliver the services (e.g., hotels, transport companies, tour operators, or instructors hosting parts of the retreat).
• Marketing and Analytics Providers: Agencies or platforms that assist in sending out newsletters, analyzing site traffic, or providing marketing services (like an email marketing platform or Google Analytics). They process data on our behalf to help us communicate with you or understand our business.
• Professional Advisors: We may disclose necessary information to our lawyers, accountants, auditors, or insurers where that is necessary for them to provide us with advice or to protect our legal rights.
• Employees and Agents: Our own staff and agents will have access to data as needed to perform their job duties (as described in Data Security above). This is an internal “sharing” within our organization.
These service providers act on our instructions and are contractually bound to keep your information confidential and secure. When third parties are processing data on our behalf, they are known as “data processors” and we remain responsible for protecting your data.
• Third Parties Involved in Your Transactions: When it’s necessary to fulfill a contract or booking you have made, we will share data with the relevant parties. For example:
• If you book a retreat that involves a third-party facilitator or a partner retreat center, we will share the minimum necessary information with them (e.g., your name, and possibly health info like allergies if they are providing meals).
• If you request a specific service through us that is actually provided by another company (such as travel insurance, a local excursion, or equipment rental), we will pass on the details required to arrange that service.
• If you enter a competition co-sponsored by another organization, and you consented to the rules of that competition, we might share entrant information with that co-sponsor for prize fulfillment.
• Business Partners (with your consent for Marketing): With your prior consent, we may share your information with certain partners for marketing or partnership purposes. For instance, if we host a retreat in collaboration with a fitness brand or a travel agency and you agree to receive information from them, we may share your contact information so they can send you relevant materials. This will only be done if you have explicitly opted in to such sharing, typically via a checkbox or similar consent mechanism. (See Marketing and Opting Out above regarding third-party marketing.)
• Insurance Providers: If the nature of our service or a specific situation requires, we may share information for insurance purposes. For example, if an incident occurs on a retreat and an insurance claim is involved, we might provide details to our insurance company (or to a travel insurance provider, if you purchased insurance through us or if they request information for a claim you make).
• Business Transfers (Sale or Restructuring): In the event that we consider selling, merging, or transferring parts of our business or assets, personal data held by us may be one of the assets transferred to a buyer or partner. If Evolve Escapes Ltd is involved in a merger, acquisition, or sale, your personal data may be disclosed to prospective or actual purchasers or merged entities as part of the transaction, under the terms of confidentiality and only for the purposes of evaluating or completing that transaction. If such a transfer occurs, the successor entity will be bound by this Privacy Policy in how it handles your personal data (unless or until the Policy is updated or replaced with notice to you).
• Legal Obligations and Law Enforcement: We may disclose your personal data to third parties when required to do so by law or if such action is necessary to:
• Comply with a legal obligation or regulatory requirement (for example, responding to a court order, subpoena, or lawful request by public authorities including to meet national security or law enforcement requirements).
• Enforce our terms and conditions or other agreements.
• Protect the rights, property, or safety of Evolve Escapes, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
• In connection with legal claims: If there are any legal proceedings or potential legal proceedings (e.g., if there is a dispute or you have violated the terms of a booking), we may need to disclose information to our legal advisors and to the courts or opposing parties.
• Fraud and Credit Checks: We may share personal data with third parties to conduct checks on your financial standing or to prevent fraud. For example, we might use or disclose your data to fraud prevention agencies, payment verification services, or credit reference agencies (if you are using a credit service) to ensure payment security and guard against fraudulent transactions. These third parties may keep a record of the search or information provided to them.
• Public Forums and Reviews: If our website offers the ability to post reviews, comments, or other content that is intended to be public (such as a testimonial section, blog comments, or a community forum), any personal data you include in those postings may be visible to other visitors. For example, if you post a review of a retreat and include your name or other personal info in it, that information will be published publicly on our site. You are in control of what information you disclose in these instances, and we advise you to exercise caution when sharing personal details in a public forum. We do moderate content to ensure that inappropriate or excessive personal data is not shared, but ultimately if a feature is meant to share information publicly, data you provide there will be visible to others.
We require all third parties to whom we disclose your data to respect the security of your personal data and to treat it in accordance with the law. Where those third parties act as “data processors” on our behalf, they must act only on our instructions and implement appropriate security measures. Where a third party is a “data controller” in their own right (for example, an airline providing a flight as part of a travel package, or a partner who co-hosts an event), they are responsible for handling your data in accordance with their own privacy policy and applicable laws. We are not responsible for the data practices of independent third-party controllers, but we will only work with reputable partners and will only share what is necessary.
If you would like more details about which specific third parties your data may be shared with (for example, the identity of a service provider we use), you can contact us for more information. Please note that such partners and service providers may change from time to time, but we remain committed to ensuring any transfer of data is done securely and lawfully.
International Transfers
Evolve Escapes is based in the United Kingdom. However, the personal data that we collect from you may be transferred to, stored at, or processed in other countries, including countries outside the UK or the European Economic Area (EEA). For example:
• We may use cloud-based servers or service providers located outside the UK/EEA for hosting data or for email communications.
• If you join a retreat or event outside of the UK/EEA, we might need to share your information with service providers or partners in that country (for example, hotels or transport companies abroad).
• Some of our third-party service providers (such as analytics or marketing platforms, or IT support services) might be based outside the UK/EEA.
Risks in International Transfers: When your data is transferred outside of the UK/EEA, it may be to a country that does not have the same level of data protection laws as the UK/EEA. However, we are legally required to ensure that any such transfers are safeguarded.
Our Safeguards: Whenever we transfer your personal data out of the UK or EEA, we will take steps to ensure it is afforded a similar degree of protection by implementing at least one of the following safeguards:
• Adequacy Decisions: We may transfer data to certain countries that have been deemed to provide an adequate level of protection for personal data by the UK government or European Commission. For instance, at the time of writing, countries in the EEA are considered adequate with respect to UK data (and vice versa), and there are other countries with adequacy decisions in place.
• Standard Contractual Clauses (SCCs): Where we use service providers outside the UK/EEA, we may use specific standard contractual clauses (legal contracts approved by the European Commission and/or the UK’s Information Commissioner) which give personal data the same protection it has in Europe. These SCCs oblige the recipient of the personal data to protect it to the standards required in the UK/EEA.
• Binding Corporate Rules: In the case of any intragroup transfers (if our company group spans multiple countries), we may rely on approved Binding Corporate Rules which ensure all companies in the group protect personal data according to GDPR standards.
• Other Lawful Mechanisms: We may rely on other valid transfer mechanisms or exemptions provided by applicable data protection laws, such as explicit consent from you in specific situations, or transfers necessary for the performance of a contract (for example, booking a stay at a hotel in a foreign country as part of a retreat you signed up for).
Consent for International Transfer: By providing your personal data to us and using our services, you acknowledge that your data may be transferred, stored, and processed outside of your country of residence, including in countries that may have different data protection rules. However, please rest assured that irrespective of where your data is processed, we will take all reasonable steps to ensure that your privacy is safeguarded as outlined in this Policy.
If we transfer your personal data out of the UK/EEA, we will on request provide you with further details concerning the transfer mechanism we have in place. You can contact us (see Contact Us section) if you would like more information about international data transfers or specific safeguards.
Your Rights Under Data Protection Law
Under UK data protection laws (and the EU GDPR if applicable), you have a number of important rights in relation to your personal data. These include:
• Right to Access: You have the right to request access to the personal data we hold about you, commonly known as a “data subject access request”. This allows you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. We will provide you with a copy of your data, usually free of charge. In rare cases, if your request is unfounded, repetitive, or excessive, we may charge a reasonable fee or refuse to comply, but we will explain why. We may need to ask for specific information from you to confirm your identity before releasing data, as a security measure to ensure data is not disclosed to the wrong person.
• Right to Rectification (Correction): If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. This is also sometimes called the right to rectification. You can request that we correct any errors in your data or complete any incomplete data we have. For example, if you change your phone number or notice we have your name spelled incorrectly, you can ask us to update it.
• Right to Erasure: You have the right to request the deletion or removal of your personal data in certain circumstances. This right, also known as the “right to be forgotten,” enables you to ask us to delete or remove personal data where there is no compelling reason for us to continue processing it. For instance, you can request erasure if:
• The data is no longer necessary for the purpose we originally collected or processed it for.
• You withdraw consent (where the processing was based on your consent) and we have no other legal basis to continue processing.
• You successfully exercise your right to object to processing (see below) and we have no overriding legitimate grounds to continue processing.
• We processed your data unlawfully or in breach of data protection laws.
• The data must be erased to comply with a legal obligation.
Please note that the right to erasure is not absolute. We may not be able to delete your data if certain exceptions apply. For example, we might need to keep some information to comply with a legal obligation (such as retaining transaction records) or to establish or defend legal claims. If we cannot honor an erasure request, we will inform you of the reasons.
• Right to Object: You have the right to object to our processing of your personal data where we are relying on a legitimate interest (or those of a third party) and you feel our processing impacts your fundamental rights and freedoms. You also have the absolute right to object if we process your personal data for direct marketing purposes. This means if you object to marketing, we will stop processing your data for those purposes immediately. For other objections (like those based on legitimate interests), we will comply unless we have compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if we need to continue processing for the establishment, exercise, or defense of legal claims.
• Right to Restrict Processing: You have the right to request the restriction or suspension of processing of your personal data in certain circumstances. This means we can continue to store your data but must limit how we use it. You can ask us to restrict processing of your data in the following scenarios:
• If you want us to verify the data’s accuracy after you have contested its accuracy.
• Where our use of the data is unlawful, but you do not want us to erase it (for example, you may prefer we restrict its use rather than delete it).
• Where you need us to keep the data even if we no longer require it, because you need it to establish, exercise, or defend legal claims.
• If you have objected to our use of your data (see the right to object above), but we need to verify whether we (or a third party) have overriding legitimate grounds to continue using it.
When processing is restricted, we are allowed to store the data but not use it further unless you consent or it’s needed for legal claims, to protect someone else’s rights, or for reasons of important public interest.
• Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes across different services. Specifically, you can request that we provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format (where technically feasible). This right applies only to information you have provided to us, and that we process by automated means, and where our basis for processing is your consent or for the performance of a contract. For example, if you provided us with data and want to transfer it to a different travel provider, data portability would allow you to obtain your data from us in a usable digital format.
• Right to Withdraw Consent: Where we rely on your consent to process personal data (which is not often, but for example, for sending marketing emails or processing health data), you have the right to withdraw that consent at any time. If you withdraw consent, we will stop the specific processing that was based on your consent. However, please note:
• Withdrawal of consent does not affect the lawfulness of processing that was carried out based on your consent before it was withdrawn. In other words, processing done up to that point remains valid.
• If you withdraw consent for things like marketing, we will cease those communications (as described in Marketing and Opting Out).
• If you withdraw consent for us to use health or other special category data you provided, we will stop using it for the given purpose; however, if the use of that data is integral to providing a service (for example, if you withdraw consent for us to use allergy information, we might not be able to ensure your dietary needs on a retreat), we will inform you of any implications. In some cases, withdrawing consent for certain processing might mean we cannot continue to provide a service to you (if that processing is necessary for the service). We will advise you if this is the case.
• Right to Complain to a Supervisory Authority: In the UK, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. The ICO’s contact details can be found at www.ico.org.uk. If you are located in another country, you may have the right to lodge a complaint with your local data protection authority as well.
We aim to address all requests and concerns to your satisfaction before you feel the need to approach a regulator. Your trust is our priority, so we welcome you to contact us first to resolve any issue. (See Contact Us below.)
How to Exercise Your Rights: If you wish to exercise any of the rights outlined above, please contact us using the details provided in the Contact Us section. To help us process your request efficiently, please provide as much detail as possible about what you are seeking. For example, if it’s a subject access request (right of access), specifying the date range or nature of interactions you’ve had with us can be helpful (though not required).
Verification: We will need to verify your identity before fulfilling a rights request to ensure that we do not disclose personal data to the wrong person. We may ask you to provide certain information or identification (such as a copy of an ID) as a security measure. Any such information will be used only for verification purposes.
Response Time: We strive to respond to all legitimate requests within one month. If your request is particularly complex or if you have made a number of requests, it may take us longer (up to an additional two months). In such cases, we will notify you within the initial one-month period and keep you updated on the progress.
Fees: You will not have to pay a fee to exercise your rights or access your personal data. However, as mentioned, if a request is unfounded, repetitive, or excessive, we may charge a reasonable fee or refuse the request (and we will explain why).
Third-Party Links
Our website may contain links to third-party websites, plug-ins, and applications that are not operated by Evolve Escapes. For example, we might link to partner organizations, social media platforms (like Instagram or Facebook), or useful resources. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.
Please note: If you follow a link to any of these external websites, this Privacy Policy will no longer apply, and the privacy practices of those third parties will govern any data they collect from you. We do not have control over, and are not responsible for, the content, security, or privacy practices of third-party sites. We encourage you to read the privacy policies of every website you visit, especially if you provide personal data to them.
For instance, if you click a link to book travel insurance on a partner’s site or engage with us on social media, any data collected by that third party (such as your name, login information, or any content you provide) is governed by that third party’s privacy notice.
We do, however, seek to protect the integrity of our site and welcome any feedback about these third-party sites (including if a link is broken or if you have concerns about a site we link to).
Changes to This Privacy Policy
We may update or change this Privacy Policy from time to time. This might be done to reflect changes in our practices, to clarify our policies, or to ensure compliance with legal requirements. If we make changes, we will post the updated Policy on our website with a new “Last Updated” date at the top.
For significant changes (especially any that affect your rights or the way we use personal data), we may also provide a more prominent notice or notify you via email or other direct communication. For example, if we were to expand the types of personal data we collect or introduce new purposes for processing, we would inform you and, if necessary, obtain your consent.
We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued use of our website or services after any changes or revisions to this Policy indicates your agreement with the terms of the revised Policy.
If you do not agree with any updates to the Policy, you should cease using our services and you may contact us to remove your data as per your rights.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to contact us. We are here to help and address any issues you may have.
Contact Information for Privacy Inquiries:
• Email: info@evolve-escapes.com
• Postal Address: Evolve Escapes Ltd, South East, United Kingdom. (Please mark correspondence as “FAO: Data Protection Officer” or “Privacy Inquiry” to ensure it is directed appropriately.)
(If you prefer to contact us by phone, please use any customer service number provided on our website or in our communications. Phone inquiries about privacy will be directed to the appropriate personnel.)
We will respond to your inquiries as soon as reasonably possible, typically within normal business hours.
If you need to contact the Information Commissioner’s Office (ICO) – the UK’s supervisory authority for data protection – you can find their details at www.ico.org.uk or call their helpline at +44 303 123 1113. We would appreciate the chance to address your concerns first, so please consider reaching out to us before contacting the ICO.
Thank you for trusting Evolve Escapes. Your privacy is paramount to us, and we are committed to ensuring that your personal data is handled safely and transparently.
