Privacy Policy
Last updated: February 2026
1. Introduction
Welcome to Back of House ("we", "us", "our"). We are committed to protecting and respecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
This Privacy Policy explains how we collect, use, store, and share your personal data when you visit our website, purchase tickets, or interact with Back of House Festival ("the Festival").
Back of House is the data controller responsible for your personal data. Our registered address is 145/147 Hatfield Road, St Albans, Hertfordshire, AL1 4JY.
2. Information We Collect
We may collect and process the following categories of personal data:
2.1 Information You Provide Directly
- Identity data: first name, last name, date of birth
- Contact data: email address, telephone number, postal address
- Financial data: payment card details (processed securely via our third-party payment processor)
- Transaction data: details of tickets, products, or services you have purchased from us
- Communications data: any correspondence you send to us including emails, contact form submissions, and social media messages
- Marketing preferences: your preferences for receiving marketing communications and your communication preferences
2.2 Information Collected Automatically
- Technical data: IP address, browser type and version, operating system, device type, screen resolution, time zone setting, and platform
- Usage data: pages visited, time spent on pages, click-through data, page interaction information, download errors, and browsing patterns
- Location data: approximate geographical location derived from your IP address
- Cookie data: information collected through cookies and similar tracking technologies (see Section 9)
2.3 Information from Third Parties
- Ticketing platforms: data from third-party ticketing services when you purchase tickets to the Festival
- Social media platforms: information from your social media profiles if you interact with us through these channels
- Analytics providers: aggregated data from services such as Google Analytics and Meta
3. How We Use Your Information
We process your personal data for the following purposes and on the following lawful bases under Article 6 of the UK GDPR:
| Purpose | Lawful Basis |
|---|---|
| Processing ticket purchases and managing your booking | Performance of a contract |
| Sending service-related communications (e.g. booking confirmations, event updates) | Performance of a contract / Legitimate interest |
| Sending marketing communications about the Festival | Consent |
| Improving our website, services, and user experience | Legitimate interest |
| Analysing website usage and audience demographics | Legitimate interest / Consent (for cookies) |
| Responding to enquiries and providing customer support | Legitimate interest / Performance of a contract |
| Complying with legal obligations (e.g. tax, licensing) | Legal obligation |
| Health and safety management at the Festival | Legal obligation / Vital interest |
| Fraud prevention and security | Legitimate interest |
4. Marketing Communications
We will only send you direct marketing communications where you have given your explicit consent (opt-in) or, for existing customers, where we are marketing similar products or services and you have not opted out (soft opt-in), in accordance with PECR.
You can withdraw your consent or opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Emailing us at hello@backofhousefestival.com
- Writing to us at our registered address
Opting out of marketing will not affect service-related communications necessary for the performance of our contract with you (e.g. ticket confirmations, essential event information).
5. Who We Share Your Data With
We may share your personal data with the following categories of recipients:
- Service providers: third-party companies that provide services on our behalf, including payment processing, email delivery, website hosting, and analytics
- Ticketing partners: platforms used to manage and distribute tickets for the Festival
- Professional advisers: lawyers, accountants, and insurers where necessary
- Law enforcement and regulators: where required by law, regulation, or legal proceedings
- Event partners: sponsors or collaborators, but only with your explicit consent
We require all third parties to respect the security of your personal data and to process it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your data for specified purposes and in accordance with our instructions.
6. International Transfers
Some of our third-party service providers (e.g. Google, Meta) are based outside the United Kingdom. When we transfer your personal data outside the UK, we ensure that adequate safeguards are in place as required by the UK GDPR, including:
- Transfers to countries that have been deemed to provide an adequate level of protection by the UK Secretary of State
- Use of the International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses
- Other appropriate safeguards as permitted under Article 46 of the UK GDPR
Please contact us if you would like further information about the specific safeguards applied to the export of your personal data.
7. Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including to satisfy any legal, accounting, or reporting requirements.
In general, we apply the following retention periods:
- Ticket purchase data: 6 years from the date of the event (for tax and legal compliance)
- Marketing consent records: retained for as long as you remain opted in, plus 12 months after you opt out
- Website analytics data: anonymised and aggregated after 26 months
- Customer enquiries: 2 years from the date of your last correspondence
- CCTV and event security footage: 30 days unless required for an ongoing investigation
When your personal data is no longer required, we will securely delete or anonymise it.
8. Data Security
We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure access controls and authentication
- Regular security assessments and vulnerability testing
- Staff training on data protection and information security
- Incident response procedures for data breaches
While we take all reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your personal data.
9. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to distinguish you from other users. This helps us provide you with a good experience and allows us to improve our website.
Types of Cookies We Use
- Strictly necessary cookies: essential for the operation of our website. These do not require consent.
- Analytics cookies: allow us to recognise and count visitors and understand how they move around our site (e.g. Google Analytics). These require your consent.
- Marketing cookies: used to track visitors across websites to display relevant advertisements (e.g. Meta Pixel). These require your consent.
Third-Party Cookies
We use the following third-party services that may set cookies:
- Google Analytics (GA4): web analytics service provided by Google LLC. Google Privacy Policy
- Meta Pixel: conversion tracking and audience building tool provided by Meta Platforms, Inc. Meta Privacy Policy
You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.
10. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data:
- Right of access: you can request a copy of the personal data we hold about you (a "Subject Access Request")
- Right to rectification: you can ask us to correct inaccurate or incomplete personal data
- Right to erasure: you can ask us to delete your personal data in certain circumstances (the "right to be forgotten")
- Right to restrict processing: you can ask us to suspend the processing of your personal data in certain circumstances
- Right to data portability: you can request the transfer of your personal data to you or a third party in a structured, commonly used, machine-readable format
- Right to object: you can object to the processing of your personal data where we are relying on a legitimate interest, or for direct marketing purposes
- Rights related to automated decision-making: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects
- Right to withdraw consent: where we are relying on consent to process your personal data, you can withdraw that consent at any time
To exercise any of these rights, please contact us at hello@backofhousefestival.com. We will respond to your request within one month. In exceptional circumstances, we may extend this by a further two months, and we will inform you if this is necessary.
You will not normally have to pay a fee to exercise your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.
11. Children's Privacy
Our website and the Festival are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will take steps to delete such information.
Where tickets are purchased for attendees under 18, we require that the booking is made by a parent or legal guardian who accepts this Privacy Policy on their behalf.
12. Photography and Filming at the Festival
Please be aware that photography and filming may take place at the Festival for promotional, security, and operational purposes. By attending the Festival, you acknowledge that you may be photographed or filmed.
We process this data on the basis of our legitimate interest in promoting and documenting the Festival. If you have concerns about being photographed or filmed, please speak to a member of our event team on site.
Any professional photography or filming conducted by us or our authorised partners will be used in accordance with this Privacy Policy.
13. Links to Third-Party Websites
Our website may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Any changes will be posted on this page with an updated "Last updated" date.
Where changes are significant, we will make reasonable efforts to notify you (e.g. by email or a prominent notice on our website). We encourage you to review this Privacy Policy periodically.
15. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
16. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Back of House
145/147 Hatfield Road
St Albans, Hertfordshire, AL1 4JY