Coast Pool Privacy Policy
COAST POOL
Privacy Policy
Data Controller: Padstow Holiday Park Ltd
Contact: coast@padstowholidaypark.co.uk | 01841 532289
Last updated: April 2026
1. Introduction
Padstow Holiday Park Ltd (“we”, “us”, “our”) operates Coast Pool at Padstow Holiday Park, Cornwall. We are the data controller responsible for your personal information.
This Privacy Policy explains what personal data we collect, why we collect it, how long we keep it, and what rights you have. It applies to all Coast Pool members, including members registered on behalf of children under 16.
We are committed to handling your data lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Personal Data We Collect & Why
The table below sets out each category of personal data we process, the purpose for which we process it, and the lawful basis under UK GDPR.
| Data type | Purpose | Lawful basis | UK GDPR reference |
| Name and contact details | Create and manage your membership; send booking confirmations and essential service communications | Performance of a contract | Art. 6(1)(b) |
| Date of birth | Verify age eligibility; determine membership category (adult, child, infant) | Performance of a contract | Art. 6(1)(b) |
| Address and postcode | Confirm eligibility for local membership (specific PL/TR postcodes); identify the member | Legitimate interests | Art. 6(1)(f) |
| Emergency contact details | Contact a nominated person in the event of a medical or safety incident | Vital interests | Art. 6(1)(d) |
| Health or medical information (optional, special category data) | Ensure your safety and wellbeing; enable appropriate emergency response | Explicit consent; vital interests in emergencies | Art. 9(2)(a) and Art. 9(2)(c) |
| Payment information | Process membership fees, swim credits, and packages securely | Performance of a contract | Art. 6(1)(b) |
| CCTV images | Monitor pool activity for safety; deter and detect crime; protect members, staff, and property | Legitimate interests | Art. 6(1)(f) |
| Children’s data (name, DOB, relevant health info) registered by a parent or guardian | Same purposes as above, applied to child members under 16 | Same bases as above; parent/guardian provides consent where required | Art. 6(1)(b), 8, 9(2)(a)/(c) |
Legitimate interests note: Where we rely on legitimate interests (address verification and CCTV), we have assessed that our interests in operating a safe, eligible-members-only facility do not override your privacy rights, given the limited and proportionate nature of the processing.
3. Children’s Data
We treat anyone under 16 as a child for the purposes of this policy.
A parent or guardian must register on behalf of any child member. By completing a child’s membership registration, the parent or guardian confirms they have parental responsibility and consent to the processing of the child’s personal data as described in this policy.
Children should use the same contact email address as their parent or guardian when registering. We do not send marketing communications to children’s accounts.
Health or medical information about a child must be provided by the parent or guardian and is treated with the same care as health information about adults.
If you believe we hold personal data about a child without appropriate parental consent, please contact us at coast@padstowholidaypark.co.uk so we can investigate and, if necessary, delete it.
4. CCTV
Coast Pool operates CCTV cameras in and around the pool facility, including the pool hall, reception area, and external areas of the building. CCTV is not operated in changing rooms or toilet facilities.
Why we use CCTV
- To monitor pool activity and respond to safety incidents in a non-lifeguarded environment
- To deter and detect crime, vandalism, and anti-social behaviour
- To protect the safety of our members, staff, and property
How long we keep CCTV footage
CCTV footage is retained for a maximum of 30 days, after which it is automatically overwritten unless it is required in connection with an incident, complaint, or legal matter, in which case it may be retained for longer.
Access to CCTV footage
CCTV footage is accessible only to authorised members of Coast Pool management and, where required by law, to the police or other relevant authorities.
Your rights regarding CCTV
You have the right to request access to CCTV footage in which you appear (a Subject Access Request). We will respond within one month. We may redact footage that contains images of third parties. Please contact us at coast@padstowholidaypark.co.uk to make a request.
CCTV is clearly signposted within and at the entrance to the facility.
5. Who We Share Your Data With
We do not sell your personal data. We share it only as described below.
EZFacility (data processor)
We use EZFacility, Inc. (a subsidiary of Gary Jonas Computing Ltd) to run our booking and membership management system. EZFacility acts as our data processor — they process your data only on our instructions and for the purposes set out in this policy. They do not use your data for their own purposes.
If you contact EZFacility directly with a query about your data, they will pass your request to us as data controller.
Other third parties
- Payment processors: to handle secure payment transactions
- Police and law enforcement: where we are required to do so by law, or to prevent or investigate crime
- Our professional advisers (solicitors, accountants): where necessary, under confidentiality obligations
We do not share your data with any third party for marketing purposes.
6. International Data Transfers
EZFacility stores and processes your personal data on servers located in the United States. To ensure your data receives the same level of protection as in the UK, EZFacility relies on the following UK-approved transfer safeguards:
- The UK–US Data Bridge (an extension of the EU–US Data Privacy Framework recognised by the UK Government), and/or
- Standard Contractual Clauses approved by the European Commission and recognised under UK GDPR.
You can find further details in EZFacility’s Privacy Policy at www.ezfacility.com/privacy-policy.
7. How Long We Keep Your Data
| Data category | Retention period | Reason |
| Membership data (name, contact, DOB, address) | Duration of membership + 24 months | To resolve queries and manage potential legal claims |
| Health information (if provided) | Duration of membership + 24 months | Safety records; potential legal liability |
| Payment records | 6 years from transaction | HMRC and Companies Act requirements |
| CCTV footage | Up to 30 days (unless retained for an incident) | Operational security; overwritten automatically |
| Children’s membership data | Duration of membership + 24 months | Same as adult membership data |
After the applicable retention period, your data will be securely deleted or anonymised. Our agreement with EZFacility requires them to delete or return your data on our instruction.
8. Your Rights
Under UK GDPR, you have the following rights. Most requests will be responded to within one calendar month.
| Right | What this means |
| Access | Request a copy of the personal data we hold about you (a Subject Access Request). |
| Correction | Ask us to correct inaccurate or incomplete data. |
| Deletion | Request that we delete your data where there is no compelling reason for us to continue processing it. |
| Restriction | Ask us to restrict processing of your data in certain circumstances — for example, while we verify its accuracy. |
| Objection | Object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds that override your interests. |
| Portability | Request your data in a structured, machine-readable format where processing is based on consent or contract. |
| Withdraw consent | Where we process data on the basis of your consent (including explicit consent for health data), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Complain to the ICO | You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113. |
To exercise any of these rights, please contact us at coast@padstowholidaypark.co.uk or write to: Coast Pool, Padstow Holiday Park, Padstow, Cornwall, PL28 8LB.
We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.
9. Data Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include:
- Secure, access-controlled systems managed by EZFacility with encryption in transit and at rest
- Staff access to personal data limited to those who need it to perform their role
- CCTV footage accessible only to authorised management personnel
- Regular review of data handling practices
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, inform affected individuals without undue delay.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The current version will always be available at coastpool.co.uk and at Coast Pool reception. The date at the top of this document shows when it was last updated.
Where changes are material, we will notify active members by email.
11. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact:
Data Controller
Coast Pool, Padstow Holiday Park Ltd
Padstow Holiday Park, Padstow, Cornwall, PL28 8LB
coast@padstowholidaypark.co.uk
01841 532289
Data Processor (booking system)
EZFacility, Inc. (a subsidiary of Gary Jonas Computing Ltd)
www.ezfacility.com/privacy-policy
UK Supervisory Authority
Information Commissioner’s Office (ICO)
ico.org.uk | 0303 123 1113
Padstow Holiday Park Ltd is registered in England and Wales. Company No. 03520127.