Privacy Policy
Last updated: February 2026
1. Who We Are
The Bear Inn (“we”, “us”, “our”) is the data controller for the personal data collected through this website. We are located at 12 Market Place, Wincanton, Somerset, BA9 9LP. You can contact us about data protection matters at hello@thebearwincanton.co.uk or by calling 01963 202708.
2. Information We Collect
We collect personal data in the following ways:
Information you provide directly
- Account registration: name, email address, phone number, and password
- Room and table bookings: name, email, phone, dietary requirements, accessibility needs, and booking details
- Profile information: date of birth, preferences, and special occasions (optional)
- Two-factor authentication: phone number or TOTP secret and backup codes
- Contact form: name, email, phone, and your message
- Newsletter sign-up: email address and marketing preferences
Information collected automatically
- Analytics data: pages visited, interactions, device type, browser, and approximate location (via Google Analytics, with your consent)
- Error monitoring: error details and performance metrics (via Sentry). Session replays and user-identifiable information are only collected with your consent.
- Session data: IP address, user agent, and device information for security and site functionality
- Cookies: see our Cookie Policy for details
Loyalty programme data
- Points balance, tier status, and transaction history
- Reward redemptions and promotional code usage
3. How and Why We Use Your Data
We process your personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Process and manage your bookings | Contract |
| Create and maintain your account | Contract |
| Administer the loyalty programme | Contract |
| Send transactional emails (booking confirmations, password resets) | Contract |
| Send marketing communications | Consent |
| Analytics and conversion tracking | Consent |
| Session replays and user-identifiable error context | Consent |
| Store your display preferences (theme) | Consent |
| Basic error monitoring and site stability | Legitimate interest |
| Security logging (IP, user agent, device info) | Legitimate interest |
| Two-factor authentication | Legitimate interest |
| Respond to your contact form enquiries | Consent |
4. Who We Share Your Data With
We share personal data with the following third-party processors, who act on our instructions:
- Supabase (database hosting and authentication) — EU-based, GDPR DPA in place
- Vercel (website hosting) — US-based, EU Standard Contractual Clauses
- Google Analytics (website analytics, with your consent) — US-based, EU Standard Contractual Clauses
- Sentry (error monitoring) — US-based, EU Standard Contractual Clauses
- Resend (transactional email delivery) — US-based, EU Standard Contractual Clauses
We do not sell your personal data to anyone.
5. International Data Transfers
Some of our processors are based in the United States. Where data is transferred outside the UK/EEA, we rely on EU Standard Contractual Clauses or equivalent safeguards to ensure your data is protected to the same standard.
6. How Long We Keep Your Data
- Account data: retained while your account is active. Deleted within 30 days of account closure.
- Booking records: retained for 6 years after the stay for legal and accounting purposes.
- Marketing preferences: retained until you unsubscribe or withdraw consent.
- Analytics data: Google Analytics data is retained for 14 months. Custom analytics data is retained for 12 months.
- Error logs: Sentry retains error data for 90 days.
- Contact form messages: retained for 12 months, then deleted.
7. Your Rights
Under the UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (right to be forgotten)
- Restriction — ask us to limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, you can withdraw it at any time
To exercise any of these rights, contact us at hello@thebearwincanton.co.uk. We will respond within one month.
8. Cookies
Our website uses cookies and similar technologies. You can manage your cookie preferences at any time using the “Cookie Settings” link in the footer. For full details, see our Cookie Policy.
9. Children's Privacy
Our website and services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be highlighted on this page with an updated revision date. If changes affect how we use cookies, the consent banner will reappear so you can review your preferences.
11. Complaints
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
12. Contact Us
If you have any questions about this privacy policy or how we handle your personal data, please contact us:
- Email: hello@thebearwincanton.co.uk
- Phone: 01963 202708
- Address: 12 Market Place, Wincanton, Somerset, BA9 9LP