1. Introduction

This Privacy Policy explains how Corenucopia by Clare Smyth (“Corenucopia”, “we”, “us”, “our”) collects, uses, discloses and protects your personal data when you visit our website corenucopia.com or otherwise interact with us (for example, by making a reservation, signing up to our newsletter or contacting us).

We are committed to protecting your privacy and handling your personal data in a fair, transparent and lawful way in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By using our website or providing your personal data to us, you acknowledge that it will be processed as described in this Privacy Policy.

2. Who is the data controller?

For the purposes of data protection law, the data controller is:

Corenucopia by Clare Smyth

18–22 Holbein Place

London

SW1W 8NL

United Kingdom

You can contact us at info@corenucopia.com.

If we use third-party service providers who process your data on our behalf (for example, email marketing or web hosting providers), they act as data processors and we remain responsible for your data.

For certain activities (e.g. reservations on OpenTable, gift vouchers on a third-party platform), those third parties may be independent data controllers of the personal data you provide directly to them. In those cases, their own privacy notices will apply.

3. The personal data we collect

The types of personal data we may collect and process about you include:

a. Identity and contact data

Name, title, email address, telephone number, postal address.

b. Booking and dining information

Date and time of reservation, party size, special requests or notes (e.g. allergies, dietary requirements, accessibility needs), occasion details and related communications.

Some of this information may be collected through third-party platforms such as OpenTable, which then share relevant booking details with us.

c. Marketing and communications data

Your preferences in receiving marketing from us, including newsletter subscriptions and records of consent or opt-out.

Information about whether you open, click or interact with our marketing emails (via our email marketing provider).

d. Gift voucher information

If you buy or redeem a gift voucher via a third-party voucher platform, we may receive information such as your name, contact details, voucher details and redemption information from that provider.

e. Job application and careers data

If you apply for a role through our website or by email, we may collect your CV and covering letter, employment history, qualifications, reference details and any other information you include in your application.

f. Website and technical data

IP address, device identifiers, browser type and version, time zone setting and location (approximate), operating system and platform, and other technology on the devices you use to access our site.

Information about your visit, including the pages you view, clickstream data, length of visit and how you interact with page elements. This may be collected via cookies and similar technologies (see our Cookie Policy above).

g. Social media data

If you interact with us via social media (e.g. Instagram), we may see your public profile and any messages you send to us through those platforms.

h. Correspondence and enquiries

Any information you choose to provide when you contact us by email, phone or through contact forms (for example, general enquiries, feedback, private dining requests, event enquiries).

We do not intentionally collect special categories of personal data (such as health or religious data), except where you choose to provide, for example, information about allergies or dietary requirements. Where this is necessary to look after you as a guest, we will handle it with extra care and only share it with staff who need to know.

4. How we collect your personal data

We may collect personal data in the following ways:

• Directly from you

When you make a reservation, join a waiting list or amend/cancel a booking.

When you dine with us and speak to our team or complete comment cards / feedback forms.

When you sign up for our newsletter or marketing updates.

When you contact us by email, phone or via our website forms.

When you apply for a job or send us your CV.

• Through third-party services

From our reservation partner (e.g. OpenTable) when you make a booking through their platform.

From gift voucher providers when you buy or redeem a voucher.

From email marketing and analytics providers who help us understand engagement with our communications.

• Automatically when you use our website

Via cookies and similar technologies (see our Cookie Policy).

Through our web hosting and security tools (including logs used for security and error diagnostics).

• Public sources

Publicly available information from social media platforms, review sites or directories where you choose to post content that mentions us.

5. How we use your personal data and legal bases

We will only use your personal data where we have a legal basis for doing so. The main purposes and legal bases are:

a. To manage reservations, private dining and restaurant operations

Processing your booking, managing waiting lists, handling changes or cancellations.

Recording special requests, allergies and dietary requirements so we can look after you safely.

Communicating with you about your booking (confirmations, reminders, updates).

Legal basis:

• Performance of a contract (or steps at your request before entering into a contract).

• Legitimate interests (to operate and manage our restaurant and provide good customer service).

b. To provide customer service and respond to enquiries

Responding to emails, calls and messages you send.

Handling complaints, feedback and requests.

Legal basis:

• Legitimate interests (to respond to and manage customer contact).

c. To send you marketing communications (where permitted)

Sending newsletters and updates about news, events, menus, special offers and other information related to Corenucopia.

Tailoring our communications to your interests where possible.

Legal basis:

• Consent (for electronic marketing where required).

• Legitimate interests (in some cases, where you are an existing customer and we are permitted to send limited marketing about similar services, subject to your right to opt out at any time).

d. To operate and improve our website

Ensuring the website functions properly and is secure.

Troubleshooting, data analysis, testing, research and statistical purposes.

Understanding how visitors use the site so we can improve its design and content.

Legal basis:

• Legitimate interests (to operate our business, keep our website updated and relevant, and develop our services).

• Consent (for non-essential cookies, analytics and similar technologies).

e. To manage our relationship with third-party providers

Receiving and reconciling information from booking platforms, voucher providers and payment processors.

Sharing necessary information so these third parties can provide services to you or us.

Legal basis:

• Performance of a contract.

• Legitimate interests (to run our business efficiently).

f. To process job applications

Reviewing your application, assessing your suitability, arranging interviews and contacting you about your application.

Legal basis:

• Legitimate interests (to recruit staff).

• Performance of a contract (where we enter into an employment contract with you).

g. To comply with legal and regulatory obligations

Keeping appropriate business records.

Complying with tax, accounting, health and safety and other legal obligations.

Responding to lawful requests from public authorities or law enforcement.

Legal basis:

• Compliance with a legal obligation.

h. To protect our rights, property and safety

Preventing and detecting fraud or misuse of our website.

Establishing, exercising or defending legal claims.

Legal basis:

• Legitimate interests.

• Establishment, exercise or defence of legal claims.

Where we rely on consent, you can withdraw it at any time by contacting us or using the unsubscribe/opt-out options provided.

6. Who we share your personal data with

We may share your personal data with:

a. Service providers (data processors)

Website hosting and maintenance providers.

IT support and security providers.

Email marketing and newsletter platforms.

Reservation management and customer relationship tools.

Payment processing providers (for example, in relation to deposits, vouchers or event payments).

Professional advisers such as lawyers, accountants and insurers.

These providers are only allowed to process your personal data on our instructions and must keep it secure and confidential.

b. Third-party controllers

In some cases, other parties will process your personal data as independent controllers, including:

• Reservation platforms (e.g. OpenTable) when you use them to make a booking; they share relevant reservation data with us but also use your data for their own purposes under their own privacy policy.

• Gift voucher platforms when you buy or redeem a voucher; they share limited data with us to allow us to honour the voucher.

• Social media platforms when you interact with our profiles or embedded content.

You should review those third parties’ privacy notices for more detail on how they use your personal data.

c. Public authorities and law enforcement

Where required or permitted by law, we may disclose personal data to regulators, courts, law enforcement agencies or other public bodies (for example, in relation to tax, regulatory reporting, or legal disputes).

d. Business transfers

In the event of a reorganisation, merger, or other corporate transaction, your personal data may be transferred as part of that process, subject to appropriate confidentiality protections.

We do not sell your personal data to third parties.

7. International transfers

Some of our service providers or their servers may be located outside the UK (for example, certain analytics or email providers). If your personal data is transferred outside the UK, we will ensure that appropriate safeguards are in place, such as:

• Using countries that the UK Government has decided provide an adequate level of data protection; or

• Putting in place approved standard contractual clauses and additional security measures where necessary.

You can contact us for more information about international transfers and the safeguards used.

8. How long we keep your personal data

We will retain your personal data only for as long as reasonably necessary for the purposes described in this policy, including to meet any legal, regulatory, tax, accounting or reporting requirements.

In general:

• Reservation and dining records – kept for up to [e.g. 3–5 years] after your last interaction with us, unless a longer period is required by law.

• Marketing data – kept until you withdraw your consent or opt out, or after a period of inactivity, following which we may retain a record of your opt-out.

• Job applications – unsuccessful applications are usually kept for up to [e.g. 6–12 months] from the end of the recruitment process, unless you consent to a longer period.

• Website and technical logs – retained for a shorter period necessary for security, troubleshooting and analytics, typically [e.g. up to 12–24 months].

Where possible, we will anonymise or aggregate personal data so that it can no longer identify you, in which case we may use that information without further notice.

9. How we protect your personal data

We take appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

These measures include:

Limiting access to your personal data to staff and service providers who need it to perform their duties.

Using secure systems, encryption where appropriate, password protection and access controls.

Regularly reviewing our security practices and training staff on data protection and confidentiality.

While we do our best to protect your personal data, no system can be completely secure, and we cannot guarantee the security of information transmitted to our website over the internet.

10. Your rights

Under the UK GDPR, you have certain rights in relation to your personal data. These include:

a. Right of access

To obtain confirmation as to whether we process your personal data and, if so, to receive a copy of the data and certain information about how we use it.

b. Right to rectification

To have inaccurate personal data corrected, or to have incomplete data completed.

c. Right to erasure

To request that we delete your personal data in certain circumstances (for example, if it is no longer needed for the purposes for which it was collected, or if you withdraw consent and there is no other legal basis for processing).

d. Right to restrict processing

To ask us to restrict the processing of your personal data in certain circumstances (for example, while we verify its accuracy or consider an objection you have raised).

e. Right to data portability

To receive personal data you provided to us in a structured, commonly used and machine-readable format, and to transmit that data to another controller where technically feasible.

f. Right to object

To object to our processing of your personal data where we rely on legitimate interests, including profiling based on those interests.

You also have an absolute right to object at any time to your personal data being used for direct marketing.

g. Right to withdraw consent

Where we rely on your consent, you can withdraw it at any time (for example by using the unsubscribe link in marketing emails, adjusting your cookie preferences, or contacting us).

h. Right to lodge a complaint

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection (see ico.org.uk).

We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

To exercise any of these rights, please contact us using the details in section 12.

11. Children

Our website and services are not intended for children under 16 and we do not knowingly collect personal data relating to children via the website. If you believe that a child has given us personal data without appropriate consent, please contact us and we will delete that information where required.

12. Contact details

If you have any questions about this Privacy Policy, or if you wish to exercise any of your rights, please contact us at:

Email: info@corenucopia.com

Postal address:

Data Protection

Corenucopia by Clare Smyth

18–22 Holbein Place

London SW1W 8NL

United Kingdom

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements or other factors. Any updates will be posted on this page with an updated “Last updated” date.

We encourage you to review this policy periodically to stay informed about how we handle your personal data.