Legal
Privacy
Last updated: 9 May 2026
Two roles to keep separate
Innkept processes personal data in two distinct capacities, governed by different documents:
- This marketing site — we are the controller for personal data you give us when you sign up for an account, contact our support team, or subscribe to our newsletter or sub-processor change notifications. This page is the privacy notice for those activities.
- The embedded quote widget — we are the processor; the operator (the venue or caterer running the widget) is the controller. The terms of that relationship are in our Data Processing Agreement. The visitor's privacy notice is the operator's responsibility.
What we collect on this site
- Account: name, work email, password (hashed).
- Billing: handled by Stripe; we don't see card numbers.
- Support: messages and any attachments you send to hello@innkept.com.
- Sub-processor change notification subscribers: email address and a verification flag.
We do not run third-party analytics, advertising, or cross-site tracking on this marketing site. The dashboard sets a session cookie and a CSRF cookie; both are strictly necessary.
Lawful bases
- Performance of contract (Article 6(1)(b) UK GDPR) for delivering the service to operators.
- Consent (Article 6(1)(a)) for the newsletter and sub-processor change notifications.
- Legitimate interests (Article 6(1)(f)) for security logging and abuse prevention.
Sub-processors
The third parties we engage to deliver the service are listed at /legal/sub-processors. You can subscribe to change notifications from that page.
International transfers
Where personal data is transferred outside the United Kingdom we rely on the UK Data Bridge (UK Extension to the EU-US Data Privacy Framework), the UK Addendum to the EU SCCs, or the IDTA, depending on the recipient. The transfer mechanism for each sub-processor is identified in the list linked above.
Your rights
Under UK GDPR you have the right to access, rectify, erase, restrict, port, or object to processing of your personal data. To exercise any of these rights write to dpo@innkept.com.
You also have the right to complain to the Information Commissioner's Office (ico.org.uk), the UK's supervisory authority for data protection.
Retention
We keep account data for as long as your account is active and for 12 months after closure, then delete or anonymise it. Backup copies are pruned within the backup retention window (currently 35 days). Subscriber emails are kept until unsubscribe.
Contact
Innkept, United Kingdom. Data protection contact: dpo@innkept.com.