Legal

Privacy Policy

Last updated 23 February 2026

01 /Who we are

Longbow Management SRL, with registered office at Via Adamo Del Pero 38, Como, Italy, Tax Code and VAT No. 03996170134 ("us" and "we"), is based in Italy and is the controller responsible for your personal data. We are responsible for your personal information and remain committed to protecting your privacy. Pursuant to Regulation (EU) 2016/679 (the "Regulation"), we have a legal duty to respect and protect any personal information we collect from you, and we will abide by such duty. This privacy policy sets out how we collect and process your personal data when you use this website, make any purchases, register for any events, promotions or newsletters or otherwise correspond with us.

If you have any questions about this privacy policy or our privacy practices, please contact info@greyheath.com. Should you have any concerns with the way we have dealt with your personal data, you have the right to make a complaint at any time to the Data Protection Authority (www.garanteprivacy.it) or with the supervisory authority of the EU Member State in which you reside or work or in which the alleged infringement occurred.

02 /The data we collect about you

Personal data means any information about an individual from which that person can be identified. We may collect, use and store different kinds of personal data about you including:

  • Identity and Contact Data such as your full name, gender, date of birth, country of residence, physical address, contact information (e.g., email address and phone number), passport and visa information, service preferences and any other personal data, including special category data (such as allergies and medical assistance, only with your consent), which you may provide us when you make a reservation, or contact us.
  • Marketing and Communications Data such as your preferences in receiving marketing from us and your communication preferences.
  • Technical and Usage Data such as system log information about your use of the website, including the type of browser you use, browser plug-ins, access times, pages viewed, IP address, time zone setting and the page you visited before navigating to our website.
  • Device Information including the hardware model, operating system and version, unique device identifiers (such as IP address, IMEI number, the address of the device's wireless network interface, or mobile phone number used by the device) and mobile network information.
  • Cookies Data including the information set out under the section entitled 'Cookies'.
  • Financial Data such as your credit card, mobile payment and other payment details when you make a reservation or purchase goods and services from us.

We may also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' usage data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website and our product and service offering.

03 /How your data is collected

We use different methods to collect data from and about you, including through your interactions with us. You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you purchase our products or services, subscribe to our service or publications, request marketing to be sent to you, enter a competition, promotion or survey, or give us feedback or contact us.

Through automated technologies or interactions: as you interact with our website, we will automatically collect Technical and Usage Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.

Third party tools embedded in our website will only collect your data with your express consent, which can be provided through the cookie banner shown on your first visit. Technical Data is collected from analytics providers such as Google Analytics only after you have given consent. Your ability to give, refuse and withdraw consent is described in more detail under the section entitled 'Cookies'.

04 /How we use your personal data

We only use your personal data when the law allows us to. We rely on one or more of the following legal bases: performance of a contract with you (to fulfil contractual obligations, analyse and improve our services and communications, marketing purposes, provide access to website content and respond to your enquiries, and administer events conducted by us or on our behalf); legitimate interests (to conduct our business and provide a high-quality tailored customer experience, for example, to monitor and analyse use of our website, administer debt recovery, and provide for the safety and security of guests, premises and services, including handling incidents and claims, investigations, audits, CCTV surveillance and security clearances); and legal obligation (where necessary for compliance with a legal obligation we are subject to). We balance any potential impact on you and your rights before processing your data for our legitimate interests.

We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example, to send direct marketing, promotional and customer management communications or special offers where you have consented to receive them, and for any other purposes for which we have obtained your consent in accordance with applicable law. You have the right to withdraw consent at any time by contacting us at info@greyheath.com. Providing consent is not mandatory, and if you decide not to provide it you will still be able to use the requested services.

05 /Third party marketing & opting out

We will always get your express opt-in consent before we share your personal data with any third party for marketing purposes.

In addition to revoking your consent through the methods mentioned above, you can also ask us to stop sending you marketing communications at any time by following the opt-out links on any marketing message sent to you, or by contacting us at any time at info@greyheath.com.

06 /Links to third party websites

Our website may provide links to third party websites, including social networking websites. If you click on a third party link, you will be directed to that third party's website. We strongly advise you to review the privacy policy of every website you visit. We have no control over and assume no responsibility for the content or privacy policy of any third party websites or services.

Our website may contain third party tools such as Google reCAPTCHA in order to protect our website from spam software and misuse by non-human visitors. reCAPTCHA is engaged when you submit your information on any forms on the website.

07 /Children and minors

Except where required by local laws, we do not knowingly collect personal data relating to minors, unless such personal data was submitted by the minors' parent or guardian. If you are a minor, you may only use our website and services with the permission of your parent or guardian.

08 /Cookies

A cookie is a small file of letters and numbers stored on your browser or the hard drive of your computer. We only set non-essential cookies with your prior consent, which you can give through the cookie banner shown on your first visit. Until you provide consent, no analytics or marketing cookies are installed and no data is sent to the third parties listed below.

  • Necessary — technical elements required for the website to function and to remember your cookie choices. Always active; they do not track you.
  • Analytics (only with your consent) — Google Analytics 4, provided by Google Ireland Limited, collects statistics on how visitors use the website (pages viewed, browser type, approximate location, date and time of visit).
  • Marketing (only with your consent) — Google Ads conversion and remarketing tags, served through Google Tag Manager (Google Ireland Limited), and the Meta Pixel (Meta Platforms Ireland Limited), used to measure and personalise advertising on Facebook and Instagram.

Your choice is stored for six months, after which the banner will ask you again. You can change or withdraw your consent at any time through the "Cookie Preferences" link in the footer of every page, or set your browser to refuse all or some cookies. You can also opt out of Google Analytics by installing the Google Analytics opt-out browser add-on. For more information on the privacy practices of these providers, please see the Google Privacy Terms and the Meta Privacy Policy. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

09 /Disclosures of your personal data

As an essential part of being able to provide our services to you, we share your data with the following categories of third parties:

  • Group companies which are members of the Longbow group that provide logistics and administrative services to us. We will only share your personal data with group companies that are based in the UK and EU.
  • Agencies that assist us with marketing management and newsletter distribution such as HubSpot, provided we have received your express opt-in consent.
  • Advertising and analytics partners such as Google and Meta, only where you have consented to analytics or marketing cookies as described in the section entitled 'Cookies'.
  • Service providers that help us run our business, such as property management software providers, SEO agencies, website hosting providers and developers, providers of Wi-Fi access at our venues, and companies that provide us with legal, administrative, financial and other professional services.
  • Professional advisers including lawyers, bankers, auditors and insurers who provide advice to us when we require it.
  • Law enforcement agencies in connection with any investigation to help prevent unlawful activity.
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets, or with whom we may seek to merge or whom we may acquire. If a change happens to our business, the new owners may use your personal data in the same way as set out in this privacy policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.

10 /International transfers

We do not disclose your personal data outside of the UK, EEA and Switzerland. We use third-party providers such as HubSpot which may store your personal data in servers located in the U.S. In this case, the transfer will take place in compliance with the provisions of the GDPR; in particular, the data will be transferred only after signing the Standard Contractual Clauses approved by the EU Commission by Decision No. 2021/914/EU.

11 /Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

Please be aware that where information is transmitted via the internet, such transmission is not completely secure. Although we take appropriate and proportionate steps to manage the risk posed, we cannot guarantee the security of your information transmitted to our online services.

12 /Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for longer in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you. For instance, data collected in the event of requests for information are stored 30 days after the date of collection, unless a contractual relationship is established. The retention periods are based on the requirements of applicable data protection laws and the purpose for which the information is collected and used, taking into account the amount, nature and sensitivity of the personal data, and legal and regulatory requirements to retain the information for a minimum period.

By law we have to keep basic information about our customers (including Contact, Identity and Financial Data) for 10 years after they cease being customers for tax purposes. If you would like to know more about the retention periods, please contact info@greyheath.com.

13 /Your legal rights

You have the right to exercise the following rights referred to in Articles 15 to 22 of the Regulation at any time, free of charge and without formalities: the right to request access to your personal data and to obtain a copy of it; the right to rectification of inaccurate data or to have incomplete data completed; the right to erasure of your data in the circumstances set out in Article 17; the right to restriction of processing in the cases set out in Article 18; and the right to data portability in the cases set out in Article 20, to receive your data in a structured, commonly used and machine-readable format and to transmit it to another data controller without hindrance. You also have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you pursuant to Article 6(1)(e) or (f) of the Regulation, including profiling based on those provisions.

If you wish to exercise any of the rights above, please email info@greyheath.com.

14 /Updates to this policy

We reserve the right to update and change this privacy policy from time to time in order to reflect regulatory changes or changes to the way we process your personal data. In case we make such changes, we will post the amended privacy policy on our website. The changes will come into effect upon publication.

15 /Contact us

If you have any questions about this privacy policy, our privacy practices, or wish to exercise your rights, please contact us at privacy@greyheath.com.