Security and Privacy Notice

Ghyll Manor Hotel & Restaurant

The privacy and security of your personal information is extremely important to us. Please read this privacy notice carefully, as it explains how and why we use your personal data, to make sure you stay informed, so you can be confident when you share your information with us.

The purpose of this privacy notice is to inform you on how your personal data is used here by us at Ghyll Manor when you are a guest at our hotel.

1) Who We Are

We are Ghyll Manor Hotel & Restaurant, High Street, Rusper, Horsham RH12 4PX, which is owned by Boundless by CSMA.

In this policy whenever you see the words ‘we’, ‘us’, ‘our’, ‘Boundless’ or ‘Ghyll Manor Hotel & Restaurant’, it refers to Boundless by CSMA, a trading name of Motoring & Leisure Services, a subsidiary of the Civil Service Motoring Association Limited (registered company number 02813598) and we are authorised and regulated by the Financial Conduct Authority.

If you have any questions in relation to this Privacy Policy or how we use your personal data, you can contact us in any of the following ways:

·       Email:

·       Post: Guest Services, Boundless, Britannia House, 21 Station Street, Brighton BN1 4DE

·       Telephone: 03301 230 371

Our Data Protection Officer is also very happy to answer any questions or concerns you might have and can be emailed directly at

2) Our commitment to you

The security of personal information is extremely important to us and we are committed to protecting and respecting your privacy. In this notice we aim to be honest and clear about how we handle the information we collect from you or create about you. We will detail how we collect, use and safeguard your personal information and any conditions under which we may need to share personal information. 

We will also cover how information may be used for marketing and communication activities, your choices in this regard, your privacy rights and how the law protects you.

We’ll never sell your personal data and will only share it with organisations we work with when it’s necessary and the privacy and security of your data is assured.

We will keep this Privacy Policy updated to show you all the things we do with your personal data.

3) What personal data do we collect?

Personal data is any information that can be used to identify an individual personally, that is collected, stored and used by us. We’ll only collect the personal data that we need, and when we do we are subject to the General Data Protection Regulation (GDPR) which applies across the European Union (including the United Kingdom). We are responsible for your data as a ‘controller’ of any personal data we collect for the purposes of those laws.

3a) Personal data provided by you

This includes information you give when interacting with us, for example when you make a booking, create an online account, make an enquiry or stay at our hotel. Data we collect includes:

·       Name, address, telephone number, email address, credit / debit card details when you either making a booking or create an online account.

·       Your comments, views and opinions regarding your experience or stay

·       Name and contact details when making an enquiry

·       Name and contact details when booking for afternoon tea or to use the restaurant

There maybe be other times that we process your information when you engage with us for different reasons – we will inform you through different privacy notices at the time.

3b) Personal data we automatically collect

We may automatically collect the following information from your use of the hotel website:

3c) Personal data collected by your involvement with us

Our hotel uses CCTV cameras in a number of public locations for safety and security monitoring purposes. All guests and visitors will therefore have their images captured by these cameras, but the information is deleted after a short period in line with our CCTV policy.

In certain cases, some third parties may share details of your purchase with us if you make a booking through a third party. You should check their privacy notice at the time of booking.

4) How we use your personal data

We’ll only use your personal data on relevant lawful grounds as permitted by the Data Protection Act 2018, GDPR and the Privacy of Electronic Communication Regulations 2003, and any successor legislation to these.

Under these data protection laws, we can only use your personal data if we have a proper reason for doing so, such as:

  • to comply with our legal and regulatory obligations;
  • for the performance of our contract with you or to take steps at your request before entering into a contract;
  • for our legitimate interests or those of a third party; or
  • where you have given consent.

If we are asked by the police, law enforcement agency or any other regulatory or government authority investigating suspected illegal activities, we may need to disclose and exchange information with that authority to comply with our legal and regulatory obligations.

Below are the key reasons we may process your data:


Personal Data

Point of Collection

Purpose of processing

Lawful Basis


Contact details:

Name, address, email address, telephone number

When making a booking

Creating an online account

Checking in

-       Communicate with you in regard to a booking, manage reservations, accommodation requests and other hotel services

-       Manage your stay with us

Carrying out our contractual obligations


Payment details:

Credit / Debit card details

Making a reservation

Use of facilities

-       Manage your reservation, accommodation requests

-       Complete your check-in/check-out, process payments

Carrying out our contractual obligations


Booking details:

Arrival / departure dates, room details

When making a booking

-      Manage your booking and your stay with us

-      Manage your use of the restaurant

Carrying out our contractual obligations


Contact Details

Name, email address

Your questions and comments or complaints you make about our hotel

-       Collect feedback about the service we have provided

-      Make improvements and monitor customer experience

Legitimate Interest


Contact Details

Name, contact information

Making a reservation at the hotel restaurant (eg for Afternoon Tea)

-      Provision of services

Carrying out our contractual obligations


Name, contact details

Making a general enquiry

-      To respond to your requests

Legitimate Interests


Boundless membership number

At time of booking

-       To validate membership

Carrying out our contractual obligations


Name, email address

At time of booking or when checking in

-       To send you details of offers and news

Consent – you can change your mind and opt out at any time.


Email address, Password

Creating a profile to save your details for any future booking (only available on our website)

-       To save your information for any future bookings

Carrying out our contractual obligations

Making an enquiry about business travel

Guests travelling on business are invited to complete a short form to apply for potential business rates. The information provided will be used to contact the business to discuss the business rate application. Once this has taken place, the form is destroyed.


Personal Data

Point of Collection

Purpose of processing

Lawful Basis


Contact details:

Name, company name and address, email address, telephone number.

Through application form for rates for business travel or from the hotel wifi.

To reply to the named person / company regarding the application.

Legitimate Interest

There maybe be other times that we process your information or collection other personal data about you – will we inform you of this at the time.

5) Updating your data and marketing preferences

We want to keep our customers up to date with information about special offers, benefits and improvements to our facilities and services.

When you engage with our marketing activities, either electronically on line via website or social media, or in person at the hotel, we will ask you if you want to opt-in to receive this type of promotional information. If you provide your consent to this, you may opt out at any time.

If you decide you do not want to receive this marketing information, you have the right to ask us to not process your personal information for marketing purposes.

We reserve the right to contact our hotel customers as necessary to fulfil the obligations and administration of our services. We will also communicate as deemed appropriate by boundless any changes to the product, services or facilities of the hotel which we feel you should be aware of.

6) Cookies and our Website

Cookies are small text files stored on your computer when you visit certain websites. We use first party cookies (cookies that we have set, that can only be read by our website) to personalise your online experience. We also use third party cookies (cookies that are set by an organisation other than the owner of the website) for the purposes of website measurement and targeted advertising. You can control the use of cookies inside your browser settings. Further information can be found in our cookie policy.

The hotel website is developed and maintained by Guestline, who we have contracted as a Data Processor to run the website on our behalf.

If you purchase gift vouchers for the hotel, please refer to the privacy notice provided for information.

7) Keeping your personal data

We will only use your information for as long as it is required for the purpose it was collected for.  If we collect your personal information, the length of time we retain it is determined by a number of factors, including the purpose for which we use that information and our obligations under other laws.

We will retain your data for 7 years in accordance with the Limitation Act 1980. This acts states either you or we may bring a claim for breach of contract within six years of the event giving rise to a breach. In order that we may defend or bring a breach of contract claim (and to comply with disclosure requirements) we keep your account record for 7 years. This period takes into account the 4-month period during which a claim form, issued on the last day of the limitation period, remains valid for service and for any extension for service which may be granted by the court.

When it is no longer necessary to retain your personal data, we will delete or anonymise it.

If you have an online account that has not been used for more than 18 months, the account will be deleted.

CCTV images are not kept for more than 30 days.

8) How we secure your data

We maintain physical, electrical and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable information.  We have taken technical and organisational measures to secure your data, including:

·       This website has a secure https:// address (URL). This means that a SSL certificate is in place so that if you submit any data via the website, then your information is encrypted whilst it is being transmitted to the applicable database or email server

·       We limit access to your personal data to those who have a genuine business need to access it. Only employees who need the information to perform a specific job are provided with access to your data. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality.

·       All our staff complete mandatory information security and data protection training on employment and annually thereafter to reinforce responsibility and requirements set out in our information security policies.

·       We conduct Privacy Impact Assessments in accordance with Data Privacy guidelines

·       We implement appropriate measures and controls, including monitoring and physical measures, to the processing and storage of data.

·       We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

·       We require, through the use of contract and security reviews, our third party vendors and providers to protect any personal information with which they are entrusted in accordance with our own policies and procedures

9) Disclosing your information to third parties

When we allow third parties acting on behalf of Boundless to access your information, we will always have complete control of what they see, how long they see it and what they are allowed to do with it by imposing strict contractual obligations on them such as data sharing agreements. We do not sell or share your personal information for other organisations to use.

Personal data collected and process by us may be shared with the following groups where necessary:

Also, under strict controlled conditions:

  • Contractors
  • Service providers providing services to us
  • Advisors
  • Agents
  • Auditors

We may also disclose your personal information to third parties if we are under the duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use or cookie policy and other agreements; or to protect the rights, property, or safety of Boundless, our members, volunteers and employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

10) Where your personal data is held

Your personal data is primarily held in our hotel booking system, which is provided by Guestline and is called Rezlynx Property Management System. If you are a member of boundless some of your booking information may be held in our Microsoft Dynamics CRM system also. Your data may also be held at our hotel, third party agencies, services providers, representatives and agents as described above. All systems are cloud based with servers located within the EEA.

11) Your rights

You have the following rights, which you can exercise free of charge:


The right to be provided with a copy of your personal information (the right of access)


The right to require us to correct any mistakes in your personal information

To be forgotten

The right to require us to delete your personal information—in certain situations

Restriction of processing

The right to require us to restrict processing of your personal information—in certain circumstances, for example, if you contest the accuracy of the data

Data portability

The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations

To object

The right to object:

—at any time to your personal information being processed for direct marketing (including profiling);

—in certain other situations to our continued processing of your personal information, for example, processing carried out for the purpose of our legitimate interests.

Not to be subject to automated individual decision-making

The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you

Right to withdraw consent

If you have given us your consent to use your personal information, you can withdraw your consent at any time. This might impact our ability to provide goods and services to you


For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:

  • Send a written request by either email or letter to our Data Protection Officer (please see ‘who are we’)
  • email, call or write to our Data Protection Officer (please see ‘who are we’)
  • let us have enough information to identify you;
  • let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
  • let us know what right you want to exercise and the information to which your request relates.

12) How to complain

We hope that our Data Protection Officer can resolve any query or concern you raise about our use of your information.

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at or telephone: 0303 123 1113.

Changes to this privacy notice

We’ll amend this privacy notice from time to time to ensure it remains up to date and reflects why we collect and use your personal data. Please visit our website to keep up to date with any changes. The current version will always be posted on our website –

This privacy notice was last updated in April 2019

Do you need extra help?

If you would like this notice in another format (for example, large print or braille), please contact at or telephone: 0330 123 0781


Stunning 17th century country house hotel in picturesque gardens. The perfect wedding venue in Sussex.

Stunning 17th century country house hotel in picturesque gardens. The perfect wedding venue in Sussex.



A unique selection of 29 individual rooms with some offering a variety of four poster beds, garden views and original features.

A unique selection of 29 individual rooms with some offering a variety of four poster beds, garden views and original features.



Checkout our selection of accommodation packages and hotel special offers in the picturesque Sussex countryside.

Checkout our selection of accommodation packages and hotel special offers in the picturesque Sussex countryside.