Privacy Policy

Home / Privacy Policy


We are Flatrock Group (trading as The Cliff Hotel & Spa, The Gwbert Hotel & Flatrock Bistro, The Harbourmaster, The Grosvenor, The Angel Hotel and Gwbert Holidays) and trade from The Cliff Hotel & Spa, Gwbert, Cardigan SA43 1PP.

Flatrock Group is committed to protecting and respecting your privacy in accordance with General Data Protection Regulations and the Data Protection Act 2018. Please read the following policy to understand how we will ensure that your personal information is handled in a safe and responsible way.

By providing your personal information, you agree to the collection, storage and processing of your personal information by Flatrock Group in the manner set out in this Privacy Policy.

Information we hold

Information you provide which may include: • title • name • e-mail, home or work address • passport information • age or date of birth • billing information and any bank details or credit card details you have provided in order to process payments electronically • telephone number • company name • dietary requests and requirements • marketing preferences • marketing responses (where applicable) • survey responses • general descriptions and details about your interests • medical information • employment details, education, salary history and other information gathered via the recruitment process such as that entered into a CV or included in a CV cover letter when applying for a job and • when employed: name and contact details of your next of kin, your gender, marital status, information of any disability you have or other medical information, right to work documentation, information on your race and religion for equality monitoring purposes, National Insurance numbers, bank account details, tax codes, driving licence • information relating to your employment with us, including: job title and job descriptions, your salary, your wider terms and conditions of employment, details of formal and informal proceedings involving you such as letters of concern, training records and qualifications, disciplinary and grievance proceedings, your annual leave records, appraisal and performance information, internal and external training modules undertaken, information on time off from work including sickness absence, family related leave etc.

Information we collect about you which may include: • device type (e.g. mobile, computer, laptop, tablet) • cookies • operating system • IP address • browser type • browser information (e.g., type, language, and history) • domain names • access times • location information and time-zone setting • settings • referring website addresses • traffic data • information we receive from other sources which includes information we receive about you from third party booking sites such as (but not limited to) Expedia, and Resdiary • employment reference checks when applying for a job • CCTV footage • building access card records • IT equipment use including telephones and internet access.

We do not knowingly collect information from or direct any of our content specifically to children under 16. We do not collect any sensitive information for which stronger legal protection may apply.  Any personal information collected by visiting our website including, but not limited to, traffic data, location, operating system and browser type, are not held by the Company, and are purely utilised by website systems to anonymously monitor trends in online traffic.

When we collect the data?

We collect information from a variety of different sources which include:

  • When you correspond with us by phone, e-mail or otherwise
  • When you make an enquiry or search for a product
  • When you make a booking or subscribe to our service
  • When you visit in person
  • When you purchase products or services from our website
  • When you purchase products or services in person
  • When you become a subscriber to our marketing campaigns
  • Via explicit data capture measures, for example by entering competitions and completing surveys
  • When you complete forms such as spa consultation, event sheets, feedback, registration or pre-orders, electronically or otherwise
  • During the recruitment process

In any of the above cases the data we collect could be personal data by which we mean any data that relates to an identifiable person who can be directly/indirectly identified from that data.

Purposes for which we hold and use your information

Our collection and use of your personal data will always have a lawful basis, either because it is necessary to satisfy our contractual obligations to you in connection with your purchase of any of our services, products or otherwise; because you have consented to our use of your personal data (e.g. by subscribing to emails); or because it is strictly justified, required and necessary in our legitimate business interests.

We require the information outlined in the previous section to:

  • ensure that we adhere to HMRC and industry requirements and legal practices
  • understand your needs and provide you with good service
  • send you correspondence in relation to contractual obligations
  • perform our obligations arising from any contracts entered into between you and us
  • assist with internal record keeping
  • to provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes
  • to collect and use selected data, with the use of Cookies, to monitor the effectiveness of our website in order to help us improve our service

Disclosure of your information

All personal information is treated as highly confidential and we do not sell, distribute or lease your data to third parties for marketing purposes or any other reason.

Any personal information we request from you will be safeguarded under current legislation. We will only share your information with companies if necessary to deliver services on our behalf. For example service providers (e.g. ResDiary for the provision of online bookings), third-party payment processors, and other third parties to provide our Sites and fulfil your requests, and as otherwise consented to by you or as permitted by applicable law.

We may share your information in certain circumstances including:


  • We may disclose your personal information to any member of our group, which means our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
  • When necessary in relation to any supply of products and/or services by us to you or in order to protect against fraud or any other crime (usually by providing such information to a reputable information reporting organisation).
  • In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
  • If Flatrock Group or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation or requested to do so by a legal authority such as the police or a Court of Law.
  • In order to enforce or apply our terms of use and other agreements.
  • When necessary in order to protect the rights, property, or safety of Flatrock Group, our customers, or others.
  • Your information is disclosed to our employees, agents and representatives on “a need to know” basis only and we confirm that all such persons understand the importance of client confidentiality and privacy.

We have in place a level of security appropriate to the nature of the data and the harm that might result from a breach of security. However, all publicly accessible websites are susceptible to malicious practices, and we accept no liability if security is breached. We further undertake that we will not hold information about you which is excessive in respect of the purposes for which it is processed. We only keep your personal data for as long as we need to in order to use it as described in this privacy policy, and/or for as long as we have your permission to keep it.

Your Rights

You have certain rights under the Data Protection Act in relation to the information that we hold about you. These rights are set out below:

  • A right to know what information we hold about you
  • A right to request access to, deletion or correction of your personal data
  • A right to request your personal data be transferred to another person
  • A right to complain to the Information Commissioner’s Office if you are unhappy with how your information is being used
  • A right to control how and when your information is used.

Where you have given consent to services such as direct marketing emails, our use of cookies and location data you can revoke your consent at any time by following the ‘Unsubscribe’ link attached to our emails.

You can also change manage preferences regarding disclosure of your information to third parties and the frequency and/or subject and/or format of our communications by emailing us your requirements.

Should you wish to request access to the data we hold about you, please email: or write to us at The Cliff Hotel & Spa, Gwbert, Cardigan SA43 1PP. Should you contact us, our security procedures mean that we may request proof of identity before we are able to disclose any information to you.

If you believe that Flatrock Group has not adhered to this Privacy Policy, please e-mail . We will aim to use commercially reasonable efforts to promptly determine and remedy the problem.

Changes to this Privacy Policy

We reserve the right to periodically change this Privacy Policy at any time to reflect company and customer feedback.  Any amended Privacy Policy will be posted on our websites.  Flatrock Group encourages you to periodically review this statement to keep informed of how it is protecting your information.