Effective date: 26 March 2026 | Last updated: 26 March 2026
This policy applies to: The GroupBooker consumer booking platform (B2C), the GroupBooker business platform (B2B), and the GroupBooker public website. GroupBooker is a trading name of Son of Will Ltd.
This is the privacy policy for GroupBooker, a trading name of Son of Will Ltd. In this policy, “we”, “us”, and “our” refer to the organisations responsible for your personal data as set out below.
| Detail | Information |
|---|---|
| Platform operator | Son of Will Ltd, trading as GroupBooker |
| Company number (Son of Will Ltd) | 10328311 |
| Data controller | Meta Cannect Ltd |
| Company number (Meta Cannect Ltd) | 09295106 |
| Privacy contact email | gdpr.groupbooker.com@meta-cannect.com |
| ICO registration number | ZB037106 (Meta Cannect Ltd) |
Meta Cannect Ltd acts as the data controller for the personal data described in this policy, on behalf of Son of Will Ltd, the operator of the GroupBooker platform. This means Meta Cannect Ltd decides how and why your personal data is processed in connection with the GroupBooker services.
We are not required to appoint a Data Protection Officer under UK GDPR Article 37, as our core activities do not involve large-scale monitoring of individuals or processing of special category data. For any data protection queries, please contact us at gdpr.groupbooker.com@meta-cannect.com.
This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have. It covers the GroupBooker consumer booking platform, business-to-business services, and public website, all of which are operated by Son of Will Ltd with Meta Cannect Ltd acting as data controller.
We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and the Data (Use and Access) Act 2025.
If you believe we are not handling your data in accordance with this policy, please contact us at the details above. You also have the right to complain to the Information Commissioner’s Office (ICO) — see Section 11.
| Category | Examples | When Collected |
|---|---|---|
| Identity data | First name, last name, title | Account registration, booking |
| Contact data | Email address, phone number | Account registration, enquiries |
| Account data | Username, password (encrypted), account preferences | Account registration |
| Authentication data (B2B) | Email address used as your username for platform authentication via AWS Cognito | When you register for a B2B account |
| Booking data | Booking details, dates, group size, special requirements | When you make or manage a booking |
| Financial data | Payment card details (processed by our payment provider — we do not store full card numbers) | When you make a payment |
| Communications data | Emails, messages, feedback, and support requests you send us | When you contact us |
| Business data (B2B) | Company name, job title, business contact details, contract information | When you register as a business client or enter a contract |
| User-generated content | Reviews, comments, forum posts, and profile information you choose to publish | When you post content on our platform |
| Category | Examples | How Collected |
|---|---|---|
| Technical data | IP address, browser type and version, device type, operating system | Automatically when you visit our site |
| Usage data | Pages visited, time on page, click patterns, referring URL | Cookies and similar technologies (see Section 8) |
| Location data | Approximate location derived from IP address | Automatically when you visit our site |
We treat IP addresses and device identifiers as personal data in accordance with UK GDPR.
| Source | Data Categories | Purpose |
|---|---|---|
| Service providers listed on our platform | Booking confirmations, availability, service details relating to your booking | To fulfil your booking |
| Payment processors | Transaction confirmation, fraud screening results | To process payments and prevent fraud |
| Business partners (B2B) | Business contact details provided by your employer or organisation | To manage our B2B relationships |
| Publicly available sources | Business registration information, publicly listed contact details | To verify business clients |
Where we receive your data from a third party, we will provide you with this information within one month of obtaining it, or at the point of first communication with you, whichever is sooner.
Under UK GDPR, we must have a lawful basis for each way we use your personal data. The table below sets out our processing purposes and the corresponding lawful basis.
| Purpose | Lawful Basis | Applies To |
|---|---|---|
| To create and manage your account | Performance of a contract with you (Article 6(1)(b)) | B2C and B2B |
| To authenticate B2B users via AWS Cognito | Performance of a contract with you (Article 6(1)(b)) | B2B |
| To process and fulfil bookings | Performance of a contract with you (Article 6(1)(b)) | B2C and B2B |
| To process payments | Performance of a contract with you (Article 6(1)(b)) | B2C and B2B |
| To communicate with you about your bookings or account | Performance of a contract with you (Article 6(1)(b)) | B2C and B2B |
| To respond to your enquiries and provide customer support | Performance of a contract, or our legitimate interest in providing good service (Article 6(1)(f)) | B2C, B2B, Public |
| To send you marketing emails about our services (B2C consumers) | Your consent (Article 6(1)(a)), obtained via opt-in at registration or booking | B2C |
| To send marketing communications to business contacts | Our legitimate interest in promoting our services to existing and prospective business clients (Article 6(1)(f)). We have conducted a legitimate interest assessment and concluded that this processing does not override your rights. You can opt out at any time. | B2B |
| To send transactional and marketing emails via SendGrid | Performance of a contract (Article 6(1)(b)) for transactional emails; your consent (Article 6(1)(a)) for B2C marketing emails; legitimate interest (Article 6(1)(f)) for B2B marketing | All |
| To improve our website and services | Our legitimate interest in understanding how our services are used and improving them (Article 6(1)(f)) | All |
| To detect and prevent fraud | Our legitimate interest in protecting our business and users (Article 6(1)(f)) | All |
| To comply with legal obligations (e.g., tax, accounting) | Legal obligation (Article 6(1)(c)) | All |
| To display user-generated content you have posted | Our legitimate interest in operating a platform that includes user contributions (Article 6(1)(f)) | B2C, Public |
| To share data with service providers to fulfil your booking | Performance of a contract with you (Article 6(1)(b)) | B2C |
Where we rely on consent, you can withdraw your consent at any time by contacting us at gdpr.groupbooker.com@meta-cannect.com or by using the unsubscribe link in any marketing email. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
Where we rely on legitimate interest, you have the right to object (see Section 11). We will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests.
We do not sell your personal data. We share your data only as described below:
| Recipient Category | What We Share | Why |
|---|---|---|
| Service providers listed on our platform | Your booking details, name, contact information, and any special requirements you provide | To fulfil the booking you have requested (contract performance) |
| Payment processors | Payment transaction data | To process your payment securely. They act as independent controllers for fraud prevention. |
| Amazon Web Services (AWS) — hosting and infrastructure | All platform data is hosted on AWS infrastructure in the UK (eu-west-2, London). Data is encrypted at rest and in transit. AWS does not have access to our unencrypted data and processes it solely on our instructions as a data processor under a data processing agreement. | To host and operate our services securely. AWS acts as our data processor. |
| Amazon Web Services (AWS) — Cognito authentication | Email address used as B2B account username only. This data is not linked to any other personal data we hold about you within the Cognito service. Hosted in the UK (eu-west-2, London). | To provide secure authentication for B2B platform users. AWS Cognito acts as our data processor. |
| SendGrid (Twilio Inc.) — email delivery | Email addresses, names, email content. SendGrid processes this data via API solely to deliver emails on our behalf and does not use it for their own purposes. | To send transactional emails (e.g., booking confirmations, account notifications) and, where you have consented or we have a legitimate interest, marketing communications. SendGrid acts as our data processor under a data processing agreement. |
| Analytics providers | Anonymised/pseudonymised usage data | To help us understand how our site is used and improve it. Subject to your cookie consent. |
| Professional advisers | Data relevant to the advice sought | Legal, accounting, and insurance purposes (legitimate interest or legal obligation) |
| Law enforcement or regulators | Data as lawfully requested | To comply with legal obligations or to protect our legal rights |
| Credit reference agencies | Identity and transaction data, only where you have initiated a chargeback without first contacting us to resolve the issue | Fraud prevention (legitimate interest). See Section 5.1 below. |
Where a customer instructs their payment provider to reverse a charge (chargeback) without first contacting us to resolve the matter, we may share limited information with credit reference agencies for the purpose of fraud prevention. We rely on our legitimate interest for this processing and have conducted a balancing test. We recognise your consumer rights, including your right to initiate chargebacks in appropriate circumstances. We will only share data where we have reasonable grounds to believe a transaction was fraudulent or abusive. You have the right to object to this processing (see Section 11).
When you use our platform to book a service provided by a third party, we need to share certain personal data with that service provider so they can fulfil your booking. This sharing is necessary for the performance of your contract with us and with the service provider.
We will share only the data that is necessary for the booking (typically your name, contact details, booking dates, group size, and any requirements you have specified). The service provider becomes an independent data controller for the data we share with them, and their own privacy policy will apply to their use of your data.
We require our listed service providers to handle your data in accordance with applicable data protection law, but we are not responsible for their processing once the data has been shared.
We keep your personal data only for as long as necessary for the purposes for which it was collected. The retention periods below apply:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account and identity data | Duration of your account plus 2 years after closure | To allow you to reactivate and to handle any post-closure enquiries |
| B2B authentication data (Cognito) | Duration of your B2B account; deleted from Cognito upon account closure | Required for platform authentication |
| Booking and transaction records | 6 years from the date of the transaction | Legal and regulatory requirements (tax, accounting, potential claims) |
| Marketing consent records | Duration of consent plus 1 year after withdrawal | To evidence that consent was given and when it was withdrawn |
| Customer support communications | 3 years from resolution | To handle follow-up queries and improve our service |
| Website analytics data | 26 months (anonymised data may be kept longer) | To analyse trends. Anonymised data is no longer personal data. |
| Business client records (B2B) | Duration of the contract plus 6 years | Contractual and legal obligations |
| User-generated content | Until you delete it, or we remove it in accordance with our terms, or account closure | To operate the platform |
| Credit reference data shared | 6 years from the date of sharing | Fraud prevention records |
| Email delivery logs (SendGrid) | 30 days for delivery/bounce logs; marketing suppression lists retained as long as necessary to honour opt-outs | Email delivery and compliance |
When we no longer need your personal data, we will securely delete or anonymise it.
Our website uses cookies and similar technologies (such as JavaScript-based analytics and pixel tags). A cookie is a small file placed on your device that helps us provide and improve our services.
| Cookie Type | Purpose | Lawful Basis | Duration |
|---|---|---|---|
| Strictly necessary | Essential for the website to function (e.g., session management, security) | Exempt from consent (PECR Regulation 6(4)) | Session / up to 1 year |
| Analytics | Help us understand how visitors use our site (e.g., pages visited, time on site) | Your consent | Up to 26 months |
| Functionality | Remember your preferences (e.g., language, region) | Your consent | Up to 1 year |
| Marketing / Advertising | Used by third-party advertisers to deliver relevant ads and measure ad performance | Your consent | Varies by provider |
When you first visit our site, we will ask for your consent before placing any non-essential cookies on your device. You can change your cookie preferences at any time using the cookie settings in our website footer.
If you choose not to accept non-essential cookies, the core functionality of our website will still work, but some features (such as personalised recommendations or analytics-driven improvements) may be limited.
Third-party advertisers and analytics providers may place cookies on your device when you visit our site. We require consent before enabling these cookies.
We audit the third-party cookies on our site regularly.
We are based in the United Kingdom. Our primary hosting infrastructure (AWS) and authentication service (AWS Cognito) are both located in the UK (eu-west-2, London region), so the majority of your personal data remains within the UK. However, some of our service providers process your data outside the UK. The following transfers apply:
| Provider | Data Transferred | Transfer Destination | Safeguard |
|---|---|---|---|
| Amazon Web Services (AWS) | All platform data (encrypted at rest and in transit) | UK — AWS eu-west-2 (London). AWS does not have access to unencrypted data. | No international transfer — data remains in the UK. Data processing agreement with AWS in place. |
| AWS Cognito | B2B user email addresses only | UK — AWS eu-west-2 (London) | No international transfer — data remains in the UK. Data processing agreement with AWS in place. |
| SendGrid (Twilio Inc.) | Email addresses, names, email content | United States | UK International Data Transfer Agreement (IDTA) with Twilio Inc.; Twilio also participates in the EU-US Data Privacy Framework |
Where we transfer personal data outside the UK, we ensure it is protected by one or more of the following safeguards:
You may request a copy of the safeguards we have in place by contacting us at gdpr.groupbooker.com@meta-cannect.com.
We do not currently use your personal data for automated decision-making (including profiling) that produces legal effects or similarly significant effects on you.
Under UK GDPR, you have the following rights in relation to your personal data:
| Right | What This Means |
|---|---|
| Right of access | You can request a copy of the personal data we hold about you (a “Subject Access Request”). |
| Right to rectification | You can ask us to correct inaccurate or incomplete personal data. |
| Right to erasure | You can ask us to delete your personal data in certain circumstances (e.g., when it is no longer necessary for the purpose it was collected). |
| Right to restrict processing | You can ask us to limit how we use your data in certain circumstances (e.g., while we verify accuracy). |
| Right to data portability | You can request your data in a structured, machine-readable format and have it transferred to another controller, where processing is based on consent or contract and carried out by automated means. |
| Right to object | You can object to processing based on legitimate interest (including profiling) and to direct marketing at any time. |
| Right to withdraw consent | Where we process your data based on your consent, you can withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal. |
| Rights related to automated decisions | You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, unless specific conditions apply. |
To exercise any of these rights, please contact us at gdpr.groupbooker.com@meta-cannect.com. We will respond within one month. In complex cases we may extend this by a further two months, but we will let you know within the first month if this is necessary.
We will not charge a fee for handling your request unless it is manifestly unfounded or excessive.
If you are not satisfied with how we handle your personal data or respond to your request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:
We do not store full payment card details. Payments are processed securely by our payment provider, who is PCI DSS compliant.
Our services are not directed at children under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate parental consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at gdpr.groupbooker.com@meta-cannect.com.
Our platform may allow you to post reviews, comments, forum posts, and other content. Any personal data you include in content you post will be visible to other users of the platform and may be indexed by search engines.
We moderate content in accordance with our Terms of Use. We use user-generated content for the following specific purposes:
If you would like content you have posted to be removed, you can delete it from your account or contact us at gdpr.groupbooker.com@meta-cannect.com. We will consider removal requests in line with your right to erasure under Article 17 UK GDPR, balancing this against any rights of others (such as freedom of expression) where applicable.
Third parties may advertise on our website. Where those advertisers use cookies or similar tracking technologies to deliver or measure advertisements, we will obtain your consent before those technologies are activated (see Section 8).
We audit the advertising partners who operate on our site. While we take reasonable steps to ensure our advertising partners comply with applicable data protection law, they are independent data controllers for the personal data they collect through their own technologies.
We will only send you marketing communications by email, SMS, or other electronic means if you have given us your explicit opt-in consent, or in limited circumstances where you are an existing customer and the marketing relates to similar products or services (the “soft opt-in” under PECR Regulation 22). You can opt out of marketing at any time by:
All marketing emails are delivered via SendGrid, which processes your email address and name solely for the purpose of email delivery on our behalf (see Section 5).
We may send marketing communications to business contacts at their corporate email addresses, relying on our legitimate interest in promoting our services. We have conducted a legitimate interest assessment and provide an opt-out in every communication. Corporate subscribers can unsubscribe at any time using the same methods listed above.
Some personal data is necessary for us to provide our services to you. Where providing data is a contractual requirement (e.g., your name and contact details to process a booking), we will make this clear at the point of collection.
For B2B users, providing an email address is a contractual requirement for account authentication via AWS Cognito. Without this, we cannot provide access to the B2B platform.
If you choose not to provide data that is necessary for a booking or account registration, we may not be able to provide the relevant service. You are never required to consent to marketing as a condition of using our services.
In accordance with the Data (Use and Access) Act 2025, we maintain a formal complaints procedure for data protection matters.
If you are dissatisfied with how we have handled your personal data, you can submit a data protection complaint to us by emailing gdpr.groupbooker.com@meta-cannect.com.
We will acknowledge your complaint within 5 working days and aim to provide a full response within 28 days. If we cannot resolve your complaint to your satisfaction, you may escalate it to the ICO (see Section 11.1).
We may update this policy from time to time. Where changes are significant, we will notify you by email (if we have your email address) or by a prominent notice on our website. The “last updated” date at the top of this policy shows when it was last revised.
We encourage you to review this policy periodically.
If you have any questions about this policy, your personal data, or wish to exercise your rights, please contact the data controller, Meta Cannect Ltd, by email at gdpr.groupbooker.com@meta-cannect.com.
You can also view our Terms and Conditions.