Privacy Policy

At Spencer House Limited (“we”, “us” or “our”) we are committed to safeguarding and preserving the privacy of our visitors. This Privacy Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

For the purpose of the EU General Data Protection Regulation (“GDPR”) and complementary UK legislation, we are the data controller for any personal information gathered by this website or by other sources. Our registered address is 27 St. James’s Place, London, SW1A 1NR.

We do update this Policy from time to time so please do review this Policy regularly.

How we collect and use information

We may collect and process data about you for the following reasons:

Visitors to the website – if you visit the Spencer House website we, the third party that runs the website on our behalf, and a third-party analytics service, may collect information relating to your visit including, but not limited to, traffic data, location data, weblogs and other communication data, and the resources that you access. The analytics information is only processed in a way which does not identify anyone. We do not make, and do not allow the analytics service provider to make, any attempt to find out the identities of those visiting our website. Please also see our Terms and Conditions and our Cookies Disclaimer for further information about the use of the website.

Persons booking events at Spencer House – if you book an event at Spencer House then we will hold any personal data that is collected as part of the booking process, such as name, email address, telephone number and other contact details. We will process personal financial data if you make payments from a personal account (rather than a business account). If payment is taken using a personal credit or debit card, then Lloyds Bank, the provider of the card payment device, will also process your data. We may also receive personal data about you or your guests if you provide any in the context of the event. Should you provide us with personal data on individuals other than yourself, you confirm that you have their consent to do so. Correspondence and booking information in respect of your event will be retained for up to two years after your event for accounting purposes and to address any queries that arise following your event. After this time your personal data will be deleted, unless (i) it is required for a legal reason, or (ii) you have requested to receive information about future Spencer House events, in which case we will retain your contact information, which will be used only for this purpose.

Persons booking tours at Spencer House – if you book a tour at Spencer House then we will hold any personal data that is collected as part of the booking process, typically your name, but also including any other information that you provide such as email address, telephone number or other contact details. We will process personal financial data if you make payments using a personal debit or credit card (rather than a business card); if payment is made through the website, collection of this payment is taken via PayPal, who will also process your personal data; if payment is taken over the phone then Lloyds Bank, the provider of the card payment device, will also process your data. Debit and credit card details will be kept for 3 months after your tour for accounting purposes and to address any queries that may arise. Name and any other personal data is deleted shortly after your tour unless you have requested to receive future information about Spencer House, in which case we will retain your contact information, which will be used only for this purpose.

Persons making enquiries about Spencer House – if you contact us with an enquiry by filling in forms on our website or by emailing us, we will keep a record of that correspondence and the personal contact details that you provide with your query, for two years. If you contact us through completing a form on our website, you will be asked whether you would like to opt-in to our mailing list for information about future events. If you do not opt-in, we will only use your data in order to respond to your query. If you do opt-in, or if you ask in email correspondence to be added to our mailing list, from time-to-time we may also use your contact information to send you information about future events at Spencer House.

If you do join our mailing list and subsequently decide that you would like to be removed, you can unsubscribe by emailing us at tours@spencerhouse.co.uk or events@spencerhouse.co.uk.

If your enquiry relates to the collections at Spencer House, your correspondence will be directed to and answered by our curator, The Rothschild Foundation, rather than by Spencer House Limited. The Rothschild Foundation will keep a record of that correspondence and the personal contact details that you provide with your query.

Visitors to our buildings – in order to protect the security of our buildings, staff, tenants and visitors, it is in our legitimate interest to record security footage within our buildings and in the direct surroundings of our buildings. CCTV security footage is deleted after 30 days and is only shared with third parties if a lawful request is made by a legitimate body, for example by the Metropolitan Police, Counter Terrorism Unit or London Fire Brigade.

People we do business with – we hold personal data in respect of persons with whom we have business relationships, or potential business relationships. This data is typically limited to basic personal information such as name, email address, telephone number, as well as details related to the nature of the business relationship. Information is processed in accordance with any contractual agreement in place or in the legitimate interests of our business activities.

Our staff – we hold personal data in respect of our employees, directors, contractors and other persons who work with us from time-to-time. We have a separate privacy policy for our staff. If a person wishing to work with us sends us their details, for example through a recruitment process, we will do our best to gain their consent to hold onto their details for future roles with us, or we will aim to delete the records once the recruitment process has concluded, although it may not be possible to remove all personal details; for example, it may not be possible to remove all references to a person’s name in our internal email system.

Lawful basis for processing

Under the GDPR there must be a lawful basis for processing your personal data. As outlined above, we will only do so for the purpose of running our business, to provide information to you that you request from us relating to our products or services, to fulfil contractual obligations, or to provide information to interested parties making reasonable enquiries. In terms of the GDPR, we will be processing either on the lawful basis of fulfilling a contractual obligation, or the lawful basis of being in the legitimate interests of our business or customers. Finally, we may process on the lawful basis of fulfilling a legal obligation if this is applicable.

We also process your personal data on the lawful basis of consent where you have opted to receive information about future events at Spencer House. You may withdraw this consent at any time by unsubscribing from our mailing list as described above. We do not ever sell or pass personal data to third parties for marketing purposes.

Finally, we also rely on the lawful basis of consent if you apply for a job at Spencer House and agree for us to retain your details for potential future positions.

We never give your details to third parties to use your data to enable them to provide you with information regarding unrelated goods or services.

Who we do share information with

We will only share your personal data with other third parties where it is necessary for the purposes outlined above and in accordance with the relevant lawful basis for processing. Examples of the third parties that may process personal data on our behalf are: suppliers that you agree will be part of your event at Spencer House, our professional advisers, our auditors, the companies that help us administer this website and any payment taken on it, organisations that provide other services that are required in the provision of our services to you. Third parties that process data on our behalf are also subject to all of the requirements of the GDPR and owe us a contractual obligation to only use your personal data for the applicable purpose and to keep your data secure.

We may also disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

We may disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect our rights, property, or the safety of our staff, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Finally, in the event that we sell or buy any business or assets, we may disclose personal data to the prospective seller or buyer of such business or assets. If we are acquired by a third party, personal data will be one of the transferred assets.

How information is kept secure

We take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. Where personal data is held electronically we store information on our secure servers and employ security procedures and features to try to prevent unauthorised access.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect personal data in our possession, we cannot guarantee the security of data when being transmitted; any transmission of your personal data to us at our site or via email or other transmission method is at your own risk.

On occasion we include links to third parties on this website. Where we provide a link it does not mean that we endorse or approve that site’s policy towards visitor privacy. You should review their privacy policy before sending them any personal data.

Transfers of data outside of the EEA

Personal data that we collect from you will only be transferred to or stored at a destination outside the European Economic Area (“EEA”) or processed by staff operating outside the EEA who work for us or for one of our suppliers if the organisation or country has data protection measures that have been deemed equivalent to those in the EEA or if we have put adequate safeguards in place to ensure equivalent treatment of your personal data. By submitting your personal data, you agree to this transfer, storing or processing for the purpose indicated, provided one of the conditions above is met.

Your individual rights

The GDPR gives you rights in respect of your personal data. For more information about your rights please see.

We would draw your attention to the following procedures that we have in place in respect of your rights:

Right to access – you may request that we provide you with confirmation on whether we are processing your data and, if applicable, a copy of your personal data (not personal data in respect of any other individual) and other relevant processing information such as that provided in this privacy notice. To make a request, please email the contact address provided below. There will be no charge for requests that are reasonably made. We will aim to respond to you in writing within one month.

Right to rectification – if personal data that we hold on you is incorrect, please email the contact address below, and we will update our records (or let you know if we believe our records are accurate, if appropriate).

Right to erasure – you may request that personal data that we hold on you be deleted; however, we are only obliged to erase your data if we no longer have a lawful basis for processing it. Please email the contact address below providing the reason for your request and sufficient detail to accurately identify your records, and we will write to you to let you know the action we have taken.

Right to object – you may object to the processing of your personal data. You must give specific reasons for your objection and we are not obliged to comply with your request if we have a compelling reason to continue processing your personal data in accordance with a lawful basis. Please email the contact address below and we will write to you to let you know the action we have taken. If we do not agree with your objection we will explain why and, if you wish, how you may raise a complaint with the Information Commissioner’s Office.

Contacting Us

Please do not hesitate to contact us regarding any matter relating to this Privacy Policy via email at tours@spencerhouse.co.uk or events@spencerhouse.co.uk according to your query.