Privacy Policy
Balham Lodge | Privacy Notice | Version 01/2026
1. Overview
Balham Lodge is a short-stay guest accommodation business operated by Astra Homes Ltd, a company registered in England and Wales (Company Number 04660818), with its registered office at 21 Mount Ephraim Lane, London, England, SW16 1JF (“the Company”, “Astra Homes”, “Balham Lodge”, “we”, “us” or “our”). The Company operates the website www.balhamlodge.uk (the “Website”) in connection with the operation of the lodge.
The Company takes the security and privacy of personal data seriously and is committed to complying with its legal obligations under the Data Protection Act 2018 (the “2018 Act”), the Data (Use and Access) Act 2025 (the “DUAA”), the UK GDPR, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). We respect your personal data, and our use of your personal data is subject to the relevant legislation.
2. Who this notice is for
This privacy notice applies to all users of the Website and to all guests of Balham Lodge, including:
- visitors who browse the Website without making a booking;
- enquirers who submit an enquiry or request information through the Website;
- guests who book directly through the Website or by telephone or email;
- guests who book through online travel agents (“OTAs”), such as Booking.com, Airbnb, Expedia, Lastminute.com, Hotels.com, or other third-party booking platforms;
- persons booking on behalf of others (for example, a person booking a room for a colleague, family member or friend);
- persons named on a booking as additional guests sharing the accommodation;
- guests during their stay at the lodge;
- former guests, including in connection with reviews, repeat bookings, and any marketing communications they have opted in to receive.
3. Controller
The Company is the data controller in respect of personal data submitted through the Website and personal data otherwise processed in connection with your stay. This means that the Company is responsible for deciding how it holds and uses personal information about you. The Company is registered with the Information Commissioner’s Office (“ICO”). The Company’s registration number is Z8457189.
Where you have made your booking through an OTA, that OTA will be a separate data controller in respect of the personal data it collects from you directly. We have no control over the OTA’s processing of your data, which is governed by the OTA’s own privacy policy. The OTA will share with us the personal data necessary to fulfil your booking; once we receive that data, we process it as a data controller in accordance with this notice.
4. Cookies
The Website uses cookies and similar technologies to operate, to improve the user experience, and (where you have given your consent) for analytics and functional purposes. The use of cookies on the Website is governed by a separate Cookies Policy, which can be accessed from the footer of every page of the Website. The Cookies Policy explains what cookies are, what cookies the Website uses, and how you may give, withdraw, or change your consent to non-essential cookies.
5. What personal data we collect
Depending on how you interact with us, we may collect the following categories of personal data:
Identity Data — your title, first name, last name, date of birth (where required), nationality, and (where required by law) details from your passport or other identity document. We are required by the Immigration (Hotel Records) Order 1972 to record certain identity information about guests aged 16 or over. Further detail is set out in section 7 below.
Contact Data — your home or billing address, email address, and telephone number.
Booking Data — the details of your booking, including the dates of your stay, the room booked, the number of guests, the booking channel through which you made the booking (Website, telephone, email, or OTA), the booking reference, any special requests, and the names of any additional guests sharing the accommodation.
Payment Data — the financial information necessary to process your payment, including (depending on the booking channel) card details, the billing address associated with your card, the amount and currency of the payment, and the payment reference. Payment card data is processed through PCI-DSS compliant payment service providers and is not retained by us in full beyond the limited period necessary to process refunds or recoveries.
OTA Data — the booking information passed to us by the OTA through which you have booked, which typically includes your name, contact details, booking dates, room type, total price, OTA reference number, the cancellation policy applicable to your booking, and any preferences or special requests you have communicated through the OTA platform.
Stay Data — information generated during your stay, including check-in and check-out times, any services or charges incurred during your stay, any incidents or complaints arising, and any communications between you and our staff.
Marketing Data — if you opt in to receive marketing communications from us (for example, a newsletter, special-offer updates, or loyalty programme information), we will collect the information necessary to send you those communications and to record your consent. You may withdraw your consent at any time using the unsubscribe link in any communication, or by contacting us using the details in section 16.
Loyalty and Repeat-Guest Data — where you are a repeat guest, or where you have signed up to any loyalty programme we may operate, we will retain a record of your previous stays, your preferences (for example, room type, dietary preferences, accessibility requirements, special occasions), and any loyalty benefits or recognition to which you are entitled.
Review and Feedback Data — where you provide a review or feedback about your stay (whether to us directly, through an OTA, or through a review platform), we may process the information you submit. Where we publish testimonials or reviews on the Website or in marketing materials, we will do so with your consent and (unless you have indicated otherwise) on an anonymised or first-name-only basis.
Technical Data — your IP address, browser type and version, operating system, the pages of the Website you visit, and the duration of your visit. This data is collected automatically through Website server logs and (where you have consented) through cookies.
Correspondence Data — the records of any correspondence between you and us by email, through Website contact forms, by telephone, or through an OTA’s messaging system.
Special Requirements Data — where you choose to inform us of any dietary requirements, accessibility needs, allergies, medical conditions relevant to your stay, or any other particular requirements, we will process this information for the purpose of providing the relevant accommodations during your stay. Some of this information may be “special category data” under Article 9 UK GDPR (in particular, information relating to health), and we will rely on the special-category lawful bases set out in section 6 below.
6. Lawful bases for processing your data
We process the personal data set out in section 5 above on the following lawful bases:
Performance of a contract or taking steps prior to entering into a contract — where you are booking (or have booked) accommodation with us, we process your personal data to perform our contract with you (including taking your booking, processing your payment, communicating with you about your stay, providing your stay, and dealing with any post-stay matters).
Compliance with legal obligations — we are required by law to process certain categories of personal data. In particular, we are required to record identity information about guests aged 16 or over under the Immigration (Hotel Records) Order 1972, and we may be required to disclose personal data to law enforcement agencies, tax authorities or other regulators where properly required to do so.
Legitimate interests — where it is necessary for our legitimate interests (including the proper management of the lodge, the prevention of fraud, the protection of our property and our staff, the operation of our website, and the analysis and improvement of our service) and your interests and fundamental rights do not override those interests.
Consent — where you have given your consent for a specific purpose (for example, by opting in to receive marketing communications, by consenting to the use of non-essential cookies on the Website, or by agreeing to the publication of a review or testimonial). Where we rely on your consent, you may withdraw your consent at any time.
Where we collect special category data (in particular, health-related information you have chosen to disclose in connection with dietary, accessibility or medical requirements for your stay), we will rely on one or more of the following further lawful bases under Article 9 UK GDPR:
Article 9(2)(a) — explicit consent, where you have voluntarily provided the information for the specific purpose of accommodating your requirements during your stay;
Article 9(2)(c) — vital interests, where the processing is necessary to protect your life or someone else’s (for example, in a medical emergency during your stay);
Article 9(2)(f) — the establishment, exercise or defence of legal claims.
7. Identity records — the Immigration (Hotel Records) Order 1972
We are required, under the Immigration (Hotel Records) Order 1972, to keep records of all guests aged 16 or over staying overnight at the lodge. The information we are required to record is:
- the full name and nationality of each such guest;
- for guests who are not British, Irish, or otherwise Commonwealth nationals: details from your passport or other identity document, including its number and the place of issue;
- the next destination of each such guest, including (where known) the address; and
- the date of arrival and departure.
These records are required to be kept for a minimum of 12 months from the date of your stay, and must be made available for inspection by an immigration or police officer if requested. The lawful basis for this processing is our legal obligation under the Order.
8. Bookings through Online Travel Agents (OTAs)
Many of our guests book through Online Travel Agents such as Booking.com, Airbnb, Expedia, Lastminute.com and Hotels.com. The relationship between you, the OTA, and Balham Lodge in respect of your personal data is as follows:
The OTA’s role. When you book through an OTA, the OTA is a data controller in its own right in respect of the personal data it collects from you. The OTA collects your data under its own privacy policy, which governs how that data is used by the OTA. Please refer to the OTA’s privacy policy for further information about the OTA’s data processing.
What is shared with us. The OTA will share with us the personal data necessary to fulfil your booking. This typically includes your name, contact details (often a masked email address routed through the OTA’s messaging system), booking dates, room type and price, any preferences or requests you have communicated, and the OTA reference number for the booking.
Our role. Once the OTA shares your data with us, we become a data controller in respect of that data for the purposes of fulfilling your booking, providing your stay, complying with our legal obligations (including the Immigration (Hotel Records) Order 1972), and any other purpose set out in this notice. We process that data in accordance with this notice.
Messaging through the OTA. Some OTAs operate a messaging system through which you and we communicate about your booking. The messages are routed through the OTA platform and are accessible to the OTA. If you would prefer to communicate with us directly (for example, by telephone or by email), please use the contact details set out in section 16.
Reviews on OTA platforms. OTAs typically invite guests to leave a review of their stay. Reviews submitted to an OTA are published on the OTA’s platform under the OTA’s review policy. We may read and respond to those reviews; any response we publish on the OTA platform is subject to the OTA’s terms.
Payment through OTA. Depending on the OTA, payment may be processed by the OTA directly (in which case we do not see your card details), or it may be processed by us at check-in or check-out (in which case we will process your card details through a PCI-DSS compliant payment service provider). Please check the booking confirmation from the OTA for the applicable payment arrangement.
9. Direct bookings
Where you book directly with us (through the Website, by telephone, or by email), we collect your personal data directly from you. We may also collect data from third parties involved in your booking — for example, your card issuer or our payment service provider, in connection with payment processing; and (where you have asked a colleague, family member or friend to book on your behalf) the person making the booking, in respect of the additional guests.
Payment for direct bookings is processed through a PCI-DSS compliant payment service provider. We do not retain full card details. Where we hold a card on file for the purposes of a future stay (for example, to secure a booking against cancellation or to charge for damage), the card is tokenised by the payment service provider and we hold only the token, not the underlying card details.
10. Why we use your personal data
We use the personal data set out in section 5 for the following purposes:
- to take and confirm your booking;
- to process your payment, deal with refunds, and pursue recoveries (for example, in respect of damage, late cancellation, or no-show fees);
- to communicate with you before, during and after your stay;
- to provide your accommodation, including any special requirements you have notified to us;
- to comply with our legal obligations, including under the Immigration (Hotel Records) Order 1972;
- to manage the lodge, including by recording check-in and check-out times, services and charges, and any incidents arising;
- to deal with reviews, complaints and feedback;
- to send you marketing communications you have opted in to receive, including newsletters and special-offer information;
- to operate any loyalty or repeat-guest programme;
- to recognise repeat guests and to apply known preferences to future stays;
- to operate, secure and improve the Website;
- to investigate and prevent any misuse of the Website or the lodge, including fraud;
- to protect our property and our staff;
- to comply with our tax, accounting and audit obligations;
- to establish, exercise or defend legal claims;
- for any other lawful purpose disclosed to you at the point of collection.
11. Who we share information with
We share personal data only where it is necessary to do so and only with parties who have a proper basis to receive it. The principal categories of recipient are:
Our staff — the members of our staff who need access to your data in order to deal with your booking, your stay, your payment, or any post-stay matter.
Our service providers — the providers of the technical infrastructure that supports the lodge and the Website (including booking management software, channel management software, payment service providers, IT support providers, website hosting, and email infrastructure). Where these providers process personal data on our behalf, they do so as processors under written agreements which require them to comply with the UK GDPR.
Online Travel Agents — where you have booked through an OTA, we will communicate with the OTA about your booking. The detail of this relationship is set out in section 8.
Payment service providers and banks — in connection with the processing of payments, refunds and recoveries.
Our professional advisers — including our solicitors, accountants, auditors and insurers, where their involvement is necessary in connection with the operation of the business or with a specific matter.
Law enforcement and other authorities — where we are required to disclose personal data by law, including under the Immigration (Hotel Records) Order 1972 (which expressly contemplates inspection by an immigration officer or a police officer).
HMRC and other tax authorities — in connection with our tax, accounting and audit obligations.
Insurers — where it is necessary in connection with an insurance claim relating to your stay (for example, in connection with damage, theft, or personal injury).
In the event of a sale, transfer or restructuring of the business — we may share data with prospective purchasers or transferees. The recipient would be bound by confidentiality obligations before any data is shared.
We do not sell your personal data to any third party, and we do not share personal data with any third party for that third party’s own marketing purposes without your explicit consent.
12. International transfers
Some of the service providers we use (in particular, OTAs and payment service providers) operate internationally. As a consequence, personal data may, in some circumstances, be processed, stored or accessed from outside the United Kingdom.
Where we transfer personal data outside the UK, we will only do so where we are satisfied that appropriate protections are in place and the transfer is lawful under the UK GDPR. This will include one or more of the following:
Adequacy regulations: transfers may be made to countries or territories that the UK has determined provide an adequate level of protection for personal data (including, where applicable, EEA countries and other countries recognised as adequate under UK law).
UK–US Data Bridge: where we transfer personal data to the United States, we may do so to organisations that are certified under the UK Extension to the EU–US Data Privacy Framework (the UK–US Data Bridge), where applicable.
Appropriate safeguards: where adequacy does not apply, we will use appropriate safeguards, such as the UK Information Commissioner’s International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses (as applicable), together with any additional measures required.
Derogations: in rare cases, we may rely on a limited statutory exception (derogation) permitted by the UK GDPR (for example, where the transfer is necessary for the performance of a contract with you, or to protect vital interests).
Where you have booked through an OTA, the OTA’s own privacy policy will govern the OTA’s international transfers of your data. Please refer to the OTA’s privacy policy for further information.
13. Data security
We have put in place appropriate technical and organisational measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include:
- the use of secure (HTTPS) connections across the Website;
- encryption of personal data in transit and (where appropriate) at rest;
- processing of card data through PCI-DSS compliant payment service providers;
- limited access to personal data on a need-to-know basis;
- the use of vetted service providers who themselves operate appropriate security measures.
We have put in place procedures to deal with any suspected data security breach and will notify you, the Information Commissioner’s Office, and any other applicable regulator of a suspected breach where we are legally required to do so.
Despite these measures, the transmission of information through the internet is not entirely secure. We cannot guarantee the security of personal data transmitted to or through the Website, and any transmission is at your own risk to that extent. Once we have received your information, we apply the security measures described above.
14. Data retention
We will not retain your personal data for longer than necessary for the purposes set out in this notice. Different retention periods apply to different categories of data:
- Identity records under the Immigration (Hotel Records) Order 1972 are retained for at least 12 months from the date of your stay, as required by that Order.
- Booking and stay records are retained for as long as is necessary in connection with the booking, plus a reasonable period thereafter for the purposes of accounting, tax, audit, and the defence of any potential legal claim.
- Payment records are retained for the period required by our tax, accounting and audit obligations (typically a minimum of six years).
- Marketing data is retained for as long as you remain opted in to receive marketing communications, plus a limited period thereafter to record your withdrawal of consent.
- Loyalty and repeat-guest data is retained for as long as the loyalty arrangement is in place and for a reasonable period thereafter.
- Reviews are retained for the period over which they remain useful for the operation of the business; they may be retained in archived form thereafter.
- Technical data is retained for the period necessary to operate and secure the Website.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure; the purposes for which we process the personal data and whether we can achieve those purposes through other means; and the applicable legal requirements.
15. Your rights
Under the UK GDPR (as amended by the Data (Use and Access) Act 2025), you have a number of rights in respect of the personal information we hold about you.
Right to be informed about the collection and use of your personal data. This Privacy Notice, together with the documents referred to in it, provides you with this information.
Right to access (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. You will not have to pay a fee, unless your request is unfounded, repetitive or excessive. We try to respond to all legitimate requests within one month; occasionally it may take us longer if your request is particularly complex or you have made a number of requests. Please note that we may need to stop the clock while we are awaiting ID or clarification needed to locate the data.
Right to request correction of the personal information that we hold about you, where it is incomplete or inaccurate.
Right to request erasure of your personal information. In certain circumstances you have the right to ask for some (but not all) of the information we hold and process to be erased. The right may not apply where we are required by law to retain the data (in particular, for the Immigration (Hotel Records) Order 1972 and our tax and accounting records).
Right to object to processing of your personal information where we are relying on a legitimate interest. You also have the right to object where we are processing your personal information for direct marketing purposes.
Right to request restriction of processing of your personal information in certain circumstances, for example if you want us to establish its accuracy.
Right to request the transfer of your personal information to another party in certain circumstances (in particular, where we are processing the data on the basis of consent or the performance of a contract).
Right to withdraw consent at any time, where we are processing your personal data on the basis of your consent. The withdrawal of consent does not affect the lawfulness of any processing carried out before the consent was withdrawn.
Rights in relation to automated decision-making and profiling — you will not be subject to decisions that have a significant impact on you based solely on automated decision-making.
If you want to exercise any of these rights, please contact the DPO using the details in section 16. We will respond to your request within one calendar month.
16. Your queries and complaints
Our Data Protection Officer, James Freeman, is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, or wish to exercise any of your rights, please contact him by emailing james@astra-homes.co.uk or by writing to 21 Mount Ephraim Lane, London, England, SW16 1JF.
If you have any concerns about how your data is being processed, or in relation to any of your rights, you may raise a data protection concern or complaint with us by contacting James Freeman. We will acknowledge your concern or complaint within 30 days and respond without undue delay.
We hope that our DPO can resolve any query or concern you raise about our use of your information. However, if you feel that we have failed to address your concerns appropriately, you can contact the Information Commissioner at ico.org.uk/concerns/ or by telephone on 0303 123 1113 for further information about your rights and how to make a formal complaint.
17. Children
The Website is not directed at children, and we do not knowingly collect personal data about children through the Website. Where children are accompanying a parent or guardian as part of a booking, we may collect limited identity information about them (typically their name and age) for the purposes of complying with our obligations to the parent or guardian and (where applicable) the Immigration (Hotel Records) Order 1972.
18. Changes to this notice
We will review and update this notice regularly in accordance with our data protection and regulatory obligations. The current version of this notice is always available on the Website. The date on which this notice came into force is shown in the document footer.
Schedule
| Information we collect | How we collect it | Why we collect it | How we use or share it |
|---|---|---|---|
| Identity Data (name, date of birth, nationality, passport / ID details where required) | From you, from the OTA through which you have booked, or from the person making the booking on your behalf | Performance of a contract; compliance with legal obligations (in particular, the Immigration (Hotel Records) Order 1972). | To take and confirm your booking, to provide your accommodation, and to comply with the Immigration Order. Shared (as required) with law enforcement. |
| Contact Data (address, email, telephone) | From you, the OTA, or the person making the booking | Performance of a contract. Legitimate interests in communicating with you. | Used to communicate with you before, during and after your stay. Shared with our service providers as necessary. |
| Booking Data (dates, room, price, channel, additional guests, special requests) | From you, the OTA, or our booking management software | Performance of a contract. Legitimate interests. | Used to manage your booking. Shared with our service providers (booking management, channel management, payment). |
| Payment Data (card details, billing address, payment reference) | From you, your card issuer, our payment service provider, or the OTA | Performance of a contract. Compliance with our tax and accounting obligations. Legitimate interests in fraud prevention. | Processed through a PCI-DSS compliant payment service provider. Shared (in summary form) with HMRC, our accountants and auditors, and (where applicable) the OTA. |
| OTA Data (booking information shared by the OTA) | From the OTA | Performance of a contract. Legitimate interests. | Used to fulfil your booking. Stored on our booking management software, and shared with our service providers as necessary. |
| Stay Data (check-in / check-out, services, incidents) | From our staff, from booking and property management systems | Performance of a contract. Legitimate interests in operating the lodge. | Used to manage your stay and to deal with any matters arising. Shared (where appropriate) with our insurers, our professional advisers, and any party with a proper interest. |
| Marketing Data (email address, marketing preferences, consent records) | From you, when you opt in | Consent. | Used to send you communications you have opted in to receive. Shared with our email marketing service provider. |
| Loyalty and Repeat-Guest Data (history of stays, preferences, loyalty status) | From you, from previous bookings, from our booking and property management systems | Legitimate interests in recognising repeat guests and providing a tailored experience. Performance of a contract. | Used to recognise and accommodate returning guests and to apply known preferences to future stays. |
| Review and Feedback Data | From you, directly or through OTA or review platforms | Legitimate interests in understanding and improving our service. Consent (for any publication). | Used to inform improvements. Where published as a testimonial on the Website or in marketing materials, used only with consent and (typically) on an anonymised or first-name-only basis. |
| Technical Data (IP, browser, device, pages visited) | Automatically through Website server logs and (where consented) cookies | Legitimate interests in operating and securing the Website. | Used internally. Shared with our hosting and analytics service providers (as processors). See the Cookies Policy. |
| Correspondence Data (email, contact form, telephone, OTA messages) | From you, through the Website, by telephone, by email, or through the OTA | Performance of a contract. Legitimate interests in maintaining records. | Retained with the booking file. Shared internally with the staff handling the relevant matter. |
| Special Requirements Data (dietary, accessibility, allergies, medical conditions relevant to your stay) | From you | Article 9(2)(a) explicit consent; Article 9(2)(c) vital interests (where engaged); Article 9(2)(f) legal claims (where engaged). | Used to accommodate your requirements during your stay. Shared internally with the relevant staff on a need-to-know basis. |