The General Data Protection Regulation 2018 (GDPR) requires every organisation to control how it uses the personal data it holds, and to inform the people concerned of this.

Gupshill Manor is committed to protecting your privacy and security and keeping personal details of our customers safe. This policy explains how and why we use your personal data. 

Who we are

Our website address is:

Organisation/ Business name: Epulo Ltd t/a Gupshill Manor

Company registration number: 5529393

Point of contact: Naomi Reynolds


Telephone: 01684 292278

Address: Gupshill Manor, Gloucester Road, Tewkesbury, Gloucestershire, GL20 5SG

What personal data we collect and why we collect it

Personal Data  –  we use your personal data when,

  • You use our website
  • You book a table
  • You make a payment or request a refund
  • You submit queries, compliments or complaints
  • We record CCTV images
  • An accident occurs
  • We impose a ban on visiting our pub

We don’t keep your data for any longer than we need it, we also have retention periods for more details.


When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: After approval of your comment, your profile picture is visible to the public in the context of your comment.


If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

This website uses Quandoo forms to make online table booking

Quandoo UK Ltd Manage bookings

Quandoo UK Ltd. The Lightwell, Second Floor 12-16 Laystall Street, Holborn, London EC1R 4PF

Name, age, email address, gender, mobile number

When you book a table or function

We will ask for your name, gender, address, telephone number and email address. We use this information to make and confirm your booking. If you book online, we will also record your IP address. We use this information to check that the booking is genuine.

If you’re making a booking on behalf of a work colleague, we will ask for information about your company and the guest, so that we can invoice and bill the correct party and welcome your colleague when they arrive at our venue.

Please also tell us about any preferences or specific needs anyone in your party has, especially dietary preferences, food allergies or access needs. We will use this information to make preparations for your visit and look after you whilst you are at Gupshill Manor.

When we need to verify your age

We are required by law to ensure we do not sell alcohol to anyone under the age of 18 so we carry out age checks whenever they are necessary. We log some age verification checks anonymously so that we can check and prove that they are being carried out in accordance with the licensing rules which apply to the venue you are visiting.

The Challenge 21 and Challenge 25 schemes seek to discourage underage drinking by encouraging hospitality businesses to ask anyone lucky enough to look like they are under 21 (or 25) for proof of their age before they are served. If you’re one of the lucky ones, please don’t be offended if we ask you for proof of your age. A photo-card driving license, passport or military ID are valid proof of age for both schemes: if you don’t have these documents, please check the relevant Challenge scheme website to see what else we can accept.

 When we need to verify or record information about your identity

The UK government has asked pubs, hotels and restaurants to register information about their visitors during the Covid-19 pandemic. Therefore, the identity information you provide when making a booking or registering your visit, together with the date, time and name of the venue you are visiting, will be recorded for this purpose.

If NHS Test and Trace or NHS Scotland Test and Protect request information from us about our visitors, we will share the information they require, to help them to identify people who are at risk of infection. Personal information collected via our SMS-based guest visit registration scheme will not be used for any other purpose or shared with any other organisation.

Occasionally, a licensing authority may require the licensed premises in their area to verify or record information about their visitors, in particular information about their identity. If we are required to carry out such activities during your visit, further information will be provided at the venue.

When you submit queries, compliments or complaints

We will ask for your title, name, address telephone number and email address so that we can identify you and discuss your enquiry with you. We will also ask for any other relevant information, such as further information about you, other members of your party, restaurant reservation or function detail information when you visited and when, or your purchases. We will use this information to take your enquiry and respond appropriately to it.

When you use a gift card or participate in a loyalty scheme

When you buy a gift card, we will use the information you provide to personalise, activate and send the gift card to you or the person you bought it for.

If you join one of our loyalty schemes, we will use the information you provide to enrol you and to provide confirmation of this and other necessary information about your membership.

When you redeem your gift card and whenever you present your loyalty scheme membership number during payment, we will use information about your visit, purchases and use of our services to update your gift card balance, credit your account with any loyalty points you have earned and update your profile.

When we record CCTV images

We use CCTV to help keep our guests and staff safe, so your image may be recorded when you visit us. We display signs at our venues to tell you when CCTV is being used. If no incidents take place, the CCTV images will not be looked at before they are deleted. However, if an incident occurs, we will review the CCTV images to see if they contain footage that relates to the incident.

In the event of an emergency. Depending on the incident and the information that is recorded, these recordings may be used in any legal or insurance claim-related proceedings that follow.

When an accident occurs

If you are unfortunate enough to be involved in an accident on our premises, we will ask for your name, address, phone number, age and any other details that relate to the accident, such as information about any relevant health conditions you have or any injuries or treatments you received.

When you make a request to exercise your data protection rights

Information about your request and our response will be kept for 12 months from the date of our final response to you.


If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

We also use the below cookies

cookielawinfo-checkbox-necessary This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category “Necessary” and lasts for one year

Necessarycookielawinfo-checkbox-non-necessary This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category “Non-necessary” and lasts for 1 year.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.


Currently this website is not using analytics services

Who we share your data with

The site is hosted by Siteground and you can view how they process data on the site using the following link

Data sharing, we may need to share your information with

Greene King The holding company in the Greene King Group,

Westgate Brewery, Bury st Edmonds, Suffolk IP33 1QT

Langley Business Systems Provides CCTV

Langley House, Brandon Way, West Bromwich, B70 8JN.

Name address, Membership card information, managing and maintaining CCTV images

Quandoo UK Ltd Manage bookings

Quandoo UK Ltd. The Lightwell, Second Floor 12-16 Laystall Street, Holborn, London EC1R 4PF

Name, age, email address, gender, mobile number

Sky UK Limited Provides the Wifi service at Gupshill Manor

Grant Way, Isleworth, Middlesex, TW7 5QD

Name, age, address, email address, gender and mobile number

World Pay Uk Making card based payments/refunds

The Walbrook Building, 25 Walbrook, London, EC4N 8AF

Name, address, card information

Other situations that may require us to share your personal data

We will share your personal data if we are required to do so by law or by a regulatory authority. For example, we may have to share your personal data for the detection or prevention of crime, fraud or money laundering, or to allow a regulator or ombudsman to investigate a complaint you have submitted to them.

We will share your personal data if we need to do so to protect our business interests, such as to enforce the terms of a contract, pursue an overdue debt or defend our legal rights.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

Data retention

When you use our website, data is kept 25 months from your last known interaction with us

When you book a table or function

Booking information that you provide directly to a venue is normally held for 1 year from the end date of the booking. However, we also use a booking diary and these diaries are kept for 2 years after they have been withdrawn from use. Contractual paperwork relating to bookings is kept for 2 years after the contract has concluded. When you make a booking online, we keep booking information for 13 months from the date of your last booking. However, if you ever opt in to receive direct marketing, this period is extended.

When you make a payment or request a refund

6 years from the date of the transaction. Payment card details are not retained unless they are emailed to us, in which case they are held until the booking has been completed and paid for.

When you submit queries, compliments or complaints

Data is kept 1 year from the date of the last correspondence on the matter.

When we record CCTV images

CCTV is kept for 31 days, measured from the date of the recording. However, in some situations, these periods may be extended.

When an accident occurs

Data is kept 6 years from the date of the accident, or 3 years from the age at which a child becomes an adult, or 3 years from the date of settlement of a claim, whichever occurs last.

When we impose a ban on visiting our venue

Please refer to the information sent to you when the ban was imposed.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

When you make a request to exercise your data protection rights

Information about your request and our response will be kept for 12 months from the date of our final response to you.

Data protection law provides you with certain rights and as a responsible data controller, we are committed to uphold these.


You have the right to be informed what we will use your personal information for, where we obtain it, who we share it with and how long we keep it for. This is the primary reason for publishing this notice.


You have the right to access a copy of your personal data and an explanation of what we are using it for. This is also known as a ‘subject access request’, ‘SAR’ or ‘DSAR’.


You have the right to ask us to correct or stop processing inaccurate personal data.

Erasure (‘right to be forgotten’)

You have a right in certain situations to ask us to delete your personal data.

Restriction of processing

You have a right in certain situations to ask us not to process your personal data.

Object to processing

You have the right in certain situations to object to the fact that we are processing some of your personal data.


You have the right in certain situations to ask us to pass some of your personal data to another data controller on your behalf.


You have a right to submit a complaint to the UK Information Commissioner’s Office (ICO).

Withdraw Consent

Most of the personal data processing we do is not dependent on your consent but any consent that we are relying on can be withdrawn if you wish to do so.

Responding to your request

If you notify us that you want to exercise your rights, we will acknowledge your request promptly. if we don’t already know who you are, we may need to ask you to provide us with additional information to enable us to verify your identity. The information we would need depends on the nature of your request.

Once we have confirmed your identity, we will validate your request and gather the information we need to be able to respond to it. We will carry out this work as quickly as possible but it may take up to 30 days to respond in full. If your request is particularly complex, we may ask you for further information to help us respond more quickly, or ask you if there is some information that you want particularly urgently. We may also respond to your request in phases, as relevant information becomes available.

If we cannot satisfy your request within 30 days, we will write to you to tell you why, and when we expect to be able to provide you with a full response.

Some of these rights are subject to conditions. If for any reason we decide that we cannot satisfy your request, we will provide you with our decision and our reasons for reaching it within 30 days.

Where we send your data

This website is built using WordPress servers store personal data on servers located both in the US and in the EU. It is not possible to restrict the data associated with your site to a single geographic location. respects EU law related to the proper handling of data being transferred elsewhere. We include the Standard Contractual Clauses for such data transfers in our Data Processing Agreement.

Visitor comments may be checked through an automated spam detection service.

International data transfers

Before your personal data is transferred outside the UK, we implement at least one of the following safeguards:

Check whether the personal data is being transferred to a country that has been deemed to provide an adequate level of protection by the UK government. More information about this is available on the UK government website.

Where we use third parties based in the United States, check if they have signed up to the Privacy Shield framework. This framework requires signatories to provide a similar level of protection to personal data as would be the case if the personal data remained within the UK.

Use contractual clauses approved by the UK government which give personal data equivalent protection to that which it would have if processed in the UK.

If we are unable to apply any of the first three safeguards, we will try to contact you to ask for your consent before we transfer your personal data.

Your contact information

Contact Information

If you want to discuss how we use your personal data, opt out of profiling, exercise your data protection rights or contact our data protection officer, you may write to: Gupshill Manor, Gloucester Road. Tewkesbury, Gloucestershire, GL20 5SG or send an email to:

How we protect your data

Protecting your data

It is in our legitimate interests to provide a fully-functioning, accessible and useful website to our customers.

We process this data to satisfy our legal obligation to not sell alcohol to anyone under the age of 18. It is in our legitimate interests to ensure that we do not market alcohol to anyone under the age of 18.

This is sometimes due to a legal obligation imposed under the Licensing Act, or in the case of assisting NHS Test and Trace and NHS Scotland Test and Protect, their legitimate interest of being able to act quickly during the pandemic.

We process data to set up the contract, provide the services to you and notify you of any important changes to them.

We send marketing information to people who consent to receive it.

We may also send marketing to customers who, when informed that we want to do so, choose not to opt out (soft opt-in).

It’s a legitimate interest to send direct mail marketing to let our customers know about our products, brands, services and any special offers we are running.

Customers who no longer want to receive marketing can opt out at any time (please follow the instructions in the marketing messages we send you).

What data breach procedures we have in place

Data Breach Procedures

We protect the personal data we hold from theft, accidental loss, corruption and other threats that would have a negative impact on our customers. Our protective measures include:

Not collecting personal data that we don’t really need

Securely destroying or anonymising personal data when we don’t need it any more

Only allowing our employees and our suppliers to process the personal data they need to carry out their duties

Encrypting personal data to render it useless to anyone who is not authorised to access it

Making sure that staff are trained on how to handle personal data safely and securely and are fully aware of their personal responsibilities

Binding our suppliers and partners to the same standards and duty of care that we hold ourselves to

Protecting our websites, networks and IT systems from unauthorised access and from threats such as denial of service attacks, viruses and malware

Making periodic checks that these safeguards are working well and making improvements to them when we think we can do better

Industry regulatory disclosure requirements

Greene King The holding company in the Greene King Group,

Westgate Brewery, Bury st Edmonds, Suffolk IP33 1QT

British Institute of Innkeeping

Infor House. 1 Lakeside Road, Farnborough, GU14 6XP