EOH Privacy Policy
1. Introduction
Echoes of Heritage Ltd. (“we,” “our,” or “us”) values the privacy of our clients, visitors, employees, partners and all other individuals (“you” or “data subjects”) whose personal data we process. This Privacy Policy explains how we collect, use, share and protect personal data across our business operations, including exhibitions, membership programmes, e‑commerce activities, digital platforms and corporate functions.
By using our services, purchasing tickets or memberships, visiting our venues or interacting with us online, you acknowledge that you have read and understood this policy.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable individual.
- Processing: Any operation performed on personal data, such as collection, storage, use, disclosure or deletion.
- Controller: The entity that determines the purposes and means of processing personal data. Echoes of Heritage Ltd. is the controller for the personal data we collect.
- Processor: A third party that processes personal data on behalf of the controller.
- UK GDPR/EU GDPR: The UK General Data Protection Regulation and the EU General Data Protection Regulation, respectively.
- Data Subject Rights: Rights granted to individuals under applicable data‑protection laws, including the rights of access, rectification, erasure, restriction, objection, data portability and complaint.
3. Scope
This policy applies to all personal data that we process in connection with our operations, including:
- Visitors to our exhibitions, events and venues
- Subscribers and members of our programmes
- Users of our websites, mobile apps, VR/AR platforms and digital services
- Customers purchasing merchandise or experiences online or offline
- Business partners, vendors, contractors and prospective clients
- Job applicants and employees (additional internal policies may apply)
4. Categories of Personal Data Collected
We collect and process the following categories of personal data, depending on your interactions with us:
- Contact Information: Names, addresses, email addresses, phone numbers, country of residence and preferred language.
- Account and Membership Data: Username, password, membership tier, subscription details, preferences, purchase history and communications.
- Identification Documents: Passport or ID information for events or travel requiring identity verification (e.g., heritage tours).
- Payment Information: Credit/debit card details and billing address, processed securely through our payment providers.
- Transaction Data: Order details, ticket purchases, receipts, loyalty point balances and refund records.
- Technical and Usage Data: IP addresses, device identifiers, browser type, operating system, access times, referring URLs, interaction logs, cookie data and performance metrics.
- Location Data: GPS or approximate location derived from IP addresses when using mobile apps or location‑enabled services, with your consent.
- Visual and Audio Data: CCTV footage at venues, photographs or videos captured during events or with consent, and user‑generated content (e.g., testimonials).
- Marketing and Communication Preferences: Records of your consent or opt‑out choices for newsletters, promotional emails, SMS or direct mail.
- Employment Data: CVs, qualifications, references, background checks, payroll and performance data (for employees and applicants).
- Sensitive Personal Data (Special Category Data): We generally avoid collecting sensitive data (e.g., health, race, or religious beliefs) unless required and permitted by law (e.g., accessibility arrangements). We will request explicit consent or rely on a legal basis where applicable.
5. Sources of Personal Data
We collect personal data from the following sources:
- Directly from you: via ticket purchases, membership registration, online account creation, surveys, job applications, customer support interactions or event participation.
- Automatically: through cookies, analytics tools and log files when you visit our websites or use our digital services.
- Third Parties: including marketing partners, payment processors, identity verification services, travel agents, affiliate museums, social media platforms and recruitment agencies.
- Publicly Available Sources: such as professional networking sites or public records, where permitted by law.
6. Purposes and Legal Bases for Processing
Echoes of Heritage Ltd. processes personal data for the following purposes and under the corresponding legal bases:
- Service Provision and Contract Fulfilment
  - Processing your ticket or membership orders, handling payments, delivering digital content, organising travel experiences, and providing customer support.
  - Legal basis: Performance of a contract or steps taken at your request before entering into a contract (UK GDPR Art. 6(1)(b)).
- Membership and Loyalty Programmes
  - Managing membership tiers, loyalty points, discounts, and personalised offers.
  - Legal basis: Legitimate interests or performance of a contract (Art. 6(1)(f)/(b)).
- Marketing and Communications
  - Sending newsletters, event announcements, promotions, surveys and targeted advertising. We may tailor content based on your preferences and interactions.
  - Legal basis: Consent (Art. 6(1)(a)) for email/SMS marketing; legitimate interests (Art. 6(1)(f)) for certain direct marketing, subject to opt‑out rights.
- Analytics and Personalisation
  - Analysing website/app usage, measuring performance, detecting trends, and improving content and services.
  - Legal basis: Consent for non‑essential cookies (Art. 6(1)(a)); legitimate interests for aggregated analytics (Art. 6(1)(f)).
- Security and Fraud Prevention
  - Monitoring activity to detect and prevent fraud, unauthorised access, and other security threats.
  - Legal basis: Legitimate interests (Art. 6(1)(f)), and legal obligations (Art. 6(1)(c)).
- Legal and Regulatory Compliance
  - Complying with applicable laws, court orders, tax obligations, and regulatory requirements (e.g., health and safety, accessibility).
  - Legal basis: Compliance with legal obligations (Art. 6(1)(c)).
- Employment and Recruitment
  - Managing employment relationships, payroll, benefits, performance reviews, and hiring processes.
  - Legal basis: Performance of an employment contract (Art. 6(1)(b)); legal obligations and legitimate interests.
- Mergers, Acquisitions and Corporate Transactions
  - Evaluating or facilitating corporate restructuring, mergers, acquisitions or sales.
  - Legal basis: Legitimate interests (Art. 6(1)(f)).
If we process personal data for new or unrelated purposes, we will seek your consent or rely on another legitimate basis as required by law.
7. Data Sharing
Echoes of Heritage Ltd. may share personal data in the following circumstances:
- Internal Group Sharing: With our affiliates, subsidiaries and joint ventures for operational, administrative and management purposes, subject to internal agreements and applicable laws.
- Service Providers (Processors): With trusted third parties who perform services on our behalf, such as payment processors, IT hosting providers, analytics platforms, marketing agencies, security contractors and travel partners. These processors are bound by contractual obligations to process data only as instructed by us and to safeguard personal data.
- Business Partners and Sponsors: With partner museums, event organisers, curators, educational institutions or corporate sponsors when co‑hosting exhibitions or programmes. Data shared is limited to what is necessary for collaboration and subject to confidentiality agreements.
- Regulatory Authorities and Law Enforcement: When required by law, court order or to respond to legal requests, defend our rights, or protect our users and staff.
- Corporate Transactions: In connection with mergers, acquisitions, divestitures, financing or sale of assets. In such cases, personal data may be transferred to the acquiring entity under confidentiality restrictions.
- Other Users: In community forums, social media interactions or public events, information you voluntarily share may be visible to others.
We do not sell or rent your personal data to third parties for their own marketing purposes.
8. International Data Transfers
As a global organisation, we may transfer personal data to countries outside the UK or European Economic Area (“EEA”) where data protection laws may differ. When we transfer personal data internationally, we implement appropriate safeguards, such as:
- Adequacy Decisions: Transfers to countries deemed to provide an adequate level of protection by the UK or European Commission.
- Standard Contractual Clauses (SCCs): We enter into SCCs approved by the relevant authorities with recipients located outside of adequate jurisdictions.
- Binding Corporate Rules or Other Mechanisms: Where available, we may rely on additional legal mechanisms to ensure protection.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, to resolve disputes and to enforce agreements. Retention periods vary depending on the nature of the data and the context of processing (e.g., tax records may be retained longer than marketing data). When personal data is no longer required, we will securely delete or anonymise it.
10. Data Security
We employ robust organisational and technical measures to protect personal data, including:
- Encryption of data at rest and in transit where appropriate.
- Access controls, authentication mechanisms and role‑based permissions.
- Regular security audits, penetration testing and vulnerability assessments.
- Staff training in data protection and information security.
- Incident response procedures to mitigate breaches and notify authorities and affected individuals as required by law.
Despite our efforts, no system is completely secure. You are responsible for protecting your account credentials and promptly notifying us of any suspected unauthorised activity.
11. Your Rights
Depending on your location and applicable law, you may have the following rights:
- Right of Access: Obtain confirmation of whether we process your personal data and request a copy.
- Right to Rectification: Correct inaccurate or incomplete personal data.
- Right to Erasure (“Right to be Forgotten”): Request deletion of personal data when it is no longer needed, subject to certain exceptions.
- Right to Restrict Processing: Request that we limit the processing of your personal data under certain circumstances.
- Right to Object: Object to processing based on legitimate interests or direct marketing.
- Right to Data Portability: Receive personal data you provided to us in a structured, commonly used, machine‑readable format and transmit it to another controller.
- Right to Withdraw Consent: Withdraw any consent you previously granted, without affecting the lawfulness of processing prior to withdrawal.
- Right to Lodge a Complaint: If you are dissatisfied with how we handle your personal data, you can lodge a complaint with your local data-protection authority (e.g., the UK Information Commissioner’s Office).
To exercise your rights, please contact us using the details provided in Section 15. We may need to verify your identity before responding to your request, and some requests may be subject to exceptions or legal obligations.
12. Children’s Privacy
Our services are not primarily directed at children under the age of 13 (or the relevant age of consent in your jurisdiction). We do not knowingly collect personal data from children without parental consent. If you believe we have collected personal data from a minor without proper consent, please contact us so that we can investigate and take appropriate action.
13. Marketing Communications
- Opt‑In Consent: Where required by law, we send marketing communications only if you have opted in.
- Opt‑Out: You can unsubscribe from marketing emails and newsletters at any time by following the instructions in the communication or by contacting us.
- Direct Mail and Telephone Marketing: We comply with national opt‑out registers and self‑regulatory codes. You can opt out of these communications by contacting us.
Please note that administrative communications (e.g., service updates, transaction confirmations, policy changes) are not marketing communications and may continue even if you opt out of marketing.
14. Cookies and Similar Technologies
We use cookies, pixels, and other tracking technologies on our websites and apps. For detailed information about the types of cookies we use and how to manage your preferences, please refer to our separate Cookie Policy.
15. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes, we will update the “Last Updated” date and, where required, provide prominent notice or obtain your consent. We encourage you to review this policy periodically to stay informed of how we process personal data.
16. Contact Us
If you have questions, requests or concerns regarding this Privacy Policy or your personal data, please contact:
Echoes of Heritage Ltd.
Attention: Data Protection Officer
35 Berkeley Square, Berkeley Suite, Mayfair
Email: info@echoesofheritage.com
Phone: