Privacy & Cookie Policy
Last updated: April 2026
This Privacy & Cookie Policy explains how we collect, use, store, and protect your personal data when you visit orkneystays.com ("the Website"). It also describes your rights under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
1. Data Controller
For the purposes of UK data protection law, the data controller responsible for your personal data is:
Orkney Stays is an independent travel guide and affiliate publisher. For data protection purposes, you can contact us at: [email protected]
We are not required to appoint a Data Protection Officer (DPO) under the UK GDPR. However, you may direct any data protection questions to the email address above.
2. Personal Data We Collect
We collect and process the following categories of personal data:
a) Data you provide directly
- Contact form submissions: name, email address, phone number (if provided), and message content.
- Admin account data: email address and authentication credentials (site administrators only).
b) Data collected automatically
- Technical data: IP address, browser type and version, operating system, device type, screen resolution, and referring URL.
- Usage data: pages visited, time spent on pages, navigation paths, and interaction events (collected via server logs).
- Cookie data: as described in the Cookie Policy section below.
We do not collect any special category data (e.g. health, racial or ethnic origin, political opinions) through this Website.
3. Lawful Basis for Processing
Under Article 6 of the UK GDPR, we must have a valid legal reason (lawful basis) for each way we use your personal data. The table below sets out each processing activity and the lawful basis we rely on:
| Processing Activity | Lawful Basis |
|---|---|
| Responding to contact form enquiries | Legitimate interest(Art 6(1)(f)) — to respond to prospective visitors who have contacted us |
| Admin authentication and account management | Legitimate interest(Art 6(1)(f)) — to secure site administration and prevent unauthorised access |
| Setting essential (strictly necessary) cookies | PECR exemption(Regulation 6(4)) — strictly necessary for the website to function; no consent required |
| Affiliate and marketing cookies (CJ Affiliate, Booking.com) | Consent(Art 6(1)(a)) — set only after you give explicit consent via our cookie banner |
| Complying with legal obligations | Legal obligation(Art 6(1)(c)) — where required by UK law |
Where we rely on legitimate interest, we have carried out a Legitimate Interest Assessment to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
4. How We Use Your Data
We use your personal data for the following purposes:
- To respond to enquiries you submit through our contact form
- To operate, maintain, and improve the Website
- To authenticate site administrators
- To generate aggregated, non-identifying usage statistics
- To facilitate affiliate referrals to accommodation booking partners (when you click an affiliate link)
- To comply with applicable legal obligations
5. Third-Party Recipients
We share personal data only where necessary to operate the Website or to provide our services. We do not sell your personal data. The following third parties may receive or have access to your data:
| Third Party | Role | Location | Purpose |
|---|---|---|---|
| Vercel Inc. | Data processor | San Francisco, US | Website hosting, edge delivery, and server log storage |
| Supabase Inc. | Data processor | San Francisco, US | Database hosting and authentication services |
| CJ Affiliate (Commission Junction) | Third-party controller | US | Affiliate click tracking and commission attribution when you click accommodation links |
| Booking.com B.V. | Third-party controller | Amsterdam, Netherlands | Accommodation booking services and referral tracking |
Vercel and Supabase act as our data processors under written data processing agreements. CJ Affiliate and Booking.com are independent data controllers for data they collect when you interact with their services.
When you click an affiliate link and are redirected to Booking.com, your interaction with that site is governed by Booking.com's Privacy Policy. We do not collect or process any payment or booking information.
6. International Data Transfers
Some of our third-party service providers are located outside the United Kingdom. When your personal data is transferred internationally, we ensure appropriate safeguards are in place as required by UK GDPR Articles 44–49:
- Vercel Inc. (US): Covered by the UK Extension to the EU-US Data Privacy Framework (DPF). Vercel is a certified participant in the DPF.
- Supabase Inc. (US): Protected by Standard Contractual Clauses (SCCs) incorporating the UK International Data Transfer Addendum (IDTA).
- CJ Affiliate (US): Protected by Standard Contractual Clauses (SCCs) incorporating the UK International Data Transfer Addendum (IDTA).
- Booking.com B.V. (Netherlands): Based in the EEA; transfers covered by the UK adequacy decision for the EEA.
You may request copies of the relevant safeguard documents by contacting us at [email protected].
7. Data Retention
We keep personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are:
| Data Type | Retention Period |
|---|---|
| Contact form submissions | 12 months from submission, then securely deleted |
| Cookie consent records | 6 months |
| Server logs (Vercel) | Per Vercel's data retention policy (typically 30 days) |
| Admin authentication data | Duration of the admin account; deleted upon account removal |
After the applicable retention period, personal data is securely deleted or anonymised so that it can no longer be linked to you.
8. Your Rights Under the UK GDPR
You have the following rights in relation to your personal data. These rights are not absolute and may be subject to exemptions under applicable law:
- Right of access (Article 15): Request a copy of the personal data we hold about you, along with information about how we use it.
- Right to rectification (Article 16): Ask us to correct any inaccurate or incomplete personal data.
- Right to erasure (Article 17): Request deletion of your personal data where there is no compelling reason for us to continue processing it.
- Right to restrict processing (Article 18): Ask us to temporarily stop processing your data in certain circumstances (for example, while we verify its accuracy).
- Right to data portability (Article 20): Receive the personal data you have provided to us in a structured, commonly used, machine-readable format, or ask us to transmit it directly to another controller.
- Right to object (Article 21): Object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Rights related to automated decision-making (Article 22): We do not carry out any solely automated decision-making or profiling that produces legal or similarly significant effects on you.
- Right to withdraw consent: Where we process your data based on consent (such as marketing cookies), you may withdraw your consent at any time. This does not affect the lawfulness of any processing carried out before you withdrew consent. You can withdraw cookie consent using the cookie settings on this Website.
To exercise any of these rights, please email us at [email protected]. We will respond to your request within one calendar month. If your request is complex or we receive a large number of requests, we may extend this by up to two further months, in which case we will inform you.
There is no fee for exercising your rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive.
9. Right to Complain
If you believe we have not handled your personal data properly, or you are unhappy with our response to any request you have made, you have the right to lodge a complaint with the UK supervisory authority:
- Information Commissioner's Office (ICO)
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Live chat: ico.org.uk/global/contact-us/live-chat
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first.
10. Is Providing Your Data Obligatory?
You are under no statutory or contractual obligation to provide personal data to us. Providing your data is entirely voluntary. However, if you choose not to provide the information requested on our contact form (such as your name and email address), we will be unable to respond to your enquiry. Certain website features, such as admin login, require authentication data to function.
11. Data Security
We have implemented appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, or destruction. These include:
- Encrypted data transmission (HTTPS/TLS) across the entire Website
- Database access restricted by role-based authentication
- Admin access limited to a single authorised email address
- Regular security updates to hosting infrastructure and software dependencies
- Data processor agreements in place with Vercel and Supabase requiring them to maintain appropriate security measures
No method of electronic transmission or storage is completely secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security.
12. Children's Privacy
This Website is not directed at children under 13 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.
13. Cookie Policy
Cookies are small text files placed on your device when you visit a website. Under the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK GDPR, we must explain what cookies we use and, where they are not strictly necessary, obtain your consent before setting them.
a) Strictly Necessary Cookies
These cookies are essential for the Website to function. They are exempt from consent requirements under PECR Regulation 6(4) and are set without needing your permission.
| Cookie Name / Pattern | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
sb-*-auth-token | Supabase | Authentication session for admin users | Session / 1 year | First party |
sb-*-auth-token-code-verifier | Supabase | PKCE code verifier for secure authentication flow | Session | First party |
cookie-consent | Orkney Stays | Stores your cookie consent preference | 6 months | First party |
__next-* | Next.js / Vercel | Framework routing and build identifiers | Session | First party |
b) Marketing / Advertising Cookies
These cookies are used for affiliate tracking when you click an accommodation link. They are only set after you give consent through our cookie banner.
| Cookie Name / Pattern | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
cje, cjLiveRampLastCall | CJ Affiliate | Tracks affiliate referrals for commission attribution | Up to 120 days | Third party |
bkng, pcm_* | Booking.com | Booking referral tracking and session management | Up to 2 years | Third party |
c) Managing Your Cookie Preferences
You can manage or withdraw your cookie consent at any time by clicking the "Cookie Settings" link in the footer of the Website. The cookie consent banner will also reappear if you clear your browser cookies.
You can additionally control cookies through your browser settings:
Blocking strictly necessary cookies may prevent parts of the Website from functioning correctly.
14. Changes to This Policy
We may update this Privacy & Cookie Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically.
15. Contact Us
If you have questions about this Privacy & Cookie Policy, wish to exercise any of your data subject rights, or have a concern about how we handle your personal data, please contact our data protection point of contact:
- Email: [email protected]
- Contact form: orkneystays.com/contact
We aim to respond to all legitimate enquiries within one calendar month.