Privacy Notice

We respect your privacy and are committed to protecting your personal data. This privacy notice will tell you how we look after your personal data and about your privacy rights. It supplements any other notices and is not intended to override them.

We have tried to be brief and clear. We are happy to provide any additional information or explanation.

This version was last updated on 30th September 2021.

It is important that the personal data we hold about you is accurate and current. Please keep us informed of any changes.

Click a heading to expand and read the section. Expand All, Collapse All

Who we are

The Data Controller (the legal entity which makes decisions about how your personal data is used) is Norfolk Broads Direct Limited, The Bridge, Wroxham, Norfolk, NR12 8RX registered company number 923416. 

Broads Tours is a trading name of Norfolk Broads Direct Limited.

Tel: 01603 782 207

How we collect your personal data

We collect personal data in the following ways:

  • Directly from you – in person, in writing or over the phone
  • You enter your personal information on to our website, for example when making a booking
  • You provide your information to one of our agents for the purposes of making a booking.
  • You provide your information to a website which processes data on our behalf – for example by opting to receive marketing information
  • You provide information when logging into our WiFi Portal.
  • You provide your information to an information website or directory which forwards your request to us

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.


With your permission (obtained when you first enter our website) our website utilises conversion tracking pixels and tags including those from Facebook and Google. These tools allow us to follow the actions of users after they are redirected to our website by clicking on an advert. This helps us to record the effectiveness of advertisements for statistical and market research purposes. The collected data remains anonymous, which means that we cannot see your personal data. A cookie is saved to your computer for these purposes.

We also use cookies in order to save the contents of your shopping cart and allow you to book.

How we use your data

We will only use your personal data when the law allows us to.

We have set out below how and why we plan to use your personal data.

Booking contracts

We process your personal data for the purposes of:

  • Creating bookings for boats, river trips, and other services provided by us
  • Providing quotations for a possible booking
  • Contacting you in relation to your booking – for example to confirm check in arrangements, to inform you of changes, or to check that you were satisfied after you depart.
  • Ensuring that we are able to recover monies for providing services, in the event of non-payment
  • Ensuring compliance with our booking terms and conditions

The legal basis for processing your data in relation to bookings is that it is necessary for the performance of the booking contract, or because you have asked us to take specific steps before entering into a contract.


We process your personal information for the purposes of marketing our services in the form of email newsletters and/or printed brochures. We only send you marketing materials when you have given clear and verifiable consent for us to do so, and you can withdraw this consent at any time (see ‘right to withdraw consent’).

The legal basis for processing your data in relation to marketing is that you have given your consent for this purpose.

Wi-Fi Access

We process your personal information when you connect to our WiFi network, so that we can ensure that our internet connection is used in accordance with the law, and with our terms & conditions. The legal basis for processing your data in relation to WiFi access is that it is in our legitimate interest.

You will also be offered the opportunity of receiving marketing information when you connect to our WiFi network, but you may decline.

Customer service

In the interests of good customer service, we retain your personal information after your booking has ended, so that:

  • the information is available when making future bookings
  • we can make suggestions and recommendations to you about goods or services that may be of interest to you
  • we can deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
  • we can use data analytics to improve our website, products/services, marketing, relationships and experiences
  • you can be eligible for referral awards and entry to prize draws

The legal basis for processing your data in relation to customer service is that it is in our legitimate interest. You may opt out of marketing communications at any time.

Legal obligations

We will also process your personal information if we are specifically required to do so in order to comply with a legal obligation imposed upon us.

Categories of personal data

The categories of personal data which we process are:

  • Your name
  • Your address including postcode
  • Your landline and mobile phone numbers
  • Your email address
  • Email communications with you
  • Written notes of conversations with you
  • Recordings of conversations with you (we will always inform you if we are recording a conversation)
  • Records of your bookings including payments made
  • Records of quotations requested
  • Complaints or other feedback made by you
  • Information about your on-site purchases (for example, what you have bought, when and where you bought it and how you paid for it)

We do not process any special categories of information as defined by the EU General Data Protection Regulation. This is data which is considered to be more sensitive, such as race, politics or religion, sexual orientation or biometric data.

We do not knowingly collect data relating to children.

CCTV operates throughout the park for the purposes of crime detection and the safety of our staff and guests. CCTV coverage is retained for between 7 & 14 days, but we do not operate any facial recognition or other technology which would automatically identify individuals.

Disclosure of your personal data

We never sell or pass on your personal data to any other organisation without your express consent, other than for processing data on our behalf in accordance with this policy.

We use the following external organisations for processing data on our behalf and may add others without updating this policy:

  • Opayo (SagePay) and Barclayard Merchant Services – for processing debit and credit card payments on our website, in person and over the phone.
  • Mailchimp– for sending newsletters by email and managing the opt-in/opt-out process (consent).
  • Cloud-based services are used for the backup of company data, which includes personal data.

It may also be necessary to share your personal data with our professional advisors (including lawyers, bankers, auditors and insurers) and with HRMC, regulators and other statutory authorities, in order to comply with our legal obligations.

We may also share your personal data with any third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We do not explicitly pass personal data to any organisations outside the European Economic Area. However, organisations processing data on our behalf, such as cloud-based marketing or backup services, may store data on servers based outside the EEA.

Contractual obligations

When you create a booking, and when you connect to our WiFi network, we require you to provide personal information which allows us to identify you and contact you. Failure to provide this information, or deliberately giving incorrect details, is a breach of our terms and conditions and may result in cancellation of our contract with you.

Automated decision making

We do not carry out automated decision making or customer profiling in relation to contracts.

We may use address profiling to target opted-in marketing information, in order to provide you with more relevant information.

We use third party information processing companies, such as Facebook and Google, to target marketing information based on personal information which you have provided to those organisations. We do not have access to your personal information, unless you have expressly granted consent for your information to be passed on to us.

Retention period

All data obtained by consent (for example for marketing purposes) is retained until you withdraw your consent. We may also remove your information if we no longer need it.

Personal data relating to bookings is retained for a period of 7 years after your last booking, unless you ask us to remove it sooner.

Personal data is always retained for a period of 6 months after the end of a booking, even if you ask us to remove it, in order to protect ourselves from payment card chargebacks, and to enable the information to be provided by the police or another statutory authority in relation to any incident during your booking.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Your rights

The General Data Protection Regulation gives you a number of rights to help protect your personal data.

Requesting access

You have the right to see all personal data which we hold on you. This is commonly known as a Subject Access Request.

If you make a Subject Access Request we will provide you with all the personal information which we hold relating to you. We can only provide your own personal information, unless we are satisfied that you are entitled to act on behalf of another person. It is your responsibility to provide evidence of this entitlement.

Requesting corrections

You have the right for any inaccurate personal data about you to be rectified, or completed if it is incomplete.

Requesting erasure

You have the right for your personal data to be erased (sometimes known as ‘the right to be forgotten’).

This right is not absolute, but we will erase your personal information at your request as long as it is no longer necessary for the purpose for which we originally collected or processed it and there is no other overriding legitimate interest for us to continue retaining your personal data.

When we delete your personal information, we do not delete details of bookings which you have made, but we ‘anonymise’ them so that they cannot be linked back to you.

Restriction of processing

You may also ask us to restrict processing of your data, for example whilst we correct inaccurate personal information, or to stop processing it altogether (the right to object).

Transfer of information

You have the right to data portability, which means that you can ask us to pass your data on to a third party. We will use all reasonable means to comply with such a request and will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.

Withdrawing consent

Where the legal basis for processing your data is consent (for example a marketing opt-in) you have the right to withdraw consent at any time.

How to make a request

All requests relating to provision of information, data removal or other rights can be made verbally, in writing, or by emailing

We will process your request within 28 days of the date when we receive it.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Making a complaint

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO) ( We would, however, appreciate the chance to deal with your concerns first.