Last updated: 20th August 2025
At Avva Experience we respect your privacy and take it extremely seriously. We will always endeavour to make clear at the point we collect personal data from you why we need it and how it will be used.
This privacy policy outlines how we use and treat personal data and has been prepared in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you are located in the European Union and we process your personal data, we will also comply with the EU General Data Protection Regulation (EU GDPR).
If you would like to get in touch about anything in this policy or about your Personal Information then please contact us directly.
Email: [email protected]
Information we collect
What personal data do we collect?
During the course of our operation we may collect the following personal data:
- Your name
- Your email address
- Your phone number
- Your payment details
- Other information you actively send to us (for example if you contact our customer support)
- Contact details of event attendees (for example in the course of delivering a Booking)
When and how do we collect this data:
We only collect the data we need to deliver the best Avva experience we can to you. This includes:
–> When you submit an enquiry
→ When you make a Booking
–> In the process of fulfilling a Booking for example when you provide us with personal details of staff or clients so that they can be sent Event Packages
–> When you sign-up to receive our communications (such as our newsletter)
–> When you purchase an experience directly from our website
–> When we engage in conversation with you (for example via email or on the phone) to answer queries or respond to comments and feedback
Cookies and Tracking Technologies
We use cookies and similar technologies to make our website work, to understand how you use it, and to improve our services.
Some cookies are essential for the site to function and are set automatically. Others are non-essential, including:
- Analytics cookies – help us understand how visitors use our website so we can improve it.
- Marketing cookies – allow us and our partners (such as Google Ads, Microsoft Advertising and Meta) to deliver relevant adverts to you and measure the effectiveness of campaigns.
We will only place non-essential cookies on your device if you give us your consent via our cookie banner.
When you first visit our website, a cookie banner will appear allowing you to:
- Accept all cookies
- Manage your preferences
- Reject non-essential cookies
You can change or withdraw your consent at any time using the Cookie Settings widget on our Website.
What legal basis do we rely on to process your data?
We only process your personal data where we have a valid legal basis under UK GDPR. The table below sets out the purposes for which we process your data, the type of data involved, and the legal basis we rely on:
| Purpose of Processing | Examples of Data Processed | Legal Basis |
| To respond to enquiries and provide quotes | Name, email address, phone number, enquiry details | Legitimate interests – to respond to requests and grow our business |
| To process and fulfil a booking | Name, contact details, payment details, attendee details | Performance of a contract with you |
| To send you updates | Name, email address | Consent (you can withdraw at any time) |
| To process payments | Name, payment details | Performance of a contract |
| To analyse website use and improve our services | IP address, device type, browser type, location | Consent for analytics cookies (see “Cookies and Tracking” section) |
| To meet legal and regulatory obligations | Transaction records, contact details | Compliance with a legal obligation |
Why do we share Personal Information with third parties and who are they?
We never sell, rent or otherwise give away your data to anyone.
We do share personal data with a select group of third parties in order to fulfill a Booking you have made with us.
We share Personal Information with the following third parties
| Organisation | Purpose | Is data shared outside of the EEA? | Organisation’s privacy policy |
| MailChimp / Mandrill | To send and deliver emails | Yes, Mailchimp is based in the US as are its servers. MailChimp is covered by standard contractual clauses | https://mailchimp.com/legal/privacy/ |
| To provide us with web analytics so we can monitor and improve our website’s performance | Yes, Google is based in the US as are its servers.
Google is covered by standard contractual clauses |
https://policies.google.com/privacy | |
| Stripe | To process payments for us | Yes, Stripe is based in the US as are its servers. Stripe is covered by standard contractual clauses | https://stripe.com/gb/privacy |
| Nimbus Hosting | To provide us with hosting services | No. | https://www.nimbushosting.co.uk/wp-content/uploads/2022/08/Privacy-Policy.docx.pdf |
There are certain situations in which we may share access to your personal data outside of the situations outlined above. For example, we may be required by law, to protect someone’s life, or to comply with any valid legal process, government request, rule or regulation.
Why do we share data outside the UK and EEA?
Some of our service providers are based outside the UK and the European Economic Area (EEA). Where we transfer your personal data outside these regions, we ensure appropriate safeguards are in place to protect it, including:
- Standard Contractual Clauses (SCCs) approved by the UK or EU, and
- Transfer Risk Assessments to evaluate whether additional technical and organisational measures are needed.
Details of the countries and safeguards used are listed in the Third-Party Providers section of this policy.
What we don’t do with your Personal Information
We do not sell, rent or otherwise give away your personal data to anyone.
How do we keep your Personal Information secure?
We work very hard to keep your data secure. We will take all reasonable steps to ensure that appropriate technical and organisational measures are carried out in order to safeguard the information we collect from you and protect against unlawful access and accidental loss or damage.
Our website is SSL certified and personal data is encrypted in transit and at rest. All of the third parties we work with are also assessed to ensure they follow the highest security standards.
We follow industry standards on information security management. This means we don’t just secure your data technologically but we make sure that everyone who works for us and the processes they follow are continually monitored to ensure there are no vulnerabilities.
In the unlikely event of a breach of our security we will inform the relevant regulatory body as soon as we can and at a minimum, within 72 hours and, if your personal data was involved in the breach and the breach could impact you, we would also inform you.
Changes to our privacy policy and control
We may change this privacy policy from time to time. But when we do, we’ll let you know either by changing the date or when significant changes happen by directly notifying you. By continuing to access or use our Services after those changes become effective, you agree to be bound by the revised Privacy Policy.
Retention
We keep personal data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with legal, accounting, or reporting requirements.
- Contract-related records – 7 years from the end of the contract or last order (to meet legal and tax obligations)
- Marketing records – 3 years from the last interaction (to manage marketing preferences and keep records of consent)
- Event attendee records (non-contract) – 1 month after event delivery (to fulfil booking administration and manage follow-up queries)
- Other data – 7 years unless otherwise required by law
Where different retention periods apply, we will make this clear at the point of collection.
Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access – to request a copy of the personal data we hold about you
- Right to rectification – to have any inaccurate or incomplete personal data corrected
- Right to erasure – to request we delete your personal data (“right to be forgotten”)
- Right to restrict processing – to request we stop processing your data in certain circumstances
- Right to object – to object to processing, including for direct marketing
- Right to data portability – to request a copy of your data in a structured, machine-readable format, or to have it transferred to another organisation
- Right to withdraw consent – where processing is based on your consent, you can withdraw it at any time
You can exercise your rights by contacting us at [email protected]. We will respond within one month of receiving your request, unless the request is complex or numerous, in which case we may extend this timeframe by up to two further months.
All requests or notifications in respect of your above rights may be sent to us in writing at the contact details listed below. We will endeavour to comply with such requests as soon as possible but in any event we will comply within one month of receipt (unless a longer period of time to respond is reasonable by virtue of the complexity or number of your requests).
If personal data we hold about you is subject to a breach or unauthorised disclosure or access, we will report this to the Information Commissioner’s Office (ICO) and/or our data protection manager.
If a breach is likely to result in a risk to your data rights and freedoms, we will notify you as soon as possible.
We are open and transparent about our use of data so if you are unclear about how we use data or think we could improve how we deal with Personal Information, let us know!
Ava Experience Limited trading as Avva Experience
Email: [email protected]
1 Duchess Street, London, W1W 6AN
Complaints
If we are unable to resolve any issues you may have or you would like to make a further complaint, you can contact the Information Commissioner’s Office by visiting http://www.ico.org.uk/ or calling 0303 123 1113 for further assistance.
