Privacy Notice

  1. Introduction
  2. What is the GDPR?
  3. What are the legal bases for data collection?
  4. What personal data does City Apartments collect?
  5. How does City Apartments store your data?
  6. How long do we keep your data?
  7. Who do we share your data with?
  8. Where your personal data may be processed
  9. Your Rights
  10. Contacting the regulator
  11. Any Questions


City Apartments is dedicated to ensuring that personal information is handled with care and securely, to protect our guests and clients. This page aims to help you understand what information we may collect, how we will use it, and how it is stored and protected.

We know there is a lot of information here to digest, however, we want to ensure you are fully informed about your rights, and how City Apartments uses your data. Hopefully, this page answers any questions you may have, but if you require further assistance please do not hesitate to contact us using the information at the bottom of this page.

What is the GDPR?

The General Data Protection Regulations come into force on 25th May 2018. These regulations replace the Data Protection Act 1998 and enforce stricter rules on how companies within the European Economic Area (EEA) are able to process and store data. The regulations also give individuals more rights to access and manage the data that companies hold.

The rules not only apply to all companies that are based within the EU, but also companies that offer products or services to individuals within the EU. The UK government have also already written the new GDPR rules into UK Law, so they will still apply once the UK leaves the EEA.

The GDPR outlines 6 legal bases that a company may use to collect data from individuals. All data collected and processed must fall under one of these categories, otherwise, the data may not be collected in the first place.

At City Apartments, we only use 4 of the legal bases to collect information. We explain these below, however, if you would like to read about the other legal bases you can find more information on the Information Commissioner’s Office website.

Contractual Obligations

We need to collect and process personal data to perform our contractual obligations with you. This legal basis is normally used when you purchase one of our services.

For Example
We need to collect your Name, Address, Contact Information when creating bookings so that we can send you information on how to access your apartment and our check-in procedure.

Legal Compliance

We may be required by law to collect and process your personal data.

For Example
We can pass details of people involved in fraud or other criminal activity affecting City Apartments to law enforcement.

Legitimate Interest

We may collect and process personal data for our own legitimate interests in ways that are reasonably expected to run our business.

For Example
We use booking data to monitor trends in demand to help our marketing and setting our rates.

We monitor repeat bookings to offer our guests exclusive discounts and offers.


We may collect and process your personal data with your consent.

For Example
You tick a box to accept receiving our newsletter.

What personal data does City Apartments collect?

City Apartments collects data at all stages of the customer journey. This is to ensure that we can provide the best customer service and fulfil all our contractual obligations.

Data collected

How we use the data

When you visit our website we anonymously collect data on which pages you visit and how you use our website.

We use this data to make improvements to our website and ensure that users are able to easily book our apartments online. You are shown a cookie banner for us to obtain consent to this.

When you make a booking either through the website or via the phone we collect the following information:

  • Your name
  • Your address
  • Your contact number
  • Your email address
  • Names of all guests
  • Vehicle Registration Number
  • Payment card details

We use this data to fulfil our contractual obligation to you in booking a serviced apartment. We use this information to create your check-in back and provide you with information on what to do on arrival.

We may pass your vehicle registration onto the apartment management company to ensure you can access the car park on arrival.

During busy times we may also pass the guest names onto our security team for the safety of our guests.

When you add extras to your booking. If you are using a different payment method to when you created the booking we may collect:

  • Your payment card details

We use this data to fulfil our contractual obligation to you.

When you make an enquiry through the website contact form we collect:

  • Your name
  • Your contact number
  • Your email address
  • Booking information

We use this data to respond to your enquiry and monitor the performance of our reservation team.

When you enter competitions we may collect:

  • Your name
  • Your contact number
  • Your email address

We use this data to pick a winner and keep entries updated on the competition.

When you sign up for our newsletter.

We use this data to send out our monthly newsletter to individuals who have consented to direct marketing.

When you sign up for a corporate rate and the corporate portal.

We use this data to fulfil our contractual obligation to you.

When you access our apartments, key safe, or office.

Some of the apartment buildings we operate in have CCTV which will record your image on entering and exiting the building.

When you are a landlord and you enter into a rental agreement with City Apartments.

We use this data to fulfil our contractual obligation to you.

We may collect data from publicly-available sources (such as Land Registry) when you have given your consent to share information or where information is made public as a matter of law.

We use this data to check if a landlord is legally permitted to rent their property to us for the use of serviced apartments.

When you interact with us on social media.

We use this data to monitor our customer service performance.

Data use for legitimate interests

We may also process all data that we hold for legitimate interests of the company. This may include the following activities:

  • Monitoring website performance
  • Monitoring customer service performance
  • Monitoring social media performance
  • Reporting on demand trends within the market to better help plan promotions and rates
  • Occupancy and revenue reporting
  • Monitoring corporate client spend and credit
  • We may use your booking history to offer exclusive discounts

How does City Apartments store your data?

We know how much security matters to all of our customers, therefore, we always treat your data with the utmost care and take all appropriate steps to protect it.

We ensure all of our websites are secured using ‘https’ technology to ensure data in transit is encrypted and secure.

Where possible we do not store any personal data locally on company premises. All data is stored in our third-party systems and any local copies are immediately destroyed. We have strict data security policies in place that all our staff understand and agree to. This is to ensure that all data is processed and stored correctly and in a secure manner.

We ensure all our third-party systems meet the General Data Protection Regulations and are PCI compliant where required, which enforces even stricter rules. Access to these systems is only given to staff members who require it to complete their daily tasks. Each system is secured via a ‘https’ connection and only accessible via a password-protected portal.

All sensitive data such as payment card details are secured and tokenised outside of the systems our staff can access to ensure they are protected.

We regularly monitor our systems for possible vulnerability and attacks, and we carry out penetration testing to identify ways to further strengthen security.

How long do we keep your data?

When we collect or process your personal data we will only keep it for as long as necessary for the purpose for which it was collected.

After this retention period, your personal data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for business statistical analysis and planning

Some example retention periods are:

When you make a booking, we will keep any personal data you provide us for ten years so we can comply with our contractual and legal obligations.

Online Enquiries
When you make an enquiry through our website, we will keep any personal data you provide us whilst we deal with the enquiry. Once the enquiry has been dealt with, all personal information will be deleted, however, we will keep the enquiry messaging for customer service performance monitoring, ensuring that it is non-identifiable.

Who do we share your data with?

We sometimes share your data with trusted third-parties. We have a very strict policy on what information can be shared with third-parties to keep your data safe and to protect your privacy.

We always ensure:

  • We only provide the information they require to perform their specific services
  • They may only hold the data we provide for the exact purposes specified in our contract with them
  • We ensure that they hold your data in a secure manner and that your privacy is protected at all times
  • If we stop using their services, any data that they may hold will be deleted.

For Example
Our security team may be provided with a list of guest names and the apartments they are staying in to ensure they can identify guests whilst on their patrols.

We may share information with law enforcement bodies on request and where fraudulent or potentially fraudulent activity is suspected in our premises or systems.

To help fulfil our contractual obligations with you and to help personalise and improve your journey through our websites we currently use the following companies, who will process your personal data as part of their contracts with us:

Seekom Facebook
Twitter Google
Digital Ocean Xero
MailChimp Payment Sense
Payment Express

Where your personal data may be processed

Sometimes we need to share your personal data with third parties outside of the European Economic Area (EEA), such as New Zealand and the USA.

If you are based outside of the UK and make a booking we will transfer the personal data that we collect from you to the company in the UK.

The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway. We may transfer personal data that we collect from you to third-parties outside of the EEA.

If we do this, we have procedures in place to ensure that all your data receives the same protection as if it were being processed inside the EEA. If you wish to receive more information about these contracts please contact us using the information at the bottom of this page.

Any transfer of your personal data will follow applicable laws and we will treat all information under the guiding principles of this privacy notice.

Your Rights

The GDPR gives individuals more rights to how companies collect and process their personal data. Under the guidelines you have the following rights:

  • You should always be informed how personal data will be used at the point of collection
  • You have the right to request access to any and all personal data that a company holds
  • You should be able to instruct a company to update and correct any information that they hold on you
  • You have the right to request a company deletes any personal data that they may hold
  • You can instruct a company how they can and cannot process your personal data
  • You have the right to request a copy of all data a company hold on you in an easily usable electronic format

Right to access personal information

Under the new guidelines, you have the right to request a copy of any information City Apartments currently holds about you at any time and also to have that information corrected if it is inaccurate. To ask for your information please contact Data Protection, City Apartments, Studio A, Witan Studios, 300 Witan Gate West, Milton Keynes, MK9 1EJ or email To ask for your information to be updated please contact a member of the team.

Right to withdraw consent

Whenever you have given us consent to process your personal data, you have the right to change your mind and withdraw that consent at any time.

Where we rely on our legitimate interest

In cases where we are processing your personal data for legitimate business interests, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your data.

Direct marketing

You have the right to stop the processing of your data for any and all direct marketing activity through all channels, or selected channels. We must always comply with your request.

You can either contact us directly to stop direct marketing or click the unsubscribe button on any marketing email you may receive from us to stop all future marketing campaigns being sent.

Checking your identity

To protect the confidentiality of all personal data we hold, we will ask you to verify your identity before proceeding with any request for information. If you have instructed a third-party to make the request on your behalf, we will ask them to prove they have your permission to do so.

Contacting the regulator

If at any point you feel that your data hasn’t been handled correctly, or you are unhappy with any response to requests you have the right to lodge a complaint with the Information Commissioner's Office.

You can contact them on 0303 123 1113 or go to

If you are based outside of the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country.

Any Questions

We hope that this privacy notice is helpful to understand how and why we process your personal data when using our services.

If, however, you have any questions or concerns about the information provided in this notice, or about how we process your data, please feel free to contact us.

You can email us at or write to us at Data Protection, City Apartments, Studio A, Witan Studios, 300 Witan Gate West, Milton Keynes, MK9 1EJ.

This notice was last updated on 14/05/2018