Cheltenham Festivals ("we") are committed to protecting and respecting your privacy in accordance with the Data Protection Act 2018 (DPA 2018), UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). 

The purpose of this policy (together with our terms and conditions and any other documents referred to in it) is to set out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.  

Please revisit this document on a regular basis to see any updates or changes to our privacy policy. 

Who are we?

Cheltenham Festivals is a charity that aims to create a world where everyone can explore and create culture by bringing joy, sparking curiosity, connecting communities, and inspiring change year-round with four world-class Festivals in Jazz, Science, Music and Literature, and charitable programmes for education, community, and talent development. With programming that features the very best international artists, performers and speakers; unique experiences; and showcases up and coming talent, Cheltenham Festivals is at the centre of the UK’s cultural scene and boasts an enviable international reputation as leaders in our field. 

The Cheltenham Festivals website,, is owned and operated by Cheltenham Festivals (We, Us, Our) of trading address: Hub8, The Brewery Quarter, Cheltenham, GL50 3FF 

– registered charity no. 251765.  

We have an appointed Data Protection Controller who is responsible for overseeing questions relating to this privacy policy. Any queries should be addressed to

What information do we collect about you?

We may collect and process the following data about you: 

• Identity Data includes first name, maiden name, last name, title, date of birth and gender. 

• Contact Data includes billing address, delivery address, email address and telephone numbers]. 

• Financial Data includes bank account and payment card details. 

• Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us. 

• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. 

• Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses. 

• Usage Data includes information about how you use our website, products and services. 

• Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences. 

How is your personal data collected?

• Direct interactions. You may give us your identity, contact and financial Data] by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you 

• Buy our products or services; 

• Filling out forms on this website; 

• Create an account on our website; 

• Subscribe to our mailing and emailing lists; 

• Request marketing to be sent to you; 

• If you correspond with us; 

• Enter a competition, promotion or survey; or 

• Give us some feedback. 

• Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, [server logs] and other similar technologies. [We may also receive Technical Data about you if you visit other websites employing our cookies.] Please see our cookie policy above for further details. 

• Third parties or publicly available sources. We may receive personal data about you from various third parties as set out below: 

(a) Technical Data from the following parties: 

o analytics providers such as Google based outside the EU; 

o advertising networks based inside or outside the EU and 

o search information providers based inside or outside the EU. 

(b) Contact, Financial and Transaction Data from providers of technical, payment and delivery services based inside or outside the EU. 

How we use this information 

We may use your data to provide you with information about services which you have requested. 

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. 

Where we need to comply with a legal or regulatory obligation. 

We may contact you about services which may be of interest to you but only if you opted to allow this at the time you provided us with your details. 

If you no longer want us to use your data in this way please update your details by logging in to your online account or by emailing us.

Disclosure of your personal information 

We will only share your personal data with third parties where we are legally obliged to or for operational efficiency (e.g. dietary requirements) with a venue where we are holding an event. 

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. 

How we protect your personal information 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. 

The transmission of information over the internet is not completely secure. We will do our best to protect your personal data, but we cannot guarantee the security of the data transmitted to this site and any transmission is at your own risk. 

This website has security measures in place to protect against the loss, misuse and alteration of the information you provide us. We confirm to the Payment Card Industry (PCI) Data Security Standard. Our secure server software SSL (Secure Sockets Layer) is the industry standard and among the best software available today for secure online transactions. SSL has cryptographic protocols that provide secure communications on the Internet for such things as web browsing, email, Internet faxing, instant messaging and other data transfers. It encrypts all of your personal information including credit card number, name and address so that it cannot be read as the information travels over the internet. 

How long do we keep your personal information? 

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. 

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. 

In some circumstances, you can ask us to delete your data. 

In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you. 

How do we store your personal data? 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. 

Third Party Services 

We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006. 

We will not share any personal details with any other third parties without your agreement, unless required in order to fulfil our contract with you, or allowed by law. 

Instances where we may share your personal information with selected third parties include: 

  • Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you. In general, the third-party providers used by us to fulfil our contract with you will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us. These providers include our ticketing and events systems provider, and our email and mail distribution services. We have agreements in place with each to ensure that your data is secure at all times, and cannot be accessed or used for any other purpose. 
  • Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we may provide them with aggregate information about our users (for example, we may inform them that 500 men aged under 30 have clicked on their advertisement on any given day). We may also use such aggregate information to help advertisers reach the kind of audience they want to target (for example, women in GL50). We may make use of the personal data we have collected from you to enable us to comply with our advertisers' wishes by displaying their advertisement to that target audience. 
  • Social media sites for the purposes of data analytics and targeted advertising. 
  • Analytics and search engine providers that assist us in the improvement and optimisation of our site. 
  • Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you. 

We may disclose your personal information to third parties: 

  • In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets. 
  • If Cheltenham Festivals or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets. 
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply terms of use or terms and conditions of supply and other agreements; or to protect the rights, property, or safety of Cheltenham Festivals, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. 
  • Please note that Sensitive Personal Data will not be shared with third parties without your consent.   


Website Third Party Services 

Our service utilises a number of third-party services to provide access and functionality to this website. Cheltenham Festivals has no control over these third-party services or their availability and encourages you to consult the respective privacy and cookie policy of those services. You acknowledge and agree that Cheltenham Festivals are not responsible for third-party services and that Cheltenham Festivals makes no representations or warranties regarding third-party services. Cheltenham Festivals will not be responsible or liable, directly or indirectly, for any actual or alleged damage or loss caused by or in connection with use of or reliance on any third-party services. A list of these services, along with their associated privacy information can be found below. 

Formstack -  

Google Analytics -  

Queue It -  

Tessitura -  

Windcave - 

Wordfly -  

Wufoo -  

Stay in control of your information 

We respect the fact that your personal information is your information, and we’ll make it easy for you to update or change your personal details or marketing permissions. Please help us to help you by letting us know if your contact details change or if you spot any errors in the information we hold about you. 

Keeping your details up to date 

Please help us to keep your information up to date by logging in to your online account or by emailing us at if your personal information changes (i.e. if you move house or change your email address) or if you wish to correct it. We will endeavour to correct, update or delete the information you have provided to us as quickly as possible. 

Access to your information 

You also have the right to request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. You will not have to pay a fee to access your personal data. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. 

Opting out 

You can ask us to stop sending you marketing messages at any time by logging into your account on the website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or by contacting us at any time. 

Where you opt-out of receiving marketing messages, this will not apply to personal data provided to us as a result of purchasing a product, membership, gift voucher or other transactions. 

Right to be forgotten 

This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. 

Changes to this privacy policy 

We reserve the right to amend this privacy statement in the future. Any changes we make to this privacy policy will be posted on this page and where appropriate, notified to you by email.