Privacy Policy

1. Introduction

Festival Extras Ltd, trading as Pink Moon Presents (“we”, “us”, or “our”), is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and the rights you have over it.

It applies to everyone who interacts with us — including customers who book VIP upgrades, accommodation or experiences through pinkmoonpresents.co.uk; guests attending festivals at which we provide services; visitors to our office, yard or event sites; staff and temporary workers; and business contacts, suppliers and contractors.

This policy is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR) where it applies (for example at our Irish events), and the Privacy and Electronic Communications Regulations 2003 (PECR).

It should be read alongside our Cookie Policy, which covers how we use cookies and similar technologies on our website.

2. Who we are

We are the “controller” of your personal data, which means we decide how and why your data is processed.

Our details:

  • Festival Extras Ltd, trading as Pink Moon Presents
  • Registered office: The Arena, Blind Lane, Tockwith, York YO26 7QJ
  • Company number: 07114362
  • ICO registration number: ZA624211
  • Email: info@pinkmoonpresents.co.uk
  • Telephone: 01423 575 696

We have not appointed a statutory Data Protection Officer, as we are not legally required to. Day-to-day data protection matters are handled by our Head of HR & Finance, who can be contacted via the email address above.

3. Your supervisory authority

If you are based in the United Kingdom, your supervisory authority is the Information Commissioner’s Office (ICO).

If you are based in the European Union (including customers attending our Irish events, such as Electric Picnic), your supervisory authority is the Data Protection Commission of Ireland (DPC).

Contact details for both are in section 13.

4. Where we get your data

We collect personal data from the following sources:

  • Directly from you — when you book through our website, contact us by phone or email, attend one of our events, fill in a form (for example our Typeform customer feedback surveys), apply for a job, or interact with us on social media.
  • From third parties acting on your behalf — for example, a lead booker who provides details of other people in their party.
  • From our partners — such as festival organisers and ticketing platforms who pass us customer details so that we can deliver the VIP upgrade, accommodation or experience you have booked.
  • From publicly available sources — such as Companies House, LinkedIn, and social media, where relevant for business contacts.
  • Automatically — when you visit our website (via cookies and similar technologies — see our Cookie Policy) or pass through our event sites (via CCTV and access systems).

5. The data we collect and why

We collect different categories of data depending on your relationship with us. The tables below set out what we collect, why we collect it, and the lawful basis we rely on under UK GDPR Article 6.

5.1 Customers and festival guests

| Data we process | Why we process it | Our lawful basis |
| --- | --- | --- |
| Name, address, email, phone number, booking reference | To manage your booking, deliver your chosen VIP package, accommodation or experience, and contact you about your booking. | Performance of a contract (Art. 6(1)(b)) |
| Names and ages of others in your party, including children | To allocate accommodation and wristbands correctly and to meet age-related obligations for alcohol and event access. | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
| Emergency contact details | To contact your next of kin in the event of a medical or safety emergency at site. | Vital interests (Art. 6(1)(d)) |
| Accessibility and dietary requirements | To provide appropriate facilities, accommodation and catering. | Performance of a contract (Art. 6(1)(b)); explicit consent for health-related data (Art. 9(2)(a)) |
| Payment card details (processed by Stripe; we do not store full card numbers) | To take payment for your booking and to prevent fraud. | Performance of a contract (Art. 6(1)(b)); legitimate interests — fraud prevention (Art. 6(1)(f)) |
| Marketing preferences and engagement data | To send you information about future events, offers and experiences where you have asked us to, and to measure the effectiveness of our marketing. | Consent (Art. 6(1)(a)); legitimate interests for existing customers (Art. 6(1)(f)) |
| Feedback, survey responses and reviews | To improve our service and publish aggregated insights. | Consent (Art. 6(1)(a)); legitimate interests (Art. 6(1)(f)) |
| Incident, complaint and medical records (at site) | To deliver a safe event, manage incidents and respond to complaints. | Legitimate interests (Art. 6(1)(f)); vital interests (Art. 6(1)(d)); legal obligation (Art. 6(1)(c)) |

5.2 Photos, video and marketing content

At our events we sometimes take photos and video for marketing and social media. Where an image clearly identifies an individual and is the main focus, we rely on consent. For wider crowd and atmosphere shots, we rely on our legitimate interests in promoting our services, and we make it clear on site (via signage and booking terms) that photography is taking place. You can ask us to remove an image of yourself at any time by contacting us.

5.3 On-site data (CCTV, wristbands, access control)

| Data we process | Why we process it | Our lawful basis |
| --- | --- | --- |
| CCTV images at our yard, offices and event sites | To protect people and property, prevent crime, and manage incidents. | Legitimate interests (Art. 6(1)(f)) |
| Wristband scans and access control data | To verify ticket holders, manage capacity, and provide VIP access to the correct areas. | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) |
| Incident and accident reports, including any health information collected | To meet health and safety obligations and respond to incidents. | Legal obligation (Art. 6(1)(c)); vital interests (Art. 6(1)(d)); substantial public interest for health data (Art. 9(2)(g)) |

5.4 Staff, temporary workers and job applicants

| Data we process | Why we process it | Our lawful basis |
| --- | --- | --- |
| Name, contact details, date of birth, right-to-work documents, bank details, National Insurance number | To manage recruitment, employment and payment of staff and temporary workers. | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
| Emergency contact details | To contact next of kin in the event of a workplace emergency. | Vital interests (Art. 6(1)(d)) |
| Health information (for example accessibility needs, dietary requirements, incident records) | To meet our duties as an employer, including health and safety. | Legal obligation (Art. 6(1)(c)); employment law (Art. 9(2)(b)) |
| Performance, training and disciplinary records | To manage our workforce and develop our team. | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| Application, CV and interview records | To assess applications and keep a record of recruitment decisions. | Legitimate interests (Art. 6(1)(f)); pre-contractual steps (Art. 6(1)(b)) |

5.5 Business contacts, suppliers and contractors

| Data we process | Why we process it | Our lawful basis |
| --- | --- | --- |
| Business name, contact name, job title, email, phone number | To manage supplier and contractor relationships and to deliver our events. | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) |
| Invoicing, banking and company information | To pay suppliers and meet accounting and tax obligations. | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
| Insurance, accreditation and compliance documents | To ensure suppliers meet our health and safety, insurance and accreditation requirements. | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |

6. Marketing

We send marketing communications (for example emails, SMS and WhatsApp messages) only where we have a lawful basis to do so.

  • If you are a new customer or enquiry, we will only send you marketing if you have given us consent (for example by ticking an opt-in box).
  • If you are an existing customer, we may send you information about similar events and experiences under the PECR “soft opt-in” rule, unless you have opted out.
  • Every marketing message includes a clear way to opt out (for example an “unsubscribe” link or instructions to reply STOP).

We may use segmentation and audience tools provided by Meta (Facebook and Instagram) to show our adverts to people who have booked with us before, or to people with similar interests (“lookalike audiences”). This is based on hashed email addresses uploaded to Meta. You can control this by adjusting your cookie preferences on our website and your ad preferences on Meta.

You can withdraw consent or opt out of marketing at any time by emailing info@pinkmoonpresents.co.uk or using the unsubscribe link in any message. Withdrawing consent will not affect the lawfulness of any processing before withdrawal.

7. Who we share your data with

We do not sell your personal data. We share it only where we need to in order to run our business, deliver your booking, or meet a legal obligation. The main categories of recipient are set out below.

7.1 Our service providers (processors)

We use trusted third parties to help us run pinkmoonpresents.co.uk and deliver our services. They process data on our behalf under written contracts that require them to keep it secure and use it only for the purposes we agree.

| Provider | Service | Location of processing |
| --- | --- | --- |
| Stripe | Payment processing and fraud prevention | UK, EEA and USA |
| Google (Google Workspace and Google Analytics 4) | Email, file storage, productivity tools and website analytics | UK, EEA and USA |
| Microsoft | SharePoint, Teams and office productivity | UK, EEA and USA |
| Meta (Facebook and Instagram) | Advertising and social media engagement | Ireland and USA |
| Jotform and Typeform | Forms and customer surveys | UK, EEA and USA |
| Mailchimp or equivalent email platform | Marketing and transactional email | EEA and USA |
| Xero | Accounting and bookkeeping | UK and EEA |
| Our IT, hosting and website providers | Website hosting and IT support | UK and EEA |
| Anthropic (Claude) | Customer service chatbot and internal tooling | UK, EEA and USA |

7.2 Our partners and other controllers

  • Festival organisers and promoters (for example Festival Republic, Cuffe & Taylor, MCD, Silverstone, Ryder Cup Europe), who may need access to guest lists in order to admit you to their event.
  • Ticketing providers, where you have booked through them and your booking details need to be reconciled with ours.
  • Licensed venues and site owners, where required by their licence or site regulations.
  • Insurers, loss adjusters and legal advisors, where we need to handle a claim, complaint or dispute.
  • Professional advisors (for example our accountants and solicitors).
  • Emergency services, medical teams and public authorities where there is a safety, legal or regulatory reason to do so.

7.3 Business transfers

If we ever sell or restructure our business, or enter into a joint venture, partnership or similar arrangement, personal data may be transferred as part of that transaction. We will only transfer personal data where it is lawful to do so, and we will make sure any recipient is bound by equivalent data protection obligations.

8. International data transfers

Some of the service providers listed above are based outside the UK and EEA, most commonly in the United States. Where personal data is transferred outside the UK or EEA, we rely on one of the following safeguards under UK GDPR Chapter V:

  • An adequacy decision by the UK government or European Commission (for example the UK-US Data Bridge);
  • Standard Contractual Clauses approved by the UK government or European Commission, together with the UK International Data Transfer Addendum; or
  • Another lawful transfer mechanism recognised under UK GDPR.

You can ask us for a copy of the safeguards in place by emailing info@pinkmoonpresents.co.uk.

9. How we protect your data

We take the security of your personal data seriously. Our technical and organisational measures include:

  • Role-based access controls so staff only see the data they need for their job;
  • Encryption in transit (HTTPS/TLS) for our website and email;
  • Multi-factor authentication on our core business systems;
  • Regular backups and tested disaster recovery procedures;
  • Written contracts with all processors, requiring equivalent protections;
  • Staff training on data protection and information security.

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required by law, inform you directly without undue delay.

10. How long we keep your data

We keep your personal data only for as long as we need it for the purposes we collected it, or for as long as the law requires. Typical retention periods are set out below.

| Data category | Retention period |
| --- | --- |
| Booking and customer service records | Up to 7 years after the event (to meet tax and accounting obligations and to handle disputes). |
| Marketing data | Until you withdraw consent or opt out, and then no longer than 12 months in a suppression list. |
| Customer feedback and survey responses | Up to 3 years in identifiable form; anonymised and aggregated data may be kept indefinitely. |
| CCTV footage | Typically 30 days, unless retained for a specific investigation, claim or incident. |
| Incident and accident reports | Minimum 3 years from the date of the incident (longer where the person involved is a minor or where legal proceedings are foreseeable). |
| Staff employment records | 6 years after the end of employment (to meet employment, tax and limitation-period obligations). |
| Unsuccessful job applications | 12 months from the date of decision, unless you ask us to keep them longer. |
| Supplier and contractor records | 7 years after the end of the contract (to meet tax and accounting obligations). |
| Website analytics and cookie data | As set out in our Cookie Policy. |

We review retention periods regularly and securely delete or anonymise data when we no longer need it.

11. Your rights

Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

  • Right to be informed — to know what we do with your data (that’s what this policy is for).
  • Right of access — to ask for a copy of the personal data we hold about you.
  • Right to rectification — to have inaccurate or incomplete data corrected.
  • Right to erasure — to have your data deleted in certain circumstances (“right to be forgotten”).
  • Right to restrict processing — to limit how we use your data in certain circumstances.
  • Right to data portability — to receive your data in a common, machine-readable format and have it transferred to another controller where technically feasible.
  • Right to object — to object to processing based on our legitimate interests, and an absolute right to object to direct marketing.
  • Right to withdraw consent — where we rely on consent, you can withdraw it at any time.
  • Rights relating to automated decisions — see section 12.

To exercise any of these rights, please email info@pinkmoonpresents.co.uk. We will respond within one month and this service is free of charge, except in cases where a request is manifestly unfounded or excessive.

We may need to verify your identity before we can respond, to make sure we’re not releasing data to the wrong person.

12. Automated decision-making and profiling

We do not make decisions that produce legal or similarly significant effects about you purely by automated means. We do use some automated tools to help us — for example to detect payment fraud (through Stripe), to segment marketing audiences, and to surface recently viewed products on our website. Where these tools involve profiling, they do not make decisions that significantly affect you without human involvement.

13. Complaints

If you are unhappy with how we have handled your personal data, please contact us first at info@pinkmoonpresents.co.uk so we can try to resolve the issue.

You also have the right to complain to your supervisory authority:

United Kingdom — Information Commissioner’s Office (ICO):

  • ico.org.uk/concerns
  • Helpline: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

European Union (including Ireland) — Data Protection Commission:

  • dataprotection.ie
  • Post: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

14. Cookies and our website

Our website uses cookies and similar technologies. Some are strictly necessary for the site to work; others (analytics, functional and advertising cookies) are only set with your consent. When you first visit the site, our cookie banner lets you choose your preferences, and you can change them at any time using the “Cookie Settings” link in the footer. For full details of the cookies we use, please see our Cookie Policy.

15. Children’s data

We do not direct our services at children, and our website is not designed to be used by children without the involvement of a parent or guardian.

We do collect information about children in two main situations:

  • As part of a family booking (for example, names and ages of children attending a festival with a parent or guardian). This information is provided by the lead booker on behalf of their party, and we use it only to manage the booking, allocate accommodation and wristbands, and meet safeguarding and licensing obligations.
  • At events where minors may be present (for example Camp Bestival). Where we collect information directly from a child (for example at a registration desk), we do so only with a parent or guardian present.

We do not use children’s data for marketing or profiling. If you believe a child has provided us with personal data without parental consent, please contact us and we will delete it.

16. Links to other websites

Our website and communications may contain links to third-party websites (for example festival organisers, ticketing providers, payment providers and social media platforms). We are not responsible for the privacy practices of those websites, and we recommend you read their own privacy policies before providing any personal data.

17. Changes to this policy

We review this Privacy Policy regularly and may update it from time to time to reflect changes in the way we use data, the services we offer, or the law. The “Last updated” date at the top of this policy shows when it was last revised. Material changes will be brought to your attention through our website or by email.

18. How to contact us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

  • Festival Extras Ltd, trading as Pink Moon Presents
  • The Arena, Blind Lane, Tockwith, York YO26 7QJ
  • Email: info@pinkmoonpresents.co.uk
  • Telephone: 01423 575 696

