book online

Privacy Policy

This Policy explains when, why and how we collect personal information from you. Any information collected is confidential and kept on a secure sever that fully complies with Data Protection laws. We will protect the privacy of our visitors when visiting our site, speaking directly with us or communicating electronically with us.

We may change this Policy from time to time so please check this page occasionally to make sure that you are okay with any changes. By using our website, you’re agreeing to be bound by this Policy.

Any questions regarding this Policy and our privacy practices should be sent by email to Alternatively, you can telephone 01288 362900.

Who are we?

OA Surf Club Limited (“OA”) registered in England with company number 9855923  and whose registered office address is 32 The Tything, Worcester WR1 1JL.

Throughout this policy, ‘we’ and ‘us’ means OA Surf Club Limited and ‘You’ and ‘your group’ means you and your party members or anyone for whom you are making a booking.

How we collect information from you?

We obtain information about you when you use our website, for example, when you contact us about, Holidays and non-residential activities, if you directly give us any information via forms, if you make booking or purchase or if you sign up to receive email communication.

Website Contact Form

Information submitted through the contact forms on our site is sent to our company email, hosted by Microsoft. Find out more: Microsoft Privacy Policy

These submissions are only kept for customer service purposes they are never used for marketing purposes or shared with third parties.

What personal data is collected from you?

In operating this website, we may collect and process certain data and information relating to you and your use of this site. Your privacy is important to us and we confirm that we will never release your personal details to any third party for their mailing or marketing purposes. The data that we collect is detailed below:

  • Details of visits to our website and the pages and resources that are accessed, including but not limited to, traffic data, location data and other communication data that may assist us in understanding how visitors use our website. This may also include the resources that you access, and information about where you are on the internet including the domain type, IP address and URL that you came from. This information is collected and used for our internal research purposes and to improve our customer service.
  • Information you provide to us by sending us a message through our website and information provided to us when you communicate with us electronically for any reason. If you contact us, we may keep a record of your email and other correspondence.
  • Information that you provide us as a result of filling in forms on our website, such as registering for information or making a purchase.
  • If you make a purchase from us, your card information is not held by us, it is collected by our third-party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions, as explained below.

How and why your information is used?

Special Category Data

When OA provides its service to you we often request to collect information that could reveal, details of physical or mental health, ethnic origin or religious beliefs. This information is considered “sensitive personal data” under GDPR and other data protection laws. We only collect this information where it is necessary to deliver our services to you. For example, if you inform us about specific dietary requirements, this could indicate specific religious beliefs. If you request special assistance, use of an accessible room or facilities; or provide medical information for you and/or your group, this could reveal information about health. By providing any sensitive personal data you explicitly agree that we may collect and use it in order to provide our services and in accordance with this Privacy Policy. If you do not allow us to process any sensitive personal data, this may mean we are unable to provide all or parts of the services you have requested from us.

Requesting information or a quote

Your name, contact details and query will be recorded when you fill out a contact form. We will use your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.

Making an Enquiry or Booking

If you have made booking with us we may have records of your name, gender, date of birth, email and telephone number(s). For your security, we’ll also keep an encrypted record of your login password.

We hold details of your interactions with us through conversations with our sales and support teams, or online. For example, we collect notes from our conversations with you, details of any complaints or comments you make, details of bookings you made, items added to your basket (Surf Lessons and Coasteering booked on-line), voucher redemptions and how and when you contact us. We hold payment (credit or debit card) information

Under 16’s

We are concerned to protect the privacy of children aged 16 or under. If you are aged 16 or under‚ please get your parent/guardian’s permission beforehand. Whenever you provide us with personal information. We collect children’s names, gender and ages as part of our booking process

If you use our services while you are outside the EU, your information may be transferred outside the EU in order to provide you with those services.

Visiting OA

  • Web Cam. Your image and/or those of your group could be recorded on our webcam which records and displays views from Atlantic Court onto our website. These will be distant views. The webcam is situated in our office window facing the sea above the dining room patio. Your car number plate may be recorded on the webcam.
  • In the event of any accidents or incidents on centre – your data may be recorded and shared with third parties as part of our duty of care.

After Your Visit

  • We retain your comments and feedback
  • We hold your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.

SUMMARY – We may use your information:

  • to make sure we can deliver you the best possible course.
  • to assist us looking after the physical and emotional well being of our customers.
  • to ensure that the content on our website is presented in the most efficient way for you and the computer that you are using and to enable you to participate in interactive features of the site.
  • to provide you with information relating to our website, product or our services that you request from us.
  • to provide you with information on other products that we feel may be of interest to you in line with those you have previously expressed an interest in via our website.
  • to process a booking you have made.
  • to meet our obligations arising from any contracts entered into by you and us.
  • to seek your views or comments on the services we provide.
  • to notify you about any changes to our website, including improvements, and service or product changes.
  • to send you communications about products or services that you have requested and that may be of interest to you.
  • for our internal purposes including statistical or survey purposes, quality control, site performance and evaluation in order to improve our website.

We review our retention periods for personal information on a regular basis. We will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant contract you hold with us.

Who has access to your information?

OA and third Party Service Providers working on our behalf utilises the services of third party organisations (Matchfront, Pandadoc, Paypal etc.) to process your personal data. We may pass your information to our third-party service providers, agents subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example to process payments and send you email). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes. Please be reassured that we will not release your information to third parties for them to use for their own direct marketing purposes, unless you have requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.

We may transfer your personal information to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation, or if we’re under a duty to disclose or share your personal data in order to comply with any legal obligation or to enforce or apply our terms of use or to protect the rights, property or safety of our supporters and customers. However, we will take steps with the aim of ensuring that your privacy rights continue to be protected.

Data Controller

OA is the data controller and determines the purposes and means of the processing of your personal data. Where your data is processed by any third party on behalf of OA we will ensure the third party is a processor under the GDPR laws. We confirm that we take steps in order to ensure that this data is processed lawfully under the law in accordance with each agreement that we have in place with each processor.

If you wish to see all third-party processors, please email and we will send you a current list.

How Can I opt out?

You have a choice about whether or not you wish to receive information from us. We will not contact you for marketing purposes by email, phone or text message unless you have given your prior consent (opting in). We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted. If you no longer want to receive direct marketing communications from us, then you can change your preferences or completely unsubscribe in one of two ways:

  • Click the ‘unsubscribe’ at the bottom of marketing emails sent to you
  • Email or telephone 01288 362900 and we will process your request within 7 days

Your Rights

You have the right to ask us for a copy of the information OA hold about you. This can be done by emailing us at:

The accuracy of your information is important to us. If you change email address, or any of the other information we hold is inaccurate or out of date please contact by the above methods. From the date that we receive ALL the required Information, we have one month to process your request. If the request is complex or numerous we may require an additional two months and will contact to explain why the extension is necessary within the first month of your request.

Security precautions in place to protect the loss, misuse or alteration of your information. When you give us personal information, we take steps to ensure that it’s treated securely. Any sensitive information (such as credit or debit card details) is encrypted and protected with 128 Bit encryption on SSL across the entire website. When you are on a secure page, a lock icon will appear in the address bar of modern web browsers such as Microsoft Edge and Google Chrome.

Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.


We may analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you. This automated processing is intended to evaluate certain personal aspects of an individual. We may also use your personal information to detect and reduce fraud and credit risk

Use of ‘cookies’

Like many other websites, OA website uses cookies. ‘Cookies’ are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. Cookies are sometimes used to improve the website experience of a visitor to a website. They collect statistical data about your browsing actions and patterns and do not identify you as an individual. For example, we use cookies to pre-fill some information on forms and to enable us to see what people view on the website and for how long. The use of cookies enables us to improve our website, deliver effective marketing and offer a more personalised service.

We may also use the cookies to gather information about your general internet use to further assist is in developing our website. Where used, these cookies are downloaded to your computer automatically. This cookie file is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive and then stored there and transferred to us where appropriate to help us to improve our website and the service that we provide to you.It is possible to switch off cookies by adjusting your browser preferences or using a dedicated browser extension.

For more information about what cookies our website uses, check out or Cookie Policy

Securtiy Measures

We use the SSL/HTTPS protocol throughout our site. This encrypts our user communications with the servers so that personal identifiable information is not captured/hijacked by third parties without authorization.

In case of a data breach, system administrators will immediately take all needed steps to ensure system integrity, will contact affected users and will attempt to reset passwords if needed.

Links to other websites

Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access those using links from our website.

In addition, if you were referred to our website from a third-party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third-party site and recommend that you check the policy of that third party site.

Embedded Content

Pages on this site may include embedded content, like Vimeo videos, for example. Embedded content from other websites behaves in the exact same way as if you visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged-in to that website.


The Instagram page plugin is used to display our instagram photos on our site. Instagram has its own cookie and privacy policies over which we have no control. There is no installation of cookies from Instagram and your IP is not sent to a Instagram server until you consent to it. See their privacy policy here: Instagram Privacy Policy

Google Analytics

We use Google Analytics on our site for anonymous reporting of site usage. So, no personalized data is stored. If you would like to opt-out of Google Analytics monitoring your behavior on our website please visit Cookie Policy where you can manage your cookie preferences.

The Legal bases we rely on

The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:


In specific situations, we can collect and process your data with your consent. For example, when you tick a box to receive email newsletters. When collecting your personal data, we can always make clear to you which data is necessary in connection with a particular service.

Contractual obligations

In certain circumstances, we need your personal data to comply with our contractual obligations. For example, if you book a course or stay with us, we will collect your address details in order to send you booking information.

Legal compliance

If the law requires us to, we may need to collect and process your data. For example, we can pass on details of people involved in fraud or other criminal activity to law enforcement. We may also have to pass data to regulatory or governing bodies.

We may use your data to send you communications required by law such as updates to our Privacy Policy or to comply with any legal obligation to provide data to police.

Requesting access to your personal data

We respect your right to control your data. Your rights include:

Right of access – you have the right to access and obtain a copy of the personal data that we hold about you. We will only charge you for making such an access request where we feel your request is unjustified or excessive.

Right to rectification – you have the right to request that we correct any inaccuracies in the personal data stored about you.

Right to erasure – in certain circumstances, you have the right to request that we erase your personal data. For example, you may exercise this right in the following circumstances:

  • your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by us
  • where you withdraw consent and no other legal ground permits the processing
  • where you object to the processing and there are no overriding legitimate grounds for the processing
  • your personal data have been unlawfully processed
  • your personal data must be erased for compliance with a legal obligation

Where we store your personal data for statistical purposes, we may not be able to comply with such a request where it would likely impair such statistical purposes or where we require your personal data for compliance with a legal obligation or in connection with legal proceedings.

Right to restriction – you have the right to restrict our processing of your personal data where any of the following circumstances apply:

  • where you feel that the personal data which we hold about you are not accurate. This restriction will be in place for a period to enable us to verify the accuracy of your personal data
  • where the processing is unlawful and you do not want your personal data to be erased and request the restriction of its use instead
  • where we no longer need to process your personal data (e.g. any of the purposes outlined above have been completed or expire), but we require it in connection with legal proceedings
  • where you have objected to our processing of your personal data pending the verification of whether or not our legitimate business interests override your interests, rights and freedoms.

How long will we keep your personal data?

Whenever we collect or process your personal data, we’ll only keep it for as long as necessary for the purpose which it was collected. At the end of that period your data will either be deleted or anonymised, for example by aggregation with other data – so it can be used in a non-identifiable way for statistical analysis or business planning.

Type of data Examples – Period retained

Analytics data. Anonymised web traffic data in Google analytics and Hotjar systems:  50 months

Query data. Name, email address:  3 years

Lead booker data. Name, contact details:  3 years

Adults data. Party members Name, D.O.B, gender, dietary requirements, medical information:  12 months after visit.

Children’s data. Party members Name, D.O.B, address, gender, dietary requirements, medical information:  12 months after visit

Email correspondence.  Name, contact details, other info as provided by group leader:  3 years

Feedback post trip.  Feedback forms:  3 years

Payment information. Credit/Debit card information:  Not retained

Complaints and issues raised:  3 years

Incident data. Accident reports, witness statements:  Adults 5 years, Children 18 years

Insurance claims. Notification of claim, details of hearings:  Until claim is resolved or expires

Booking info. Dietary/medical requirement:  3 years

Cookies IP address:  See cookie policy

Contacting the Regulator

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. You can contact them by calling 0303 123 1113. Or go online to (opens in a new window; please note we can’t be responsible for the content of external websites). If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.


We may amend this Privacy Policy from time to time. When we amend this Privacy Policy, we will update this page accordingly and require you to accept the amendments in order to be permitted to continue using our services.