Privacy Policy
Last updated: January 2026
1. Who I am
Munro Microadventures provides guided mountain walking in Scotland's mountains. I am Iain Watson, trading as Munro Microadventures, and I am the data controller for information you provide.
Contact details:
Iain Watson
Trading as: Munro Microadventures
30 Miller Street
Winchburgh, West Lothian
EH52 6WP
For data protection queries, contact me at contact@munromicroadventures.uk.
2. Information I collect
When you make a booking, I collect:
- Name, email address, and phone number (if provided)
- Emergency contact details
- Booking dates and service details
- Health and medical information (with your explicit consent) to assess suitability for mountain activities
When you contact me via the website form or email, I collect:
- Name and email address
- Phone number (if provided)
- Your enquiry message and any details you choose to share
3. How I use your information
| Purpose | Legal basis |
|---|---|
| Process and manage your booking | Contract performance |
| Communicate about your booking | Contract performance |
| Assess your suitability for activities (health data) | Explicit consent |
| Contact emergency contacts during activities | Contract performance |
| Respond to enquiries | Legitimate interests |
| Comply with legal obligations | Legal obligation |
Legitimate interests explanation: When responding to enquiries, my legitimate interest is to communicate with people who have contacted me requesting information. I consider this aligned with your reasonable expectations.
4. Who I share your data with
I share your data with these third parties when necessary:
Service providers (data processors)
- Google Workspace (Gmail) — email communications, storing correspondence including booking details and enquiries
- Google Drive — secure cloud storage of booking records, health forms, and business documents
- Amazon Web Services (AWS) — website hosting infrastructure and contact form processing (exclusively in EU region)
These service providers process data on my behalf in compliance with UK GDPR requirements. Google services are based in the USA and covered by data processing agreements. AWS services for contact form processing are hosted exclusively in the EU (Ireland) region to ensure GDPR compliance, with no data transfer outside the EU.
Professional advisers and regulators
- Professional advisers — accountants, insurers, legal advisers when required
- HMRC and regulators — when legally required
- Emergency services — only if required during a medical emergency on a trip
I do not sell your data or share it for third-party marketing.
5. International transfers
Some of my service providers are based outside the UK, including in the USA. When your personal data is transferred internationally, it is protected by:
- Google (Gmail and Google Drive) — certified under the EU-US Data Privacy Framework (recognised by the UK) and uses Standard Contractual Clauses (SCCs)
These mechanisms ensure your data receives the same level of protection as it would in the UK.
Contact form processing: Contact form submissions are processed using AWS services hosted exclusively in the EU (Ireland) region. This data never leaves the EU and is immediately forwarded to my email inbox. No data is stored by the contact form system.
6. How long I keep your data
| Data type | Retention period |
|---|---|
| Booking and payment records | 6 years (tax/legal requirements) |
| Health and medical information | Deleted after your trip |
| Enquiries (non-bookings) | Up to 3 months from last contact, after which enquiries are deleted |
| Emergency contact information | Deleted after your trip |
7. Your rights
Under UK data protection law, you have the right to:
- Access your personal data — request a copy of the information I hold about you
- Correct inaccurate data — ask me to update or correct your information
- Delete your data ("right to be forgotten") — request deletion of your personal information
- Restrict processing in certain circumstances
- Object to processing based on legitimate interests
- Data portability — receive your data in a portable format
- Withdraw consent at any time (for health data or photography)
To exercise these rights, email contact@munromicroadventures.uk. I will respond within one month.
8. Cookies
My website does not use cookies for analytics, advertising, or tracking purposes. I only use strictly necessary session cookies that are essential for the website to function properly (such as form submission). These do not track you and do not require your consent.
9. Health and medical information
I collect health information to assess your suitability for mountain activities and ensure your safety. This is "special category" data under UK GDPR and requires your explicit consent.
How I collect your health information
After you make an initial enquiry, I will send you a booking form by email. This form will ask you to disclose any medical or personal issues that may affect your participation in the activity. By completing and returning this form, you are providing your explicit consent for me to process this health data for the purposes described below.
How I use your health information
I use your health data to:
- Assess whether the planned activity is suitable for your fitness and health level
- Make reasonable adjustments to the trip if needed
- Respond appropriately in case of a medical emergency during the trip
- Share with emergency services if required in a medical emergency
Your rights regarding health data
You can withdraw your consent at any time by contacting me. However, providing relevant health information is a condition of booking, as I need this to assess whether I can safely provide the service. If you withdraw consent or do not provide necessary health information, I may need to cancel your booking.
Retention
I keep health information from when you provide it through to the completion of your trip, then securely delete it.
10. Photography and images
During activities, I may take photographs for use on my website, social media channels (Instagram, Facebook), and marketing materials.
I obtain your consent for photography use through the booking form, where you can either consent to photography for all these purposes or opt out of being photographed entirely.
You can:
- Withdraw consent at any time by contacting me at contact@munromicroadventures.uk
- Request that I remove specific images from my website or social media
Your photography preferences do not affect your ability to book trips with Munro Microadventures.
If you withdraw consent, I will remove photos featuring you from my website and social media within 14 days of your request.
11. Data security
I take appropriate technical and organisational measures to protect your personal data, including:
- Password-protected devices and storage
- Two-factor authentication on all accounts handling personal data
- Secure deletion of data when no longer required
- Limited access to personal data (only Iain Watson has access)
12. Changes to this policy
I may update this policy periodically to reflect changes in my practices or legal requirements. Significant changes will be communicated through a notice on my website.
13. Complaints
If you're unhappy with how I handle your data, please contact me first at contact@munromicroadventures.uk.
You also have the right to complain to the Information Commissioner's Office:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF