The Malvern Privacy Policy

We are committed to safeguarding and preserving the privacy of all our visitors.

This Privacy Policy explains what happens to any personal data that you provide to us, or that we collect from you whilst you visit our site.

We understand that privacy online is important to users of our Site, especially when conducting business. This statement governs our privacy policies with respect to those users of the Site who visit without transacting business and Visitors who register to transact business on the Site and make use of the various services offered by Harbour Hotels.

Who we are

Your personal information is collected by The Spa at Malvern LLP trading as The Malvern Spa. Registration Number:

The Spa at Malvern LLP 0C383364

What information do we collect about you?

At various times, we will be obliged to ask you, as a Malvern Spa customer, for information about you and/or members of your party, such as:

  • Contact details (for example, full name, telephone number, email)
  • Personal information, for example, date of birth (The Malvern is an adult-only establishment)
  • Your credit card details (for transaction and reservation purposes)
  • Your arrival and departure dates
  • Medical history for the purpose of carrying out your treatments and using our spa facilities and thermal suite
  • Your preferences and interests (for example, preferred floor, type of bedding, type of newspapers/magazines, sports, cultural interests)

We also collect web statistics automatically about your visit to our site. This information is used to help us follow browsing preferences on our site so that we can regularly improve our website. These statistics do not contain personal data and cannot be traced back to an individual.

We do not use cookies to store personal data or link non-personal information stored in cookies with personal data about specific individuals.

We will only disclose your information if it is lawful to do so in accordance with the principles of the Data Protection Act 2018 or the General Data Protection Regulation.

How will we use the information about you?

We use your information in a number of different ways, primarily to fulfil a contract and also provide excellent service to our customers — what we do depends on the information. The tables below set this out in detail, showing what we use the information we collect for, and the lawful basis we rely on to process it.


| Personal information | What we use it for | Lawful basis |
|---|---|---|
| Contact details | To manage your reservation, accommodation requests and other hotel services; to manage your stay at the hotel, room lists, restaurant bookings, special requests, and services; to manage invoicing and payment records | |
| Personal information | To improve our hotel services, to assist in promotional services | Legitimate interest consent |
| Medical history | To ensure we can safely carry out spa treatments; to ensure there are no risks to the customer when using the spa facilities | |
| Credit card details | To guarantee bookings and/or make payments | Contract |
| Arrival and departure | To manage hotel booking | Contract |
| Preferences and interests | To enhance customer experience during their stay, improve services we offer | Legitimate interest |
| Questions / comments | To collect feedback to improve our service and monitor guest experience | Legitimate interest |
| Browsing info | Improving website performance and retargeting advertisements | Consent |


Your Rights

You have rights relating to your personal information:

  • The right to be informed about how your personal information is being used
  • The right to access the personal information we hold about you
  • The right to request the correction of inaccurate personal information we hold about you
  • The right to request that we delete your data, or stop processing it or collecting it, in some circumstances
  • The right to restrict direct marketing messages, and to withdraw consent for other consent-based processing at any time
  • The right to request that we transfer or port elements of your data either to you or another service provider
  • The right to complain to your data protection regulator — in the UK, the Information Commissioner’s Office

If you want to exercise your rights, have a complaint, or just have questions, please contact us; details are in the contact us section at the end of this document. The Data Protection Act 2018 also gives you the right to lodge a complaint with the supervisory authority in the UK. This is the Information Commissioner, who may be contacted at https://ico.org.uk/concerns or by telephone: 0303 123 1113.

Keeping Your Information

We’ll hold on to your information for as long as you have a booking with us, and for as long as is necessary to provide support-related reporting.

We’ll also hold on to your information, if reasonably necessary or required, to meet legal or regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions. We may also keep hold of some of your information as required, even if it is no longer needed to provide the services to you.

How we secure your information

The Malvern takes data security seriously, and we use appropriate technologies and procedures to protect personal information. Personal information is stored on our PMS locally on our servers onsite. Our information security policies and procedures are aligned with widely accepted international standards; we apply the controls detailed in the Payment Card Industry Data Security Standard to all environments storing personal data.

For example:

  • We have a Business Continuity and Disaster Recovery strategy that is designed to safeguard the continuity of our service to our clients and to protect our people and assets (backups)
  • We place appropriate restrictions on access to personal information (authorised personnel, password protection)
  • We implement appropriate measures and controls, including monitoring and physical measures, to store and transfer data securely

Training for employees and contractors

  • We require privacy, information security, and other applicable training on a regular basis for our employees and contractors who have access to personal information and other sensitive data
  • We take steps to ensure that our employees and contractors operate in accordance with our information security policies and procedures and any applicable contractual conditions

Vendor risk management

  • We require, through the use of contracts and security reviews, our third-party vendors and providers to protect any personal information with which they are entrusted in accordance with our security policies and procedures


We would like to send you information about products and services of ours. If you have consented to receive marketing, you may opt-out at any time.

You have a right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, you may unsubscribe from any marketing email, or adjust your marketing preferences on your preferences page on our website. You may also contact us directly at reception@themalvernspa.com


We use cookies when you visit our site. There are four main types of cookies – here’s how and why we use them:

  1. Site functionality cookies. These cookies allow you to navigate the site and use our features
  2. Site analytics cookies. These cookies allow us to measure and analyse how our customers use the site, to improve both its functionality and your user experience. We use Google Analytics to collect information about visitor behaviour on our website. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on. This Analytics data is collected via a JavaScript tag in the pages of our site and is not tied to personally identifiable information. We therefore do not collect or store your personal information (e.g. your name or address) so this information cannot be used to identify who you are. The Google Analytics tracking cookie also allows us to access aggregated demographic and audience data from online behavioural advertising services. This information is only available to us at a group level, with no personal or identifiable information contained within it. It is used only for us to evaluate the effectiveness of the website and see how different groups of users use and respond to the site, and in no way allows us to track people individually. You may opt out of this tracking by disabling cookies within your browser.
  3. Customer preference cookies. When you are browsing, these cookies will remember your preferences (like your language or location), so we can make your experience as seamless as possible, more personalised to you, and save you time specifying them again
  4. Targeting or advertising cookies. These cookies are used to deliver ads relevant to you. They also limit the number of times that you see an ad and help us measure the effectiveness of our marketing campaigns.

By using our site, you agree to us placing these sorts of cookies on your device and accessing them when you visit the site in the future. If you want to delete any cookies that are already on your computer, the “help” section in your browser should provide instructions on how to locate the file or directory that stores cookies. Further information about cookies can be found on the ICO page “Cookies and similar technologies”. Please note that by deleting or disabling future cookies, your user experience may be affected, and you might not be able to take advantage of certain functions of our site.

Your name, address, telephone number or email address may also be used to find you on Facebook [and Instagram], for the purposes of targeting you with advertising of our products and services on Facebook [and Instagram].

This site uses the Lucky Orange and Hotjar analytics systems to help improve usability and customer experience. These systems anonymously record mouse clicks, mouse movements and scrolling activity, and keystroke information that you voluntarily enter on this website.

Changes to how we protect your Privacy

We may change this page from time to time, to reflect how we are processing your data. If we make significant changes, we will make that clear on our website, or by some other means of contact such as email, so that you are able to review the changes before you continue to use our services.

How to contact us

If you:

  • Have any questions or feedback about this notice
  • Would like us to stop using your information
  • Want to exercise any of your rights as set out above, or have a complaint

You can contact our Deputy General Manager by emailing amy.downton@themalvernspa.com

Or if you’d like to, you can write to us at: The Malvern Spa, Grovewood Road, Malvern, Worcestershire, WR14 1GD

Group Policy

The Malvern has a maximum group size policy of 8 people.

Our aim is to ensure all of our guests enjoy their visit using our wonderful facilities and that you leave relaxed, refreshed and with a favourable impression of our hotel and staff.

As a hotel, it is our responsibility to consider all of our guests' needs to ensure everyone has a positive and safe experience with us. The following policy will ensure this always happens.

Guests are requested to conduct themselves appropriately at all times and to comply with Company procedures and/or requests with regard to conduct, wellbeing and respect for the property of the Hotel, its employees and guests. You are requested not to disrupt the comfort and enjoyment of other guests, the smooth running of the Hotel, or cause offence to other guests or members of staff. We reserve the right to refuse accommodation or services or remove you and members of your party from the Hotel if, in our reasonable opinion, we consider this provision to have been breached. Where this is the case we shall have no obligation to refund you for lost accommodation, other services or any other loss or expense incurred.
