Last updated: 11 May 2026.
This Privacy Policy explains how we collect, use and protect your personal data when you visit www.visits.london or book one of our tours. It applies to data processed by Abstract27 LTD trading as visits.london.
1. Who is the data controller
Abstract27 LTD, a company registered in England and Wales (company number 07504698) with its registered office at 167-169 Great Portland Street, 5th Floor, London W1W 5PF, is the “data controller” under the UK GDPR and the Data Protection Act 2018.
To contact us about your data, use https://www.visits.london/contact/ and mention “Privacy” in your message.
2. What data we collect
We collect only the data we need to operate the tours and the website.
- Booking data: name, email address, phone number (if you provide it), number of adults and children, tour date and time, special requirements you tell us about (accessibility, dietary etc.), payment confirmation reference from the booking processor.
- Payment data: handled by TicketingHub and its underlying payment provider. We never see or store your full card number — only a transaction reference and the last 4 digits where displayed.
- Contact form submissions: name, email, message content. Submitted via Tally.
- Newsletter subscriptions: email address only, plus the date you subscribed and the date of unsubscription if applicable. Sent via Ghost & Mailgun.
- Comments & member accounts (if you create one): email address and any display name you set, via Ghost Members.
- Technical data: IP address, browser type, pages visited, referrer, approximate location derived from IP (city level). Used in aggregate for security and to understand which content is useful.
- Cookies: a small number of strictly necessary cookies set by Ghost (session, member auth, search) and any analytics cookies you consent to (see section 8).
3. Why we use it and the legal basis
| Purpose | Legal basis (UK GDPR Art. 6) |
|---|---|
| Process and deliver your tour booking | Contract |
| Send booking confirmation, joining instructions and post-tour follow-up | Contract |
| Comply with our tax, accounting and consumer-protection obligations | Legal obligation |
| Send our newsletter (only if you subscribed) | Consent — you can withdraw it at any time |
| Respond to your contact-form message | Legitimate interest (responding to your own request) |
| Run the website, prevent fraud and abuse, improve content | Legitimate interest |
| Display ratings, anonymised reviews and quotes | Legitimate interest, with your consent for identifiable details |
4. Who we share it with (data processors)
We do not sell your personal data, and we do not share it with advertisers. We use the following service providers (“processors”) that handle data on our behalf:
- Ghost — CMS and Members backend. Hosts the website, member accounts, comments and the newsletter list.
- TicketingHub — booking engine and payment gateway. Handles your booking transaction and card payment.
- Tally — contact form on /contact/.
- Mailgun — transactional and newsletter email delivery.
- Senja — collects and displays customer reviews you choose to leave publicly.
- Cloudron — the server infrastructure on which Ghost runs.
Each processor is bound by a data-processing agreement with us, and only uses your data to provide the service.
5. International transfers
Some of our processors are based outside the United Kingdom or the European Economic Area (in particular the United States). When this is the case, the transfer is protected by appropriate safeguards: the UK International Data Transfer Agreement, or Standard Contractual Clauses (UK Addendum) as approved by the ICO, or transfer to a country covered by an adequacy decision.
6. How long we keep your data
| Type of data | Retention |
|---|---|
| Booking records (incl. invoices) | 6 years from the end of the relevant tax year (HMRC requirement) |
| Newsletter subscription | Until you unsubscribe, then 30 days for suppression-list purposes |
| Contact form messages | 24 months from your last message, then deleted |
| Comments and member accounts | Until you delete the account or ask us to |
| Server logs (IP, requests) | Up to 90 days, then deleted or aggregated |
| Analytics data | Up to 26 months in aggregate form |
7. Your rights
Under the UK GDPR you have the right to:
- be informed about how we use your data (this page);
- request access to the data we hold about you;
- have it corrected if it is inaccurate;
- request erasure (“right to be forgotten”), subject to legal obligations such as tax records;
- request restriction of processing in certain cases;
- obtain a portable copy of the data you provided to us, in a structured machine-readable format;
- object to processing based on legitimate interest;
- withdraw consent at any time (in particular for the newsletter, via the unsubscribe link in every email);
- not be subject to a solely automated decision that has legal or similarly significant effects on you (we do not perform such automated decision-making).
To exercise any of these rights, contact us at https://www.visits.london/contact/. We will respond within one month.
8. Cookies
The website uses a small number of cookies:
- Strictly necessary: set by Ghost for session, signed-in member state, search, and theme preference (light/dark). Cannot be switched off without breaking the site.
- Functional: set when you sign up to the newsletter or comment, to remember you on the device.
- Analytics (if and when enabled): used to count visits and understand which content is useful. Set only with your consent.
- Booking: the TicketingHub embed and Tally form may set their own cookies on the pages where they appear, governed by their own privacy policies.
You can clear cookies at any time from your browser settings.
9. Children
Our service is not directed at children under 13. We do not knowingly collect personal data from children under 13 directly. Bookings that include children are made by an adult, who is responsible for any data about the child that they provide to us. If you believe a child under 13 has given us personal data, contact us and we will delete it.
10. Security
Personal data is stored on managed infrastructure with TLS in transit, daily encrypted backups, role-based access control, and least-privilege access by Abstract27 staff. Card payment data is handled by the booking processor (TicketingHub) on PCI-DSS compliant infrastructure — it never touches our servers.
11. Complaints
If you are unhappy with how we handle your data, please contact us first via https://www.visits.london/contact/ so that we can try to resolve it.
You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner’s Office (ICO): https://ico.org.uk/make-a-complaint/.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The version in force is the one published on this page. Material changes will be communicated by email to customers and subscribers where appropriate.
13. Contact
Abstract27 LTD trading as visits.london
167-169 Great Portland Street, 5th Floor, London W1W 5PF, United Kingdom
Company number: 07504698 (Companies House, England and Wales)
Contact form: https://www.visits.london/contact/