Privacy Policy

Effective Date: 15 November 2025

1. Introduction

MS Touring Productions (“we”, “us”, “our”, or “Company”) operates the Gay Sauna Guide website located at https://www.gaysaunaguide.co.uk (the “Website”). We are committed to protecting your privacy and handling your personal data in an open and transparent manner.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Website. It also describes your rights regarding your personal data and how you can exercise those rights.

By using the Website, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein. If you do not agree with this Privacy Policy, please do not use the Website.

2. Data Controller

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:

3. Information We Collect

3.1 Information You Provide Directly

We collect personal information that you voluntarily provide to us when you:

• Create an Account: Username, email address, password (stored in hashed form), and any optional profile information you choose to provide;
• Claim a Venue: Name, email address, phone number, business name, business address, proof of ownership or management authority, and verification documents;
• Subscribe to Premium Services: Billing name, email address, and payment information (processed and stored by Stripe, our payment processor);
• Submit Venue Content: Venue descriptions, photographs, opening hours, amenity information, pricing, FAQs, event details, and scheduled closures;
• Use Community Features: Messages, forum posts, comments, and any information shared in community discussions;
• Contact Us: Name, email address, and any information included in your correspondence;
• Complete Forms: Any information you provide through contact forms, enquiry forms, or other interactive features.

3.2 Information Collected Automatically

When you access and use the Website, we automatically collect certain information:

• Usage Data: Pages visited, time spent on pages, links clicked, search queries, referral sources, and browsing patterns;
• Device Information: Browser type and version, operating system, device type, screen resolution, and language preferences;
• IP Address (Hashed): Your IP address is collected and immediately hashed using the SHA-256 algorithm before storage. We do not store your actual IP address. The hashed value cannot be reversed to reveal your original IP address;
• Session Data: Session identifiers stored in cookies with a 24-hour expiration;
• Location Data: Approximate geographic location (city/region level only) derived from your hashed IP address;
• Analytics Events: Page views, search interactions, contact form submissions, booking link clicks, photo views, map interactions, and venue interactions.

3.3 Information from Third Parties

We may receive information about you from third-party services integrated with our Website:

• Stripe: Payment confirmation, subscription status, payment method details (last four digits of card), and billing information;
• Google Maps: Location data when you interact with maps on venue pages;
• Fluent Community: Community participation data, messages, and forum activity (if you subscribe to community features);
• Social Media: Publicly available information if you interact with our social media channels.

3.4 Sensitive Personal Data

The Website is focused on gay sauna venues and LGBTQ+ spaces. Your use of the Website may reveal your sexual orientation, which is considered a special category of personal data under UK GDPR. By using the Website, you explicitly consent to the processing of this information for the purposes described in this Privacy Policy.

4. How We Use Your Information

We process your personal data for the following purposes:

4.1 To Provide and Maintain the Service

• Create and manage your Account;
• Process venue claims and verify ownership;
• Display venue Listings and User Content;
• Facilitate Premium Services subscriptions;
• Process payments through Stripe;
• Provide access to community features;
• Respond to your enquiries and support requests;
• Send transactional emails (account verification, password resets, payment confirmations, subscription notifications).

4.2 To Improve and Personalise the Service

• Analyse usage patterns and user behaviour;
• Understand which features are most popular;
• Improve search functionality and relevance;
• Optimise Website performance and user experience;
• Test new features and functionality;
• Personalise search results and recommendations.

4.3 To Provide Analytics to Venue Owners

• Generate aggregated, anonymised analytics reports for Premium and Premium Plus subscribers;
• Provide insights into page views, visitor geography, search terms, and engagement metrics;
• Help venue owners understand their audience and improve their Listings.

4.4 For Security and Fraud Prevention

• Detect and prevent spam, abuse, and fraudulent activity;
• Identify patterns of suspicious behaviour using hashed IP addresses;
• Protect against unauthorised access and security threats;
• Enforce our Terms and Conditions;
• Verify venue claims and prevent fraudulent claims;
• Monitor for bot activity using Cloudflare Turnstile.

4.5 For Legal Compliance

• Comply with legal obligations and regulatory requirements;
• Respond to lawful requests from law enforcement or government agencies;
• Establish, exercise, or defend legal claims;
• Maintain audit trails and records for accounting and compliance purposes.

4.6 For Marketing and Communication (With Consent)

• Send newsletters and promotional emails about new features, venues, or special offers (only with your explicit consent);
• Notify you of important updates or changes to the Website;
• Invite you to participate in surveys or feedback opportunities.

5. Legal Basis for Processing

Under UK GDPR, we process your personal data based on the following legal grounds:

• Consent: When you explicitly consent to processing of sensitive personal data (sexual orientation inferred from Website use), marketing communications, and certain optional features;
• Contractual Necessity: To perform our contract with you when you create an Account, claim a venue, or subscribe to Premium Services;
• Legitimate Interests: To improve the Website, prevent fraud and abuse, conduct analytics, and maintain security, provided these interests do not override your rights and freedoms;
• Legal Obligation: To comply with applicable laws, regulations, and lawful requests from authorities.

6. Cookies and Tracking Technologies

6.1 What Are Cookies

Cookies are small text files stored on your device when you visit a website. They help the website remember information about your visit, such as your preferences and login status.

6.2 Types of Cookies We Use

Essential Cookies (Strictly Necessary):

• Session management and authentication;
• Security and fraud prevention;
• Website functionality and navigation;
• These cookies are necessary for the Website to function and cannot be disabled.

Analytics Cookies:

• Track page views, user interactions, and navigation patterns;
• Session cookies expire after 24 hours;
• Help us understand how visitors use the Website;
• Used to generate aggregated analytics reports.

Preference Cookies:

• Remember your settings and preferences;
• Store search filters and display options;
• Enhance your user experience.

6.3 Third-Party Cookies

We use third-party services that may set their own cookies:

• Google Maps: To display venue locations and maps;
• Stripe: For secure payment processing;
• Cloudflare: For security, performance, and bot detection;
• Fluent Community: For community messaging and forums (if applicable).

These third parties have their own privacy policies governing their use of cookies.

6.4 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to:

• View and delete cookies;
• Block third-party cookies;
• Block cookies from specific websites;
• Delete all cookies when you close your browser.

Please note that disabling cookies may affect the functionality of the Website and your user experience.

7. IP Address Hashing and Privacy Protection

To protect your privacy while maintaining our ability to detect abuse and provide analytics, we employ irreversible IP address hashing:

• Immediate Hashing: When you visit the Website, your IP address is immediately hashed using the SHA-256 cryptographic algorithm before being stored;
• Irreversible Process: The hashing process is one-way and cannot be reversed to reveal your original IP address;
• Privacy by Design: We never store your actual IP address in our database;
• Pattern Detection: Hashed IP addresses allow us to detect patterns of abuse, suspicious activity, and bot traffic without identifying individual users;
• Geographic Insights: We derive approximate geographic location (city/region level) before hashing for analytics purposes;
• GDPR Compliance: This approach ensures compliance with UK GDPR data minimisation principles.

8. How We Share Your Information

We do not sell your personal data to third parties. We may share your information in the following circumstances:

8.1 Service Providers

We share personal data with trusted third-party service providers who assist us in operating the Website:

• Stripe: Payment processing and subscription management. Stripe processes and stores payment card details. See Stripe’s Privacy Policy at https://stripe.com/privacy;
• Google: Mapping services (Google Maps) for venue location display;
• Cloudflare: Content delivery, security, and DDoS protection;
• Fluent Community: Community messaging and forum platform (if applicable);
• Hosting Providers: Web hosting and server infrastructure;
• Email Service Providers: Transactional and marketing email delivery.

These service providers are contractually obligated to protect your personal data and use it only for the purposes we specify.

8.2 Venue Owners

When you use contact forms or submit enquiries through a venue’s Premium Plus Listing, your name, email address, and message content are shared with the venue owner to facilitate your enquiry.

8.3 Publicly Displayed Information

Certain information is publicly displayed on the Website:

• Venue information, descriptions, and photographs submitted by venue owners;
• Community forum posts and messages (if you participate in community features);
• Usernames (if displayed in public areas of the Website).

8.4 Legal Requirements

We may disclose your personal data if required to do so by law or in response to:

• Valid legal processes (subpoenas, court orders, search warrants);
• Requests from law enforcement or government agencies;
• Investigations of suspected illegal activity;
• Protection of our rights, property, or safety, or that of others.

8.5 Business Transfers

In the event of a merger, acquisition, reorganisation, sale of assets, or bankruptcy, your personal data may be transferred to the successor entity, subject to the same privacy protections described in this Privacy Policy.

8.6 Aggregated and Anonymised Data

We may share aggregated, anonymised data that does not identify you personally with:

• Venue owners (analytics reports about their Listings);
• Business partners;
• Researchers and analysts;
• The public (for statistical or research purposes).

9. International Data Transfers

Your personal data may be transferred to and processed in countries outside the United Kingdom and the European Economic Area (EEA), including the United States and Ireland, where our servers and service providers are located.

When we transfer your personal data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): We use SCCs approved by the UK Information Commissioner’s Office for transfers to countries without adequacy decisions;
• Adequacy Decisions: We may transfer data to countries recognised by the UK Government as providing adequate data protection;
• Service Provider Commitments: Our service providers (such as Stripe and Google) maintain comprehensive data protection and security measures.

10. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy and to comply with legal obligations:

• Active Accounts: Personal data is retained while your Account remains active;
• Account Deletion: When you delete your Account, we use a “soft deletion” process where data is marked as deleted but retained for a limited period (typically 90 days) for audit trail and legal compliance purposes;
• Venue Claims: Verification documents and claim records are retained for 7 years for audit and legal compliance purposes;
• Payment Records: Billing and payment records are retained for 7 years to comply with accounting and tax regulations;
• Analytics Data: Aggregated, anonymised analytics data may be retained indefinitely as it does not identify individuals;
• Hashed IP Addresses: Retained for 12 months for security and abuse prevention purposes;
• Marketing Consents: Retained until you withdraw consent or for 2 years after your last interaction with us;
• Legal Claims: Data necessary to establish, exercise, or defend legal claims is retained until the claim is resolved and any appeal period has expired.

After the retention period expires, personal data is securely deleted or anonymised.

11. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights regarding your personal data:

11.1 Right of Access

You have the right to request a copy of the personal data we hold about you. We will provide this information free of charge within one month of your request.

11.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly through your Account settings.

11.3 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data in certain circumstances:

• The data is no longer necessary for the purposes for which it was collected;
• You withdraw consent and there is no other legal basis for processing;
• You object to processing and there are no overriding legitimate grounds;
• The data has been unlawfully processed;
• Deletion is required to comply with a legal obligation.

This right is not absolute and may be limited by legal obligations to retain certain data.

11.4 Right to Restrict Processing

You have the right to request that we limit the processing of your personal data in certain circumstances:

• You contest the accuracy of the data (while we verify accuracy);
• Processing is unlawful but you oppose deletion;
• We no longer need the data but you require it for legal claims;
• You have objected to processing (while we verify whether our legitimate grounds override yours).

11.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as CSV or JSON) and to transmit that data to another controller.

11.6 Right to Object

You have the right to object to processing of your personal data:

• Direct Marketing: You can object to marketing communications at any time by clicking the unsubscribe link in emails or contacting us;
• Legitimate Interests: You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights.

11.7 Right to Withdraw Consent

Where processing is based on your consent (such as processing of sensitive personal data or marketing communications), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

11.8 Right Not to Be Subject to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

11.9 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

• Email: [email protected]
• Subject Line: “Data Protection Request”
• Include: Your name, email address associated with your Account, and a description of your request

We will respond to your request within one month. In complex cases, we may extend this period by two months and will inform you of the extension.

We may require additional information to verify your identity before processing your request.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration:

12.1 Technical Measures

• Encryption: All data transmitted between your browser and our servers is encrypted using SSL/TLS protocols (HTTPS);
• Password Security: Passwords are hashed using industry-standard algorithms (bcrypt) and never stored in plain text;
• IP Address Hashing: IP addresses are irreversibly hashed using SHA-256 before storage;
• Access Controls: Role-based access controls limit who can access personal data;
• Secure Payment Processing: Payment card data is processed and stored by Stripe, a PCI DSS compliant payment processor. We do not store complete card details on our servers;
• Regular Security Updates: We regularly update and patch our systems and software;
• Firewall Protection: Network firewalls protect against unauthorised access;
• DDoS Protection: Cloudflare provides protection against distributed denial-of-service attacks.

12.2 Organisational Measures

• Staff Training: Our staff receive training on data protection and privacy;
• Access Limitation: Access to personal data is limited to employees and contractors who need it to perform their duties;
• Confidentiality Agreements: All personnel with access to personal data are bound by confidentiality obligations;
• Incident Response: We have procedures in place to detect, report, and respond to data breaches;
• Third-Party Oversight: We carefully vet service providers and require them to implement appropriate security measures.

12.3 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the UK Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach;
• Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms;
• Provide information about the nature of the breach, likely consequences, and measures taken to address it.

13. Children’s Privacy

The Website is not intended for use by persons under 18 years of age. We do not knowingly collect personal data from children under 18.

If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information as soon as possible.

If you believe we have collected information from a child under 18, please contact us immediately at [email protected].

14. Third-Party Links and Services

The Website may contain links to external websites, booking systems, ticketing platforms, and other third-party services operated by venue owners or other third parties.

We are not responsible for the privacy practices of these third-party websites and services. We encourage you to review the privacy policies of any third-party sites you visit.

When you click on external links or use third-party services (such as booking systems), you leave our Website and this Privacy Policy no longer applies.

15. Marketing Communications

15.1 Marketing Emails

We may send you marketing emails about new features, venue updates, special offers, or other promotional content if you have:

• Explicitly opted in to receive marketing communications;
• Created an Account and not opted out of marketing communications (where permitted by law).

15.2 Transactional Emails

We will send you transactional emails necessary for the operation of the Website, including:

• Account verification and password reset emails;
• Payment confirmations and receipts;
• Subscription notifications (renewal, cancellation, payment failure);
• Venue claim approval or rejection notices;
• Important updates about the Website or changes to our Terms or Privacy Policy.

You cannot opt out of transactional emails as they are necessary to provide the Service.

15.3 How to Opt Out

You can opt out of marketing communications at any time by:

• Clicking the “unsubscribe” link at the bottom of marketing emails;
• Updating your email preferences in your Account settings;
• Contacting us at [email protected] with “Unsubscribe” in the subject line.

16. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes to this Privacy Policy, we will:

• Update the “Effective Date” at the top of this Privacy Policy;
• Post a notice on the Website homepage;
• Send an email notification to the address associated with your Account (if applicable);
• Obtain your consent if required by law.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

Your continued use of the Website after changes to this Privacy Policy constitutes your acceptance of the updated Privacy Policy.

17. Complaints and Regulatory Authority

17.1 Complaints to Us

If you have any concerns about how we handle your personal data, please contact us first at [email protected]. We will investigate and respond to your complaint within a reasonable timeframe.

17.2 Supervisory Authority

You have the right to lodge a complaint with the relevant data protection supervisory authority:

For UK residents:

For EU residents:

You may contact your local data protection authority in your EU member state.

For Irish residents:

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

We will respond to your enquiry as soon as possible and within one month of receipt.

19. Acknowledgement

BY USING THE WEBSITE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY, UNDERSTAND IT, AND AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR PERSONAL INFORMATION AS DESCRIBED HEREIN. IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, PLEASE DO NOT USE THE WEBSITE.

---

Last Updated: 15 November 2025