Privacy Policy


Norton Park SCIO (“We”, “Us”, “Our”) is committed to protecting the privacy and personal data of our users, customers, and stakeholders.
This privacy policy outlines how we collect, use, disclose, and manage personal data in accordance with the UK GDPR

Data Controller

Norton Park SCIO is the data controller for the personal data collected and processed through our activities, services, and operations.  If you have any questions about this privacy notice, please contact us by emailing

The data we hold about you

We currently collect and process the following information:

  • Identity data, such as title, name and user ID.
  • Contact data, such as your address, billing address, email address and telephone numbers.
  • Transactional data, such as payments made by and to you, and details of services provided to you.
  • Technical data, including your IP address, login information, browser type and version, time zone setting and location, browser plug-ins and other technology on the devices used to access our website.
  • Usage data, including how you use our website, products and services.
  • Marketing and communications data, including your preferences in relation to marketing from us and from any third parties, and your preferences for methods of communication.
  • Special categories of personal data: owing to the products and services that we offer, Norton Park SCIO sometimes needs to process sensitive personal information (known as ‘special category data’) to ensure your health and safety, e.g. personal emergency evacuation plan. Where we collect such information, we will only request and process the minimum data necessary for the specified purpose and will identify a compliant legal basis for doing so.
  • CCTV images are used for the prevention, detection and investigation of criminal activity and to keep our guests and staff safe. It is our policy not to disclose images to anyone other than the police.

 Personal data of third parties

If you act on behalf of or book a viewing for another person, we will also collect their data for the purposes outlined in this Notice.

Failure to provide personal data.

In some cases, we may need to collect your personal data by law, or in order to perform our side of a contract we have entered into with you, or with a view to entering into such a contract.

If you fail to provide the requested data, we may not be able to perform under the contract we have with you, or to enter into the contract with you. In such circumstances we may have to cancel the contract, or be unable to fulfil the contract, which means we would not be able to provide the product or service to you. If that is the case, we will notify you of this at the time.

Your Duty to Inform us of Changes.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

 How we collect personal information and why we have it

We use different methods to collect personal data from and about you. We have set out below a description of the personal data we collect, how and why it is collected and which of the legal bases we rely on to do so (including a description of the legitimate interest pursued). Note that we may process your personal data for more than one basis depending on the specific purpose for which we are using your data:

Personal Data Type Collection Method Basis of Use Purpose
Identity Data

Contact Data

Marketing & Communications Data

Direct Interactions with you e.g. in person, by phone, via our website (including via the Messaging function), via social media

Data capture forms/documents.



Legitimate Interests: to run our business

To process an enquiry.

To contact you

To provide you (or your employer) with a service

To provide you with marketing material




Marketing and Communications

Special categories of personal information

Direct Interactions with you.

Data capture forms/documents.

Entry into contract to which you are party,

Required for our legitimate interest to ensure your safety while on our premises.

Consent (if required)

Vital interest

To process a booking, whether made directly with us or via an external agency.

To process payment and to invoice



Data capture forms/documents. Legal obligation

Legitimate interest

Under UK legislation we are legally obliged to collect specific information from you to verify your identity, e.g. for setting up contracts and renting space.
Identity Sign-in forms

Incident forms

Vital interests Security and Fire
Identity Data

Contact Data

CCTV systems Legitimate Interests:  to protect us, the security of our assets and other building users. To ensure security and to investigate responsibility in the event of any crime, damage or injury.   If using car park, registration plates may be captured.



Data capture forms/documents. Performance of a contract to which you are party

Legitimate interest

Norton Park aims to keep the data we store secure on our premises and on our IT systems and platforms. We do this by means of encryption, passwords, access controls, physical security, company policies and IT support. Personal data may be processed in this context by Norton Park SCIO.
Technical Data

Usage Data

Marketing and Communications Data

Interactions with our websites and booking portal

Use of cookies

Legitimate interests: to administer our IT systems, run our business and website To keep our online resources working, up to date and effective

To monitor and ensure effective operation of our products and services

Identity Data

Contact Data

From you or third parties such as your employer, our members whose offices you are entering or contacting, analytics providers, electronic payment providers or data aggregators Legitimate Interest (to run our business) To contact you (or allow you to be contacted by relevant third parties) To take and verify payments from you To efficiently run our website, app and social media pages


When we rely on “Legitimate Interest” we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.

We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

 Sharing of your personal data

Norton Park will not sell your information to any third party.

If required, we will share your personal data with the parties (all established in the UK or European Economic Area unless otherwise stated) set out below:

  • HM Revenue & Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.
  • Professional advisers including lawyers, auditors and insurers based in the European Union or United Kingdom who provide consultancy, banking, insurance, and accounting services.
  • Online payment provider.
  • Police, OSCR or ONS investigating a complaint.
  • In event of an emergency the Fire Service will have access to manual and electronic sign-in data.

If you need further information on who your data may be transferred to or any measures in place between us and the recipient of that data, contact us at the above email address to discuss this.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.


Information collected on our website

We use Google Analytics and Cookies to improve our service user experience and analyse how our website is used.  You can choose whether or not these cookies are used. A full list of the cookies we use is on our website.

Google Analytics will anonymise part of your IP address before storing it.  The IP address will still give us an approximate location for you.  Otherwise, most of the information collected is anonymous traffic data, including browser information, device information and language.   The information provides an overview of how visitors reach the website and how they use it.  We do not use the information for any additional purpose.

If you use our booking form, we will record personal information that you complete in the registration form.  We will use the email address you provide to send you confirmation emails related to bookings .

International transfers

Unless noted above, we do not transfer your personal data outside the United Kingdom or European Economic Area (which has been deemed to be a jurisdiction of adequate protection for personal data received from the United Kingdom).

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.

Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.  This is set out in Norton Park’s retention guidelines.

You can request that your data is deleted at any time, and we will action this request unless we are required to hold on to data for legal reason.

Your rights to access data

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or we receive several requests. In this case, we will notify you and keep you updated.

Other websites

Our websites contain links to other websites not run by Norton Park. This privacy policy only applies to Norton Park’s website so when you link to other websites you should read their own privacy policies.

Changes to our privacy policy

We keep our privacy policy under regular review, and we will place any updates on this web page. This privacy policy was last updated on October 2023.

Your rights

Data protection regulations give you clear rights over how your data is used by us. You can find out more detail about your rights by visiting the Information Commissioner’s Office website’s section on individual rights.

Your right to complain

If you are concerned about the way Norton Park is processing your personal data, you have the right to complain. You may do this by contacting us using the following details:

  • Email
  • write to Norton Park, 57 Albion Road, Edinburgh

Or you may complain to the regulator of information rights in the UK the Information Commissioner’s Office (ICO). You can find more details on their website.