Cookies help us deliver our services. By using our services, you agree to our use of cookies. Learn more

Data Usage


This document lays out the procedures and principles of data protection that will be followed by all employees at Off Peak Week Ltd.

You can view our Cookie policy here.

Key Definitions:

GDPR: General Data Protection Regulation

Controller: A Controller determines the purposes and means of processing personal data.

Processor: A Processor is responsible for processing personal data on behalf of a Controller.

Personal Data: The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Off Peak Week

As defined above, Off Peak Week acts as a Processor of data and a Controller of data. As a Processor and Controller of personal data we are required under the GDPR to provide information on the following key data protection areas:

  • Lawful basis for processing
  • Data Types Stored
  • Data Storage - Security
  • Data Subject Access
  • Data Breach procedures
  • Data Retention
  • Data Protection Officer
  • As a Controller of personal data we are required under the GDPR to provide information on the following key data protection areas:

    Lawful Basis for Processing

    GDPR requires that a processor must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing:

    REF: Information Commissioner
  • 1 Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  • 2 Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • 3 Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • 4 Vital interests: the processing is necessary to protect someone’s life.
  • 5 Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • 6 Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
  • Off Peak Week processes data under the lawful bases of point 1 - consent, point 2 - contract and point 6 - legitimate interest.

    Point 1 - Consent - Site users give their consent to process data when they utilise the site.

    Point 2 - Contract - Chalets enter into a contract with Off Peak Week Ltd. to process their data.

    Point 6 - Legitimate Interest - We use site usage data in ways that site users can reasonably expect and with minimal privacy impact.

    Legitimate Interests Assessment

    Point 1 - We process data to ensure that site users receive the best service possible.

    Point 2 - The data we collect helps further this interest as it allows us to develop the best product for holiday makers and owners. Collecting this data is very unintrusive

    Point 3 - This site data is not particularly sensitive or private and it is reasonable to expect to use the data in this way with minimal impact on the user.

    Data Types Stored

    Off Peak Week Ltd requires the following personal data as a minimum to use the site:


    Full Name

    If you wish to advertise a property then a more extensive list surrounding details about the property can be found in Appendix A.

    Data Storage and Security

    Off Peak Week Ltd. will not supply any of your data to any third party unconnected to Off Peak Week, and will only use the data you provide to help develop our business and meet the needs of customers and property owners.

    It will be necessary, if bookings are made, to share information with the user to ensure that both property owner and holiday maker are aware of what they have booked

    Off Peak Week Ltd. is registered with the Information Commissioner’s Office (No.) in accordance with the Data Protection Act of 1998 and the code of practice issued by the regulators of England, Wales and Northern Ireland.

    The personal data stored within the Off Peak Week site includes Names, Contact details (email and phone) and the property details which can be found in Appendix A.

    The data will only be used within the context of the Off Peak Week business and will only be used to identify the site behaviour and marketing of products site wide. When using the site you will be using a Secure Hyper Text Transfer Protocol (HTTPS) along with Secure Sockets Layer (SSL) Protection. This provides encrypted access to our servers protecting you from others accessing the data. All data is hosted using Amazon S3 Servers, which are secure and encrypted.

    We do not store any payment information on our servers, payment information is stored securely in Stripe and is encrypted.

    Security information from host website, Heroku. Data Centres

    Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centres and utilize the Amazon

    Web Service (AWS) technology. Amazon continually m anages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data centre operations have been accredited under:

    ISO 27001

    SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)

    PCI Level 1

    FISMA Moderate

    Sarbanes - Oxley (SOX)

    Physical Security

    Heroku utilizes ISO 27001 and FISMA certified data centres managed by Amazon located in Ireland (EU- West - 1) Amazon has many years of experience in designing, constructing, and operating largescale data centres. This experience has been applied to the AWS platform and infrastructure. AWS data centres are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection.

    Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

    Amazon only provides data centre access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centres by Amazon employees is logged and audited routinely.

    Data Subject Access

    Under the right of subject access, an individual is entitled to request a copy of the personal data held about them. You can view the majority of this data from your Dashboard under 'Account Settings' in the 'Your Data' section. You can also email us at We will require proof of a persons identify and legitimacy to make the request. Should any request be made, our Data Protection Officer will fully confirm the legitimacy of a request. We will then move forward in providing the data in an appropriate format.

    Request Procedure / Format

    Under GDPR legislation an organisation is not allowed to require an individual to complete a subject access request in a certain format; therefore Off Peak Week Ltd. does not require an individual to complete a specific form to make the request. It is recommended that any request should be sent by email to so that we can deal with your request as quickly as possible. Should a subject access request be made to another member of staff or in a different format such as a written letter, all staff are fully aware of GDPR procedures and will take any request and pass them on to the data protection officer.

    Response Format

    Off Peak Week Ltd. will meet the GDPR requirements that state the information provided to the individual is in an intelligible form. Any response made by Off Peak Week Ltd. will be sure to include a glossary of terms should any technical information be included that may not be understood by the average person.

    Subject Access Request Cost

    The GDPR legislation states companies can charge up to £10 for a subject access request. Off Peak Week Ltd. will not require any charge for any request made.

    Data Breach Policy

    A data breach occurs when personal information is lost or subject to unauthorised access.

    Definition of personal data breach

    A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

    Data Breach Response Team

    The Data Breach Response Team has been set up to deal with any form of data breach which can occur.

    ICO provides examples of data breaches which range from an email being sent to the incorrect individual through to stolen data from a breach of the database. Off Peak Week Ltd. takes data protection extremely seriously encrypting all data at rest, however if a breach were to occur Off Peak Week Ltd. will contact all users with the following information:

    The name and contact details of the data protection officer or the contact point where more information can be obtained;

    A description of the likely consequences of the personal data breach

    A description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.

    When a data breach occurs, Off Peak Week Ltd. will establish whether the breach needs to be reported to ICO. This is only the case if there is likely to be a risk to people’s rights and freedoms.

    Off Peak Week Ltd. will record any breaches that occur even if they don’t need to be reported to ICO.

    Data Retention

    Any useer that terminates their account with Off Peak Week will have all data removed from Off Peak Week's live database within 1 week of the end of the subscription.

    Data will still exist within backups for 3 months after the end of the subscription after which it will be destroyed.

    Your Data

    We collect data on how users use the site; this is stored securely in Google Analytics, Stripe, and on our Heroku servers. If you create an account with us then you can view the data that we hold on you by visiting the 'Your Data' page in Account Settings from your Dashboard. If you do not have an account with us then the data that we collect is simply from your behaviour on the site, to allow us to create the best service possible when booking your holiday. Any data saved to your profile may be used to help ensure that any offers sent are hand picked for you. If you would like to remove your profile from Off Peak Week please email us at and we will delete your profile, alongside any data you have supplied.

    If you wish to update the data we hold on you and are unable to do so from the dashboard then please email us at

    If you object to the processing of your data or wish to restrict it, then please email us at to discuss your site usage and data.

    Contacting You

    We'd love to send you information about discounts, exclusive offers, and the latest info about Off Peak Week by email. We'll always treat your personal details with the utmost care and we will never sell them on to any other companies for marketing purposes. You can opt out at any time.

    Appendix A

    This lists the information held on properties listed on Off Peak Week:

    Property name

    Property Type

    Property Let Type

    How many beds at your property

    How many bedrooms at your property

    How many bathrooms at your property

    A summary of your property

    Your property's address

    Type of property



    Type of board

    A description of the cuisine you offer

    What's included with food?

    What is included with breakfast?

    What is included with afternoon tea?

    What is included with dinner?

    How many days catering?

    Your property's location

    What country is your property in?

    What resort is your property in?

    Your property's distance from slopes

    What town is your property in?

    Your property's 'Best Bits'

    A description of your property

    Your property's star rating

    Price per person/property

    Minimum length of stay

    Whether your property has/is:

    Steam room


    Hot Tub


    Swimming Pool


    In house childcare

    Transfers included

    Lift pass included

    Flights included

    Alcohol included

    Wine with dinner

    Open fire

    Chauffeur service




    Linen included

    All rooms ensuite

    Ski in

    Ski out

    Ski in and ski out

    Family friendly

    What's included with accommodation?

    What's included with transfers?

    Any extras?

    What is the checkout time?

    What are your booking policies?