Legal
Privacy Policy
Last updated: 28 April 2026
1. Who we are
The Worm's Head Hotel is a trading name of CMI (Wales) Ltd, registered in England and Wales. Our registered address is Druslyn House, De La Beche Street, Swansea, SA1 3HJ. VAT registration number: GB 801 007 104.
CMI (Wales) Ltd is the data controller responsible for your personal data collected through this website. For any questions or to exercise your rights, contact us at info@thewormshead.co.uk.
2. What data we collect and why
Table bookings
When you book a table we collect your name, email address, and phone number to manage your reservation and send a confirmation email. Your booking details (date, time, party size, dining area) and a deposit payment record are also stored. The legal basis is contract performance (Article 6(1)(b) UK GDPR) — processing is necessary to complete your booking.
Payment processing is handled entirely by Dojo Payments via their hosted checkout page. We never see, store, or transmit your card details. Dojo's privacy policy is available at dojo.tech/legal/privacy-policy.
Job applications
When you apply for a vacancy we collect your name, email address, phone number, cover letter, and CV. We use this data solely to assess your suitability for the role. The legal basis is legitimate interests (Article 6(1)(f) UK GDPR) — our interest in recruiting suitable staff. CVs and application data are deleted after six months.
Website analytics
With your consent we use two Google services to understand how visitors use this site:
- Firebase Analytics (Google Analytics 4) — records page views, session duration, device type, browser, and approximate geographic region (country level). No name, email, or payment data is ever sent to Google Analytics.
- Firebase Performance Monitoring — measures page load times and network request durations to help us identify and fix performance issues.
The legal basis for both services is consent (Article 6(1)(a) UK GDPR). Neither service is loaded until you accept cookies. You may withdraw consent at any time via the cookie banner or by clearing this site's local storage in your browser settings, which resets your preference on your next visit.
Embedded maps
With your consent, a Google Maps embed is displayed on the Visit page. Google may set cookies when this map is loaded. If you reject non-essential cookies the map is replaced with a plain text link.
3. Third parties we share data with
| Recipient | Purpose | Location |
|---|---|---|
| Google (Firebase / Firestore) | Secure storage of booking, application, and site data | EU / EEA |
| Google (Firebase Storage) | Secure storage of uploaded CVs | EU / EEA |
| Google (Firebase Analytics / GA4) | Aggregated usage analytics — page views, sessions, device type (consent-gated) | USA (Standard Contractual Clauses) |
| Google (Firebase Performance) | Page load and network performance monitoring (consent-gated) | USA (Standard Contractual Clauses) |
| Google Maps | Location map on the Visit page (consent-gated) | USA (Standard Contractual Clauses) |
| Dojo Payments | Processing table booking deposits via hosted checkout | UK |
| EmailJS | Sending booking confirmation emails to customers | EU / EEA |
We do not sell your personal data to any third party.
4. How long we keep your data
- Table bookings — retained for 7 years for accounting and dispute purposes, then deleted.
- Job applications (unsuccessful) — deleted 6 months after the position is filled.
- Job applications (successful) — retained as part of the employment record in accordance with employment law.
- Firebase Analytics data — event-level data is retained by Google for 14 months; aggregated reports are retained indefinitely.
- Firebase Performance data — retained by Google for up to 30 days.
5. Your rights under UK GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data where there is no legitimate reason to retain it.
- Restriction — ask us to restrict processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is consent-based, withdraw at any time without affecting the lawfulness of prior processing.
To exercise any right, email info@thewormshead.co.uk. We will respond within one calendar month. If you are unsatisfied, you may lodge a complaint with the Information Commissioner's Office (ICO).
6. Cookies & local storage
| Technology | Purpose | Retention | Essential? |
|---|---|---|---|
| wh_cookie_consent (localStorage) | Stores your cookie preference so we don't ask again | Until cleared | Yes |
| _ga (cookie) | Firebase Analytics / GA4 — distinguishes unique users | 2 years | No — consent required |
| _ga_SQFE9YPR5J (cookie) | Firebase Analytics / GA4 — maintains session state | 2 years | No — consent required |
| Firebase Performance (IndexedDB) | Caches performance trace data before uploading | Session | No — consent required |
| Google Maps cookies | Embedded location map on the Visit page | Various | No — consent required |
You can change your preference at any time by clearing this site's local storage in your browser settings, which will show the consent banner on your next visit.
7. Security
Application data is stored in Google Firebase, which encrypts data at rest and in transit using TLS. Access to application data is restricted to authorised staff only via authenticated admin accounts.
8. Changes to this policy
We may update this policy from time to time. The date at the top of this page will reflect the most recent revision. Continued use of the site after changes constitutes acceptance.
9. Contact
CMI (Wales) Ltd t/a The Worm's Head Hotel
Rhossili, Gower, Swansea, SA3 1PP
info@thewormshead.co.uk