Skip to Content

Privacy Policy

Last updated: 3 December 2025

1. Who we are

This Privacy Policy explains how we, Jason Stone, sole trader, trading as StoneofScot.land (“we”, “us”, “our”), collect and use your personal data when you visit our website, book a workshop or otherwise interact with us.

  • Trader / Controller: Jason Stone, sole trader, trading as StoneofScot.land

  • Geographic address: Fort William, United Kingdom

  • Email: Wooliam.Wallace@gmail.com

  • Telephone: +44 073 0033 5802

For the purposes of data protection law, we act as the data controller for personal data we collect and process about you.

We are subject primarily to UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For individuals in the European Economic Area (EEA), the EU GDPR may also apply in certain circumstances.

2. Scope of this Privacy Policy

This Privacy Policy applies when you:

  • visit or use our website www.stoneofscot.land;

  • book or participate in our workshops or activities;

  • contact us by email, phone or social media;

  • purchase or enquire about our goods (for example, traditional clothing or equipment).

It does not cover websites or services of third parties we link to. Those have their own policies.

3. What personal data we collect

We collect the following categories of personal data.

"Personal data" means any information that identifies, or can reasonably be used to identify, a living individual. In some cases, providing certain personal data is necessary in order for us to provide our services (for example, to process a booking, respond to an enquiry or comply with legal obligations).

3.1 Information you provide directly

  • Contact details: name, email address, phone number, postal address (where relevant).

  • Booking details: chosen workshop, date and time, group size, names or number of participants, special requests, language preferences.

  • Participant information: relevant information you choose to share about participants (for example age ranges, accessibility needs, dietary considerations for planning breaks).

  • Communication content: information contained in emails, forms or other messages you send us.

  • Billing data: billing name and address, purchase details, and other invoicing information.

3.2 Payment information

We use Stripe or other secure payment providers to process payments.

  • We do not store or have access to your full card number, CVC or PIN.

  • We receive limited payment information from our provider: successful/failed transaction, last 4 digits, card brand, transaction ID, amount, currency, and status (for accounting and fraud-prevention purposes).

3.3 Technical and usage data

When you visit our website, we may collect:

  • IP address, approximate location (city/region level);

  • device type, operating system, browser type and settings;

  • pages visited, links clicked, session time, referring pages;

  • basic error and performance logs.

This data is collected through standard server logs and cookies (see our Cookie Policy for details).

3.4 Photos and media

During workshops and activities, we may take photos or other media:

  • for participants’ personal memories (shared privately where agreed);

  • for our own marketing and communication channels only where explicit consent has been given.

If you do not wish to appear in photos or media, you can tell us in advance and on the day, and we will respect your choice.

3.5 Data about children

Our workshops are generally aimed at individuals aged 16 and above, and minors must be accompanied and supervised by a parent or other responsible adult designated by the customer.

Where we process personal data about minors (e.g. names or images):

  • we do so through the booking adult (parent/guardian/school/organisation);

  • for photos used in marketing, we will only proceed with appropriate consent from the responsible adult.

4. How and why we use your personal data (purposes and legal bases)

We always process your personal data on the basis of at least one lawful ground under UK GDPR (and, where applicable, EU GDPR). Below is an overview of our main purposes and legal bases.

Where we rely on legitimate interests as a legal basis, we assess whether the processing is necessary for the stated purpose and whether your interests, rights and freedoms are not overridden. If we cannot ensure an appropriate balance, we will not rely on legitimate interests for that processing and will instead seek another legal basis (for example, your consent) or stop the processing.

4.1 Managing bookings and providing workshops

What we use: contact details, booking details, participant information, communication content, payment status.

Why:

  • to register and manage your booking;

  • to communicate about dates, times, meeting points, equipment and safety;

  • to run the workshop or activity;

  • to deal with changes, cancellations or rescheduling.

Legal bases:

  • Performance of a contract (Article 6(1)(b) UK/EU GDPR) – to deliver the services you booked;

  • Legitimate interests (Article 6(1)(f)) – to manage our schedule, resources and group safety.

4.2 Taking and using payments

What we use: limited payment information, billing details, transaction records.

Why:

  • to take and verify payments;

  • to prevent fraud and misuse;

  • to keep proper accounts.

Legal bases:

  • Performance of a contract;

  • Legal obligation (Article 6(1)(c)) – accounting, tax and recordkeeping;

  • Legitimate interests – fraud prevention and safeguarding.

4.3 Communication, support and enquiries

What we use: contact details, communication content.

Why:

  • to respond to questions or enquiries;

  • to provide customer support;

  • to follow up about bookings or potential collaborations.

Legal bases:

  • Performance of a contract or pre-contractual steps;

  • Legitimate interests – to run and grow our business, and maintain good relationships with our customers and partners.

4.4 Safety, risk management and liability

What we use: booking details, participant information, communication content, internal notes about incidents or near misses.

Why:

  • to ensure health and safety during workshops (e.g. working with knives, axes, bows, other tools);

  • to record and analyse safety incidents or concerns;

  • to manage legal claims or disputes.

Legal bases:

  • Legitimate interests – to maintain a safe environment for participants and instructors, to protect our legal rights;

  • Legal obligation – where we must record or report certain events.

4.5 Photos and marketing

What we use: photos, videos and related information (name or tag, where relevant).

Why:

  • to share images with participants for their personal use;

  • to promote our workshops and ethos (e.g. on our website or social media), but only where you have agreed.

Legal basis:

  • Consent (Article 6(1)(a)) – we only use identifiable images for marketing with your clear consent, which you can withdraw at any time.

If you withdraw consent, we will stop using the media going forward. We may not always be able to remove material already printed or published, but we will do what is reasonable in the circumstances.

4.6 Website operation, security and improvement

What we use: technical and usage data, logs, cookie information.

Why:

  • to keep our website secure and functioning;

  • to detect and prevent abuse or technical issues;

  • to understand how visitors use our site and to improve its structure and content.

Legal bases:

  • Legitimate interests – operating a secure, reliable and user-friendly website;

  • For any non-essential analytics or tracking cookies, consent (Article 6(1)(a)), obtained via our cookie banner.

5. Sharing your personal data

We do not sell your personal data. We only share it where necessary and lawful, for example with:

  • Service providers and processors, such as:

    • website hosting and platform providers (e.g. Odoo);

    • payment providers (e.g. Stripe);

    • email and communications services;

    • IT and security providers.

  • Professional advisers, such as accountants, insurers or legal advisers, where necessary to protect our rights or comply with legal obligations.

  • Authorities, regulators or law enforcement, where we are under a legal obligation or where it is reasonably necessary to protect our rights, safety or property or that of others.

If we are involved in a reorganisation, merger, acquisition or sale of all or part of our business or assets, your personal data may be transferred to the relevant third party as part of that transaction, in accordance with applicable data protection law.

Where we engage service providers to process personal data on our behalf, we do so under written contracts requiring them to:

  • only process your data as instructed by us;

  • keep it confidential and secure;

  • comply with applicable data protection laws.

6. International transfers

We are based in the United Kingdom. Personal data may be stored and processed in the UK and, in some cases, in other countries.

Some of our service providers may be located outside the UK and/or the European Economic Area (EEA). Where this leads to transfers of your personal data to countries without an adequacy decision, we take appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK authorities;

  • ensuring the recipient offers adequate technical and organisational measures to protect your data.

Where required by law, we may also carry out a transfer impact assessment to evaluate whether the laws or practices of the destination country could affect the effectiveness of those safeguards.

You can contact us if you would like more information about international transfers and the safeguards in place.

7. How long we keep your data (retention)

We keep personal data only as long as reasonably necessary for the purposes set out in this policy, including to meet legal, accounting or reporting requirements. Indicative periods:

  • Bookings and workshop records: generally up to 7 years after the end of the financial year in which the booking took place (for tax and accounting purposes, and in case of legal claims).

  • Communication and enquiries (no booking): typically up to 3 years after we last hear from you.

  • Technical logs and security data: usually a few months up to 1 year, unless needed longer for security or legal reasons.

  • Photos and marketing material: until you withdraw consent or until the material is no longer in use.

We may keep anonymised or aggregated data (which no longer identifies you) for research or statistical purposes without further notice.

8. How we protect your data

We take appropriate technical and organisational measures to protect your personal data, including:

  • limiting access to personal data to those who need it for their role;

  • using secure passwords and access controls;

  • using reputable hosting and payment providers with strong security practices;

  • keeping our systems and software reasonably up to date.

No system is ever completely secure. If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will inform you and the relevant supervisory authority where required by law.

9. Your rights

Under UK data protection law, and where applicable EU law, you may have the following rights:

  • Right of access: to obtain confirmation whether we process your personal data and to receive a copy.

  • Right to rectification: to have inaccurate or incomplete data corrected.

  • Right to erasure: to request deletion of your personal data in certain circumstances.

  • Right to restriction: to request that we limit the processing of your personal data in specific situations.

  • Right to data portability: to receive personal data you provided to us in a structured, commonly used format and to have it transmitted to another controller where technically feasible.

  • Right to object:

    • to processing based on our legitimate interests, on grounds relating to your particular situation;

    • at any time, to processing for direct marketing (we would then stop such processing).

  • Right to withdraw consent: where we rely on your consent (for example, for using photos in marketing or certain cookies), you can withdraw your consent at any time. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us using the details in section 1. We may ask you for proof of identity where reasonable to protect your data.

You will not normally have to pay a fee to exercise your rights. However, we may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive (for example, due to its repetitive character), as permitted by law.

10. Complaints

If you are unhappy with how we handle your personal data, we would encourage you to contact us first so we can try to resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the UK:

If you live in the EEA, you may also have the right to complain to the data protection authority in your country of residence.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in our services or in the law. The date at the top of this page shows when it was last updated.

Substantial changes will be highlighted on our website or notified to you where appropriate (for example, by email if we have your address).