Privacy Policy

This policy explains how and why Epsom BID (trading as Go Epsom) uses and protects personal information.

When we refer to “we”, “us” or “Go Epsom” in this policy we are referring to Epsom BID Limited. We are a Business Improvement District (BID) and a registered company with company number 11319899. Our registered office is Ashley House Annexe, The Ashley Centre, Ashley Road, Epsom, Surrey, KT18 5AB.

For the purposes of the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and any applicable replacement legislation, we are the data controller.

We may change this policy from time to time by updating this page so you should check back regularly. This policy is effective from 2nd December 2020.

In this policy we use the term personal information to mean any information you give us from which you can be identified. This might include your name, your home address, your personal email, contact details, or your telephone number. Personal information does not include information where your identity has been removed (i.e. anonymous data).


BID members

We use information from Epsom & Ewell Borough Council’s non-domestic ratings list, together with publicly available information such as company websites or the phone book, to contact businesses within our BID area. We do this to comply with our legal obligation to collect levy payments from these businesses and to allow businesses to exercise their statutory BID voting rights.

When a business becomes a BID member, we collect personal information from key contacts (name, business address, email address, telephone number). We use this information:

to enter into, or perform, the BID membership contract;

where we need to comply with a legal obligation;

for our own (or a third party’s) legitimate interests.

We send information to BID members about their membership (e.g. how to access member offers and benefits or information about membership changes or updates). We send communications about service updates, voting and levy payments direct to BID members, unless the member asks us to send this information to their appointed management agent or ratepayer.

Property owners

We use publicly available information from the Land Registry to collect and store contact details of business property owners in the Epsom area (name, business name, address, email address, telephone number). We may also keep a record of information about their rateable value, leases and tenants, and/or management agents.

We use this information to invite property owners to events and to send marketing information that we think may be of interest to them. We have a legitimate interest to send these communications to our corporate contacts, who can update their communication preferences or opt-out or receiving these emails at any time.

We only send these communications to individual contacts if we have their consent (consent can be withdrawn at any time).

Marketing and Competitions

When people sign up to a Go Epsom mailing list they give their consent to receive email marketing communications from us. We collect their name and email address so that we can keep in touch. All communications include an unsubscribe link and people can contact us at any time to update their communication preferences or withdraw consent.

We may, from time to time run competitions. When people fill out a form to enter a competition they give their consent to receive communications from us about the competition. We ask entrants to give us their name, place of work, business address, email address and telephone number. Competition entrants can withdraw consent to us storing and using their personal information at any time but this might mean that they can no longer take part in the competition.

Visitors to our website

We collect personal information when people fill in forms on our website

We will only collect and use personal information if:

it is necessary to enter into, or perform, a contract; or

if we are satisfied that we have a legitimate interest for internal record-keeping, to provide information or services that the person has requested, to improve our website or to customise the website according to an individual’s interests.

Our website may contain links to enable you to visit other websites. If you use these links, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information, which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

People who contact us via LinkedIn

If you send us a message via our LinkedIn page: (, we may share this information with other Go Epsom personnel if we are satisfied that we have a legitimate interest to do so, for example, in order to respond to a specific query or to pass on information. We will not share any personal information that you provide in a LinkedIn message with any other organisations without your consent.

Queries and complaints

If you send a query or complaint to us, we will use the personal information you provide (for example, your name and the name(s) of any other individuals involved) in order to process your query or complaint and respond to you. Where we consider it necessary or appropriate, we will share this information with third parties such as the police or the ICO.


We have appropriate security measures in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We only ever use your personal data if we are satisfied that it is lawful and fair to do so. We will never sell your personal data or share it with third parties who might use it for their own commercial purposes.

We will only disclose your personal information to third parties:

where you have given us consent to share the information with the specific third party;

where information is accessed by IT Services who provide technical support to us;

where we pass information to third party suppliers such as Mailchimp to send communications on our behalf;

if we are under a legal duty to disclose or share your personal information, for example, if required to do so by a court order or for the purposes of prevention of fraud or other crime;

where we need to share your personal information with a regulator, for example, making returns to HMRC;

in order to enforce any terms and conditions or agreements between us;

as part of a sale of some or all of our business and assets to any third party, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, sale, merger, reorganisation, change of legal form, dissolution or similar event (we will always aim to ensure that your privacy rights will continue to be protected); or

to protect our rights, property and safety, or the rights, property and safety of others (this includes exchanging information with other companies, organisations and regulators for the purposes of fraud protection and credit risk reduction).

In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.


We may transfer the personal information you give us to countries outside the European Economic Area (EEA). We use suppliers who store information in the USA including Google and Mailchimp.

When personal information is transferred outside of the EEA in this way, we ensure that our supplier has in place appropriate safeguards (for example, certification under the EU-US Privacy Shield) and we will be responsible for ensuring your privacy rights continue to be protected as outlined in this notice.


We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

The retention periods set out below may be extended or reduced if we deem it necessary, for example, to defend legal proceedings or if there is an ongoing investigation relating to the information.

Retention Period:

BID members

Duration of BID membership or until the end of our BID term or until the contact unsubscribes (whichever is earlier)

Property Owners

Until the end of our BID term or until the contact unsubscribes (whichever is earlier)

Marketing and Competitions

Until the end of our BID term or until the contact unsubscribes (whichever is earlier)


Under certain circumstances, by law you have the right to:

Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

Ask us to correct personal information that we hold about you which is incorrect, incomplete or inaccurate.

Ask us to erase your personal information from our files and systems where there is no good reason for us continuing to hold it.

Object to us using your personal information to further our legitimate interests (or those of a third party) or where we are using your personal information for direct marketing purposes.

Ask us to restrict or suspend the use of your personal information, for example, if you want us to establish its accuracy or our reasons for using it.

Ask us to transfer your personal information to another person or organisation.

If you have given your consent to us processing your personal information, you have the right to withdraw your consent at any time. To withdraw your consent, please contact: Once we have received notification that you have withdrawn your consent, we will no longer process your personal information and, subject to our retention policy, we will dispose of your data securely.

If you want to exercise any of these rights, please contact Go Epsom in writing.


If you have any questions about this privacy notice or how we handle your personal information, please contact

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.