This document constitutes the official Privacy Policy of Quintessence Services Ltd and is published on the website quintessence.club. It may be updated periodically in accordance with Section 14 hereof.
1 Introduction
This Privacy Policy (the “Policy”) is issued by Quintessence Services Ltd (the “Controller” or “Quintessence”) pursuant to Article 13 of the UK General Data Protection Regulation (“UK GDPR”), as incorporated into UK law by the European Union (Withdrawal) Act 2018, and supplemented by the Data Protection Act 2018 (“DPA 2018”).
Where Quintessence processes personal data of individuals habitually residing in the European Union, the EU General Data Protection Regulation (Regulation (EU) 2016/679 — “EU GDPR”) applies concurrently, in accordance with Article 3(2) thereof. References in this Policy to “GDPR” shall be construed as referring to both the UK GDPR and the EU GDPR, as applicable.
This Policy governs all personal data processing activities carried out by Quintessence in connection with:
the browsing and use of the website quintessence.club (the “Website”);
communications submitted via the Website contact form, by email, via the Telegram channel, or through Quintessence's network of authorised agents;
the delivery of Quintessence's private concierge and luxury lifestyle management services (the “Services”).
The Website operates exclusively as an informational showcase. It does not incorporate user registration, account creation or online payment functionality. No personal data is collected beyond what is voluntarily submitted through the contact form or provided directly in communications addressed to the Controller.
The Controller is committed to processing personal data in full compliance with the principles set out in Article 5 GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
2 Identity of the Data Controller
The data controller within the meaning of Article 4(7) GDPR is:
As Quintessence is established in the United Kingdom and offers services to data subjects habitually residing in the European Union, it is required to designate a representative in the Union pursuant to Article 27 EU GDPR. The Controller is in the process of formalising such appointment; details will be published in an updated version of this Policy upon completion.
3 Categories of Personal Data Processed
3.1 Data Provided Directly by the Data Subject
Quintessence collects personal data that the data subject voluntarily provides through the Website contact form, by email, via Telegram or through an authorised agent, including:
Identification data: first name and last name;
Contact data: email address and, where provided, telephone number;
Communication content: the text of messages, requests and stated preferences;
Identity documents: passport or national identity card details, where required for the performance of specific Services (e.g. private aviation bookings, access to exclusive venues);
Fiscal and billing data: VAT number, company name or other data required for invoicing and tax compliance, collected outside the Website;
Personal preferences: travel, hospitality, aesthetic and lifestyle preferences communicated in the course of service delivery.
3.2 Special Categories of Data (Article 9 GDPR)
In the course of delivering certain Services — in particular travel itinerary management, hospitality and catering arrangements — it may be necessary to process data falling within the special categories defined in Article 9(1) GDPR, including:
dietary requirements related to health conditions or religious convictions;
accessibility or mobility requirements related to physical conditions.
Such data shall be processed exclusively on the basis of the data subject's explicit consent pursuant to Article 9(2)(a) GDPR, obtained through a dedicated consent instrument prior to processing, and strictly limited to what is necessary for the performance of the requested Service.
3.3 Data Collected Automatically
When a user visits the Website, the hosting infrastructure automatically collects certain technical data, including:
IP address of the user's device;
browser type and version, operating system;
date, time and duration of the visit;
pages visited and navigation path within the Website;
referral URL.
These data are collected as a natural consequence of Internet communication protocols and are used solely for technical and security purposes.
4 Methods of Data Collection
Personal data is collected through the following channels:
(a) Website contact form
The user who completes the form in the ‘Contact’ section of the Website voluntarily provides their name, email address and message content.
(b) Email correspondence
The user who writes directly to the Controller's email address provides the data contained in the message and any attachments.
(c) Telegram channel
The user who contacts Quintessence via the official Telegram channel provides the data included in communications. Please note that communications via Telegram are processed by Telegram Messenger Inc., a third-party service subject to its own privacy policy, over which the Controller has no control. The use of this channel is optional and the email channel remains available as an alternative.
(d) Authorised agents
Data may be communicated to the Controller by authorised agents who act as intermediaries in collecting client requests. All agents are contractually bound by confidentiality and data protection obligations.
5 Purposes and Legal Bases of Processing
The Controller processes personal data for the following purposes, each grounded on the legal basis indicated:
| Purpose | Description | Legal Basis |
| --- | --- | --- |
| 5.1 Contact Requests | Responding to enquiries submitted via the Website, email, Telegram or agents; conducting pre-contractual activities at the data subject’s request. | Art. 6(1)(b) — pre-contractual measures |
| 5.2 Service Delivery | Performing private concierge and luxury lifestyle management services, including planning, booking, coordination and operational management. | Art. 6(1)(b) — performance of contract |
| 5.3 Billing & Tax Compliance | Processing billing data and complying with applicable accounting and fiscal obligations. | Art. 6(1)(b) + Art. 6(1)(c) — legal obligation |
| 5.4 IT Security | Ensuring the security, integrity and continuity of the Website and IT systems; preventing fraudulent or unlawful activity. | Art. 6(1)(f) — legitimate interest |
| 5.5 Client Relationship Management | Personalising service delivery based on stated preferences and interaction history, in line with Quintessence’s standards of excellence. | Art. 6(1)(b) / Art. 6(1)(f) — legitimate interest |
| 5.6 Special Category Data | Processing health-related or religious dietary/accessibility data for specific Services. | Art. 9(2)(a) — explicit consent |
| 5.7 Marketing | Sending commercial communications regarding Services, exclusive offers or reserved events, where the data subject has given consent. | Art. 6(1)(a) — consent (freely revocable) |
| 5.8 Legal Claims | Establishing, exercising or defending legal rights in judicial, arbitral or administrative proceedings. | Art. 6(1)(f) — legitimate interest |
Legitimate interest assessment. Where processing is based on Article 6(1)(f) GDPR, the Controller has conducted a legitimate interest assessment (LIA) and is satisfied that its interests are not overridden by the interests, rights or freedoms of data subjects, having regard to the limited and technical nature of the data processed and the reasonable expectations of the data subjects. Data subjects retain the right to object to such processing pursuant to Article 21 GDPR (see Section 11).
6 Processing Methods and Security Measures
Personal data is processed by electronic and paper-based means, with logic strictly related to the purposes set out in this Policy, in a manner that guarantees security and confidentiality.
Pursuant to Article 32 GDPR, the Controller implements appropriate technical and organisational measures to ensure a level of security proportionate to the risk, including:
Encrypted transmission: all communications between the user's browser and the Website are secured via HTTPS/TLS protocol;
Access controls: access to personal data is restricted to authorised personnel on a need-to-know basis;
Contractual safeguards: data processing agreements (DPAs) pursuant to Article 28 GDPR are concluded with all processors handling personal data on behalf of the Controller;
Confidentiality obligations: staff and collaborators handling personal data are bound by contractual or statutory confidentiality obligations and receive appropriate data protection training;
Periodic review: security measures are reviewed and updated periodically in light of technological developments and evolving risk profiles.
In the event of a personal data breach presenting the conditions set out in Articles 33 and 34 GDPR, the Controller will notify the competent supervisory authority within 72 hours of becoming aware of the breach and, where required, will communicate the breach to the affected data subjects without undue delay.
7 Recipients of Personal Data
Personal data may be communicated or made accessible to the following categories of recipients, for the purposes and within the limits described in this Policy:
| Category of Recipient | Role | Basis for Disclosure |
| --- | --- | --- |
| Internal personnel and collaborators | Authorised persons | Internal authorisation; need-to-know |
| Technology service providers (hosting, email infrastructure, operational tools) | Data Processor (Art. 28 GDPR) | DPA concluded |
| Operational partners (airlines, charter operators, hotels, galleries, luxury goods suppliers) | Independent Controllers | Necessary for service performance |
| Authorised agents | Processors or independent Controllers (as applicable) | Contractual obligations including data protection clauses |
| Legal, fiscal and accounting advisors | Processors or independent Controllers | Professional secrecy |
| Judicial and public authorities | Independent Controllers | Legal obligation or legitimate request |
Personal data is not sold, transferred or disclosed to third parties for third-party commercial profiling or marketing purposes.
8 Data Processors
Pursuant to Article 28 GDPR, the Controller has appointed data processors who carry out processing operations on personal data on behalf of the Controller. Such appointments are formalised through written data processing agreements that impose adequate guarantees regarding technical and organisational security measures and compliance with the GDPR.
An up-to-date list of appointed data processors is available upon written request to the privacy contact set out in Section 15 of this Policy.
9 International Transfers of Personal Data
Given the global nature of Quintessence's operations (active in more than 40 countries), personal data may be transferred to countries outside the United Kingdom, the European Union or the European Economic Area.
9.1 Transfers from the EEA
Transfers of personal data from the EEA are conducted in accordance with Chapter V of the EU GDPR, by means of one or more of the following safeguards:
Adequacy decision (Art. 45 EU GDPR): where the destination country benefits from a decision of the European Commission recognising an adequate level of protection. The United Kingdom is currently the subject of an adequacy decision;
Standard Contractual Clauses (Art. 46(2)(c) EU GDPR): in the version adopted by the European Commission under Decision 2021/914 of 4 June 2021, for transfers to countries lacking an adequacy decision;
EU-US Data Privacy Framework (Art. 45 EU GDPR): for transfers to US-based operators certified under the Framework, where applicable.
9.2 Transfers from the United Kingdom
Transfers of personal data from the UK are conducted in compliance with the UK GDPR and ICO guidance, including through the International Data Transfer Agreement (IDTA) and/or the Addendum to the EU Standard Contractual Clauses, as applicable.
9.3 Telegram
Communications transmitted via Quintessence's Telegram channel are subject to processing by Telegram Messenger Inc., which acts as an independent controller with infrastructure potentially located in third countries. The Controller has no control over such processing. Data subjects are encouraged to review Telegram's privacy policy at telegram.org before using this channel. The email channel remains available as a fully controlled alternative.
10 Data Retention Periods
Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, in accordance with the storage limitation principle under Article 5(1)(e) GDPR. Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised.
| Category of Data | Purpose | Retention Period |
| --- | --- | --- |
| Contact data — enquiries not resulting in contract | Request management | 12 months from receipt |
| Contractual relationship data | Contract performance; legal claims | 10 years from contract termination |
| Fiscal and accounting data | Legal obligation | 10 years (applicable tax legislation) |
| Server logs and technical data | IT security | 12 months from collection |
| Navigation/analytics data | Website improvement | 13 months from collection |
| Marketing data (with consent) | Commercial communications | Until consent withdrawal or 24 months from last interaction |
| Special category data (health/dietary) | Service delivery | Duration of specific service + 24 months |
| Identity documents | Service delivery; legal obligations | 5 years from service completion |
Where retention is extended by reason of legal obligations, pending legal proceedings or overriding legitimate interests of the Controller, data subjects will be informed to the extent permitted by law.
11 Rights of Data Subjects
Data subjects whose processing falls within the scope of the GDPR are entitled to exercise the following rights by submitting a written request to the privacy contact set out in Section 15:
Right of access (Art. 15)
The right to obtain confirmation as to whether personal data concerning the data subject is being processed and, if so, to access such data and related processing information.
Right to rectification (Art. 16)
The right to obtain the rectification of inaccurate personal data and the completion of incomplete data.
Right to erasure — ‘right to be forgotten’ (Art. 17)
The right to obtain the erasure of personal data where one of the grounds in Article 17 GDPR applies (e.g. data no longer necessary, withdrawal of consent, successful objection), unless a legal obligation or overriding ground for retention exists.
Right to restriction of processing (Art. 18)
The right to obtain restriction of processing in the cases provided for by Article 18 GDPR (e.g. contested accuracy, pending objection).
Right to data portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, the right to receive personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.
Right to object (Art. 21)
The right to object at any time, on grounds relating to the data subject's particular situation, to processing based on Article 6(1)(e) or (f) GDPR. Where the objection concerns direct marketing, the Controller shall cease processing without requiring justification.
Rights in relation to automated decision-making (Art. 22)
The right not to be subject to a decision based solely on automated processing, including profiling, producing legal or similarly significant effects. The Controller does not engage in such automated decision-making.
Right to withdraw consent (Art. 7(3))
Where processing is based on consent, the right to withdraw such consent at any time without prejudice to the lawfulness of processing carried out prior to withdrawal.
Requests will be processed by the Controller within one month of receipt, extendable by a further two months in cases of complexity or volume, with prior notice to the data subject. The service is provided free of charge, save in cases of manifestly unfounded or excessive requests, in which case the Controller reserves the right to charge a reasonable fee or to decline compliance, pursuant to Article 12(5) GDPR.
12 Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, data subjects who consider that the processing of their personal data infringes the GDPR have the right to lodge a complaint with the competent supervisory authority.
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: +44 (0)303 123 1113
For data subjects resident in the European Union
Data subjects may address a complaint to the supervisory authority of the Member State in which they habitually reside, work or in which the alleged infringement occurred. In Italy: Garante per la protezione dei dati personali — garanteprivacy.it.
13 Cookies and Tracking Technologies
The Website may use cookies and similar tracking technologies to ensure its correct functioning and to collect aggregated information on browsing behaviour.
Strictly necessary cookies
Essential for the operation of the Website. They do not require the data subject's consent as they do not entail the processing of personal data beyond what is technically necessary.
Analytical cookies
Where the Website uses traffic analysis tools, such cookies may collect aggregated data on user navigation. Where such cookies involve the processing of personal data, the Controller will request prior consent via an appropriate cookie banner.
Marketing/profiling cookies
Where applicable, profiling or advertising cookies will only be placed upon prior, freely given and specific consent of the data subject.
Data subjects may manage their cookie preferences at any time via the consent management panel (CMP) available on the Website and through their browser settings. For detailed information on the cookies used, their duration and deactivation methods, please refer to the Cookie Policy available on the Website.
14 Amendments to this Policy
The Controller reserves the right to amend this Policy at any time to reflect changes in applicable law, regulatory guidance, technological developments or processing activities.
Material changes will be communicated to data subjects through one or more of the following means: publication of the updated version on the Website with a prominent summary of changes; email notification to data subjects who have provided their contact details for marketing or support purposes.
The updated Policy shall bear a revised version number and effective date at the top of the document. The current version of this Policy is v.1.0, effective as of 2 March 2026. Continued use of the Website or communication channels following publication of an updated Policy shall constitute acceptance of the revised terms.
15 Privacy Contact
For any enquiry relating to this Policy, the exercise of rights under Section 11, or any other matter concerning the processing of personal data by Quintessence, data subjects may contact the Controller at: