Privacy
Notice.

How we handle personal data on this website, including bookings, the Untappd check-in display, and your rights under GDPR.

1. Who we are

The data controller is Third Barrel Brewing / The Christchurch, 13 High Street, Merchants Quay, Dublin 8.

For privacy queries, rights requests, or complaints about how we handle your personal data:

2. How we collect personal data

Directly from you

When you submit a booking request through the form on this website, you provide your name, email address, phone number (optional), preferred date and time, party size, occasion (optional) and any notes you choose to include.

From a third-party source

The Untappd check-in display on our On Tap page shows selected information from public check-ins made at our venue on the Untappd platform. This data is obtained from the Untappd for Business API, not directly from the individuals concerned. The information was made public by those individuals when they checked in on Untappd.

Automatically through technical services

When you submit a booking, Cloudflare Turnstile processes a technical verification token and your IP address to protect the form from spam. This data is transient and is not stored by us.

3. What we use and why

ActivityPersonal DataPurposeLawful Basis
Booking requests Name, email, phone (where provided), party size, date/time, occasion, notes, status To receive and respond to your booking request, manage event or large-table bookings, and contact you to confirm details and arrange a deposit Article 6(1)(b) — steps taken at your request prior to entering into a contract
Staff notifications The same booking details, sent to a restricted staff chat So the team can act on new requests promptly Article 6(1)(b) — part of the same booking process
Untappd check-ins Public username, beer name, rating, comment (where provided), check-in date, profile link To show genuine customer engagement with our beers Article 6(1)(f) — legitimate interests
Anti-spam Verification token, IP address (transient) To protect the booking form from automated abuse Article 6(1)(f) — legitimate interests

4. Untappd — our legitimate interest

We display a limited number of recent public Untappd check-ins to promote our beers and show genuine customer engagement. The data is already public on the Untappd platform and was made public by the individual. We deliberately exclude real names, email addresses, avatar images, device data, and social interactions (toasts, badges, friends). No more than 8 recent check-ins are shown. The data is not stored — it is fetched live and cached for no more than 5 minutes. We maintain a removal mechanism (see section 9 below).

5. Sensitive information

The booking form includes a free-text notes field. Please do not include unnecessary medical or other sensitive personal information. If you need to tell us about dietary requirements, food allergies, or accessibility needs so we can accommodate you, we will use that information solely for your booking. We encourage you to share this by phone if you prefer.

6. Who receives your information

RecipientWhatWhyWhere
Our staffBooking detailsTo manage and confirm bookingsIreland
SupabaseBooking records (stored); Untappd data (transient)Database hostingWest EU (Paris) — within the EEA
TelegramBooking details sent as a staff notificationOperational alertingGlobal (HQ Dubai, UAE)
CloudflareVerification data (transient); website hostingAnti-spam and hostingGlobal (US-based)
Website visitorsLimited Untappd check-in details onlyPublic display on On Tap pageGlobal

We do not sell, rent, or trade personal data to any third party.

7. International transfers

Supabase — our database is hosted in West EU (Paris), within the EEA. No international transfer mechanism is required for stored data.

Cloudflare — US-based with a global CDN. Cloudflare relies on Standard Contractual Clauses and its published Data Processing Addendum.

Telegram — headquartered in Dubai, UAE. Telegram relies on Standard Contractual Clauses executed internally across its corporate network. The European Data Protection Office (EDPO) acts as Telegram's designated Article 27 representative in Brussels, Belgium.

8. How long we keep your information

DataRetentionWhat happens after
Completed bookings12 months after the booking dateDeleted from the database
Cancelled enquiries3 months after cancellationDeleted from the database
Staff notificationsReviewed quarterly; deleted when no longer neededManually deleted
Untappd display dataNot retained — fetched live, cached up to 5 minutesNothing to delete
Anti-spam dataTransient — not stored by usGoverned by Cloudflare's own policy

9. Untappd — your right to object

If your public Untappd check-in appears on our website and you would like it removed, contact us using the details above. We will assess your objection under Article 21 GDPR and action it promptly.

When a check-in is suppressed, only its Untappd check-in ID is recorded so it will not appear again. The removal mechanism fails closed: if the exclusion list cannot be read for any reason, the entire check-in section is suppressed rather than risk showing a removed check-in.

10. Cookies

This website does not use analytics cookies, advertising cookies, or tracking cookies. No audience measurement tools are installed.

No first-party cookies are set by this website. Any cookies present are strictly necessary and exempt from consent under the ePrivacy Directive. No cookie banner is required.

11. Automated decision-making

We do not use automated decision-making or profiling. Booking requests are reviewed and confirmed by staff. Cloudflare Turnstile determines whether a submission appears to be from a human — a failed check prevents the form submission but does not affect you in any other way.

12. Your rights

RightWhat it means
Access (Art. 15)Ask for a copy of the personal data we hold about you.
Rectification (Art. 16)Ask us to correct inaccurate data.
Erasure (Art. 17)Ask us to delete your data where there is no compelling reason to keep it.
Restriction (Art. 18)Ask us to restrict processing in certain circumstances.
Portability (Art. 20)Ask for your data in a structured, commonly used format.
Objection (Art. 21)Object to processing based on legitimate interests. For Untappd, see section 9.

To exercise any right, contact us at hello@thechristchurchpub.ie. We will normally respond within one calendar month.

13. Complaints

If you are unhappy with how we have handled your data, you have the right to complain to the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28 — www.dataprotection.ie — phone +353 (0)1 765 0100 / 1800 437 737.

We would appreciate the chance to address your concerns first — please contact us using the details above.

14. Children

This website is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has submitted data through the booking form, please contact us and we will delete it.

15. Changes to this notice

We may update this notice from time to time. The current version is always available on this page.

Version 2.0 · Effective 2 July 2026