Privacy Policy

Last Updated: 28 April 2025

Information relating to how we use your data on enormouscrocodilemusical.com

Introduction

This Privacy Policy (together with our Cookies Policy and any other document referred to in it) describes the way we collect your personal data (whether collected from you or otherwise provided to us), how we use your personal data and why. 

Please read the following information carefully to understand our practices regarding your personal data and how we will treat it.

Your privacy is important to us. We take the security of your personal data seriously and we have strict policies and processes in place to ensure it remains safe.

Contents
  • Who we are
  • Information you provide to us
  • Information we collect about you
  • How your information is collected
  • Who we share your information with
  • How we use your information
  • Marketing
  • How long we keep your personal data
  • Security
  • Transferring your personal data outside of the UK
  • Your rights
  • Links
  • Cookies
  • How to contact us about your privacy

Who we are

In this Privacy Policy, "we", "us" and "our" means Croc Prod 1 Limited. We are a company limited by shares and registered in England and Wales under company number 16140620 and have our registered office at 30 Berners Street, London, W1T 3LR.

We are a wholly owned subsidiary of The Roald Dahl Story Company Limited, a company limited by shares and registered in England and Wales under company number 11099347. The Roald Dahl Story Company’s privacy policy is available here.

When we refer to the Roald Dahl Group we mean us, Croc Prod 1 Limited, our parent company The Roald Dahl Story Company Limited, other subsidiaries of The Roald Dahl Story Company Limited (and each of their subsidiaries), as well as any of our own subsidiaries from time to time.

If you provide us with personal data via or through using our website, enormouscrocodilemusical.com (our “Site”) or by otherwise communicating with us, we are the controller and are responsible for your personal data. We will process your personal data in accordance with this privacy policy and all applicable data protection laws, including the UK GDPR and UK Data Protection Act 2018.

We may make changes to the policy from time to time so please be sure to check regularly. If we make a material change to this policy and we have your contact details, we may contact you before we make the change. We will also post a notice at the start of the policy.

Information you provide to us when you contact us

When you contact us by email, we may collect and store records of our contact with you, which may include notes on our systems, emails or electronic communications and written correspondence and any email address used by you.

Information we collect about you when you visit our Site

When you visit our Site, we collect:

  • Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type (e.g. Safari or Internet Explorer) and version, time zone setting, browser plug-in types and versions, operating system and platform. We use this information to carry out internal operations such as troubleshooting and resolving technical issues, to improve your experience on our Site, and as part of our efforts to keep our Site safe and secure;
  • Identity information including first name and last name;
  • Contact information including email address;
  • Usage information including information about how you interact with and use our Site; and
  • Marketing and Communications information including your preferences in receiving marketing from us and your communication preferences.

How your information is collected

You may give us information about you as described above, by filling in forms on our Site or by corresponding with us by e-mail or otherwise communicating with us. This includes information you provide when you:

  • use our Site;
  • subscribe to receive newsletters and marketing (via email);
  • enter a competition, promotion or survey; and/or
  • contact us to report a problem with our Site.

We will also receive technical information and usage information about how you use and interact with our Site, from Google Analytics.

If you have subscribed to our email updates, EMG Media & Marketing Ltd (“EMG”), our marketing agency and data processor, may also provide us with information about whether or not you have received and read our email updates, and will gather information which allows us and other entities in the Roald Dahl Group to measure and understand the effectiveness of the email communications sent to you.

Who we share your information with

We may share your personal data with any member of the Roald Dahl Group, which is defined at the start of this privacy policy.

We use EMG Media & Marketing Ltd (“EMG”), our marketing agency and data processor, to support us with operating the Site and managing our database of contacts who sign up on the Site to receive email updates from us. As a result, we also share your personal data with EMG.

We may also disclose your personal data:

  • to our other service providers that we use to run our business, for example our IT infrastructure and other marketing tools;
  • in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
  • if Croc Prod 1 Limited or substantially all of its assets are acquired by a third party, in which case personal data held by us will be one of the transferred assets;
  • if we need to get legal advice or answer a legal request from law enforcement bodies;
  • if we are under a duty to disclose or share your personal data with law enforcement agencies or regulatory bodies in order to comply with any court order or legal obligation;
  • to our external auditors and other professional advisors (such as accountants); and/or
  • in order to enforce or apply our Site’s Terms and Conditions of Use, or to protect the rights, property, or safety of Croc Prod 1 Limited or any entity in the Roald Dahl Group.

How we use your information

Under data protection law, we can only use your personal data if we have a lawful basis to do so. Our lawful basis will depend on the reasons for which your personal data was collected, and these include:

  • to comply with our legal and regulatory obligations;
  • for the performance of a contract with you (or to take steps at your request before entering into a contract);
  • for our legitimate interests or those of a third party; or
  • where you have given your consent (for example where you have consented to receive marketing materials from us).

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

We have set out below, in a table format, a description of all the ways we plan to use the various categories of your personal data, and which of the legal bases we rely on to do so.

We have also identified what our legitimate interests are where appropriate.

| Purpose/Use | Type of data | Legal basis |
| --- | --- | --- |
| To respond to enquiries that you raise and keep a record of our communications | Identity, Contact | Necessary for our legitimate interests and your legitimate interests, to manage our relationship with you |
| To keep you up to date with news and information about content, productions, events, discounts and offers, etc. | Identity, Contact, Marketing and Communications | Consent |
| To allow you to participate in interactive features on the Site | Identity, Contact | Necessary for our legitimate interests to operate our business and Site |
| To manage our relationship with you, including to notify you about changes to our Site, terms and policies | Identity, Contact | Necessary for performance of a contract with you; Necessary for our legitimate interests to keep our records updated |
| To use data analytics to improve our Site, services, marketing and user relationships and experiences | Technical, Usage | Necessary for our legitimate interests to keep our Site updated and relevant and to develop our business OR Consent, where such analytics data is obtained via a non-essential Site cookie |
| To administer our Site and internal operations, including troubleshooting, testing, etc. | Identity, Contact, Technical | Necessary for our legitimate interests for running our business and the provision of administration and IT services and network security; Necessary to comply with a legal obligation |
| To enable you to partake in a prize draw, competition or complete a survey | Identity, Contact, Usage, Marketing and Communication | Performance of a contract with you; Necessary for our legitimate interests to study how users use our Site and to develop it and grow our business |

Marketing

We may use your personal data to send you updates by email about "The Enormous Crocodile The Musical". You will receive these marketing communications from us if you expressly opted-in to receive them (in which case we rely on your consent).

If you have consented to this, other members of the Roald Dahl Group (which is defined at the start of this privacy policy) may also send you exciting updates about content, productions or events, including the Roald Dahl Story Company newsletter.

We may ask you to confirm or update your marketing preferences if there are changes in the law or the structure of our business.

Please note that we may also send you other communications in relation to our services or in order to respond to queries you have raised. These communications are service communications and are not considered a form of marketing communication.

You always have the right to opt out of receiving further promotional communications by:

How long we keep your personal data for

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation regarding our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax or reporting requirements.

Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by emailing us at [email protected].

Security

Subject to the paragraph below, the information you provide to us and which we collect is stored on secure servers of our Site hosting and IT service providers.

Staff members who work for or on behalf of us and/or any of the entities in the Roald Dahl Group may process the information that you give to us and which we collect. Such staff members may, among other things, be involved in the provision of support services in relation to our Site. We will at all times take all reasonable steps necessary to maintain the security of your personal data in accordance with this Privacy Policy and data protection laws.

Unfortunately, the transmission of information via the internet is not completely secure.

Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to our Site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Transferring your personal data outside of the UK 

It is sometimes necessary for us to share your personal data outside of the UK, including:

  • with our service providers based outside of the UK;
  • if you are based outside of the UK; or
  • where there is an international dimension to the services we are providing to you.

Under data protection law, we can only transfer your personal data to a country or international organisation outside the UK where:

  • the UK government has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);
  • there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or
  • a specific exception applies under data protection law.

Adequacy decision: We may transfer your personal data to certain countries, on the basis of an adequacy decision granted by the UK, as applicable.

These adequacy decisions granted by the UK include: all EEA countries, Gibraltar, the Republic of Korea, Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. Canada and Japan also have partial adequacy findings.

There is also a partial adequacy decision for US companies that have certified with the EU-US Data Privacy Framework and the UK extension to this.

The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.

There are some other countries or international organisations that we may transfer personal data to that do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception, as explained below.

Appropriate safeguards: Where there is no adequacy decision, we may transfer your personal data to another country or international organisation if we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects.

The safeguards will usually include using legally-approved standard data protection contract clauses (also known as ‘standard contractual clauses’). To obtain a copy of the standard contractual clauses and further information about relevant safeguards, please contact us (see the ‘Contact Us’ section below).

Specific exceptions: In the absence of an adequacy decision or appropriate safeguards, we may transfer personal data to a third country or international organisation where an exception applies under relevant data protection law, e.g.: you have explicitly consented to the proposed transfer after having been informed of the possible risks; the transfer is necessary for the performance of a contract between us or to take pre-contract measures at your request; the transfer is necessary for important reasons of public interest or to protect someone’s vital interests; or the transfer is necessary to establish, exercise or defend legal claims.

Your Rights

If you are a UK citizen you have rights over your personal data that we need to make you aware of. These rights are as follows:

  • Access: You have the right to access the personal data we hold about you. This is called a Subject Access Request.
  • Rectification: You have the right to contact us to correct any inaccuracies in your personal data.
  • Erasure: Under certain circumstances you may have the right to instruct us to erase your personal data.
  • Restriction: In some cases, you may ask us to restrict how we use your personal data. This is an alternative to requesting the erasure of your data, for example if there are issues with the data we hold.
  • Data portability: You have the right to receive personal data you provided to us in a structured, commonly used and machine-readable format and to request that we provide the data directly to a third party.
  • Object: You have the right to ask us not to process your personal data for marketing purposes and to object to our processing of your personal data in other circumstances too, for example if we are processing based on legitimate interests.
  • Automated decision making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

If you wish to action any of these rights, you can do so by writing to us at Croc Prod 1 Limited, 30 Berners Street, London, United Kingdom, W1T 3LR or [email protected].

Links 

Our Site may, from time to time, contain links to and from the websites of our partner networks, advertisers, affiliates and other independent third parties, including the third party sites where you are redirected to purchase tickets and products. If you follow a link to any of these websites, please note that these websites have their own privacy policies and terms of use and that neither we nor any member of the Roald Dahl Group accepts any responsibility or liability for such policies or their collection or processing of your personal data. Please check these policies and terms before you submit any personal data to these websites.

Cookies

For more information about the cookies we use and how to change your cookie preferences, please see our Cookies Policy.

How to contact us about your privacy

If you have any questions about the way in which we collect or process your information, please contact us.

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to Croc Prod 1 Limited, 30 Berners Street, London, United Kingdom, W1T 3LR or emailed to [email protected].

If you are in the UK, you can also find out more about your rights under applicable data protection laws, including the UK GDPR, by visiting the Information Commissioner's Office (ICO) website at www.ico.org.uk or by writing to: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

If you believe that your rights have not been respected at any time then you also have a right to contact the ICO to ask them for a resolution.