GDPR Policy
General Data Protection Regulation — Our commitment to your data rights under UK law.
Last Updated: April 2026
Data Controller Information
Under UK GDPR, the "data controller" is the entity that determines the purposes and means of processing personal data. For all data collected through our website, mobile application, and studio services:
Organisation: Home of Pilates
Trading Address: Sheffield, United Kingdom
Data Protection Contact: info@homeofpilates.uk
Website: www.homeofpilates.uk
The Six Principles of UK GDPR
We process all personal data in accordance with the six core principles of UK GDPR:
- Lawfulness, Fairness and Transparency: We only process data on a lawful basis and are transparent about how we use it
- Purpose Limitation: We only collect data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes
- Data Minimisation: We only collect data that is adequate, relevant, and limited to what is necessary for our purposes
- Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date
- Storage Limitation: We do not retain personal data for longer than necessary and have clear retention schedules in place
- Integrity and Confidentiality: We implement appropriate technical and organisational measures to ensure data security
Lawful Bases for Processing
Every instance of processing your personal data at Home of Pilates is underpinned by at least one of the following lawful bases:
| Processing Activity | Lawful Basis | Type |
|---|---|---|
| Account registration and management | Contract performance | Contract |
| Processing class bookings | Contract performance | Contract |
| Processing payments | Contract performance | Contract |
| Sending booking confirmations & reminders | Contract performance | Contract |
| Waiting list SMS notifications | Contract performance / Consent | Consent |
| Marketing emails and promotions | Consent | Consent |
| Financial record keeping | Legal obligation (HMRC) | Legal |
| Website analytics | Legitimate interests | LI |
| Fraud prevention and security | Legitimate interests | LI |
Your Rights Under UK GDPR
Under UK GDPR, you have eight fundamental rights regarding your personal data. We are committed to honouring each of these rights:
Right to Be Informed
You have the right to know how we collect and use your personal data. This GDPR Policy and our Privacy Policy fulfil this obligation.
Right of Access (SAR)
You can request a copy of the personal data we hold about you, together with details of how we use it. We will respond within 30 calendar days, free of charge.
Right to Rectification
You can ask us to correct any inaccurate or incomplete personal data we hold about you.
Right to Erasure
You can request deletion of your personal data where there is no compelling reason to continue processing it.
Right to Restrict Processing
You can ask us to pause or restrict the processing of your data in certain circumstances.
Right to Data Portability
You can request a copy of your data in a structured, machine-readable format to transfer to another service.
Right to Object
You can object to processing based on legitimate interests. You can also object to direct marketing at any time, in which case we will stop without exception.
Automated Decision Rights
You have rights regarding automated decision-making and profiling that produces legal or similarly significant effects.
To exercise any of these rights, contact us at info@homeofpilates.uk. We will respond within 30 calendar days. Where a request is complex or we receive several from you, we may extend this by up to a further 2 months; if so, we will tell you within the initial period and explain why.
Special Categories of Data
UK GDPR provides additional protection for "special category" personal data. This includes health and medical information, which may be relevant when you inform our instructors of physical limitations, injuries, or medical conditions.
We only collect and process health information with your explicit consent and exclusively for the purpose of ensuring your safety during classes. This data is:
- Stored securely with restricted access
- Only shared with your class instructor on a need-to-know basis
- Never used for marketing or profiling purposes
- Retained only for the duration of your membership
You may withdraw consent for us to hold this information at any time, though this may affect your ability to participate in certain classes safely.
Data Retention Schedule
| Data Category | Retention Period | Basis |
|---|---|---|
| Member account data | Duration of membership + 2 years | Legitimate interests |
| Booking history | 7 years from booking date | Legal obligation (HMRC) |
| Financial transaction records | 7 years | Legal obligation (HMRC) |
| Health & medical information | Duration of membership | Consent |
| Email marketing consent | Until withdrawal of consent | Consent |
| Contact form enquiries | 3 years | Legitimate interests |
| Website analytics data | 26 months (anonymised) | Legitimate interests |
| Security logs | 12 months | Legitimate interests |
Data Breach Notification
In the event of a personal data breach, we have established procedures to ensure we meet our obligations under UK GDPR:
- Within 72 hours of becoming aware of the breach: We will notify the Information Commissioner's Office (ICO) if the breach is likely to result in a risk to individuals' rights and freedoms
- Without undue delay: We will notify affected individuals directly if the breach is likely to result in a high risk to their rights and freedoms
- Our notification will include the nature of the breach, its likely consequences, the measures taken or proposed to address it, and a point of contact for further information
We maintain a data breach register and regularly test our response procedures.
Third-Party Data Processors
We use carefully selected third-party service providers (data processors) who process personal data on our behalf. All processors are bound by Data Processing Agreements (DPAs) ensuring UK GDPR compliance:
- Stripe Inc. — Payment processing (PCI DSS Level 1 certified)
- SendGrid (Twilio) — Email notification delivery
- Twilio Inc. — SMS notification delivery
- IT Brain Solutions Ltd — Platform development and hosting
- Google LLC — Analytics (data anonymised)
We never allow our processors to use your data for their own purposes and only permit them to process it in accordance with our documented instructions.
Lodging a Complaint
If you are unhappy with how we have handled your personal data, we encourage you to contact us in the first instance so we can address your concern.
However, you also have the right to lodge a complaint directly with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Exercise Your Data Rights
To make a Subject Access Request or exercise any other GDPR right, please contact our Data Protection Lead:
Email: info@homeofpilates.uk
Website: www.homeofpilates.uk
We will acknowledge your request within 5 working days and respond in full within 30 calendar days.