Privacy Policy

Home of Pilates is a Pilates studio based in Sheffield, United Kingdom. We provide in-person and online Pilates classes designed for all fitness levels, from beginners to advanced practitioners.

Data Controller: Home of Pilates UK
Address: Sheffield, United Kingdom
Email: info@homeofpilates.uk
Website: www.homeofpilates.uk

If you have any questions about how we handle your data, please contact us directly using the details above.

We collect several types of information to provide and improve our services to you. This includes:

We use the information we collect for the following purposes:

• Account Management: To create and manage your member account
• Class Bookings: To process your class bookings, manage your schedule, and maintain your booking history
• Payments: To process payments for classes, packages, and subscriptions through Stripe
• Communications: To send booking confirmations, class reminders, cancellation notices, and waiting list updates via email and SMS
• Customer Support: To respond to your enquiries, feedback, and support requests
• Service Improvement: To analyse usage patterns and improve our website, app, and class offerings
• Marketing: To send promotional emails about new classes, offers, and events (you may opt out at any time)
• Legal Compliance: To comply with legal obligations under UK law, including tax and financial record-keeping
• Safety: To protect the health and safety of our instructors and members

Under UK GDPR, we process your personal data on the following legal grounds:

• Contract Performance: Processing necessary to fulfil your membership, bookings, and purchases
• Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our services and preventing fraud
• Legal Obligation: Processing required to comply with UK legal obligations, including HMRC requirements
• Consent: Processing based on your explicit consent, such as marketing communications and optional data collection

We do not sell, rent, or trade your personal information to third parties. We may share your data with trusted service providers who assist us in operating our services, strictly on a need-to-know basis:

• Stripe: For secure payment processing (PCI DSS Level 1 compliant)
• SendGrid: For sending transactional emails and notifications
• Twilio: For SMS notifications (waiting list alerts, reminders)
• IT Brain Solutions Ltd: Our technology provider responsible for building and maintaining our digital platform
• Google Analytics: For anonymised website usage analysis
• Hosting Provider: Our server and data storage provider based in the UK/EEA

All third-party providers are contractually obligated to handle your data in compliance with UK GDPR and to use it only for the specific services they provide to us.

We may also disclose your information when required by law, court order, or governmental authority.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

• Active Member Accounts: For the duration of your membership plus 2 years after your last activity
• Booking & Transaction Records: 7 years (required by HMRC for tax purposes)
• Email Communications: 3 years from the date of correspondence
• CCTV Footage (studio): 30 days, then automatically deleted
• Marketing Consent Records: Until you withdraw consent

When data is no longer required, it will be securely deleted or anonymised so that it can no longer be associated with you.

Our website uses cookies to enhance your browsing experience. Cookies are small text files stored on your device. We use the following types of cookies:

• Essential Cookies: Required for the website to function. These cannot be disabled.
• Performance Cookies: Help us understand how visitors interact with our website (Google Analytics)
• Functionality Cookies: Remember your preferences, such as login status and language settings
• Marketing Cookies: Used to deliver relevant advertisements (only with your consent)

You can manage your cookie preferences through our cookie banner when you first visit our website, or by adjusting your browser settings. Please note that disabling certain cookies may affect website functionality.

As a UK resident, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you (Subject Access Request)
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten") where there is no legitimate reason to continue processing it
• Right to Restrict Processing: Request that we limit how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at info@homeofpilates.uk. We will respond within 30 days of receiving your request. There is no charge for exercising your rights in most circumstances.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk if you believe we have not handled your data appropriately.

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. These include:

• SSL/TLS encryption for all data transmitted between your device and our servers
• Secure, encrypted storage of passwords using industry-standard hashing (BCrypt)
• JWT (JSON Web Token) authentication for secure session management
• Restricted staff access to personal data on a need-to-know basis
• Regular security assessments and software updates
• PCI DSS compliant payment processing via Stripe (we never store payment card details)
• Regular database backups stored securely on UK-based servers

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay, in accordance with UK GDPR requirements.

Our services are intended for individuals aged 16 and over.

Your personal data is primarily stored and processed within the United Kingdom and the European Economic Area (EEA). Where data is transferred outside of these areas (for example, through certain cloud service providers), we ensure appropriate safeguards are in place, including:

• UK adequacy decisions for transfers to specific countries
• Standard Contractual Clauses (SCCs) approved by the ICO
• Binding Corporate Rules where applicable

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. When we make significant changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify registered members via email
• Display a prominent notice on our website and app

We encourage you to review this policy periodically. Continued use of our services after changes have been made constitutes acceptance of the updated policy.