Pilates with Elena

Privacy policy & GDPR

Pilates with Elena (“we”, “us”, “our”) is committed to protecting and respecting your privacy.

This Privacy Notice (Policy) explains how we collect, use, store and protect your personal data when you:

• Visit our website www.pilateswithelena.uk
• Fill out paper or digital forms
• Book or attend classes or private sessions
• Contact us by email, phone or via our website
• Use any of our digital services
• Purchase services or products

We process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Contact

If you have any questions about this policy or your personal data, please contact us: info@pilateswithelena.uk

2. Data Controller

For the purposes of UK data protection legislation, the Data Controller is Pilates with Elena.

3. What Personal Data We Collect

We may collect and process the following categories of personal data:

• Personal and Contact Details: First name and surname, Email address, Postal address, Telephone number.
• Personal Information: Date of birth, Age, Gender.
• Emergency Contact Information.
• Health Information: Where relevant to the safe provision of our services.
• Booking and Visit Information: Past and future bookings / attendance records.
• Records of your communications with us.
• Financial and Transactional Data: Payment amounts and dates, bank transfer details (where applicable).
• Marketing Information: Email marketing preferences, communication history.
• Promotional Images: Photographs / video taken during classes to showcase the studio atmosphere for promotional purposes.

4. How We Collect Your Data

We collect personal information:

• Directly from you (in person, by phone, email or via our website).
• Through our booking system or when you attend sessions.
• From third-party referrers (e.g., healthcare professionals), where applicable.

5. How We Use Your Personal Data

We collect and use your personal data to:

• Provide, improve or personalise our services and products.
• Manage bookings, client accounts and process payments.
• Communicate essential session updates or changes.
• Ensure health and safety within the studio.
• Respond to queries, complaints or claims.
• Comply with legal and regulatory obligations.
• Send marketing communications (where you have consented).
• Ask for feedback from you to help us develop and improve further.

5. How We Use Your Personal Data

We will never sell your data to third parties.

We only share data with essential service providers, such as our booking software and payment processors, professional or legal advisors, insurance providers, organisations we are legally obliged to share information with.

7. Lawful Basis for Processing your Data

Under UK GDPR, we rely on the following lawful bases:

• Consent: When you complete forms, provide health information, or opt in to marketing.
• Contract: To provide services you have booked or paid for.
• Legal Obligation: To comply with tax and regulatory requirements.
• Legitimate Interests: For business administration, insurance requirements, and defending potential legal claims.

8. Data Retention

We retain your information only as long as necessary. Under UK GDPR, we rely on our legitimate interests and legal obligations to retain personal data for legal, regulatory, insurance, and claims defence purposes.

We retain financial records for six (6) years after you cease to be a client in accordance with HMRC requirements for tax, accounting and anti-fraud purposes.

We retain general client data for up to seven (7) years to comply with Professional Indemnity Insurance requirements and to defend against potential negligence or legal claims.

9. Storage and Security of Your Data

We take appropriate technical and organisational measures to protect your personal data. Personal data is stored securely, and access is restricted to authorised persons only. Where data is held electronically, secure systems and password protection are used.

10. Cookies

This website uses essential session cookies required for authentication and security. These cookies do not track users for marketing purposes.

11. Third-Party Links

Our website may contain links to third party websites, plug ins, or applications (e.g., booking platforms). These external sites operate independently from us, and we have no control over their content, security, or privacy practices. When you follow a link to a third party site, you do so at your own discretion. We recommend that you review the privacy policies of any external websites you visit to understand how they collect and process your personal data.

12. Your Data Protection Rights

Under UK data protection law, you have the following rights:

1. Right of Access: You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.
2. Right to Rectification: You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can inform us and your data will be updated.
3. Right to Erasure (“Right to be Forgotten”): You may request that we erase your personal data if you believe that we are unlawfully processing your Personal Data or that we no longer have a lawful basis to retain it. This right is not absolute. We may retain certain data where required to comply with legal obligations (e.g., six-year HMRC record retention) or where necessary for the establishment, exercise or defence of legal claims, including insurance requirements.
4. Right to Restriction of processing: You can ask us to limit the ways we use your personal information.
5. Right to Object: You have the right to object using your personal information at any time. However, it only applies in certain circumstances and may not need to stop if we have strong and legitimate reasons to continue using your data.
6. Right to Data Portability: You have the right to request a copy of your personal data in an accessible and machine-readable format (for example, a CSV file). You may also request that your personal data be transferred directly to another organisation, where this is technically feasible.
7. Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time by contacting us.

Read further information about Your Data Protection Rights on ICO website: https://ico.org.uk/for-organisations/advice-for-small-organisations/privacy-notices-and-cookies/create-your-own-privacy-notice/your-data-protection-rights/

13. Time Limits to respond to a SAR, Identity Verification and Fees

A request can be verbal or in writing. We recommend you follow up any verbal request in writing.

We aim to respond to all valid requests within one month. In certain circumstances we may need extra time to consider your request and can take up to an extra two months. If we are going to do this, we will let you know within one month that we need more time and why.

When exercising your rights, we may request proof of identity to protect your personal data. If they do this, then the one-month timeframe to respond to your request begins from when we receive this additional information.

There are generally no fees or charges for the first request, but additional requests for the same Personal Data, or requests which are manifestly unfounded or excessive, may be subject to a reasonable fee for administrative costs associated with the request.

14. Complaints

If you have concerns about how we handle your personal data, please contact us first so we can resolve the issue. Having done so, if you remain dissatisfied you can make a complaint to the Information Commissioner’s Office (ICO).

The ICO’s address: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

ICO Helpline: 0303 123 1113 and Website: www.ico.org.uk/make-a-complaint

15. Changes to This Privacy Policy

This Privacy Policy was last updated in February 2026. We may update this policy from time to time. Any changes will be published on our website. We encourage you to check it periodically when you visit our website.