Home · Privacy Policy

Privacy Policy

Last updated: [date]
Please note: This document is a template to help you get started and is not legal advice. Please review it, complete all [bracketed] placeholders, and make sure it accurately reflects how you actually handle data before publishing.

This Privacy Policy explains how [Your full name], trading as “WaveRetreat” (“we”, “us”, “our”), collects, uses and protects your personal data when you contact us, book our Services, or use this website. We are the “data controller” for the personal data we process.

We are committed to protecting your privacy and handling your data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

  • Controller: [Your full name], trading as WaveRetreat (sole trader).
  • Address: [your business address], Cornwall, England.
  • Email: hello@waveretreat.com
  • ICO registration: [your ICO registration number, if applicable]

2. The data we collect

Depending on how you interact with us, we may collect:

  • Contact & enquiry data — your name, email address, phone number and the contents of any message you send via our enquiry form or by email.
  • Booking data — details needed to provide a Session or retreat, which may include emergency contact details and relevant health or ability information you choose to share.
  • Payment data — payments are handled by our payment/booking provider; we receive confirmation of payment but do not store your full card details.
  • Technical & usage data — limited information about your device and how you use the website, collected through cookies or analytics (see “Cookies” below).

Health information is “special category” data; we only collect it where you provide it for safety reasons and we handle it with additional care.

3. How we collect your data

  • Directly from you — when you complete our enquiry form, make a booking, or contact us by email, phone or social media.
  • Automatically — through cookies and similar technologies when you use our website (where enabled).

4. How we use your data & our lawful bases

  • To respond to your enquiry — lawful basis: our legitimate interests in answering and helping potential customers.
  • To take and manage bookings and provide our Services — lawful basis: performance of a contract with you.
  • To keep you safe during activities (using health/ability information) — lawful basis: your explicit consent and our legitimate interest in safety; in an emergency, protecting vital interests.
  • To send marketing (e.g. news about retreats and sessions) — lawful basis: your consent, or our legitimate interests where you are an existing customer. You can opt out at any time.
  • To meet legal and accounting obligations — lawful basis: compliance with a legal obligation.

5. Marketing

We will only send you marketing where you have agreed to receive it or where the law otherwise allows. Every marketing email includes an unsubscribe link, and you can opt out at any time by emailing hello@waveretreat.com.

6. Who we share your data with

We do not sell your personal data. We may share it with trusted third parties who help us run our business, including:

  • our booking and payment providers ([e.g. your booking system / Stripe / PayPal]);
  • our email, hosting and website providers ([e.g. email/newsletter provider, web host]);
  • professional advisers (such as accountants) and authorities where required by law.

These providers only process your data on our instructions and under appropriate safeguards.

7. International transfers

Some of our providers may process data outside the UK. Where they do, we take steps to ensure your data is protected by an adequate level of protection, for example through UK adequacy regulations or standard contractual clauses (an International Data Transfer Agreement or Addendum).

8. How long we keep your data

We keep personal data only for as long as necessary for the purposes set out above, including to meet legal, accounting or reporting requirements. For example, we typically keep enquiry data for [period] and booking and financial records for at least 6 years to comply with HMRC requirements. When data is no longer needed, we securely delete or anonymise it.

9. Your rights

Under UK data protection law, you have the right to:

  • request access to the personal data we hold about you;
  • ask us to correct inaccurate or incomplete data;
  • ask us to erase your data in certain circumstances;
  • ask us to restrict or object to our processing;
  • request the transfer of your data (data portability);
  • withdraw your consent at any time, where we rely on consent.

To exercise any of these rights, please email hello@waveretreat.com. We will respond within one month. There is normally no charge.

10. Cookies

Our website may use cookies and similar technologies to make the site work and to understand how it is used. Essential cookies are necessary for the site to function. Any analytics or non-essential cookies are only used with your consent. You can control cookies through your browser settings. [If you add analytics or a cookie banner, describe them here.]

11. How we protect your data

We use appropriate technical and organisational measures to keep your personal data secure and to prevent unauthorised access, loss or misuse. No method of transmission over the internet is completely secure, but we take reasonable steps to protect your information.

12. Children

Where Participants are under 18, we collect their data only with the consent and involvement of a parent or guardian, and only as needed to provide our Services safely.

13. Changes to this policy

We may update this Privacy Policy from time to time. The current version is always published on this page, with the “Last updated” date shown above.

14. How to contact us or complain

If you have any questions about this policy or how we handle your data, please contact us at hello@waveretreat.com.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection, at ico.org.uk or on 0303 123 1113. We would, however, appreciate the chance to address your concerns first.