Planted Wellbeing Yoga is the trading name of Adrienne Hanson.
- Enquiries from non-clients – message, name and email address – received via our website, social media or by email – held for up to a year and used to answer query and follow up.
- Mailing list – name and email address – populated by people registering on our website or opting in on an enquiry form. People completing a health declaration are added to the mailing list so they can be kept in touch with class information, but all mailings have an opt out link – held indefinitely, there is an opt out link on each marketing mailing.
- Health and registration forms from students – name, contact details and health information – completed via our website or in class – used for class management, and held for at least seven years for insurance purposes.
- Attendance registers – data collected in class – used for class management and held for at least seven years for insurance purposes.
- Emails – sent from clients and non-clients. Important messages are saved in our filing system, otherwise emails may be retained for up to two years.
- Payment data, excluding card information which we do not receive at any time. Received via accounting and banking systems and saved for at least seven years for accounting and tax obligations.
- Website cookies set automatically by our software. We do not knowingly access these or pass to third parties.
- Except where required by law, we do not share data with third parties or sell contact lists.
- Information held by Planted Wellbeing Yoga is accessed by staff working for Planted Wellbeing Yoga, and contractors working on IT, and may be shared, on a need to know basis, with other teachers at Planted Wellbeing eg if they are covering a class.
Storage of personal data
Planted Wellbeing is a UK-domiciled organisation who operates in the UK.
- Our websites and web applications are hosted in the EU and are accessed only by our EU-based staff.
- Our customer relationship management, marketing and accounting systems for our business are either EU-based or hosted by companies participating in the EU – U.S. Privacy Shield Framework.
- We may use a range of Cloud Service Providers (CSPs) as part of our processing environment. Unless we specifically state otherwise, we are, in respect of all these CSPs, the data controller.
- Unless we specifically state otherwise all of the CSPs that we use utilise EU-located processing facilities.
- Our payment processors and banking arrangements are based in the UK.
- We operate a data retention policy in respect of all data, whether paper-based or digital and those aspects of it which relate to personal data are contained in the Information Held section above.
Your rights as a data subject
As a data subject whose personal information we hold, you have certain rights. If you wish to exercise any of these rights, please contact us.
In order to process your request, we will contact you and ask you to provide two valid forms of identification for verification purposes.
You are not required to pay any charge for exercising your rights. We have one month to respond to you.
We will inform you if answering requests is likely to require additional time or incurs unreasonable expense (which you may have to meet). We will explain if there are exceptional circumstances that mean we can refuse to provide the information. We reserve the right to refuse requests that are frivolous or vexatious.
Your rights are as follows:
Your right to be informed
As a data controller, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy statement and any related communications we may send you.
Your right of access
You have the right to ask us for copies of your personal information we hold. This right always applies. We will verify your identity and, if relevant, the authority of any third-party requester. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right at the ICO.
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right at the ICO.
Your right to erasure (the ‘right to be forgotten’)
You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right at the ICO.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right at the ICO.
Your right to object to processing
You have the right to object to our processing of your data where
- Processing is based on legitimate interest;
- Processing is for the purpose of direct marketing;
- Processing is for the purposes of scientific or historic research;
- Processing involves automated decision-making and profiling.
Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about this right at the ICO.
Please contact us if you wish to make a request.
Should you wish to discuss a complaint, please feel free to contact us. All complaints will be treated in a confidential manner.
Should you feel unsatisfied with our handling of your data, or about any complaint that you have made to us about our handling of your data, you are entitled to escalate your complaint to a supervisory authority within the European Union. For the United Kingdom, this is the Information Commissioner’s Office (ICO), who is also our lead supervisory authority. Its contact information can be found at https://ico.org.uk/global/contact-us/.