PRIVACY POLICY

INTRODUCTION
ExePilates is a small independent Pilates studio based in Exmouth, Devon. As part of our compliance with the General Data Protection Regulation (GDPR) we have set out our privacy policy in this document to specify our commitment to our clients and users of our online services about how we collect, process and protect personal data that is supplied to us with their permission.

The GDPR seeks to protect and enhance the rights of data subjects. These rights cover the safeguarding of personal data, protection against the unlawful processing of personal data and the unrestricted movement of personal data within the EU. It should be noted that GDPR does not apply to information already in the public domain.

Any personal data that is collected when you enrol to participate in one of our classes, register via our website or use our online services is only used by us for essential communication appropriate to us performing our contractual obligation to you as a Pilates studio. As part of our business activities, we do employ appropriate direct marketing activities from time to time such as sending out a newsletter which is designed to enhance your experience and the services we offer. We do not share your data with third parties at any time.

In this document Exe Pilates sets out its privacy policy and explains how it secures and uses personal data appropriate to its business practices.

HOW WE COLLECT YOUR DATA
At the point of registration, Exe Pilates collects your name, email address and other relevant personal data such as phone number, postal address, emergency contact, referral type, date of birth and only relevant medical and musculoskeletal history in order to carry out basic communication, fulfil bookings, give you the best service and to safeguard your health and wellbeing to ensure classes are appropriate to you.

At the studio, your personal data is used by our personnel only for essential communication about your bookings, purchases, reminders and class changes and in the case of class cancellations and emergencies.

Any payment made through our website is handled by a separate, secure and certificated service provider, Stripe, which exceeds industry standards. Exe Pilates does not store specific customer payment information digitally or in paper form and all payment information is encrypted.

  • ☑ Stripe is SSL (Secure Sockets Layer) protected. This means that both your and your customer’s information is securely transmitted throughout the entire payment process.

  • ☑ Stripe is PCI compliant. As a PCI Service Provider Level 1, Stripe offers the highest possible level of payment processing security.

  • ☑ Stripe is encrypted. This ensures the security and integrity of information through encrypting all credit and debit card numbers.

The enrolment form we ask clients to complete when they first register with ExePilates, available in a paper and online format, is required by our insurance company and provides essential information required to work within our professional and studio guidelines. We are required by law to keep client records for seven years after the last visit. These records are kept in a locked file at the studio or securely online via Squarespace when not in use by the client’s teacher and are only seen by personnel who have direct dealings with the client’s programme or bookings.

HOW WE USE YOUR DATA
We use email and SMS (text) as the primary form of communication with you if you are an existing customer. We also periodically send general email newsletters using Mailchimp about products and services we offer to both existing and previous customers, or those who have directly enquired about our services. You have the right to opt out of these at any time.

We may use your information for the following purposes:

  • in the normal course of our business, to allow us to register you to provide our services;

  • to allow us to manage your class bookings on the basis that processing is necessary in order to perform our contract with you to provide our services;

  • to validate your information to check that the data we hold about our customers is accurate, consistent and up to date on the basis that processing is necessary in order to perform our contract with you to provide our services;

  • to comply with any legal obligations to which we are subject;

  • to periodically check that the personal data we store for you is accurate.

HOW WE SHARE YOUR DATA
The information and data we collect is important to us and we would not want to share it with anyone unrelated to, or not employed by, ExePilates and its business practices. Unless we have your express consent, we will never disclose, rent, trade or sell your personal data to any third parties for their marketing or mailing purposes.

HOW WE PROTECT YOUR DATA
Our staff are trained to protect your digital and paper data using our secure systems (Squarespace, Stripe and Mailchimp) and through due diligence with paper filing systems held under lock and key.

We do not share your information with any third party. If you are under the care of another practitioner, be that a doctor or other healthcare professional or complementary therapist, we will ask that you pass on any relevant information, rather than us speaking to them directly, unless both parties have your express permission.

We will treat all of your information in strict confidence and we will endeavour to take all reasonable steps to keep your personal information secure once it has been transferred to our systems. We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal information, and data stored on our IT systems, the website and associated databases.

YOUR RIGHT TO OPT-OUT OF DIRECT MARKETING AND PROMOTIONS
We provide an opt-out for marketing emails and invite prospective customers to opt-in for our newsletters and information in a secure form on our website and during the registration process. At any time you are able to opt out of these communications if you don’t wish to be kept updated.