Essential Studio

Privacy policy

How we handle your information, in plain English, and in a way that meets UK GDPR requirements.

Last updated: 2026-01-07

Who we are

Essential Studio is the controller for the personal data described in this policy. “Controller” means we decide why and how your personal data is used.

If you have any questions, want to exercise your rights, or want a copy of your data, contact us using the email address shown on the website. We aim to reply promptly and clearly.

What we collect

We only collect what we need to run bookings, communicate with you, and deliver sessions safely.

  • Identity and contact details: name, email address, and phone number (if you provide it).
  • Booking and communications: session type, date/time, and any messages or notes you choose to send us.
  • Account information (if you create an account): login email and password (stored as a secure hash, never in plain text).
  • Payment information (if payments are enabled): we do not store full card details. Payments are handled by our payment provider, who sends us confirmation and transaction references needed for accounting and customer support.
  • Health and wellbeing information you share for safety and session suitability (for example injuries, contraindications, or comfort preferences). This is “special category” data under UK GDPR and we treat it with extra care.
  • Technical data: basic logs (for example IP address, device and browser information) used to keep the site secure and working reliably.

Where the data comes from

  • Directly from you (forms, emails, messages, bookings).
  • From our service providers (for example payment confirmation and email delivery status).
  • Automatically from your device (basic technical logs and, if enabled, cookies).

How we use your data and our legal bases

UK GDPR requires a legal basis for each use. Here is how it applies in practice.

Running bookings and providing the service

We use your contact and booking details to confirm, manage, reschedule or cancel sessions, and to provide customer support.
Legal basis: performance of a contract (or steps taken at your request before entering a contract).

Safety and suitability of sessions

If you choose to share health-related information, we use it to deliver sessions safely and appropriately.
Legal basis: explicit consent for special category data, and (for the general processing) performance of a contract and legitimate interests (client safety and quality of care). You can withdraw consent at any time, but that may limit what we can offer safely.

Essential service communications

We send booking confirmations, reminders, and important service updates. You cannot opt out of these without also opting out of the service.
Legal basis: performance of a contract and legitimate interests (service reliability).

Optional updates and marketing

If we ever send non-essential updates (for example a studio opening announcement or a newsletter), you will be able to opt out at any time.
Legal basis: consent or legitimate interests (depending on the message and your relationship with us).

Site security, fraud prevention, and debugging

We use logs and basic technical data to keep the site safe, prevent abuse, and fix issues.
Legal basis: legitimate interests (security and service reliability).

Legal and accounting obligations

We may keep certain records (for example invoices and payment confirmations) to comply with tax and legal requirements.
Legal basis: legal obligation.

What we do not do

  • We do not sell your personal data.
  • We do not use your health information for marketing or any unrelated purpose.
  • We do not knowingly collect data from children for independent marketing purposes.
  • We do not make decisions about you using fully automated processing that has legal or similarly significant effects.

Who we share data with

We share personal data only when needed to run the service, and only with providers who are under confidentiality and data protection terms.

  • Booking and hosting providers used to run this website and store data securely.
  • Email provider used to send confirmations and service messages.
  • Payment provider (if enabled) to take payments and handle refunds.
  • Analytics provider (if enabled) to understand general site usage and improve reliability.

We may also share information if required by law, to enforce our terms, or to protect rights, safety, and security (for example responding to a lawful request from authorities).

International transfers

Some service providers may process data outside the UK. When this happens, we use appropriate safeguards required by UK GDPR (for example UK adequacy regulations or contractual protections) to help keep your data protected.

How long we keep data

We keep personal data only for as long as necessary for the purposes described above.

  • Booking and communications: kept while we are actively providing services, and for a reasonable period afterwards to manage follow-ups, disputes, or record keeping.
  • Health and session notes (if any): kept only as long as needed for safe delivery of sessions and continuity, and reviewed periodically.
  • Invoices and accounting records: kept for the period required by law and tax rules.
  • Security logs: kept for short periods unless needed for investigating incidents or abuse.

If you ask us to delete data, we will do so unless we have a lawful reason to keep it (for example invoices).

Your rights under UK GDPR

You have rights over your personal data. These include the right to:

  • access your data and receive a copy of it
  • correct inaccurate or incomplete data
  • ask for deletion in certain situations
  • restrict processing in certain situations
  • object to processing based on legitimate interests
  • data portability (for data processed by automated means under consent or contract)
  • withdraw consent at any time (where consent is used)

To exercise any of these rights, contact us using the details on the website. We may ask for verification to protect your privacy.

Complaints

We would appreciate the chance to resolve any concern directly. You also have the right to complain to the UK Information Commissioner's Office (ICO) if you believe your data has been handled improperly.

Cookies and analytics

We may use cookies and similar technologies to keep the site working and to understand general usage. Essential cookies are used for core functionality and security. Optional analytics, if enabled, is used in aggregate to improve the site. We do not sell tracking data or follow you across other websites.

Keeping your data safe

  • Access is limited to people and systems that need it to run the service.
  • Passwords are stored using secure hashing (never plain text).
  • Payment details are handled by the payment provider rather than stored on our servers.
  • We use standard security practices to protect systems and review them periodically.

Changes to this policy

We may update this policy to reflect changes in the service or legal requirements. The “Last updated” date at the top will show when changes were made. If changes are significant, we will take reasonable steps to highlight them on the site.