PRIVACY POLICY
Last Updated: 1 March 2026
This Privacy Policy explains how I collect, use, store, and protect your personal data when you (a) visit my website, (b) enquire or book, or (c) attend Pilates sessions, sports massage, cupping, or group classes (“Services”).
1) Who I Am (Data Controller)
Data Controller: Harmelie Kinsman
Email: info@harmeliepilates.com
If you have any questions about this policy or how your data is handled, contact me using the details above.
2) What Data I Collect
Depending on how you interact with me, I may collect:
A) Identity & contact details
- Name
- Email address
- Phone number
B) Booking & service details
- Appointment date/time, service type, location (e.g., studio or home visit)
- Communication history (emails, messages, notes relating to your booking)
- Preferences relevant to delivering the service (e.g., preferred times)
C) Address / location data (home visits)
- Postcode and/or home address (only where needed for travel and attendance)
D) Payment & invoicing
- Invoices, payment status, transaction references
- I do not store full card details. Card payments are handled by your payment provider.
E) Health information (Special Category Data)
- Medical history, injuries, pregnancy/postnatal information, contraindications, relevant medications, pain/injury notes, and session notes required for safe practice, planning, and insurance.
F) Website/technical data (if applicable)
- IP address, device/browser info, pages visited, and cookie/analytics data (where enabled)
3) How I Collect Your Data
I collect data when you:
- Fill in a website form, health form, or consent form
- Book via my booking system
- Contact me by email, phone, social media, or messaging apps
- Attend sessions (session notes and progress notes)
- Use my website (cookies/analytics where enabled)
4) Why I Use Your Data (Purposes)
I use your data to:
- Provide Services you book (deliver sessions safely and appropriately)
- Manage bookings (confirmations, reminders, rescheduling, attendance)
- Keep clinical-style notes necessary for safe practice and continuity
- Take payments, issue invoices, and keep financial records
- Meet insurance requirements and manage complaints/incidents if they arise
- Send service updates (e.g., changes to location, schedule, or policies)
- Send marketing about new classes/offers only if you opt in (see Section 6)
5) Lawful Bases for Processing (UK GDPR)
Under UK GDPR, I only process your data when I have a lawful basis.
A) For providing and managing Services (Article 6)
- Contract: to deliver the Services you request and manage your booking
- Legal obligation: to keep financial/tax records and comply with legal duties
- Legitimate interests: to run my business effectively (e.g., appointment administration, preventing no-shows, maintaining service quality), provided your rights do not override these interests
B) Health information (Special Category Data — Article 9)
Health data is “special category” data and requires additional protection.
- I process health data based on your explicit consent, collected via a health/consent form or written confirmation, for the purposes of safe practice, planning your sessions, and meeting insurance/professional requirements.
Important: If you choose not to provide necessary health information, or withdraw consent for processing it, I may not be able to safely provide Services.
6) Marketing Messages (Email/SMS)
I will only send you promotional messages (e.g., offers, new class announcements) if:
- You have opted in, or have used my services, and
- You can opt out at any time by using the unsubscribe option or contacting me.
Service messages that are necessary to deliver your booking (e.g., confirmations, reminders, schedule changes) are not marketing.
7) Who I Share Your Data With
I do not sell your data.
I may share your data only when necessary with trusted providers who help me run the business (“data processors”), such as:
- Website provider: Wix
- Booking/scheduling provider: Wix
- Payment provider
- Accounting support: my accountant/bookkeeper (where applicable)
- Professional/insurance support: my insurer or professional advisers if required for claims, complaints, or legal issues
- Venue/studio (if applicable): only the minimum needed for attendance/admin
All providers are expected to protect your data and use it only for the services they provide to me.
8) International Data Transfers
Some of my providers may store or process data outside the UK. Where this happens, I ensure appropriate safeguards are in place (such as adequacy regulations or approved contractual protections) to protect your data.
9) Data Security
I take reasonable steps to protect your data from loss, misuse, unauthorised access, alteration, or disclosure. These steps may include:
- Secure, password-protected devices/accounts
- Limited access to client records
- Secure storage practices for forms/notes (digital and/or physical)
No online system can be guaranteed 100% secure, but I work to keep protections appropriate to the type of data held.
10) How Long I Keep Your Data (Retention)
I keep data only for as long as needed for the purposes above, including legal, tax, and insurance obligations.
Typical retention periods:
- Invoicing & financial records: up to 7 years
- Health forms & session notes: 7 years after your last session (or longer if needed for insurance/complaint defence)
- Marketing opt-in records: until you unsubscribe/withdraw consent
- General enquiries (no booking): typically up to 12 months
11) Your Rights
You have the right to:
- Request access to the personal data I hold about you
- Request correction of inaccurate or incomplete data
- Request deletion of your data (where applicable; some data must be retained for legal/insurance reasons)
- Request restriction of processing in certain circumstances
- Object to processing based on legitimate interests
- Request data portability where applicable
- Withdraw consent at any time where processing is based on consent (e.g., marketing and health-data consent)
How to exercise your rights: contact me using the details in Section 1.
I will respond within one month (or sooner where possible).
12) Complaints
If you have concerns, please contact me first so I can try to resolve the issue.
You also have the right to complain to the Information Commissioner’s Office (ICO) (the UK supervisory authority for data protection).
13) Children / Minors
My Services are intended for adults. If I agree to provide Services to a minor, I will require consent from a parent/guardian and may apply additional safeguarding and data-handling steps.
14) Cookies & Website Analytics (if applicable)
If you use my website, it may use cookies and similar technologies for essential functions and (where enabled) analytics. You can manage cookie preferences via the cookie banner/settings on the website.
15) Changes to This Policy
I may update this policy from time to time. The latest version will be available on my website and/or provided on request. The “Last Updated” date shows when changes were made.