Privacy Policy

Last Updated: 25 March 2026

This policy explains how The Health Play Collective collects, uses, stores and protects your personal data. We believe in transparency — no hidden clauses, no “corporate speak.”

Data Controller

The Health Play Collective is the data controller under UK GDPR and the Data Protection Act 2018. This means we determine the purposes and means of processing your personal data. If you have any questions about how we handle your data, you can contact us at: info@thehealthplaycollective.co.uk

 

What We Collect & Why (Legal Bases)

We only collect data that is necessary for the purposes described below. We rely on the following legal bases under Article 6 UK GDPR:

Contractual Necessity (Art. 6(1)(b)) — processing required to deliver your booked event and fulfil our agreement with your organisation.

Legitimate Interests (Art. 6(1)(f)) — to improve our services, manage our business relationship, and send relevant content where you would reasonably expect this. We have conducted a Legitimate Interests Assessment (LIA) and are satisfied our interests do not override your rights.

Explicit Consent (Art. 6(1)(a) and Art. 9(2)(a)) — for special category data such as health information and for any direct marketing communications.

Category | Examples | Legal Basis
Identity & Contact | Name, business email, phone number | Contractual Necessity
Organisational | Job title, company name, team size | Legitimate Interests
Special Category — Health | Dietary requirements, physical limitations, medical conditions disclosed on health screen | Explicit Consent
Marketing Preferences | Opt-in to burnout-prevention tips and wellness content | Consent
Technical | IP address, browser type, cookie identifiers | Legitimate Interests / Consent

A note on Special Category Data: Health and dietary information is classified as “special category” data under Article 9 UK GDPR and carries the highest level of protection. We collect this solely to ensure participant safety during yoga, movement and nutrition sessions. You may withdraw this consent at any time without affecting your ability to attend non-physical elements of the day. We will never use health data for marketing purposes.

 

How Long We Keep Your Data (Retention)

We do not keep your data longer than necessary. Our retention schedule is as follows:

  • Booking and contractual records: 6 years from the event date (to comply with the Limitation Act 1980 and HMRC requirements)
  • Health screen forms: Destroyed within 30 days of the event, unless you have an ongoing relationship with us
  • Marketing preferences: Until you withdraw consent or we have not had contact for 3 years (whichever is sooner)
  • Cookie and analytics data: As per our Cookie Policy below (typically 13 months for Google Analytics)

 

Data Sharing

We share your data only where necessary and only with parties who are contractually obligated to protect it. Recipients may include:

  • Our core practitioner team (nutritionists, yoga facilitators, music facilitators) — who receive only the information relevant to their role (e.g. health limitations and dietary requirements)
  • Your chosen partner venue — who may need contact details for logistical coordination
  • Our booking and CRM software provider — who acts as a data processor on our behalf under a signed Data Processing Agreement (DPA)
  • Payment processors — subject to their own privacy policies and PCI-DSS compliance

We do not sell your data. We do not share it with third parties for their own marketing purposes.

 

International Transfers

We are based in the UK. In limited circumstances, software tools we use (such as analytics or CRM platforms) may process data on servers outside the UK or EEA. Where this occurs, we ensure an appropriate safeguard is in place, which will be one of the following:

  • The destination country has UK “adequacy” regulations in place (meaning the ICO has determined its data protection standards are equivalent to the UK’s)
  • We have entered into UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) with the recipient
  • The transfer is covered by an approved certification mechanism

You can request details of any specific transfers and the safeguards in place by contacting us.

 

Your Rights Under UK GDPR

You have the following rights, all of which you can exercise free of charge by contacting us at info@thehealthplaycollective.co.uk. We will respond within one calendar month.

  1. Right of Access (Art. 15): Request a copy of all personal data we hold about you, along with information on how and why it is processed.
  2. Right to Rectification (Art. 16): Ask us to correct any inaccurate or incomplete data without undue delay.
  3. Right to Erasure (Art. 17): Request deletion of your data where there is no compelling reason for us to continue holding it. Note this right is not absolute — we may need to retain certain records for legal compliance.
  4. Right to Restrict Processing (Art. 18): Ask us to pause processing of your data while a dispute is resolved, for example if you contest its accuracy.
  5. Right to Data Portability (Art. 20): Where processing is based on consent or contract and carried out by automated means, receive your data in a structured, machine-readable format (e.g. CSV) and transfer it to another provider.
  6. Right to Object (Art. 21): Object to processing based on Legitimate Interests at any time. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
  7. Right to Withdraw Consent: Where we rely on consent (including for health data and marketing), you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  8. Rights related to automated decision-making: We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

How to complain: If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the opportunity to address your concern directly before you contact the ICO.

 

Data Security

We take appropriate technical and organisational measures to protect your data against accidental loss, unauthorised access, alteration or disclosure. These include:

  • Encryption of data in transit (TLS) and at rest where applicable
  • Access controls — practitioner team members only access data relevant to their role
  • Secure disposal of physical health forms after the retention period
  • Regular review of our data processors and their security standards

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay, in line with Articles 33 and 34 UK GDPR.