top of page

Our Privacy Policy

Privacy Policy – STUDIO FORMA PILATES LTD

Effective Date: 01/10/25

Studio Forma Pilates (“we”, “our”, “us”) respects your privacy and is committed to protecting your personal data. This policy explains how we collect, use, and protect your information in line with UK GDPR and the Data Protection Act 2018.

1. Who we are

STUDIO FORMA PILATES LTD
Email: hello@studioformapilates.co.uk
Website: www.studioformapilates.co.uk

We are the data controller for the personal information you provide to us.

2. What information we collect

We may collect and process the following personal data when you interact with us:

  • Name, email address, phone number, emergency contact

  • Payment details (processed securely by our booking/payment provider – we do not store card details)

  • Health information relevant to participation in Pilates classes (e.g. PAR-Q, injuries, pregnancy, or medical conditions you choose to share)

  • Attendance and booking records

3. Why we collect your information

We use your information to:

  • Provide, manage, and improve our Pilates classes and services

  • Communicate with you about bookings, schedule changes, and updates

  • Keep you safe during classes (health information)

  • Process payments and manage accounts

  • Send you marketing updates (only if you have consented – you can opt out anytime)

4. Legal basis for processing

We process your personal data under the following bases:

  • Contract – to provide you with the classes and services you book

  • Legal obligation – to comply with tax and accounting rules

  • Consent – for collecting health details and sending marketing communications

  • Legitimate interest – to manage business operations and improve services

5. How we store and protect your information

  • Data is stored securely using our booking system (Punchpass) and email provider.

  • Health forms and personal data are only accessible to authorised staff.

  • We do not share your personal data with third parties, except payment processors or where required by law.

  • We keep your data only as long as necessary (usually up to 7 years for financial records).

6. Your rights

Under GDPR, you have the right to:

  • Access the data we hold about you

  • Correct inaccuracies in your data

  • Request deletion of your data (where legally possible)

  • Restrict or object to processing

  • Withdraw consent for marketing or health data at any time

To exercise your rights, email us at: hello@studioformapilates.co.uk

7. Marketing

If you choose to join our mailing list, we will send occasional updates about classes, offers, and events. You can unsubscribe at any time by clicking the link in our emails or contacting us directly.

8. Complaints

If you have any concerns about how we handle your data, please contact us first.
You also have the right to complain to the UK Information Commissioner’s Office (ICO): www.ico.org.uk

Data Protection Complaints Policy

 

1. Purpose

This policy explains how STUDIO FORMA handles data protection complaints fairly, promptly, and in line with UK data protection law, including the internal complaints process requirements introduced by the Data (Use and Access) Act 2025 and set out in DPA 2018, s.164A.

2. Scope

This policy applies where an individual complains that we have infringed data protection law in connection with their personal data (or personal data of someone they are authorised to act for).It covers complaints received from customers, staff, suppliers, website users, and any other individuals whose personal data we process. The duty to operate a complaints process applies broadly and the Infor-mation Commissioner’s Office (ICO) states there are no exemptions.Personal data (or personal information) means information that identifies or relates to an individual.The ICO is the UK’s independent regulator for data protection and privacy. It provides guidance to organi-sations, investigates complaints, and has legal powers to take enforcement action where organisations do not comply with data protection law.

3. What is a “data protection complaint”?

A data protection complaint is any expression of dissatisfaction where the person considers we have breached data protection legislation in how we handled their personal information, and they do not need to use legal terms or cite legislation.Examples include complaints about:●how we responded to a subject access request (SAR) (a request for a copy of personal information we hold about the individual) or other rights request;●security measures used to protect personal data (including concerns following a breach, whether or not reportable to the ICO);●how we collected, used, stored, retained, or kept personal data accurate.

4. What is not a data protection complaint?

Sometimes people complain about service or other issues while also exercising data protection rights; the ICO explains that this doesn’t count as a data protection complaint (for example, an employee grievance combined with a request for copies of personal data, or a customer service complaint combined with a de-letion request).Where a complaint raises both data protection issues and other concerns (such as service or employment matters), we will treat it as a “mixed complaint”. We will handle the data protection aspects under this pol-icy and ensure they are identified, recorded, and responded to separately and alongside any non-data pro-tection issues.If it is unclear whether the person intends to raise a data protection complaint, we will ask them to clarify.

5 .How people can complain to us

We provide clear routes for individuals to complain directly to us, and we will accept complaints however they are received.Preferred contact details: STUDIO FORMAEmail: hello@studioformapilates.co.ukPost: 105 Ella road, Nottingham, NG2 5GZTelephone: 07417 497087We may invite use of the preferred routes above, but people can complain via any channel (including to any staff member, or via social media if we have an online presence), and we must accept the complaint regardless.Where a complaint comes in via social media, we will request an alternative contact method because social media is generally not a secure way to exchange personal information.

6. Our legal duties

We will facilitate the making of complaints (for example, by providing a complaint form that can be com-pleted electronically and by other means).When we receive a data protection complaint, we will:

6.1. Acknowledge receipt within 30 days (the 30 days run from when the complaint is received).

6.2. Without undue delay - take appropriate steps to respond (including making appropriate enquiries and keeping the complainant informed of progress).

6.3. Without undue delay - inform the complainant of the outcome.

7. Making people aware of their right to complain

We will tell people that they can complain to us (and that they can also complain to the ICO) at the point we collect their personal information, for example in our privacy notice, using clear and plain language.We will also include information about this right when we respond to a subject access request.

8. Identity and authority checksWe will verify identity where necessary. If we have doubts about the complainant’s identity, we may ask for proof of ID and we will do this as early as possible; if we already have enough information to confirm identity, we will not request more.If someone complains on behalf of another person, we must check they are authorised to act for that per-son (for example, by a signed letter of authority or appropriate power of attorney). If we do not have evi-dence of authority, we will not investigate until we receive it.

9. Our process (step-by-step)

9.1. Logging and triage (Day 0 onward)We will log the complaint on receipt, record the channel it came through, and route it promptly to the Manager – Kate Manfredi. The duty to investigate begins when the complaint is received, not after the acknowledgement is sent.We will check whether it is a data protection complaint (see section 3) and, if unclear, we will ask the indi-vidual to clarify their intent.

9.2. Acknowledgement (within 30 days)We will acknowledge the complaint within 30 days. The acknowledgement will confirm receipt, that we will look into it, and the next steps. The 30 days start the day after receipt, including weekends/bank holidays, and if the last day falls on a weekend or public holiday the deadline moves to the next working day.We will make operational arrangements to ensure acknowledgements are sent even during staff absence.

9.3. Investigation (without undue delay)We will investigate without undue delay (meaning as soon as reasonably possible, and without unneces-sary delay). What is “undue” depends on the circumstances, and factors such as complexity, scale, and any harm caused by any delay.In most cases, we aim to provide a substantive response within one month, although complex complaints may take longer.Our investigation will be proportionate and may include reviewing relevant records, speaking to staff, com-paring the complaint with the data we hold, and checking compliance with our own policies and standards.If we need more information to understand the complaint, we will ask as soon as possible. We may also ask what outcome the individual is seeking to help resolve matters efficiently.

9.4. Keeping the complainant informed (without undue delay)We will keep the complainant updated about progress without undue delay, including timeframes, and where there are delays, the reason for these will be explained.

9.5. Outcome (without undue delay)Once we have finished our investigation, we will inform the complainant of the outcome without an unjusti-fiable or excessive delay.Our response will clearly explain what we did, what we found, and (where appropriate) what we changed or corrected. If we consider we complied with data protection law, we will explain why and provide enough detail to help the complainant understand how we reached that view; the ICO suggests itemising complaint points and responding to each.If the complaint is upheld, we may (as appropriate) correct data, amend processes, provide training, or take other remedial steps.

10. Review/escalation within the organisation

If the complainant remains unhappy, we may offer a review by a different decision-maker or a senior member of staff, where practical. The ICO indicates organisations could consider having a review process, but people can complain to the ICO at any point and do not have to wait for an internal review.

11. How to complain to the ICO

Individuals can complain to the ICO at any time. The ICO will, in most cases, ask individuals to raise their complaint with the organisation first, but the ICO remains available to handle eligible data protection com-plaints.ICO complaint information: https://ico.org.uk/make-a-complaint/data-protection-complaints/

12. Record keeping and retention

We will keep records to demonstrate compliance, including:●date received;●acknowledgement;●key communications and documents;●outcome; and●actions taken.We will not retain personal information for longer than necessary.We may also monitor themes and trends to identify recurring issues and improve compliance.

13. Children and vulnerable individuals

Children have the same rights as adults, but merit specific protection; if we receive a complaint from a child, we will use clear, plain language and assess competence to exercise rights.If we are within scope of the Age Appropriate Design Code (ICO rules for protecting children’s personal data online), we will also follow the ICO’s expectations for complaint mechanisms and escalation routes for urgent and/or safeguarding issues.

14. Joint controllers and processors

If we act as a joint controller (meaning we decide together with another organisation how and why per-sonal data is used), we will maintain a transparent arrangement that covers complaint handling and coor-dination, noting that the timeframe starts when any joint controller receives the complaint.Where we use data processors (organisations that process personal data on our behalf), we will ensure contracts/support arrangements enable us to meet our complaint-handling obligations; processors may assist administratively but the duty remains with us as controller.

15. Staff training and internal awareness

We will train staff to recognise data protection complaints and route them appropriately, because complaints can be received through any part of the organisation.

16. Policy ownership and review

Policy owner:STUDIO FORMA

Approved by:STUDIO FORMA PILATES LTD

Effective date:07/06/26

Next review date: 07/06/27

This policy will be reviewed at least annually and after any significant complaint trend or regulatory/guidance change.

bottom of page