PRIVACY NOTICE

BACKGROUND:

We respect the privacy of our clients and of everyone who visits our website, www.pinandpoke.com (Our Site). Pin and Poke Ltd (we /us / our) will only collect and use personal data in ways that are described in this Privacy Notice, and that are consistent with our obligations and your rights under the Data Protection Legislation.

1. Definitions and Interpretation 

In this Privacy Notice, the following terms shall have the following meanings:  

Client: means an individual client who engages our services or who purchases products from us, or on whose behalf our services are engaged or our products purchased; and

Data Protection Legislation: means all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including the privacy of electronic communications).

2. Information About Us

Pin and Poke Ltd is a limited company incorporated in England & Wales with company number 15287096, whose registered office address is at Elmwood House York Road, Kirk Hammerton, York, North Yorkshire, United Kingdom, YO26 8DH. We are the controller and responsible for your personal data.  

If you have any questions relating to your personal data or this Privacy Notice, you may contact us at hello@pinandpoke.com.

3. Third party links

Our Site may include links to third-party websites. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for the way in which they handle personal data. We encourage you to read the privacy policy or privacy notice of every website you visit.

4. Your personal data

Personal data is any information about you that enables you to be identified. Personal data covers your name and contact details, but also information such as electronic location data and other online identifiers. It does not include data where your identity has been removed (anonymous data).

It is important that your personal data is kept accurate and up-to-date. If any of the personal data we hold about you changes, please let us know.

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you do not provide that data when requested, we may not be able to perform that contract. In this case, we may have to cancel a product or service contract you have with us. We will notify you if this is the case. 

5. Your rights in relation to your personal data

Under the Data Protection Legislation, you have the following rights. More information on how to exercise these rights follows later in this Privacy Notice.

The right to be informed about our collection and use of your personal data.

The right to access your personal data.

The right to rectify your personal data if any of it is inaccurate or incomplete. 

The right to request deletion of your personal data (subject to certain legal requirements) or to withdraw consent to us using it.

The right to prevent processing of your personal data.

The right to restrict the use of your personal data for particular purposes.

The right of portability, enabling you to ask for a copy of your personal data to re-use with another business.

Rights relating to automated decision-making and profiling. We do not, however, use your personal data in this way.

The right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk if you believe your privacy or data protection rights have been breached. We would always appreciate an opportunity to work with you to resolve any issues or complaints you may have before you approach the ICO.

For more information about our use of your personal data or exercising your rights set out above, please contact us at hello@pinandpoke.com.

6. What Data We Collect 

Depending upon whether you are simply browsing Our Site or are a Client, we may collect and hold some or all of the personal data set out below, using the methods also set out below.

Please also see our Cookie Policy on Our Site regarding our use of cookies and similar technologies.

We collect the following types of personal data:

Contact and Biographical Information: This may include your name, date of birth, email address, postal address, phone number, and other similar contact details that you provide when contacting us through Our Site, by email or telephone. If you are a Client receiving an in-person treatment, we will also collect contact information for your nominated emergency contact.

Account Information: If you create an account on Our Site, we may collect information associated with your account, such as your username, password, and profile details.

Payment Information: If you purchase goods or services from us, we may collect payment information, including credit card details, billing address, and transaction history. However, please note that we do not store full credit card numbers on our servers.

Communication Data: This includes any correspondence or communication between you and us. 

Usage Information: We automatically collect information about your usage of Our Site, including pages visited, time spent on the site, clickstream data, and referring URL, using our analytics software. This data helps us analyse website performance and user preferences.

Technical Information: We may collect technical information about your device and browser, using our analytics software, including your IP address, browser type and version, device type, operating system, and platform.

Social Media Data: If you interact with our social media pages or use social media features integrated into Our Site, we may collect information from your social media profiles, such as your social media handles and activities.

Cookies and Tracking Technologies: We may use cookies and similar tracking technologies to collect information about your browsing behaviour and preferences. For more details, please see our Cookie Policy.

Sensitive or special category data: If you are a Client, and with your consent, we may collect information relating to your mental and physical health and fitness, including existing or previous medical conditions, but only where (and to the extent that) this is relevant to the services we provide. We do not collect any ‘special category’ or ‘sensitive’ personal data or data relating to criminal convictions and/or offences, or in relation to children.  

Other Information: We may collect additional information not specifically mentioned here with your consent or as required by applicable laws and regulations.

Please note that the exact information collected may vary depending on your interactions with Our Site and the services we offer. We only collect information that is necessary for the purposes outlined in this Privacy Notice and as permitted by the Data Protection Legislation.

7. How we use your personal data

Under the Data Protection Legislation, we must always have a lawful basis for using personal data. 

We will use your personal data in the following circumstances:

To perform a contract with and/or provide our services to you.

Where it is necessary for our legitimate interests (or those of a third party), for example:

To develop our business

To protect the security or integrity of our IT systems

To manage our relationship with you as our Client

To administer our business

To administer or improve Our Site

To maintain records for legal and regulatory compliance

To maintain or defend legal claims 

Note that we will only rely on our legitimate interests to use your personal data if your interests and rights do not override those legitimate interests.  

Where we need to comply with a legal or regulatory obligation.

Where you have consented to us using or processing your personal data (for example, by completing our intake form and GDPR consent disclosing any medical conditions which are relevant to the services we provide, or by consenting to receiving direct marketing communications from us). You have the right to withdraw consent at any time by contacting us.

With your permission and/or where permitted by law, to market our products and/or services to you. You will not be sent any unlawful marketing or spam, and you will always have the opportunity to opt out of marketing communications at any time.

We do not carry out automated decision making or any type of automated profiling. 

We will only use your personal data for the purposes for which it was originally collected unless we reasonably believe that another purpose is compatible with those original purposes and we need to use your personal data for that purpose. 

If we need to use your personal data for an unrelated or incompatible purpose to that for which it was originally collected, we will inform you and explain the legal basis which allows us to do so.

In some circumstances, where permitted or required by law, we may process your personal data without your knowledge or consent. This will only be done within the bounds of the Data Protection Legislation and your legal rights.

8. Keeping your personal data

We will only process and store your personal data for as long as is necessary, taking into account the reasons for which it was first collected.

When deciding how long to keep the data for, we look at its amount, nature and sensitivity, the potential risk of harm from unauthorised use or disclosure, the processing purposes and whether these can be achieved by other means, and any legal and regulatory requirements.

We may keep your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation arising out of our relationship.

The law requires us to keep basic information about our Clients (including identity, contact and payment information as well as information on the contracts we enter into with our Clients) for tax and regulatory purposes, for seven years after they stop being clients.

In some circumstances, we may anonymise your personal data for research or statistical purposes. In this case, we may use this information indefinitely without further notice to you.

9. Storing your personal data

The security of your personal data is essential to us.

To protect your personal data, we have put in place appropriate technical and organisational measures, including the following:

Personal data entered by you on Our Site is secured by SSL (Secure Sockets Layer) technology in transit and at rest to improve security. SSL secures connections and prevents impersonation or stealing of visitors’ information.

Stripe, our selected payment processor, is compliant with PCI-DSS. Sensitive card data is never handled by us. It goes directly to Stripe’s servers and we do not have access to this information.

We store personal data securely, including putting in place access controls, physical security, and secure backup procedures. Data relating to our Clients and the services provided to them is encrypted and stored securely using Cliniko practice management software. Please see Cliniko’s Security page for further information as to how it secures our Clients’ data.

We collect only the minimum amount of personal data necessary for our purposes.

Access to your personal data is limited to those employees, agents, contractors, and other third parties with a legitimate need to know, and they are subject to duties of confidentiality.

We conduct regular data security audits to identify and address any vulnerabilities.

We keep our software, systems, and applications up-to-date with security patches and updates to address known vulnerabilities.

We have in place procedures for dealing with data breaches. These include notifying you, acting quickly to identify and limit the breach and any consequences of the breach, and/or notifying the relevant authorities where we are legally required to do so.

10. Transferring and sharing your personal data

We may use external third parties to provide systems, technology or support which involves them processing your personal data on our behalf. For example, we use:

Cliniko, to provide our practice management software, including appointment scheduling tools, Client record management and administering payments. Cliniko’s Privacy Policy and Data Processing Addendum set out how it processes and protects personal data.

Squarespace, to provide our email marketing software, and to create, manage and send marketing emails to Clients and other persons who have opted to receive them. Squarespace’s Privacy Policy and Data Processing Addendum set out how it processes and protects personal data.

Stripe, to administer our payment processes. When you purchase certain products or services from us via Our Site, the payment information that you provide is encrypted and transmitted directly to Stripe. We do not store your payment information. The information you input is processed by Stripe in accordance with its Data Processing Addendum.

Squarespace, to provide our website and analytics software. Squarespace’s Privacy Policy and Data Processing Addendum set out how it processes and protects personal data.

Google, to provide us with cloud document storage, productivity and collaboration tools. Please see Google’s Data Protection and Privacy Centre and Data Processing Addendum for more information on how Google stores and secures personal data on our behalf.

Some of these external third parties use physical or cloud storage which is based outside the United Kingdom. By providing any information, including personal data to us, you consent to such transfer, storage and processing. Third countries outside the EEA may not have data protection laws that are as strong as those in the UK. We use our best endeavours to select only external third parties that require the same levels of personal data protection that would apply under the Data Protection Legislation, and ensure these levels of protection are contained in the external third parties’ privacy policies and data processing addenda.  

In addition to the third party IT and systems providers referred to above, we may also:

share your personal data with other third parties if you specifically request this and have consented to it.

in exceptional circumstances, share personal data if we consider that there is a real risk of harm to you or to others.

on occasion, share your personal data with our professional advisers such as lawyers, bankers, auditors and insurers.  

share your personal data with HM Revenue & Customs, regulators and other authorities based in the United Kingdom if they request this.

transfer your personal data to any new owner, if we sell, transfer, or merge parts of our business or assets. Any new owner of our business may continue to use your personal data in the same way(s) that we have used it, as specified in this Privacy Notice.

be legally required to share certain personal data, which might include yours, if:

  • we are involved in legal proceedings

  • we are complying with legal obligations, for example as regards safeguarding, terrorism, money laundering or drug trafficking

  • we are complying with a court order

  • we are complying with the instructions of a government authority

be required to share certain personal data, which might include yours, by a regulatory body, for example in relation to a client complaint or regulatory breach or investigation.

If any of your personal data is shared with a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law.

11. Controlling and withholding your personal data

In addition to your rights under the Data Protection Legislation, set out in Section 5 above, when you submit personal data via Our Site, you may be given options to restrict our use of your personal data. We aim to give you control over our use of your data for direct marketing purposes (including the ability to opt out of receiving marketing emails from us), which you may do by unsubscribing using the links provided. 

You may access certain areas of Our Site without providing any personal data. However, to use all features and functions available on Our Site you may be required to submit or allow for the collection of certain data.

You may restrict our use of Cookies. For more information, see our Cookie Policy which is available on Our Site.

12. Accessing your personal data

If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it. This is known as a Subject Access Request.

All subject access requests should be made in writing and sent to the following email address: hello@pinandpoke.com. Please include “Subject Access Request” in the email subject field.

There is not normally any charge for a subject access request, unless your request is ‘manifestly unfounded or excessive’, in which case we may charge an administrative cost.

We will aim to respond to your subject access request within one month of receiving it. If your request is more complex, more time may be required, up to a maximum of three months. We will keep you informed of our progress.

13. Our contact details

To contact us about anything to do with your personal data and data protection, please email us at hello@pinandpoke.com.

14. Updates to this Privacy Notice 

We may amend or update this Privacy Notice from time to time. A revised Privacy Notice will be uploaded on Our Site and you will be deemed to have accepted its terms on your first use of Our Site following the revisions. We recommend that you check this page regularly. 

This Privacy Notice was last updated on 4 November 2024.