Pin & Poke Ltd — Privacy Notice
Last updated: February 2026
BACKGROUND:
We respect the privacy of our clients and of everyone who visits our website,
www.pinandpoke.com (Our Site). Pin and Poke Ltd (we / us / our) will only collect and use
personal data in ways that are described in this Privacy Notice, and that are consistent with our
obligations and your rights under the Data Protection Legislation.
1. Definitions and Interpretation
In this Privacy Notice, the following terms shall have the following meanings:
Client: means an individual client who engages our services or who purchases
products from us, or on whose behalf our services are engaged or our
products purchased; and
Data Protection Legislation: means all applicable data protection and privacy legislation in force from
time to time in the UK including the UK GDPR; the Data Protection Act
2018 (DPA 2018) (and regulations made thereunder); the Data (Use and
Access) Act 2025; the Privacy and Electronic Communications
Regulations 2003 (SI 2003/2426) as amended and all other legislation
and regulatory requirements in force from time to time which apply to a
party relating to the use of personal data (including the privacy of
electronic communications).
2. Information About Us
Pin and Poke Ltd is a limited company incorporated in England & Wales with company number
15287096, whose registered office address is at St George’s Court, Winnington Avenue,
Northwich, Cheshire CW8 4EE. We are the controller and responsible for your personal data.
If you have any questions relating to your personal data or this Privacy Notice, you may contact
us at hello@pinandpoke.com.
3. Third party links
Our Site may include links to third-party websites. Clicking on those links may allow third parties
to collect or share data about you. We do not control these third-party websites and are not
responsible for the way in which they handle personal data. We encourage you to read the
privacy policy or privacy notice of every website you visit.
4. Your personal data
Personal data is any information about you that enables you to be identified. Personal data
covers your name and contact details, but also information such as electronic location data and
other online identifiers. It does not include data where your identity has been removed
(anonymous data).
It is important that your personal data is kept accurate and up-to-date. If any of the personal
data we hold about you changes, please let us know.
Where we need to collect personal data by law, or under the terms of a contract we have with
you, and you do not provide that data when requested, we may not be able to perform that
contract. In this case, we may have to cancel a product or service contract you have with us.
We will notify you if this is the case.
5. Your rights in relation to your personal data
Under the Data Protection Legislation, you have the following rights. More information on how
to exercise these rights follows later in this Privacy Notice.
● The right to be informed about our collection and use of your personal data.
● The right to access your personal data.
● The right to rectify your personal data if any of it is inaccurate or incomplete.
● The right to request deletion of your personal data (subject to certain legal
requirements) or to withdraw consent to us using it.
● The right to prevent processing of your personal data.
● The right to restrict the use of your personal data for particular purposes.
● The right of portability, enabling you to ask for a copy of your personal data to re-use
with another business.
● Rights relating to automated decision-making and profiling. We do not however use
your personal data in this way.
● The right to lodge a complaint if you believe your privacy or data protection rights have
been breached. You should raise your complaint with us in the first instance, and a copy
of our Data Protection Complaints Policy is available on request. We will acknowledge
your complaint within 30 days and respond to it without undue delay. If we are unable to
resolve your complaint effectively then you may submit a complaint to the Information
Commissioner’s Office (ICO) at www.ico.org.uk.
For more information about our use of your personal data or exercising your rights set out
above, please contact us at hello@pinandpoke.com.
6. What Data We Collect
Depending upon whether you are simply browsing Our Site or are a Client, we may collect and
hold some or all of the personal data set out below, using the methods also set out below.
Please also see our Cookie Policy on Our Site regarding our use of cookies and similar
technologies.
We collect the following types of personal data:
Contact and Biographical Information: This may include your name, date of birth, email
address, postal address, phone number, and other similar contact details that you provide when
contacting us through Our Site, by email or telephone. If you are a Client receiving an in-person
treatment, or attending one of our events or workshops, we may also collect contact information
for your nominated emergency contact.
Account Information: If you create an account on Our Site, we may collect information
associated with your account, such as your username, password, and profile details.
Payment Information: If you purchase goods or services from us, we may collect payment
information, including credit card details, billing address, and transaction history. However,
please note that we do not store full credit card numbers on our servers.
Communication Data: This includes any correspondence or communication between you and
us.
Usage Information: We automatically collect information about your usage of Our Site,
including pages visited, time spent on the site, clickstream data, and referring URL, using our
analytics software. This data helps us analyse website performance and user preferences.
Technical Information: We may collect technical information about your device and browser,
using our analytics software, including your IP address, browser type and version, device type,
operating system, and platform.
Social Media Data: If you interact with our social media pages or use social media features
integrated into Our Site, we may collect information from your social media profiles, such as
your social media handles and activities.
Cookies and Tracking Technologies: We may use cookies and similar tracking technologies
to collect information about your browsing behaviour and preferences. For more details, please
see our Cookie Policy.
Sensitive or special category data: If you are a Client or attend one of our workshops or
events, and you disclose to us information relating to your mental and physical health and
fitness, including existing or previous medical conditions, we may collect and process that
information, but only where (and to the extent that) this is relevant to the services we provide.
We do not collect any ‘special category’ or ‘sensitive’ personal data or data relating to criminal
convictions and/or offences, or in relation to children.
Other Information: We may collect additional information not specifically mentioned here with
your consent or as required by applicable laws and regulations.
Please note that the exact information collected may vary depending on your interactions with
Our Site and the services we offer. We only collect information that is necessary for the
purposes outlined in this Privacy Notice and as permitted by Data Protection Law.
7. How we use your personal data
Under the Data Protection Legislation, we must always have a lawful basis for using personal
data.
We will use your personal data in the following circumstances:
● To perform a contract with and/or provide our goods or services to you.
● Where it is necessary for our legitimate interests (or those of a third party), for
example:
○ To develop our business
○ To protect the security or integrity of our IT systems
○ To manage our relationship with you as our Client
○ To provide our services to Our Clients and attendees at our workshops and
events
○ To administer our business
○ To administer or improve Our Site
○ To maintain records for legal and regulatory compliance
○ To maintain or defend legal claims
Note that we will only rely on our legitimate interests to use your personal data if your
interests and rights do not override those legitimate interests.
● Where we need to comply with a legal or regulatory obligation.
● Where you have consented to us using or processing your personal data (for example,
by completing our intake form and/or GDPR consent form disclosing any medical
conditions which are relevant to the services we provide, or by consenting to receiving
direct marketing communications from us). You have the right to withdraw consent at
any time by contacting us.
● With your permission and/or where permitted by law, to market our products and/or
services to you. You will not be sent any unlawful marketing or spam, and you will
always have the opportunity to opt-out of marketing communications at any time.
We do not carry out automated decision making or any type of automated profiling.
We will only use your personal data for the purposes for which it was originally collected unless
we reasonably believe that another purpose is compatible with those original purposes and we
need to use your personal data for that purpose.
If we need to use your personal data for an unrelated or incompatible purpose to that for which it
was originally collected, we will inform you and explain the legal basis which allows us to do so.
In some circumstances, where permitted or required by law, we may process your personal data
without your knowledge or consent. This will only be done within the bounds of the Data
Protection Legislation and your legal rights.
8. Keeping your personal data
We will only process and store your personal data for as long as is necessary taking into account
the reasons for which it was first collected.
When deciding what the correct time is to keep the data for, we look at its amount, nature and
sensitivity, potential risk of harm from unauthorised use or disclosure, the processing purposes,
if these can be achieved by other means, and any legal and regulatory requirements.
We may keep your personal data for a longer period in the event of a complaint or if we
reasonably believe there is a prospect of litigation arising out of our relationship.
The law requires us to keep basic information about our Clients and our corporate clients’
employees and contractors to whom we provide services (including identity, contact and
payment information as well as information on the contracts we enter into with our Clients) for
tax and regulatory purposes, for seven years after they stop being Clients.
In some circumstances, we may anonymise your personal data for research or statistical
purposes. In this case, we may use this information indefinitely without further notice to you.
9. Storing your personal data
The security of your personal data is essential to us.
To protect your personal data, we have put in place appropriate technical and organisational
measures, including the following:
● personal data entered by you on Our Site is secured by SSL (secure socket layer)
technology in transit and at rest to improve security. SSL secures connections and
prevents impersonation or stealing of visitors’ information.
● Stripe, our selected payment processor, is compliant with PCI-DSS. Sensitive card data
is never handled by us. It goes directly to Stripe’s servers and we do not have access to
this information.
● we store personal data securely, including putting in place access controls, physical
security, and secure backup procedures. Data relating to those Clients to whom we
provide in-person one-to-one therapeutic services, and the services provided to them, is
encrypted and stored securely using Cliniko practice management software. Please see
Cliniko’s Security page for further information as to how it secures our Clients’ data.
● we collect only the minimum amount of personal data necessary for our purposes.
● access to your personal data is limited to those employees, agents, contractors, and
other third parties with a legitimate need to know and they are subject to duties of
confidentiality.
● we conduct regular data security audits to identify and address any vulnerabilities.
● we keep our software, systems, and applications up-to-date with security patches and
updates to address known vulnerabilities.
● we have in place procedures for dealing with data breaches. These include notifying
you, acting quickly to identify and limit the breach and any consequences of the breach
and/or notifying the relevant authorities where we are legally required to do so.
10. Transferring and sharing your personal data
We may use external third parties to provide systems, technology or support which involves
them processing your personal data on our behalf. For example, we use:
● Cliniko, to provide our practice management software, including appointment scheduling
tools, Client record management and administering payments. Cliniko’s Privacy Policy
and Data Processing Addendum set out how it processes and protects personal data.
● Flodesk, to provide our email marketing software, and to create, manage and send
marketing emails to Clients and other persons who have opted to receive them.
Flodesk’s Privacy Policy and Data Processing Addendum set out how it processes and
protects personal data.
● Stripe to administer our payment processes. When you purchase certain products or
services from us via Our Site, the payment information that you provide is encrypted and
transmitted directly to Stripe. We do not store your payment information. The
information you input is processed by Stripe in accordance with its Data Processing
Addendum.
● Squarespace to provide our website and analytics software. Squarespace’s Privacy
Policy and Data Processing Addendum set out how it processes and protects personal
data.
● Thrivecart to provide checkout services in relation to some of the digital and physical
products we provide. Please see Thrivecart’s Privacy Policy and Data Processing
Addendum for further information as to how Thrivecart processes and protects personal
data.
● Google to provide us with cloud document storage, productivity and collaboration tools.
Please see Google’s Data Protection and Privacy Centre and Data Processing
Addendum for more information on how Google stores and secures personal data on our
behalf.
Some of these external third parties use physical or cloud storage which is based outside the
United Kingdom. By providing any information, including personal data to us, you consent to
such transfer, storage and processing. Third countries outside the EEA may not have data
protection laws that are as strong as those in the UK. We use our best endeavours to select
only external third parties that require the same levels of personal data protection that would
apply under the Data Protection Legislation, and ensure these levels of protection are contained
in the external third parties’ privacy policies and data processing addenda.
In addition to the third-party IT and systems providers referred to above, we may also:
● share your personal data with other third parties if you specifically request this and have
consented to it.
● in exceptional circumstances, share personal data if we consider that there is a real risk
of harm to you or to others.
● on occasion, share your personal data with our professional advisers such as lawyers,
bankers, auditors and insurers.
● share your personal data with HM Revenue & Customs, regulators and other authorities
based in the United Kingdom if they request this.
● transfer your personal data to any new owner, if we sell, transfer, or merge parts of our
business or assets. Any new owner of our business may continue to use your personal
data in the same way(s) that we have used it, as specified in this Privacy Notice.
● be legally required to share certain personal data, which might include yours, if:
○ we are involved in legal proceedings
○ we are complying with legal obligations, for example as regards safeguarding,
terrorism, money laundering or drug trafficking
○ we are complying with a court order
○ we are complying with the instructions of a government authority
● be required to share certain personal data, which might include yours, by a regulatory
body, for example in relation to a client complaint or regulatory breach or investigation.
If any of your personal data is shared with a third party, as described above, we will take steps
to ensure that your personal data is handled safely, securely, and in accordance with your
rights, our obligations, and the third party’s obligations under the law.
11. Controlling and withholding your personal data
In addition to your rights under the Data Protection Legislation, set out in Section 5 above, when
you submit personal data via Our Site, you may be given options to restrict our use of your
personal data. We aim to give you control over our use of your data for direct marketing
purposes (including the ability to opt out of receiving marketing emails from us), which you may
do by unsubscribing using the links provided.
You may access certain areas of Our Site without providing any personal data. However, to use
all features and functions available on Our Site you may be required to submit or allow for the
collection of certain data.
You may restrict our use of Cookies. For more information, see our Cookie Policy which is
available on Our Site.
12. Accessing your personal data
If you want to know what personal data we have about you, you can ask us for details of that
personal data and for a copy of it. This is known as a Subject Access Request.
All subject access requests should be made in writing and sent to the following email address:
hello@pinandpoke.com. Please include “Subject Access request” in the email subject field.
There is not normally any charge for a subject access request, unless your request is
‘manifestly unfounded or excessive’, in which case we may charge an administrative cost.
We will aim to respond to your subject access request within one month of receiving it. If your
request is more complex, more time may be required, up to a maximum of three months. We
will keep you informed of our progress.
13. Our contact details
To contact us about anything to do with your personal data and data protection, please email us
at hello@pinandpoke.com.
14. Updates to this Privacy Notice
We may amend or update this Privacy Notice from time to time. A revised Privacy Notice will be
uploaded on Our Site and you will be deemed to have accepted its terms on your first use of
Our Site following the revisions. We recommend that you check this page regularly.
This Privacy Notice was last updated on 3 February