PedalHouse Privacy Policy – September 2020


PedalHouse respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.

This Privacy Policy sets out the basis on which we collect and process personal data about you including our practices regarding the collection, use, storage and disclosure of personal data that we collect from you and/or hold about you, and your rights in relation to that data.

Please read the following carefully to understand how we process your personal data. By providing your personal data to us or by using our services, website or other online or digital platform(s) you are accepting or consenting to the practices as described or referred to in this Privacy Policy.

Our website and our services are not intended for children and we do not knowingly collect data relating to children.

It is important that you read this Privacy Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them. We may update this Privacy Policy to reflect changes to our information practices or in line with new legislation. We encourage you to periodically review this Privacy Policy.

PedalHouse Trading Limited, a company registered in Scotland with company number SC488779 with its registered office at 1-4 Atholl Crescent, Edinburgh EH106DL, is the controller and responsible for your personal data (referred to as "we", "us" or "our" in this Privacy Policy).

We have a data privacy manager who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, please contact the data privacy manager using the details set out below.

Email us: Ride-on@pedalhousedinburgh.com
Write to us: 5-6 Conference Square, Edinburgh, EH3 8RA

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

1 What personal data may we collect from you?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped into categories and explained when we will collect it as follows:
Identity and Contact data
Your title, name and surname, gender, and your contact details (address, email address and/or telephone number), date of birth, username or similar identifier, marital status, title, your next of kin or emergency contacts
The company you work for/represent (if contact is on behalf of company, or you are booking using a company special benefit)
When you sign up as a Customer or when you attend an event hosted by us on behalf of one of our partners or when you change your details
When you visit our studios
When you request information about our services via email/call/website
When you give your details or are photographed at an event we run
When you are named contact for a supplier
When someone contacts us (for example a friend or your employer) to make a class or event reservation on your behalf
Health information
if you have a medical condition that may affect you use of our services (please see “special categories of personal data” below)
If you choose to provide us with this information before participating in any of our classes or events or if you become unwell when you are in our studios
Transaction data
Billing address and payment card/bank details
When you sign up as a Customer and start an account or change your details
When you purchase any other products or services from us
Information about your transactions, including your payment card details/bank details and any payments we make to you When you purchase any products or services from us or when we make refunds to you or make payments to you. When you supply and goods or services to us if you are one of our suppliers.
Information about your Class Passes and purchases When you make these purchases on our website or in our studios
Profile data
The communications you exchange with us (for example, your emails, letters, calls, or logs of face to face interactions) and this would include any information about complaints and incidents
When you contact us or are in our studios or you are contacted by us
Your attendances at our classes or events When you attend classes or events
Your posts and messages on our social media platform pages When you interact with us on social media
Your feedback and preferences and marketing data When you reply to our requests for feedback or participate in our customer surveys and your preferences.
Information about how you use our website including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website. When you navigate on our website

If you give us information about anyone else
Where you have named someone as your next of kin and provided us with personal data about that individual, it is your responsibility to ensure that that individual is aware of and accepts the terms of this Privacy Policy. If you add register another person as a Customer on your account it is your responsibility to ensure that that individual is aware of and accepts the terms of this Privacy Policy.
Aggregated data
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a service we offer. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.
Special categories of personal data
In the course of providing services to you, we may collect information that is considered “special categories of personal data”. This will most often be health information relating to your ability to use our services. We only collect this information where you have chosen to tell us this and given your explicit consent, where it is necessary to protect your vital interests, or you have deliberately made it public. If you do not allow us to process any special category personal data, this may mean we are unable to provide all or parts of the services you have requested from us.
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

2. How do we use your personal data?
Please note that, although we have set out the purposes for which we may use your personal data below, we will not use your special categories of personal data for those purposes unless you have given us your explicit consent to do so.

Purposes for which we will use your personal data
We have set out below, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest
To register you as a new Customer
Performance of a contract with you
To process your bookings and deliver our services including:
(a) informing you of any changes to your booking or our classes or events or services and our of timetables and services
(b) to manage payments and any refunds
(c) collect and recover money owed to us

Performance of a contract with you
Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with you which will include:
(a) notifying you about changes to our terms or privacy policy
(b) asking you to leave a review or take a survey
(c) responding to communications from you

Performance of a contract with you
Necessary to comply with a legal obligation
Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To enable you to partake in a prize draw, competition or complete a survey
Identity
Contact
Profile Performance of a contract with you
Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) Identity
Contact
Profile Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
Necessary to comply with a legal obligation
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you Identity
Contact
Profile
Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences Profile Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that may be of interest to you
Identity
Contact
Profile Necessary for our legitimate interests (to develop our products/services and grow our business)
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Promotional information from us
We may use your Identity, Contact and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.
You will receive marketing communications from us if you have requested information from us or purchased goods or services from us or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not opted out of receiving that marketing. You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, product/service experience or other transactions. We may need to contact you by email, phone, letter and/or SMS for administrative, customer service or operational reasons, please be aware that these communications are not made for marketing purposes and as such, you will continue to receive them even if you choose not to receive marketing communications. Examples of these include; changes to classes or events, changes to our procedures and changes to booking terms.

3. How Long We Keep Your Data
We need to keep personal data for different periods of time.
The length of time we need to keep your personal data will vary depending on the nature of the personal data and the reason we hold it. We will apply appropriate risk based measures to protect your personal data which may include pseudonymising or anonymising the personal data. If personal data is pseudonymised, this means it is altered so you are no longer identifiable, but we can re-identify you if we have a requirement to do so. If personal data is anonymised, it is altered so you are no longer identifiable, but can never be re-identified in the future.
We will only retain your personal data for as long as necessary to fulfil a legally permitted purpose. We will delete your account if it has been inactive for more than 2 years. This will not include deleting information that we have to keep for tax or other laws. When we delete an account the user’s historic payment details and attendance details will be retained until these are no longer required.

4. Who We Transfer Data To
By law, transferring personal data to other organisations needs to take place with appropriate safeguards and you can be assured that we will only share the personal data that is needed for these organisations to be able to support what we do.
We may transfer your personal data to the following third parties:
• Technology service providers: our partners who provide IT and website services. For example we share your data with TeamUp our booking system providers. When you use TeamUp you will have to accept the TeamUp privacy policy. We are joint data controllers of the personal data on that system.
• Payment services providers: the secure third party payment platform used for purchases of our services and products (please note, when you make a payment, their own privacy policy and terms will apply when they process your payment card details).
• Marketing service providers: our partners who provide marketing services as our sub-contractor.
• Regulators: regulators and other governmental agencies or law enforcement agencies including track and trace for COVID-19.
• Purchasers: organisations who may be interested in purchasing our business or organisations who we may be interested in purchasing - we may sell parts of our business or acquire other businesses and your personal data may be shared with such third parties as part of this process
• Advisers: professional advisers including lawyers, accountants, bankers and insurers.
We will only transfer your personal data to third parties who adhere to appropriate data security standards and controls.

5. Countries Your Personal Data Will be Sent to and Why
Some of our service providers are not based in the UK.
Your personal data may be shared with a service partner located in other countries that help us deliver our services. This will, in certain situations, involve transferring your personal data outside the EEA to the country in which the service partner is located; these other countries may not necessarily have data protection laws as comprehensive or protective as those in the UK. Where this is the case, we will ensure that the transfer is subject to appropriate safeguards to protect your personal data and complies with applicable law. This may include having standard contractual clauses in place with the third party, the transfer being to a country which has been deemed by the European Commission to provide an adequate level of protection for the personal data (e.g. Canada) or, for the USA, under the EU-US Privacy Shield. For further information on how data can be transferred to other countries, please visit the European Commission website: https://ec.europa.eu/info/law/law-topic/data-protection_en

6. Your Rights
You have certain rights in respect of your personal data and we have processes to enable you to exercise these rights.
Right of Access: this is known as a Subject Access Request. If you want to know if we are processing personal data relating to you and to have access to any such personal data you contact us at ride-on@pedalhousedinburgh.com.
Right to Rectification: if you believe that we hold inaccurate personal data about you, then you can either contact us at ride-on@pedalhousedinburgh.com with your request or, if you have a customer account, update this information directly by logging in to your customer account and updating the relevant details. Depending on the type of personal data you believe is inaccurate, we may ask you for further proof to ensure that the personal data is being corrected properly.
Right to Erasure: you have a right to ask for your personal data to be erased in certain circumstances. However, this right does not apply where we have to comply with a legal obligation or where we need personal data for the establishment, exercise or defence of legal claims. If you opt out of marketing communications or have previously opted out of marketing communications, we have to keep a record of your opt out to ensure that we do not contact you in the future.
Right to Restriction: you have a right to request that processing of personal data is restricted in certain circumstances. However, we will still continue to process the personal data for storage purposes, for the establishment, exercise or defence of legal claims or with your consent.
Right to Object: where we are relying on legitimate interests as a legal basis to process your data, you have a right to object to this processing on grounds relating to your particular situation.
Automated Processing: from time to time, we may use automated processing in relation to the information we hold about you to make recommendations of products and services we think you would be interested in and to improve your experience when you visit our website by making it relevant and tailored to you.
Right to Complain to the Information Commissioner: you have the right to lodge a complaint with the Information Commissioner and more details can be found on their website www.ico.org.uk.

©2021 Pedalhouse