Calmababy is fully compliant with the General Data Protection Regulations (GDPR). We process personal client data to facilitate the booking of our classes and courses. We do not share any data we hold with third parties.
Our booking software
- Your name
- Your address
- Telephone numbers (usually you’re mobile)
- Email addresses
- Your children’s names and dates of birth
- Medical history for you and your children (if applicable)
Our mailing lists
- First name
- Last name
- Email address
- Booking confirmations and reminders
- Payment receipts
- Calmababy Newsletters
- Offers and promotions
Data relating to children
- Child’s name
- Date of birth
- Medical history (if appropriate)
Card payments and purchases
Calmababy is PCI compliant, in accordance with these regulations, we do not store debit or credit card details on site. If you have given us consent to retain your debit or credit card, your details are stored via secure third-party merchant providers on their systems. They are encrypted, except for the last four digits of the card number and its expiry date, and cannot be viewed by any member of the Calmababy team.
Our lawful basis for processing your data
When you visit our Centre, join as a member or contact us via email or social media we may ask permission to store your details in our booking software and mailing lists.
For existing customers who are attending classes and courses, we store, retain and use your data to provide the services agreed in your contract with us.
For new customers, all our systems require an affirmative opt-in before we can send you communications. We will undertake this process with you for each system during your initial registration.
For lapsed customers, we may from time to time, send you communications about our products and services which we believe you have a legitimate interest in receiving. You can opt out of these communications at any time.
Special category data
Calmababy does not collect special category data in the course of its routine operations. Following the COVID-19 pandemic, HM Government requires businesses to collect data for their Test & Trace scheme.
Our risk assessment recognises the need to potentially ask health screening questions to help make the Centre COVID secure. This data is defined as Special Category Data as it concerns the health of our staff and customers.
Our lawful basis for processing this data under Article 9 of GDPR is (i) Public health (with a basis in law). We delete all data collected for Test & Trace after 21 days.
Protecting your data
Your data is stored via a small number of third-party cloud software applications with whom we have individual contracts and service level agreements. Each provider has separate security and privacy policies, copies of which are available upon request by contacting the Centre.
Any internal data we hold is stored either on our hardware or via cloud storage. All our internal systems are password-protected, and user access is restricted.
We do not hold your data any longer than is necessary to provide you with our services or to comply with applicable law. We would expect to retain, store and use your data for the lifespan of your children’s swim journey with us, or for the duration of any classes and courses you attend.
While we do not place a specific timeframe on the retention of our data, we periodically review our records to edit, archive or delete data we deem surplus to requirements.
Calmababy Ltd is also required, by law, to retain financial information relating to its business practices for up to 7 years.
- to be provided with access to your personal data held by us;
- to request the rectification or erasure of your personal data held by us;
- to object to the collection of your data and request that we cease processing your data;
- to request that we restrict the processing of your personal data while we investigate your concerns with this information;
- to object to solely automated processing; and
- to request that your data be transferred to a third party (data portability).