WFCS

Privacy Policy

Last updated: 21 February 2026

1. Who we are

The Well Foundation (Scottish charity SC040105) is the data controller for personal data collected through this booking platform.

  • Registered office: 211B Main Street, Bellshill, ML4 1AJ, Scotland
  • Data protection contact: [email protected]

2. What data we collect

We collect the following personal data when you use this service:

Data | Purpose
Name, email, phone | Account creation and communication
Password (hashed) | Secure account access
Child/dependant names, dates of birth | Booking eligibility, age-appropriate activities, safeguarding
Medical notes, emergency contacts | Participant safety during activities
Parental consent records | Legal basis for processing children's data
Payment details | Processed by Stripe; we do not store card numbers
Booking and attendance records | Service delivery, reporting, and safeguarding
Gift Aid declarations (name, address) | HMRC Gift Aid claims
Marketing preferences | Sending updates about activities (opt-in only)

3. Legal basis for processing

We process your data under the following lawful bases (UK GDPR):

  • Contract — to provide the booking service you have requested
  • Consent — for marketing communications and processing children's data
  • Legal obligation — Gift Aid record-keeping as required by HMRC
  • Legitimate interests — safeguarding, service improvement, and fraud prevention

4. Children's data

When you add a child or dependant to your account, you confirm that you have parental responsibility or appropriate authority. We collect only the data necessary for safe participation in activities: name, date of birth, medical notes, and emergency contact details.

Children's data is handled with particular care and is only accessible to authorised staff and the activity instructors responsible for their sessions.

5. How we share data

We do not sell your personal data. We share data only with:

  • Stripe — for secure payment processing (Stripe Privacy Policy)
  • HMRC — Gift Aid claims for eligible donations
  • Activity instructors — participant names, attendance, and relevant medical/safety information for sessions they deliver

6. Data retention

We retain your data for as long as your account is active and as required by law:

  • Account data: until you request deletion
  • Booking and payment records: 7 years (financial record-keeping)
  • Gift Aid declarations: 6 years after the end of the tax year they relate to (HMRC requirement)
  • Marketing consent records: until withdrawn

7. Data security

We take appropriate technical and organisational measures to protect your data, including:

  • Passwords are stored using one-way hashing (bcrypt)
  • Authentication uses secure, HTTP-only cookies
  • Payment card details are handled entirely by Stripe and never touch our servers
  • Access to personal data is restricted to authorised personnel

8. Your rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your data (subject to legal retention requirements)
  • Restriction — ask us to limit how we use your data
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, you can withdraw at any time

To exercise any of these rights, contact us at [email protected].

9. Cookies

This platform uses only essential cookies required for the service to function:

  • auth_token — keeps you logged in (HTTP-only, secure, session duration)

We do not use analytics, advertising, or third-party tracking cookies.

10. Complaints

If you are unhappy with how we handle your data, please contact us first at [email protected].

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or a notice on this platform.