Privacy Policy

Last updated: May 2026

1. Who We Are

“Splash & Glow” is a trading name of Joanne Fraser, an individual sole trader operating an experiential entertainment venue at Unit 72A, Ocean Terminal Shopping Centre, Ocean Dr, Leith, Edinburgh EH6 6JJ. When we refer to “we”, “us”, or “our” in this policy, we mean Joanne Fraser trading as Splash & Glow.

Joanne Fraser is the data controller for the personal data described in this policy. If you have any questions about how we handle your data, contact us at info@splashandglow.co.uk or at the address above.

You can complain to the Information Commissioner's Office (ICO) at any time: ico.org.uk or 0303 123 1113. We would, however, appreciate the chance to address your concern first.

2. What Data We Collect

We collect the following categories of personal data:

  • Booking and contact data: name, email address, phone number, postal address (where relevant), and the details of your booking
  • Waiver data: name, date of birth (where relevant for age), emergency contact details, photography preference, and — where you choose to provide it — relevant medical information
  • Special category (medical) data: information about allergies or health conditions you choose to share on your waiver, which we treat as special category personal data under UK GDPR
  • Payment data: processed securely by Stripe; we receive only the last four digits, card brand, and payment confirmation. We do not store full card details
  • Photography and video: images and short clips captured during sessions (see Section 6)
  • Enquiry and message data: the content of contact-form submissions, emails, and (where you contact us through them) social-media or messaging-app messages
  • Marketing engagement data: whether you have opened or clicked our marketing emails, and your marketing preferences
  • Website usage data: IP address, device and browser information, pages viewed, and referrer. Non-essential analytics and advertising cookies only fire with your consent

3. How We Use Your Data

We use your personal data to:

  • Process and manage your bookings and payments
  • Send transactional messages — booking confirmations, waiver links, reminders, schedule changes, and post-session follow-ups such as review requests
  • Keep guests safe during sessions, including by acting on the medical information you choose to share on your waiver
  • Respond to your enquiries and messages
  • Promote our venue using photographs and short videos taken during sessions (see Section 6)
  • Send marketing communications about Splash & Glow — only where you have opted in, or where the soft opt-in described in Section 9 applies
  • Detect and prevent fraud, abuse, and unsafe behaviour
  • Improve our website and services
  • Comply with our legal and regulatory obligations and defend legal claims

4. Legal Basis for Processing

UK GDPR requires us to identify a lawful basis for each purpose. We rely on the following:

  • Contract (Article 6(1)(b)) — to take and fulfil your booking, process payment, and communicate operational details
  • Legitimate interests (Article 6(1)(f)) — to promote the venue (including through photography and video), send review requests after a session, prevent fraud and abuse, defend legal claims, and improve our services. Where we rely on this basis, we have balanced our interests against your rights and you have an unconditional right to object
  • Consent (Article 6(1)(a)) — for non-essential cookies, marketing to prospective customers who have opted in, and other situations where we ask explicitly
  • Legal obligation (Article 6(1)(c)) — to keep accounting records, respond to lawful requests from authorities, and comply with safeguarding and consumer-law obligations

Where you provide medical information on a waiver, we treat it as special category data under Article 9. Our lawful basis is your explicit consent (Article 9(2)(a)), captured by a separate tickbox on the waiver form. You can withdraw this consent at any time, although doing so may mean we cannot tailor the experience for an undisclosed medical need.

5. If You Choose Not to Provide Data

Some data is necessary in order for us to deliver your booking — your name, contact details, payment information, and a completed waiver. Without these we cannot accept the booking.

Other data is optional. Marketing preferences, medical information, and photography opt-out are entirely your choice and will not affect your booking, although they may affect what we can offer (for example, we cannot accommodate an undisclosed medical need, and we cannot send you news about future events if you have not opted in).

6. Photography, Video, and Images

We photograph and film our sessions to promote the venue on our website, social media, and in advertising. Our sessions take place in a low-light environment illuminated mainly by UV lighting. As a result, the great majority of our images do not show individual features in a clearly recognisable way. Where an image does not identify a person, it is not personal data and this policy does not apply to it.

Some images and short clips may nonetheless capture individuals in a recognisable way. Where that is the case:

  • Our lawful basis is legitimate interests (Article 6(1)(f)) — promoting our venue — balanced against your rights
  • You can opt out at any time: tick the photography opt-out box when you book, tell a member of staff before or during your session, or email info@splashandglow.co.uk to ask us to remove an image already published. We will remove opted-out images from our channels within 14 days, although we cannot guarantee removal from third-party reposts
  • Guests who opt out before or during a session are issued a clearly visible vest. Our staff will exclude vest-wearers from filming and photography wherever practicable
  • For children (under 18), we apply additional care: we will not use a recognisable image of a child in marketing without separate explicit consent from the parent or guardian who made the booking. Even where children appear in the lit environment, we take steps to ensure their identity is not recognisable in published images
  • Images we use in paid advertising rely on consent rather than legitimate interests, because the processing is more visible and intrusive

7. Data Retention

  • Booking and tax records: 6 years from the end of the relevant tax year, as required by HMRC
  • Waivers: 6 years from the date of the session
  • Medical information on waivers: encrypted at rest and automatically deleted 30 days after the session
  • Other session-specific guest data: automatically deleted 30 days after the session
  • Marketing consent and unsubscribe records: kept until withdrawn, plus 24 months for audit purposes
  • Contact form, email, and message records: up to 24 months from your last interaction with us
  • Lead and enquiry records: up to 24 months from your last interaction, unless your enquiry becomes a booking
  • Gift voucher records: until expiry plus 6 years
  • Photographs and video: see Section 6

8. Sharing Your Data

We do not sell your personal data. We share it only with service providers we use to run our business, all of whom act under written terms requiring them to protect your data:

  • Stripe Payments Europe Ltd: payment processing and fraud screening
  • Resend Inc.: transactional email delivery
  • Vercel Inc.: website hosting
  • Neon Inc.: database hosting
  • Google LLC, Meta Platforms Ireland Ltd, and TikTok Information Technologies UK Ltd: website analytics and advertising — only where you have consented to non-essential cookies
  • Our accountants, insurers, and legal advisors: for tax compliance, claim handling, and legal advice
  • Law enforcement, regulators, or courts: where we are required to share data by law or to protect our legal rights
  • A successor in business: if we restructure or sell the business, your data may transfer to the buyer or successor under equivalent protections

9. Marketing Communications

We send marketing about Splash & Glow by email and, where you have agreed, SMS. Our lawful basis depends on how we obtained your details:

  • Explicit consent: if you ticked the marketing opt-in box (e.g. on our newsletter form), we rely on your consent
  • Soft opt-in (PECR Regulation 22(3)): if you have booked with us before, we may contact you about similar Splash & Glow experiences. We give you the chance to opt out at the time we collect your details, and every message we send contains a one-click unsubscribe link

You have the absolute right to opt out of marketing at any time. Use the unsubscribe link in any message, or email info@splashandglow.co.uk.

10. International Data Transfers

Some of our service providers — including Stripe, Resend, Vercel, Neon, Google, Meta, and TikTok — process data outside the United Kingdom, principally in the European Economic Area and the United States.

Where data is transferred outside the UK, we rely on one of the safeguards permitted by UK GDPR: a UK adequacy decision (where available), the UK International Data Transfer Agreement (IDTA), or the European Standard Contractual Clauses with the UK Addendum. You can request a copy of the safeguards we use by emailing us at the address in Section 1.

11. Automated Decision-Making

We do not make solely automated decisions that have legal or similarly significant effects on you. Stripe applies automated fraud-screening rules to payments and may decline a transaction it considers high-risk. If your payment is declined for fraud reasons, contact us and we will help you make alternative arrangements.

12. Security

We use industry-standard measures to keep your data secure, including encryption in transit (HTTPS/TLS), encryption at rest for sensitive fields (medical information is encrypted using AES-256-GCM), role-based access controls, and audit logging. No method of transmission or storage is perfectly secure, but we review and improve our controls on an ongoing basis and will notify you and the ICO of any qualifying personal-data breach without undue delay.

13. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Have inaccurate data corrected
  • Have your data erased, where applicable
  • Restrict or object to our processing of your data
  • Receive a portable copy of data you provided to us, where processing is based on consent or contract
  • Withdraw any consent you have given (this does not affect the lawfulness of earlier processing)
  • Object to direct marketing at any time — this right is unconditional and we will always honour it
  • Lodge a complaint with the Information Commissioner's Office (see Section 1)

To exercise any of these rights, contact us at info@splashandglow.co.uk. We will respond within one month and may ask for proof of identity to protect your data.

14. Cookies

We use cookies on our website. Strictly necessary cookies are set automatically; non-essential cookies (analytics, advertising) only fire after you have given consent through our cookie banner. For full details, see our Cookie Policy.

15. Children's Data

Bookings involving anyone under 18 must be made and the waiver completed by a parent or guardian. We do not collect personal data directly from children.

Where children attend a session, we take additional care with photography and video (see Section 6). We will not use a recognisable image of a child in marketing without separate explicit consent from the parent or guardian who made the booking, and we apply the principles of the ICO's Age-Appropriate Design Code to any online services that may be used by under-18s.

16. Changes to This Policy

We may update this privacy policy from time to time. The “last updated” date at the top of the page reflects the most recent change. Where changes are significant, we will notify you by email where we have an address for you.

17. Contact Us

If you have any questions about this privacy policy or our data practices:

Email: info@splashandglow.co.uk

Address: Joanne Fraser, trading as Splash & Glow, Unit 72A, Ocean Terminal Shopping Centre, Ocean Dr, Leith, Edinburgh EH6 6JJ