Privacy Policy
Last updated: June 2026
This privacy notice tells you what to expect us to do with your personal information and applies to all Bendy Bodies classes, services and events.
On this page
Contact details
- Business Owner: Candice Luwes trading as Bendy Bodies
- Website: www.bendybodies.co.uk
- Contact: Candice Luwes
- Telephone: +44 778 691 6950
- Email: info@bendybodies.co.uk
Candice Luwes trading as Bendy Bodies is the data controller for the purposes of UK data protection law.
What information we collect, use, and why
We collect or use the following information to provide services and goods, including delivery:
- Names and contact details
- Addresses
- Date of birth
- Purchase or account history
- Payment and transaction details. Card payments are processed securely by Stripe and we do not store full card details.
- Health information (including dietary requirements, allergies and health conditions)
- Health and safety information
- Account information
- Website user information (such as IP address and browser information)
- Photographs or video recordings
- Information relating to compliments or complaints
We also collect or use the following special category information to provide services and goods, including delivery. This information is subject to additional protection due to its sensitive nature:
- Health information
We collect or use the following information for the operation of customer accounts and guarantees:
- Names and contact details
- Addresses
- Payment details (processed securely by Stripe – we do not store full card details)
- Purchase history
- Account information, including registration details
- Marketing preferences
We collect or use the following information for service updates or marketing purposes:
- Names and contact details
- Marketing preferences
- Recorded images, such as photos or videos
- Purchase or viewing history
- Website and app user journey information
- Records of consent, where appropriate
We collect or use the following information to comply with legal requirements:
- Name
- Contact information
- Financial transaction information
- Health and safety information
- Safeguarding information
We also collect or use the following special category information to comply with legal requirements. This information is subject to additional protection due to its sensitive nature:
- Health information
We collect or use the following personal information for dealing with queries, complaints or claims:
- Names and contact details
- Address
- Account information
- Purchase or service history
- Witness statements and contact details
- Customer or client accounts and records
- Financial transaction information
- Information relating to health and safety
- Correspondence
We also collect the following special category information for dealing with queries, complaints or claims. This information is subject to additional protection due to its sensitive nature:
- Health information
Lawful bases and data protection rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
- Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.
- Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
- Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.
- Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
- Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.
- Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
- Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.
If you make a request, we must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
Our lawful bases for the collection and use of your data
Our lawful bases for collecting or using personal information to provide services and goods are:
- Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.
Our legitimate interests are:
Bendy Bodies processes limited personal information in order to operate and deliver yoga classes safely and effectively.
This includes managing bookings, maintaining attendance records, communicating important updates (such as schedule changes), adapting instruction where appropriate, and ensuring a safe environment for participants.
Processing this information is necessary for the efficient administration of services and to provide a consistent and safe experience for clients. The benefits include accurate booking management, effective communication, injury prevention, and maintaining professional standards.
Only information that is relevant and necessary is collected. Data is stored securely using reputable systems, access is restricted, and individuals may request access, correction, or deletion of their information in accordance with UK GDPR.
The legitimate interests of the business do not override the rights and freedoms of participants, as the information collected is proportionate, expected within a service relationship, and used solely for the purpose of delivering yoga services.
Where we collect health information, this is processed on the basis of your explicit consent under Article 9(2)(a) UK GDPR, together with our legitimate interests in ensuring safe participation in physical activity.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Our lawful bases for collecting or using personal information for the operation of customer accounts and guarantees are:
- Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.
Our legitimate interests are:
Bendy Bodies processes personal information to operate its online booking system and manage customer accounts effectively.
This includes maintaining accurate booking records, processing payments, managing class credits or transfers, communicating important account-related updates, and ensuring secure access to booking information.
This processing is necessary for the efficient administration of services and provides clear benefits to participants, including convenience, accurate booking management, secure payment handling, and timely communication regarding their classes.
Only the minimum personal information required to operate the booking system is collected. Data is processed using secure third-party platforms, access is restricted, and individuals retain control over their information in accordance with UK GDPR.
The legitimate interests of the business are proportionate and do not override the rights and freedoms of participants, as the information processed is expected within a service relationship and is used solely for account management and service administration.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Our lawful bases for collecting or using personal information for service updates or marketing purposes are:
- Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Our lawful bases for collecting or using personal information for legal requirements are:
- Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:
- Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
- Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.
Our legitimate interests are:
Bendy Bodies processes personal information in order to respond to queries, investigate complaints, and manage potential claims appropriately and fairly.
This processing is necessary to:
- Communicate effectively with individuals raising concerns
- Review booking and attendance records
- Investigate incidents or accidents
- Comply with insurance requirements
- Resolve disputes in a transparent and timely manner
The benefits of processing this information include ensuring issues are handled responsibly, maintaining professional standards, protecting the safety of participants, and enabling fair resolution of complaints.
Only information that is relevant to the specific query, complaint, or claim is processed. Records are stored securely, access is restricted, and information is retained only for as long as required for legal or insurance purposes.
The legitimate interests of the business are balanced against the rights of individuals, and processing is limited to what is proportionate and necessary in the circumstances.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Where we get personal information from
- Directly from you
- Insurance companies
- Schools, colleges, universities or other education organisations
- Suppliers and service providers
Children’s Data
Where classes are provided to children, personal information is provided by a parent or legal guardian. We do not knowingly collect personal data directly from children without parental consent. Parents or guardians may request access, correction or deletion of their child’s information at any time.
How long we keep information
Bendy Bodies retains personal information only for as long as necessary to fulfil the purposes for which it was collected, including legal, insurance, safeguarding and accounting requirements.
Retention periods are as follows:
- Adult participant records (including health information and attendance records): retained for up to 10 years from the date of last attendance, in line with insurance and legal limitation periods.
- Children’s participant records: retained until the child reaches the age of 21, in line with safeguarding and legal limitation periods.
- Financial records and transaction information: retained for a minimum of 6 years in accordance with HMRC requirements.
- Incident and accident reports: retained in line with the above retention periods, depending on whether the participant is an adult or child.
- Marketing consent records: retained until consent is withdrawn.
- General enquiries: retained for up to 12 months unless further action is required.
At the end of the applicable retention period, personal information is securely deleted or anonymised.
For more information on how long we store your personal information or the criteria we use to determine this please contact us using the details provided above.
Sharing information outside the UK
Some of our service providers operate internationally. Where personal data is transferred outside the UK, this is done using recognised safeguards such as Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or adequacy regulations.
Data Security
We implement appropriate technical and organisational measures to protect personal information from unauthorised access, alteration, disclosure, loss or misuse. This includes secure cloud-based systems, restricted access controls and encrypted payment processing.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
- Information Commissioner’s Office
- Wycliffe House
- Water Lane
- Wilmslow
- Cheshire
- SK9 5AF
- Helpline number: 0303 123 1113
- Website: https://www.ico.org.uk/make-a-complaint