Privacy Policy
Last updated: 2025-11-19
1. Introduction
This Privacy Policy explains how we collect, use, store, and protect personal data. We comply with UK GDPR and applicable international laws.
We act as:
- Data Controller: for data you provide to register your account.
- Data Processor: for data you store in our platform about your clients, staff, and business operations.
2. Data We Collect
As Controller:
- Name
- Business details
- Login information
- Usage logs
As Processor (data you upload):
- Client names (including children’s names)
- Email addresses
- Phone numbers
- Addresses
- Uploaded files (images, PDFs, documents)
3. Data Storage Location
Primary storage regions:
- eu-west-1 (Ireland)
- eu-west-2 (London)
Supporting services operate in:
- us-east-1 (Virginia)
- Global edge locations (CloudFront)
4. International Data Transfers
CloudFront and some AWS services process:
- IP addresses
- Request metadata
- Publicly served files
For transfers outside the UK/EU, we use:
- Standard Contractual Clauses (SCCs)
- UK Addendum
5. How We Use Data
We process data to:
- Provide and maintain the Service
- Host websites and content
- Enable scheduling, bookings, and staff management
- Ensure security
- Improve functionality
6. No Review of User Content
We do not actively monitor or examine user-uploaded content.
Users are fully responsible for:
- Content legality
- Data subject permissions
- Compliance with privacy laws
7. Subprocessors
We use third-party providers including AWS, Paddle, and email delivery services. A full list is provided in our Subprocessor Disclosure.
8. Security Measures
Security measures include:
- Encryption at rest and in transit
- AWS IAM access controls
- Backups
- Logging and monitoring
See our Security & Data Protection page for more detail.
9. Data Retention
We retain data for as long as:
- Your account remains active, or
- Applicable law requires retention.
Upon termination, data is deleted within 90 days unless backup retention applies.
10. Your Rights (UK & EU)
You may:
- Access your data
- Request correction
- Request deletion
- Object to processing
- Request data export
Requests are processed within 30 days.
Contact
Email: privacy@kimshiltd.com
