Privacy Notice — Wake Up & Breathe
Last updated: 3 June 2026
Wake Up & Breathe is a private, subscription video platform for Katy's pilates clients. We collect the information we need to give you an account, take your subscription payment, deliver the classes, and — only if you choose to tell us — keep a note of your pilates goals and any injuries so your instructor can teach you safely. We don't sell your data, we don't show ads, and we only use the third-party services listed below to run the service. You have rights over your data, including the right to get a copy, correct it, or have it deleted, and the right to complain to the UK regulator (the ICO).
1. Who we are (the “data controller”)
The data controller — the organisation responsible for your personal data — is:
- Organisation / trading name: Katy Harvey trading as Wake Up & Breathe
- Address: 18 Garrett Apartments, 14-18 Ravensbury Terrace, SW18 4SB, London, UK
- How to contact us about privacy: [email protected]
We have not appointed a Data Protection Officer (a DPO is generally not required for an organisation of this size).
2. The personal data we collect
| Data | What it is | Where it comes from |
|---|---|---|
| Account details | Your name and email address, and a securely hashed password. | You, at sign-up or when you claim your invite. |
| Subscription & payment data | That you have an active/lapsed/comped subscription, your subscription dates, and a customer reference. We do NOT store your card number — card payments are handled entirely by Stripe. | You + Stripe. |
| Profile — goals & injuries (optional) | If you choose to provide it: your pilates goals, experience level, and any injuries or health conditions you want your instructor to know about. This is sensitive (“special category”) health data and we only store it with your explicit, separate consent. | You, only if you opt in. |
| Email communications | Transactional emails we send you (welcome, password reset, account changes) and — if you opt in — occasional announcement emails. | Us, via Resend. |
| Support correspondence | Any emails you send us and our replies. | You + us. |
| Technical/session data | A few strictly-necessary cookies set by our login system to sign you in and keep you signed in. Our application logs record technical events (e.g. that a sign-in happened) with passwords/tokens removed and without your email address. | Automatically, when you use the site. |
3. Why we use it, and our lawful basis
UK GDPR requires us to have a “lawful basis” for each use of your data. Ours are:
| Purpose | Lawful basis |
|---|---|
| Create and run your account; let you sign in and watch classes. | Contract — we need this to provide the service you signed up for. |
| Manage your subscription and your access to classes (we record your subscription status, dates, and a Stripe reference — Stripe handles the actual payment). | Contract — we need this to give you the access you pay for. Stripe holds the payment and invoice records under its own terms, not us. |
| Store and show your instructor your goals and injuries. | Explicit consent (UK GDPR Article 9(2)(a)) for the health data, plus consent under Article 6(1)(a). You can withdraw this at any time and we will delete that information. We will not require this to use the service. |
| Send you service/transactional emails (welcome, password reset, billing, account changes). | Contract / Legitimate interests — these are necessary to operate your account. |
| Send you announcement / marketing emails (e.g. new classes, pricing changes). | Legitimate interests — keeping subscribers informed about the service they pay for. To stop receiving announcement emails, email us at [email protected] and we'll take you off the list. |
| Keep the service secure, prevent abuse, and keep backups. | Legitimate interests — running a secure, reliable service. |
4. Who we share it with (our processors)
We don't sell your data. We share it only with the service providers we use to run Wake Up & Breathe, who act on our instructions:
| Provider | What they do | What they handle |
|---|---|---|
| Stripe | Payment processing & subscriptions. | Your name, email, and payment/card details (Stripe stores the card data, not us). |
| Bunny.net | Video hosting & streaming (the classes). | Technical playback requests; no account profile data. EU-based provider. |
| Resend | Sending our emails. | Your email address (the recipient). Some emails also include your first name in the message body, where you have one set. |
| Cloudflare | Content delivery, secure connection to our site, and encrypted off-site backups (R2). | Traffic to the site; encrypted database backups containing the data above. |
| Hosting | The application and database run on a self-hosted server located in the UK. | All of the above. |
Each provider has its own privacy/processing terms.
5. Sending data outside the UK
Some of our providers process data outside the UK. Where that happens, the transfer is protected by appropriate safeguards (such as the UK's International Data Transfer Agreement / Addendum or Standard Contractual Clauses, or an adequacy decision):
- Stripe, Resend, and Cloudflare may process data in the United States and other countries.
- Bunny.net is EU/EEA-based.
We rely on appropriate safeguards for these transfers, including the UK's International Data Transfer Agreement / Addendum, Standard Contractual Clauses, or adequacy decisions as applicable. For the current safeguard relied on by each provider, contact us at [email protected].
6. How long we keep it
| Data | Retention |
|---|---|
| Account & profile data | While your account is active, and for up to 12 months after it closes, then deleted. |
| Goals & injuries (health data) | Until you withdraw consent or close your account, whichever is first — then deleted. |
| Subscription record | Your subscription status, dates, and Stripe reference IDs — kept while your account is active; removed when your account is deleted. Stripe holds the actual payment and invoice records under its own retention. |
| Announcement records | We keep a record of each announcement (blast) we send — its subject, content, and how many recipients it succeeded/failed for. We do not store a per-recipient send list. Kept as an audit record. |
| Encrypted backups | On a rolling schedule (currently 14 daily, 4 weekly, 12 monthly), after which they are deleted. Data you ask us to delete will age out of backups within this window. |
| Application & traffic logs | Application logs (technical events; no email; passwords/tokens redacted) — retained for 90 days, then deleted. Network traffic incl. IP address is handled by Cloudflare under its own retention. |
7. Your rights
Under UK GDPR you have the right to:
- Be informed about how we use your data (this notice).
- Access a copy of the data we hold about you.
- Rectification — have inaccurate data corrected.
- Erasure — ask us to delete your data (“right to be forgotten”), subject to records we must keep by law.
- Restrict or object to certain processing.
- Data portability — receive your data in a portable format.
- Withdraw consent at any time where we rely on consent (e.g. your injuries data) — without affecting the service you've paid for. To stop receiving announcement emails, email us at [email protected].
To exercise any of these, contact us at [email protected]. We will respond within one month. There is normally no charge.
8. Cookies
We use only strictly-necessary cookies, all set by our own login system to sign you in and keep you signed in: a session cookie (keeps you logged in) plus a security (anti-CSRF) cookie and a short-lived sign-in-redirect cookie. We do not use any advertising or analytics tracking cookies, and we do not load fonts or scripts from third-party servers (our fonts are self-hosted). Because we use only strictly-necessary cookies, we don't show a cookie consent banner. (If analytics or any third-party embeds are added later, this section — and possibly a cookie banner — must be revisited under PECR.)
9. Automated decision-making
We do not make any decisions about you by automated means, and we do not profile you.
10. Complaints
If you're unhappy with how we've handled your data, please contact us first so we can try to put it right. You also have the right to complain to the UK regulator:
Information Commissioner's Office (ICO) — ico.org.uk — helpline 0303 123 1113.
11. Changes to this notice
We may update this notice. If we make a significant change we'll email you to let you know. The “last updated” date at the top shows the current version.
See also our Terms of Service.