Contents:

• 1. Introduction
• 7. Third-Party Platforms
• 14. Legal Basis
• 27. Your Rights
• 29. Cookies

Privacy Notice

Last updated: March 2026

1. Introduction

Pinnacle Body Rejuvenation Ltd (“we”, “us”, “our”, or the “Company”) recognises the importance of protecting personal data and is committed to processing such data in accordance with applicable data protection laws, including, but not limited to, the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and any other applicable legislation relating to privacy and electronic communications.

This Privacy Notice (“Notice”) explains in detail how we collect, use, store, disclose, transfer and otherwise process personal data in connection with:

• your access to and use of our website;
• your interaction with us, including communications and enquiries;
• the provision of services by us;
• your interaction with third-party systems accessed via our website;
• any other circumstances in which personal data is provided to us or collected by us.

This Notice is intended to provide transparency regarding the nature, scope and purposes of our data processing activities and to inform you of your rights under applicable data protection law.

By accessing our website, contacting us, or otherwise engaging with our services, you acknowledge that you have read and understood this Notice.

2. Scope of this Notice

This Notice applies to personal data processed by us in our capacity as a data controller in relation to:

• (a) visitors to our website;
• (b) individuals who contact or communicate with us;
• (c) clients who receive services from us;
• (d) individuals whose data is provided to us via third-party booking platforms;
• (e) any other individuals whose personal data is processed by us in the course of operating our business.

For the avoidance of doubt, this Notice does not apply to personal data processed exclusively by third-party platforms, including but not limited to Fresha, Treatwell, or similar booking or payment systems, which operate independently from us and act as separate data controllers.

Where such third-party platforms are used, their own privacy policies, terms and conditions, and data processing practices will apply.

3. Definitions

For the purposes of this Notice, the following definitions apply:

“Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to names, contact details, identification numbers, online identifiers, and information relating to physical, physiological, or behavioural characteristics.

“Processing” means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.

“Data Controller” means the entity which determines the purposes and means of processing personal data.

“Data Processor” means an entity which processes personal data on behalf of a data controller.

“Third-Party Platform” means any external system, application, or service provider, including booking systems such as Fresha, through which users may interact, make bookings, or provide personal data independently of our website.

“Special Category Data” means personal data revealing racial or ethnic origin, health data, or other sensitive information as defined under applicable data protection law.

“UK GDPR” means the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland and Northern Ireland.

“ICO” means the Information Commissioner’s Office, the supervisory authority in the United Kingdom responsible for data protection.

4. Interpretation

In this Notice:

• references to “including” shall be construed as “including without limitation”;
• references to legislation shall include any amendments, updates or replacements;
• headings are for convenience only and do not affect interpretation;
• words in the singular shall include the plural and vice versa;
• references to “you” or “your” mean any individual whose personal data we process.

5. Relationship Between This Notice and Third-Party Services

This Notice applies solely to personal data processed by us.

Where our website contains links, integrations or references to third-party platforms:

• such platforms operate independently;
• we do not control their data processing activities;
• we are not responsible for their privacy practices;
• your interaction with such platforms is governed by their own terms.

You acknowledge and accept that where you choose to use such third-party platforms, you do so at your own discretion and subject to their own policies.

We strongly recommend that you review the privacy notices of any third-party platforms before providing personal data.

6. General Principles

We process personal data in accordance with the following principles:

• lawfulness, fairness and transparency;
• purpose limitation;
• data minimisation;
• accuracy;
• storage limitation;
• integrity and confidentiality;
• accountability.

We take reasonable steps to ensure that personal data is processed securely and in compliance with applicable legal requirements.

7. Third-Party Booking Platforms and Data Flow

Our website may include links, integrations, widgets or redirection mechanisms that allow you to access third-party booking platforms, including but not limited to Fresha, Treatwell or similar systems (“Third-Party Platforms”).

These Third-Party Platforms operate independently from us and provide their own infrastructure for booking, account management, payment processing and data storage.

7.1 Independent Data Controllers

When you choose to make a booking through a Third-Party Platform:

• you will be redirected away from our website;
• you will enter into a direct relationship with that Third-Party Platform;
• that platform will act as an independent data controller;
• that platform will determine the purposes and means of processing your personal data.

For the avoidance of doubt:

• we do not act as a joint controller with such platforms;
• we do not determine how such platforms process your data;
• we do not have access to their full data processing activities;
• we are not responsible for their compliance with applicable data protection laws.

7.2 Categories of Data Processed by Third-Party Platforms

Third-Party Platforms may collect and process personal data including, but not limited to:

• full name;
• email address;
• telephone number;
• billing and payment details;
• appointment history;
• account login details;
• device identifiers and technical data;
• behavioural and usage data.

Such processing is governed entirely by the privacy policies and terms of those Third-Party Platforms.

7.3 Transfer of Data to Us

Following a booking made via a Third-Party Platform, we may receive limited personal data from that platform, including:

• your name;
• your contact details;
• appointment details;
• any notes relevant to the booked service.

This data is provided to us solely for the purpose of enabling us to deliver the booked service.

7.4 Our Role After Booking

Once we receive such data:

• we act as an independent data controller;
• we process the data only for the purposes of service delivery, communication and record-keeping;
• we do not process such data for unrelated purposes without lawful basis;
• we do not assume responsibility for the original collection of the data by the Third-Party Platform.

7.5 Disclaimer of Responsibility

To the fullest extent permitted by law, we disclaim responsibility for:

• the data processing practices of Third-Party Platforms;
• the storage, security or retention of data within such platforms;
• any data breaches occurring within such systems;
• any loss, misuse or unauthorised access to data processed by such platforms.

You acknowledge that your use of such platforms is subject to their own terms and policies.

8. Types of Personal Data We Process

We may collect, use, store and otherwise process the following categories of personal data.

8.1 Identity Data

Includes:

• first name;
• last name.

8.2 Contact Data

Includes:

• email address;
• telephone number;
• any contact information voluntarily provided.

8.3 Booking and Service Data

Includes:

• appointment dates and times;
• services booked;
• service history;
• preferences and notes.

8.4 Technical Data

Includes:

• IP address;
• browser type and version;
• operating system;
• device identifiers;
• time zone setting.

8.5 Usage Data

Includes:

• pages visited;
• time spent on pages;
• interaction behaviour (clicks, scrolling, navigation patterns).

8.6 Special Category Data

We may process limited health-related information where:

• it is voluntarily provided by you;
• it is necessary for the safe provision of services.

Such data is treated with enhanced confidentiality and security.

9. How Personal Data Is Collected

We collect personal data through multiple channels, including:

9.1 Direct Interactions

You may provide personal data by:

• filling in forms;
• contacting us via email or phone;
• communicating with us directly.

9.2 Automated Technologies

As you interact with our website, we may automatically collect Technical Data and Usage Data through:

• cookies;
• analytics tools (such as Google Analytics);
• server logs.

9.3 Third-Party Sources

We may receive personal data from Third-Party Platforms following a booking.

We may also receive data from:

• service providers;
• communication platforms;
• publicly available sources where appropriate.

10. If You Visit Our Website

When you visit our website, we may automatically collect information about your device and browsing activity.

This may include:

• IP address;
• device type;
• browser configuration;
• pages viewed;
• navigation behaviour;
• time spent on pages.

This information is used to:

• ensure the website functions correctly;
• improve user experience;
• analyse performance;
• maintain security.

11. If You Contact or Engage With Us

If you contact us directly, we may collect:

• your name;
• your contact details;
• the content of your communication.

We use this information to:

• respond to your enquiries;
• provide requested information;
• maintain communication records.

12. If You Book or Receive Services

If you book or receive services from us, we may process:

• your identity and contact data;
• booking details;
• service-related information;
• any relevant notes or preferences.

This information is used to:

• provide the requested services;
• ensure service quality and safety;
• maintain accurate records;
• communicate regarding your appointment.

We may also retain records of services provided for operational, legal and safety purposes.

13. Purposes for Which We Use Personal Data

We use personal data only where we have a lawful basis to do so and only for purposes that are necessary, proportionate and consistent with our business operations.

Personal data may be used for the following purposes:

13.1 Provision of Services

We use personal data to:

• deliver services booked by you;
• manage appointments and scheduling;
• communicate with you regarding your bookings;
• provide customer support;
• ensure that services are delivered safely and appropriately.

13.2 Business Operations

We may process personal data in order to:

• operate and administer our business;
• maintain internal records;
• manage client relationships;
• ensure quality control and service consistency;
• maintain operational efficiency.

13.3 Communication

We may use your personal data to:

• respond to enquiries;
• provide requested information;
• send service-related updates;
• communicate regarding bookings or changes.

13.4 Safety and Risk Management

We may process personal data to:

• ensure that treatments are safe and suitable;
• assess risks associated with services;
• protect the health and safety of clients and staff.

13.5 Improvement of Services

We may analyse personal data (including anonymised or aggregated data) to:

• improve our website;
• improve service delivery;
• understand client behaviour and preferences;
• enhance user experience.

13.6 Legal and Regulatory Compliance

We may process personal data in order to:

• comply with legal obligations;
• respond to regulatory requirements;
• maintain records required by law;
• resolve disputes and enforce legal rights.

13.7 Security and Fraud Prevention

We may use personal data to:

• detect and prevent fraud;
• ensure the security of our systems;
• protect against misuse or unauthorised access.

14. Legal Basis for Processing

We process personal data only where we have a lawful basis under applicable data protection law.

The lawful bases we rely on include:

14.1 Contract

We process personal data where it is necessary for the performance of a contract with you, or to take steps at your request prior to entering into such a contract.

This includes:

• managing bookings;
• providing services;
• communicating regarding appointments.

14.2 Legitimate Interests

We may process personal data where it is necessary for our legitimate interests, provided that such interests are not overridden by your rights and freedoms.

Our legitimate interests include:

• operating and improving our business;
• maintaining records;
• ensuring service quality;
• managing risks;
• protecting our business and systems;
• preventing fraud or misuse;
• improving our website and services.

Where we rely on legitimate interests, we ensure that:

• the processing is necessary;
• the impact on your rights is minimal;
• appropriate safeguards are in place.

14.3 Consent

We rely on your consent where required by law, including:

• for the use of non-essential cookies;
• for certain optional communications.

You may withdraw consent at any time.

Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.

14.4 Legal Obligation

We may process personal data where necessary to comply with legal obligations, including:

• regulatory requirements;
• tax obligations;
• legal proceedings;
• requests from authorities.

15. What Do These Legal Bases Mean

For clarity:

• Contract means processing necessary to provide services you have requested.
• Legitimate interests means processing necessary for our business, provided your rights are respected.
• Consent means you have given clear permission for specific processing.
• Legal obligation means processing required by law.

In each case, we ensure that processing is lawful, fair and proportionate.

16. Special Category Data

We may process limited Special Category Data, specifically health-related information, where necessary for the provision of services.

16.1 Nature of Data

This may include:

• information about injuries;
• medical conditions;
• relevant health history;
• other information voluntarily provided by you.

16.2 Purpose of Processing

Such data is processed solely for:

• ensuring the safety of treatments;
• assessing suitability of services;
• preventing harm.

16.3 Lawful Basis

We process Special Category Data based on:

• your explicit consent; and/or
• necessity for health and safety in the provision of services.

16.4 Safeguards

We implement additional safeguards, including:

• restricted access;
• confidentiality;
• limited retention;
• secure handling procedures.

16.5 Limitation

We do not:

• request unnecessary health data;
• process such data for unrelated purposes;
• share such data unless required or authorised.

17. Data Minimisation

We ensure that:

• only necessary data is collected;
• data is relevant to the purpose;
• excessive data is not collected or retained.

18. Accuracy

We take reasonable steps to ensure that personal data is accurate and up to date.

You are responsible for informing us of any changes.

19. Storage Limitation

We retain personal data only for as long as necessary.

Retention periods are determined based on:

• the purpose of processing;
• legal requirements;
• operational needs.

20. Accountability

We are responsible for demonstrating compliance with applicable data protection laws.

We maintain appropriate records and implement internal controls to ensure compliance.

21. Data Sharing and Disclosure

We may share personal data with third parties only where it is necessary, proportionate, and lawful to do so.

Such third parties may include:

• Third-Party Booking Platforms (including Fresha and similar systems);
• payment processors and financial institutions;
• IT service providers and hosting providers;
• professional advisers, including legal and accounting services;
• regulatory authorities, law enforcement agencies, or governmental bodies where required by law.

We ensure that any sharing of personal data is limited to what is necessary for the relevant purpose.

We do not sell, rent, or trade personal data to third parties.

Where third parties process data on our behalf, we take reasonable steps to ensure that appropriate safeguards are in place.

However, where data is processed by independent data controllers (such as booking platforms), those parties are responsible for their own compliance.

22. Third-Party Processors and Controllers

Where third parties act as processors on our behalf, they are required to:

• process personal data only in accordance with our instructions;
• implement appropriate security measures;
• comply with applicable data protection laws.

Where third parties act as independent data controllers, including booking platforms:

• they determine their own processing purposes;
• they operate under their own privacy policies;
• they are solely responsible for their data processing activities.

We are not responsible for the actions, omissions, or data handling practices of independent data controllers.

23. International Data Transfers

Personal data may be transferred to or processed in countries outside the United Kingdom.

Such transfers may occur where third-party providers operate internationally.

Where we transfer personal data, we take reasonable steps to ensure that appropriate safeguards are implemented, including:

• reliance on adequacy regulations;
• contractual protections;
• appropriate technical and organisational measures.

Where third-party platforms transfer data internationally, they are responsible for ensuring compliance with applicable laws.

24. Data Security

We implement appropriate technical and organisational measures designed to protect personal data against:

• unauthorised access;
• accidental loss;
• destruction;
• alteration;
• disclosure.

Such measures may include:

• access controls;
• secure systems and storage;
• restricted data access;
• internal policies and procedures.

However, you acknowledge that:

• no system is completely secure;
• transmission of data over the internet carries inherent risks;
• we cannot guarantee absolute security.

25. Data Breaches

In the event of a personal data breach, we will:

• assess the nature and impact of the breach;
• take appropriate remedial action;
• notify the Information Commissioner’s Office (ICO) where required;
• notify affected individuals where required by law.

26. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected.

Retention periods may vary depending on:

• the nature of the data;
• the purpose of processing;
• legal and regulatory requirements.

In general, personal data may be retained for up to six (6) years after the last interaction for the purposes of:

• legal compliance;
• dispute resolution;
• business record-keeping.

We may retain anonymised or aggregated data for longer periods.

27. Your Rights

You have the following rights under applicable data protection law:

• the right to access your personal data;
• the right to request correction of inaccurate data;
• the right to request deletion of your data;
• the right to restrict processing;
• the right to object to processing;
• the right to data portability;
• the right to withdraw consent at any time.

Requests may be submitted to:
info@pbrmassage.com

We will respond to requests in accordance with applicable law.

We may require verification of identity before responding.

28. Complaints

If you have concerns about how we process your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

https://www.ico.org.uk

We encourage you to contact us first so that we may attempt to resolve any concerns.

29. Cookies and Similar Technologies

Our website uses cookies and similar technologies to collect and store information.

Cookies may include:

• strictly necessary cookies required for website functionality;
• performance and analytics cookies;
• functionality cookies;
• tracking or marketing cookies (if applicable).

Cookies are used to:

• ensure website functionality;
• improve user experience;
• analyse website usage;
• maintain security.

30. Cookie Consent

Non-essential cookies will only be activated with your explicit consent.

You may:

• accept cookies;
• reject cookies;
• change your preferences at any time.

If cookies are disabled, certain parts of the website may not function properly.

31. Google Analytics

We use Google Analytics to analyse how users interact with our website.

Google Analytics may collect:

• anonymised IP address data;
• device and browser information;
• usage patterns and behaviour.

This data is used to improve website performance and user experience.

Google Analytics will only be activated after you provide consent.

32. External Links

Our website may contain links to third-party websites.

We are not responsible for:

• the content of such websites;
• their privacy practices;
• their data processing activities.

Accessing such websites is done at your own risk.

33. Limitation of Liability

To the fullest extent permitted by law, we disclaim liability for:

• data processing carried out by third-party platforms;
• data breaches occurring outside our systems;
• failures of third-party services;
• indirect or consequential losses arising from data use.

Nothing in this Notice excludes or limits liability where such limitation is not permitted by law.

34. Changes to This Notice

We reserve the right to update or amend this Privacy Notice at any time.

Any changes will be published on this page.

Where appropriate, we may notify you of significant changes.

Your continued use of our services constitutes acceptance of the updated Notice.