Privacy Policy

Effective Date: 01 June 2025

This Privacy Policy explains how Woden Health Ltd ("we," "us," or "our"), a company based in the United Kingdom, collects, uses, stores, and protects your personal data when you use our website, purchase our sustainable health and martial arts goods, attend our Qigong classes, or otherwise interact with us.

We are committed to protecting your privacy and handling your personal data in a transparent and secure manner, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Woden Health Ltd is a company registered in England and Wales. Our registered office address is available upon request.

For any privacy-related queries, please contact us at:

  • Email: trevor@wodenhealth.com

2. What Personal Data Do We Collect?

We may collect and process the following types of personal data about you:

  • Identity Data: Name, title, date of birth, gender.

  • Contact Data: Billing address, delivery address, email address, telephone numbers.

  • Financial Data: Payment card details (processed securely by our payment gateway providers, we do not store full card details), bank account details for refunds.

  • Transaction Data: Details about products and services you have purchased from us.

  • Health Data (Special Category Data): For Qigong classes, we may collect information about any relevant medical conditions, injuries, or health concerns. This is only collected with your explicit consent to ensure your safety and tailor our instruction. We process this data with extra care as required by UK GDPR.

  • Technical Data: Internet Protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.

  • Usage Data: Information about how you use our website, products, and services.

  • Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences.

  • Correspondence: Any communications you send to us, such as emails or letters.

3. How Do We Collect Your Personal Data?

We use different methods to collect data from and about you, including:

  • Direct Interactions: You may give us your Identity, Contact, Financial, and Health Data by filling in forms, creating an account, purchasing products, booking Qigong classes, subscribing to our newsletter, or corresponding with us by post, phone, email, or otherwise.

  • Automated Technologies or Interactions: As you interact with our website, we may automatically collect Technical and Usage Data using cookies, server logs, and other similar technologies. Please see the Cookie Policy section below for more details.

  • Third Parties: We may receive personal data about you from various third parties, such as:

    • Payment and delivery services.

    • Analytics providers (e.g., Google Analytics).

    • Advertising networks.

    • Social media platforms if you interact with us through them.

4. How and Why We Use Your Personal Data (Lawful Basis)

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • To perform the contract: To process and deliver your orders for goods, book Qigong classes, and provide the services you have requested.

  • For our legitimate interests: Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. This includes:

    • Improving our website, products, and services.

    • Managing our relationship with you.

    • For internal administrative and business purposes.

    • For direct marketing purposes (where permitted and you have not opted out).

    • Preventing fraud and ensuring security.

  • To comply with a legal obligation: Where we need to comply with a legal or regulatory obligation (e.g., tax purposes, health and safety records).

  • With your consent: In specific situations where we require your explicit consent to process your data, such as for collecting health data for Qigong classes or sending certain marketing communications, you have the right to withdraw consent at any time.

Purposes for which we will use your personal data, the type of data collected, and the lawful basis for processing (UK GDPR):

  • To register you as a new customer
    • Type of data: Identity, Contact
    • Lawful basis: Performance of a contract with you

  • To process and deliver your orders
    • Type of data: Identity, Contact, Financial, Transaction
    • Lawful basis: Performance of a contract with you; Legitimate interests (to recover debts)

  • To manage payments, fees, and charges
    • Type of data: Financial, Transaction
    • Lawful basis: Performance of a contract with you; Legitimate interests (to recover debts)

  • To manage our relationship with you
    • Type of data: Identity, Contact, Marketing & Comms, Usage
    • Lawful basis: Performance of a contract with you; Legitimate interests (to keep our records updated); Necessary to comply with a legal obligation

  • To enable you to participate in Qigong classes and tailor instruction safely
    • Type of data: Identity, Contact, Health (Special Category Data)
    • Lawful basis: Performance of a contract with you; Explicit Consent (for health data)

  • To improve our website, products, services, and marketing
    • Type of data: Technical, Usage
    • Lawful basis: Legitimate interests (to define customer types, keep our website updated, develop our business)

  • To send you marketing communications
    • Type of data: Identity, Contact, Marketing & Comms
    • Lawful basis: Consent; Legitimate interests (to grow our business, inform you about relevant products)

  • To administer and protect our business and website
    • Type of data: Technical
    • Lawful basis: Legitimate interests (for network security, preventing fraud); Necessary to comply with a legal obligation

5. How We Share Your Personal Data

We may share your personal data with the following categories of third parties:

  • Service Providers: Third-party service providers who perform services on our behalf, such as payment processing (e.g., Stripe, PayPal), shipping companies (e.g., Royal Mail, DPD), IT and system administration services, email service providers, and website analytics providers.

  • Professional Advisers: Lawyers, bankers, auditors, and insurers who provide legal, banking, audit, or accounting services.

  • Government & Regulators: HM Revenue & Customs, regulators, and other authorities, where required by law.

  • Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. International Transfers

We may transfer, store, and process your personal data outside the UK or the European Economic Area (EEA). If we do so, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK government.

  • Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

7. Data Security

We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means, and the applicable legal requirements.

Generally, we will keep basic information about our customers (including Contact, Identity, Financial, and Transaction Data) for six years after they cease being customers for tax and legal purposes. Health data collected for Qigong classes will be retained only as long as strictly necessary for safety and instruction purposes, and in accordance with relevant health and safety guidelines.

9. Processing of Payments

Payments are processed via our third-party platform, Stripe. Stripe handles data by prioritising security and privacy, implementing robust encryption and tokenisation, along with strict access controls. They also collect and use data for improving their services, such as fraud prevention and performance analysis, while complying with legal obligations and data protection laws.

Security and Privacy:

  • Encryption:

    Stripe encrypts sensitive data, including payment card numbers (PANs) and bank account information, both in transit and at rest, using industry-standard encryption like AES-256. 

  • Tokenization:

    They use tokenisation to replace sensitive data with unique, non-sensitive tokens, further isolating raw data from the rest of their infrastructure. 

  • Separate Hosting:

    Stripe's infrastructure for storing and processing sensitive data runs in a separate, isolated environment, restricting access to a small team of trained engineers. 

  • Access Control:

    They have a formal process for granting and reviewing access to systems and data, implementing the principle of least privilege and requiring human review for actions within the most sensitive areas. 

  • Data Retention:

    Stripe has a data retention policy that minimises the amount of data it keeps while complying with regulatory and business requirements. 

Data Usage:

  • Fraud and Loss Prevention:

    Stripe uses personal data to train its fraud and loss prevention models, including those used by Stripe Radar and Stripe Identity. 

  • Product Improvement:

    They use data to analyse the performance of their products and services, allowing for continuous improvement. 

  • Legal Compliance:

    Stripe uses data to comply with legal obligations related to anti-money laundering, Know Your Customer (KYC) laws, and other regulations. 

  • Third-Party Relationships:

    Stripe may share personal data with affiliates and service providers, but only as necessary to fulfill contractual obligations and with strict adherence to data protection laws. 

Data Processing:

  • Data Pipeline:

    Stripe offers a Data Pipeline feature that allows users to sync their Stripe data to various data warehouses and cloud storage destinations. 

  • Payment Processing:

    Stripe's payment processing system securely encrypts data during transmission and uses a gateway to forward it to a payment processor. 

  • Compliance:

    Stripe provides tools and features to help businesses comply with regulations like GDPR, offering options for secure data collection and processing. 

10. Cookie Policy

This site is hosted and maintained by Squarespace. To learn more about their use of cookies, including cookies used on squarespace.com and their web and mobile apps, visit our Cookie Policy and Privacy Policy.

11. Your Legal Rights (UK GDPR)

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:

  • Request access to your personal data.

  • Request correction of your personal data.

  • Request erasure of your personal data.

  • Object to processing of your personal data.

  • Request restriction of processing your personal data.

  • Request transfer of your personal data.

  • Withdraw consent (where applicable).

If you wish to exercise any of the rights set out above, please contact us at trevor@wodenhealth.com.

No Fee Usually Required: You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What We May Need From You: We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Time Limit to Respond: We try to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

12. Right to Lodge a Complaint

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please get in touch with us in the first instance.

13. Changes to This Privacy Policy

We may update this privacy policy from time to time by publishing a new version on our website. You should check this page occasionally to ensure you are happy with any changes. We may notify you of significant changes to this policy by email or through our website.