GDPR Data Protection Policy

Mini Makers - GDPR Data Protection Policy

1. Purpose of This Policy

This GDPR Data Protection Policy sets out how we collect, use, store, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We are committed to safeguarding the privacy and rights of all individuals who engage with our services, including children, parents, guardians, and website users.

2. Our Commitment to Data Protection

We will:

•Collect only the minimum personal data required.

•Use personal data only for clear, lawful purposes.

•Keep all data accurate and up to date.

•Store and handle data securely.

•Never sell personal information to third parties.

•Ensure transparency in how information is used.

•Respect all rights of individuals under UK GDPR.

3. What Data We Collect

Depending on the service, we may collect:

•Names of parents/guardians and children

•Contact details (email, phone number, address)

•Emergency contact information

•Allergy or medical information relevant for safety

•Booking details

•Payment details (processed securely via third-party payment providers)

•Photos/videos only with explicit consent

We do not collect unnecessary or intrusive information.

4. Lawful Basis for Processing Data

We process personal data under one or more of the following lawful bases:

•Consent – freely given by the parent/guardian or participant.

•Contract – to provide workshops, services, or bookings.

•Legal obligation – for insurance, safeguarding, or health and safety purposes.

•Vital interests – when information is needed to protect someone’s life (e.g., allergy or medical information).

•Legitimate interests – to improve our services or communicate updates.

5. How We Use Personal Data

Personal information may be used to:

•Manage bookings and workshop participation

•Ensure safety and safeguarding

•Contact parents/guardians if needed

•Respond to enquiries

•Keep internal records

•Send newsletters or marketing only with consent

6. How We Store and Protect Data

We take data security seriously and follow UK GDPR requirements by:

•Using secure, encrypted systems for digital data

•Keeping physical documents locked away

•Restricting access only to authorised staff

•Training all staff in data protection and confidentiality

•Using secure third-party software for payments or bookings

7. Data Sharing

We will only share personal data when:

•Required by law

•Necessary for safeguarding or safety

•Needed to fulfil a booking (e.g., payment processors)

•We have explicit consent

We do not share or sell personal data to external marketing companies.

8. Retention of Data

We keep personal data only for as long as necessary, based on:

•Legal requirements

•Insurance and safeguarding obligations

•Record-keeping needs

After this period, data is securely deleted or destroyed.

9. Your Rights Under UK GDPR

Parents, guardians, and participants have the right to:

•Access their personal data

•Request corrections

•Request deletion (“right to be forgotten”)

•Restrict or object to processing

•Withdraw consent at any time

•Request data portability

•Make a complaint to the Information Commissioner’s Office (ICO)

We will respond to all data requests within 30 days.

10. Consent for Children

For children under 13, consent must be provided by a parent or legal guardian.

We will always obtain consent before taking or using photos or videos for promotional purposes.

11. Breach Procedures

In the unlikely event of a data breach, we will:

•Investigate immediately

•Notify affected individuals

•Report to the ICO within 72 hours (if required)

•Take steps to prevent future breaches

12. Monitoring and Review

We are committed to keeping this policy up to date with UK GDPR standards.

•Last Reviewed: 30th November 2025

•Next Review Due: 30th November 2026