Privacy Policy
How we collect, use, and protect your personal data.
This policy applies to all personal data processed by The Glow Group (NE) Ltd through its website, premises, CCTV systems, booking platforms, and all other channels.
About This Policy
This privacy policy sets out how The Glow Group (NE) Ltd (referred to as "the Company", "we", "us", or "our") collects, uses, stores, discloses, and otherwise processes personal data in connection with our business activities.
This policy applies to:
- Visitors to our website(s) and social media pages
- Customers and prospective customers who book, purchase, or enquire about our services
- Visitors to our premises (including those captured on CCTV)
- Individuals who contact us by email, telephone, post, social media, or in person
- Job applicants and prospective employees
- Suppliers, contractors, and business contacts
- Any other individual whose personal data we process in the course of our business
We are committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and all other applicable data protection legislation in force in England and Wales.
Data Controller
Glow Tanning, Front Street, Framwellgate Moor, Durham, DH1 5AU
Company Number: 16000743
Email: [email protected]
If you have any questions about this policy or about how we handle your personal data, please contact us using the details above.
Personal Data We Collect
We may collect and process the following categories of personal data, depending on the nature of your interaction with us:
3.1 Identity and Contact Data
- Full name, title, date of birth
- Postal address, email address, telephone number(s)
- Social media handles or profile information (where you interact with us via social media)
3.2 Transaction and Financial Data
- Records of services booked and products purchased
- Payment card details (processed securely via PCI-DSS compliant third-party payment processors; we do not store full card numbers)
- Billing and invoice information
- Refund and credit records
3.3 Health and Consultation Data
- Skin type, skin conditions, and sensitivity information
- Relevant medical history, allergies, and medications disclosed during consultation
- Pregnancy status or other health conditions relevant to the safe provision of tanning or wellness treatments
- Treatment records, consent forms, and aftercare notes
3.4 Technical and Usage Data
- IP address, browser type and version, device type, and operating system
- Time zone setting and geographic location data (approximate, derived from IP address)
- Pages visited on our website, time spent, click patterns, and referral source
- Cookie identifiers and similar tracking technologies
3.5 CCTV and Visual Data
- CCTV footage and still images captured at and around our premises
- Photographs taken with your consent for marketing or social media purposes
3.6 Communications Data
- Records of correspondence with us by email, telephone, post, live chat, or social media
- Feedback, reviews, and complaint records
- Marketing preferences and consent records
3.7 Employment and Recruitment Data
- CV, covering letter, qualifications, employment history, and references
- Right to work documentation
- Interview notes and assessment records
- Equal opportunities monitoring data (provided voluntarily and processed in anonymised form)
3.8 Supplier and Contractor Data
- Business contact details, bank details for payment, and contractual correspondence
How We Collect Your Personal Data
Directly from you
When you book a service, make a purchase, complete a consultation form, fill in a form on our website, create an account, subscribe to marketing, contact us, apply for a job, visit our premises, or otherwise provide information to us.
Automatically
When you visit our website, we automatically collect technical data through cookies, server logs, and similar technologies. When you enter our premises, CCTV systems automatically capture visual data.
From third parties
- Online booking platforms and scheduling software providers
- Payment service providers and merchant acquirers
- Social media platforms (where you interact with our accounts or use social login features)
- Recruitment agencies and job boards
- Credit reference agencies (where applicable)
- Analytics providers (e.g. Google Analytics)
Purposes and Lawful Bases
Lawful basis: Performance of a contract. For health data: explicit consent.
Lawful basis: Performance of a contract. Compliance with legal obligation (tax/accounting).
Lawful basis: Consent (electronic marketing under PECR). Legitimate interest (existing customers, similar services).
Lawful basis: Legitimate interest. Consent (non-essential cookies).
Lawful basis: Legitimate interest.
Lawful basis: Compliance with legal obligation. Legitimate interest (legal claims).
Lawful basis: Legitimate interest. Contract. Consent (equal opportunities). Legal obligation (right to work).
Lawful basis: Legitimate interest. Compliance with legal obligation.
Lawful basis: Legitimate interest.
Marketing
We may contact you with marketing communications where you have given specific consent or where you are an existing customer and we are contacting you about similar services (the "soft opt-in" under PECR), and you have not opted out.
You can opt out of marketing at any time by:
- Clicking the unsubscribe link in any marketing email or SMS
- Contacting us at [email protected]
- Informing a member of staff at any of our locations
Withdrawing from marketing will not affect service-related communications. We do not share your personal data with third parties for their own direct marketing purposes without your explicit consent.
Recipients of Your Personal Data
We may share your personal data with the following categories of recipients, strictly on a need-to-know basis:
- Service providers: IT, hosting, email marketing, booking software, payment processors, cloud storage
- Professional advisers: Accountants, auditors, lawyers, insurers
- Security providers: CCTV maintenance and monitoring
- Payment processors: Banks, merchant acquirers, PCI-DSS compliant providers
- Regulatory bodies: HMRC, ICO, local authorities, police
- Courts and legal parties: Where necessary for legal claims
- Recruitment platforms: Where you applied via a third-party agency
We do not sell, rent, or trade your personal data to any third party.
International Data Transfers
We primarily store and process personal data within the United Kingdom. Where any third-party providers transfer data outside the UK, we ensure appropriate safeguards are in place, including adequacy decisions, UK International Data Transfer Agreements, or EU Standard Contractual Clauses with the UK Addendum.
Data Retention
We retain personal data only for as long as necessary. Our standard retention periods:
| Data Type | Retention Period |
|---|---|
| Customer records and transactions | 7 years from last transaction |
| Consultation and treatment records | 7 years from last treatment (longer for under 18s) |
| CCTV footage | 30 days (longer if incident-related) |
| Marketing consent records | Duration of consent + 2 years after withdrawal |
| Job applicant data | 6 months from end of recruitment |
| Website analytics | Up to 26 months (Google Analytics) |
| Complaints and disputes | 7 years from resolution |
| Supplier and contractor records | 7 years from end of contract |
CCTV
We operate CCTV at our premises for the prevention and detection of crime, protection of staff and customers, health and safety monitoring, and investigation of incidents.
CCTV is processed on the basis of our legitimate interests. Clear signage is displayed at all entry points. Footage is stored securely with access limited to authorised personnel, retained for 30 days, then automatically overwritten unless required for a specific incident.
You have the right to request access to CCTV footage of yourself under Article 15 of the UK GDPR. Requests must include sufficient detail (date, time, location) and we will respond within one calendar month.
Cookies
Our website uses cookies — small text files placed on your device. We use the following categories:
You can manage or delete cookies through your browser settings. Disabling certain cookies may affect website functionality.
Your Rights
Under the UK GDPR, you have the following rights:
- Access: Request confirmation and a copy of your personal data
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion in certain circumstances
- Restriction: Request restricted processing in certain circumstances
- Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interest, including direct marketing
- Withdraw Consent: Withdraw consent at any time without affecting prior processing
- Automated Decisions: Not be subject to solely automated decision-making (we do not currently do this)
To exercise any right, contact us at [email protected]. We will respond within one calendar month. No charge applies unless a request is manifestly unfounded or excessive.
Data Security
We implement appropriate technical and organisational measures including encryption in transit and at rest, role-based access controls, multi-factor authentication, regular security assessments, secure disposal procedures, staff training, physical security measures, and incident response procedures.
Personal Data Breaches
In the event of a breach, we will assess the nature and severity, notify the ICO within 72 hours where required, notify affected individuals where there is high risk, and document all breaches in our breach register.
Children
Our services are generally intended for individuals aged 16 and over. Where we provide services to individuals under 16, we will obtain parental or guardian consent. We do not knowingly collect data from children under 13.
Third-Party Links
Our website may contain links to third-party websites. This policy does not apply to those services. We encourage you to read the privacy policy of every website you visit.
Changes to This Policy
We may update this policy from time to time. Material changes will be posted on our website with an updated version number. We encourage you to review this policy periodically.
Complaints
If you are dissatisfied with how we have handled your personal data, please contact us first. You also have the right to lodge a complaint with the ICO:
Telephone: 0303 123 1113
Website: www.ico.org.uk