Legal
Privacy Policy
Last updated: June 2026
1. Who We Are
We are Cerese Ltd, trading as Body & Soul, registered in England & Wales (Company No. 14954016, VAT GB 458443566). Our registered office is at 167–169 Great Portland Street, London, W1W 5PF. Our studio is located at 2 Bocking Street, London, E8 3RL. References in this policy to “Body & Soul”, “we”, “us”, or “our” mean Cerese Ltd.
We are the data controller responsible for your personal data and are registered with the Information Commissioner’s Office. Being the data controller means we decide how and why your personal data is processed.
If you have any questions about this privacy policy or how we handle your data, please contact us:
2. What This Policy Covers
This privacy policy explains what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have. It applies to all personal data we collect from you as a client, prospective client, or website visitor.
By “personal data” we mean any information that identifies you or could be used to identify you, including your name, email address, photographs, call recordings, and payment information.
3. What Personal Data We Collect
Identity & contact information: Your full name, email address, phone number, postal address, and date of birth.
Photographs and images: Professional photographs created during your session, in both digital and print format. These photographs may identify you and are treated as personal data. We also collect any reference images or inspiration material you share with us during session planning.
Health and accessibility information: If you tell us about mobility limitations, medical conditions, allergies, or skin sensitivities so that we can run your session safely and tailor hair and makeup appropriately, we record that information. This is special category data and we process it only with your explicit consent, solely to make appropriate arrangements for your session (see section 4).
Payment and financial information: Your payment method details are processed by our third-party payment providers (see section 6 below). We do not store your full card details on our systems. We retain records of transaction amounts, dates, payment methods used, and payment plan details.
Communications: Records of emails, SMS, WhatsApp and other messages, and correspondence between you and our team, including enquiries, booking confirmations, and post-session communications.
Call recordings: We record video and telephone calls for quality assurance, training, compliance, and dispute resolution purposes. You will be notified at the start of any recorded call. If you prefer not to be recorded, tell us and we will offer an alternative such as an unrecorded call or email correspondence (see section 5).
Gallery and download data: When you access your private online gallery, our gallery platform records access logs, download events, IP addresses, timestamps, and device information.
Session and order information: Details of your session (date, location, styling preferences), your image selections, collection details, album specifications, and order history.
Website data: When you visit our website, we may collect your IP address, browser type, device information, pages visited, and referring URLs through cookies and similar technologies (see section 11 below).
Marketing preferences: Your consent status and preferences for receiving marketing communications from us.
4. How and Why We Use Your Personal Data
We only use your personal data when we have a lawful basis to do so. The list below sets out each processing activity, the purpose, and the lawful basis we rely on.
To deliver our photography services and fulfil your order: scheduling your session, providing hair and makeup services, conducting the photoshoot, editing and retouching images, creating your online gallery, producing albums, prints and artwork, and delivering your order. Lawful basis: performance of our contract with you.
To make arrangements for your health, safety, and comfort: using any health, mobility, allergy, or sensitivity information you share with us to plan your session, adapt the studio environment, and select suitable hair and makeup products. Lawful basis: performance of our contract with you; for special category data, your explicit consent (UK GDPR Article 9(2)(a)). You may withdraw consent at any time, though this may limit the arrangements we can safely make.
To process payments: taking deposits, processing card payments, managing payment plans and finance applications through our finance partners, issuing refunds, and managing payment schedules. Lawful basis: performance of our contract with you.
To communicate with you about your order: booking confirmations, session reminders, gallery access notifications, delivery updates, post-session check-ins, and responding to your queries or concerns. Lawful basis: performance of our contract with you.
To record calls: we record video calls and telephone calls for quality assurance, staff training, compliance monitoring, and to maintain an accurate record of what was discussed and agreed. You are notified when a call is being recorded and may request an unrecorded alternative. Lawful basis: legitimate interests (maintaining quality standards, training staff, protecting both parties in the event of a dispute).
To handle complaints and disputes: investigating and responding to complaints, managing Subject Access Requests, defending chargebacks and payment disputes, and liaising with regulators or legal advisers where necessary. Lawful basis: legitimate interests (resolving disputes fairly) and compliance with legal obligations.
To use behind-the-scenes content for marketing: as set out in our Terms and Conditions, we may use non-intimate content captured during your session (getting-ready footage, clothed images, behind-the-scenes video) to promote our business, including on our website, social media, and in paid advertising. Lawful basis: legitimate interests (promoting our business using our own work product). You have the right to object at any time (see section 9), and you may opt out before your session by emailing privacy@bodyandsoulstudios.uk.
To use your portrait images for marketing: we will only ever use intimate portrait imagery for promotional purposes with your separate, specific written consent, sought after your session on an image-by-image basis. Lawful basis: consent. You can withdraw consent at any time and we will promptly stop using the images.
To send you marketing communications: information about future events, offers, or services we think you may be interested in. Lawful basis: consent (for email and SMS marketing). You can withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us.
To improve our services: we analyse aggregated and anonymised data about sessions, orders, and client feedback to improve our photography, service delivery, and client experience. Lawful basis: legitimate interests (improving our business).
To comply with legal and regulatory obligations: maintaining financial records for tax and accounting purposes, responding to lawful requests from regulators or law enforcement, and complying with data protection law. Lawful basis: compliance with legal obligations.
To protect our business and enforce our rights: detecting and preventing fraud, enforcing our terms and conditions, pursuing or defending legal claims, and protecting our property and rights. Lawful basis: legitimate interests (protecting our business).
5. Call Recording: Additional Detail
Because call recordings capture personal data including your voice, your image (on video calls), and the content of your conversations, we want to be transparent about how we handle them.
What we record: Art curation calls, follow-up calls, and any other calls where you are notified that recording is in progress.
How you are notified: On video calls, you will see a notification when you join that the call is being recorded. On telephone calls, you will be informed verbally at the start of the call. If you prefer not to be recorded, tell us at the start of the call and we will offer an alternative, such as continuing unrecorded or corresponding by email.
Payment card details: If you provide payment card details verbally during a recorded call, we take steps to ensure sensitive card data (particularly CVV/security codes) is not retained in the recording. Where card details are captured on an existing recording, we will redact them before any disclosure.
How long we keep recordings: Call recordings are retained for 12 months from the date of recording, unless they are relevant to an ongoing dispute or legal matter, in which case they are retained until the matter is resolved. Recordings are then securely deleted.
Your rights: Call recordings form part of your personal data and are disclosable in response to a Subject Access Request.
6. Who We Share Your Data With
We share your personal data with the following categories of third parties, and only to the extent necessary for the purposes described in this policy. The named providers below are current at the date of this policy; an up-to-date list is available on request.
Payment and finance providers: Our card payment processor, direct debit provider (GoCardless), and regulated finance partners. These providers process your payment data securely in accordance with PCI DSS standards. We do not store your full card details; your payment data is held by these providers under their own privacy policies. Where a finance partner makes a credit decision, it does so as a controller in its own right (see section 10).
CRM and communications platform: We use a customer relationship management platform (currently HighLevel/LeadConnector, based in the United States) to manage contact details, bookings, correspondence (email, SMS, WhatsApp), and call data.
Gallery platform: ShootProof (based in the United States) hosts your private online gallery and processes gallery access data including IP addresses, download logs, and timestamps.
Video conferencing: Zoom Video Communications, which processes call data and recordings under a data processing agreement with us.
E-signature platform: The provider we use for electronic signing of order forms, which processes your name, email address, IP address, and signature.
Production and quality-assurance tools: We use trusted software tools, which may include AI-assisted tools, to support image selection, editing, and quality review. These providers process images under contract with us and are not permitted to use your images to train their models.
Print and production partners: Third-party printers, framers, album manufacturers, and book binders who produce your physical products. They receive only the data necessary to fulfil your order (images and delivery details).
Advertising partners: Where you consent to marketing cookies, advertising platforms (such as Meta) collect data about your visit through pixels on our website. We may also share hashed contact details with advertising platforms to show our advertising to existing contacts or similar audiences. You can object to this at any time (see section 9) and manage cookie consent at any time (see section 11).
Professional advisers: Our accountants, solicitors, and insurance providers, where necessary for legal, tax, or insurance purposes.
Regulatory and legal bodies: The Information Commissioner’s Office (ICO), Trading Standards, courts, or law enforcement agencies, where we are required to do so by law or to protect our legal rights.
Business transfers: If Cerese Ltd is sold, merged, or restructured, your personal data may be transferred to the new owner as part of the business assets. We will notify you if this happens and explain your options.
We do not sell your personal data to any third party.
7. International Data Transfers
Some of our third-party service providers are based outside the United Kingdom, including in the United States. When your personal data is transferred outside the UK, we ensure it is protected by appropriate safeguards as required by UK data protection law. Depending on the provider, these safeguards include the UK Extension to the EU–US Data Privacy Framework (the “UK–US Data Bridge”), the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses.
You can contact us for more information about the specific safeguards in place for any particular transfer.
8. How Long We Keep Your Data
We keep your personal data only for as long as necessary for the purposes set out in this policy, or as required by law.
Session images you do not select: If you do not complete your image selections within 90 days of your art curation call being offered, your session images are permanently deleted in line with our Terms and Conditions, after reasonable attempts to contact you.
Purchased photographs (digital files): 4 months from completion of your order, then securely deleted, unless you arrange extended storage with us or have given consent for marketing use.
Images used for marketing with your consent: Until you withdraw consent.
Health and accessibility information: Deleted within 3 months of your session unless relevant to an ongoing matter.
Call recordings: 12 months from the date of recording, or until resolution of any ongoing dispute, whichever is later.
Order records and contracts: 6 years from the date of your last transaction, in line with the limitation period for contractual claims under English law.
Payment records: 6 years from the date of transaction, as required for tax and accounting obligations.
Marketing consent records: Until you withdraw consent or unsubscribe, plus 12 months to maintain a suppression list so we do not contact you again.
Gallery access and download logs: 12 months from the date of gallery expiry.
Email and message correspondence: 6 years from the date of your last transaction.
Website analytics data: 26 months (aggregated and anonymised where possible).
When the applicable retention period expires, we securely delete or anonymise your personal data. Where deletion is not immediately possible (for example, because data is held in backup systems), we isolate the data and prevent further processing until deletion is completed.
9. Your Rights
Under UK data protection law, you have the following rights. You can exercise any of them by contacting privacy@bodyandsoulstudios.uk.
Right of access (Subject Access Request): You can ask us to confirm whether we are processing your personal data and, if so, to provide a copy along with information about how and why we process it. We will respond within one month. For complex or voluminous requests, we may extend this by up to two further months, but we will tell you within the first month and explain why.
Right to rectification: If your personal data is inaccurate or incomplete, you can ask us to correct or complete it. We will do so without undue delay.
Right to erasure: You can ask us to delete your personal data in certain circumstances, including where we no longer need it, where you withdraw consent, or where you successfully object to processing. We may refuse erasure where we need to keep the data to comply with a legal obligation, for the establishment, exercise, or defence of legal claims, or on other grounds permitted under Article 17(3) of UK GDPR.
Right to restrict processing: You can ask us to suspend processing in certain circumstances, such as while we verify accuracy or consider an objection. While processing is restricted, we will store your data but not use it without your consent (except for legal claims, protecting others’ rights, or important public interest reasons).
Right to data portability: You can ask us to provide your personal data in a structured, commonly used, machine-readable format, or to transmit it to another controller where technically feasible. This applies to data you provided to us that we process on the basis of consent or contract performance.
Right to object: You can object to processing based on legitimate interests, including the use of behind-the-scenes content for marketing and the sharing of hashed contact details with advertising platforms. If you object, we will stop unless we can demonstrate compelling legitimate grounds that override your interests. You can object to direct marketing at any time, and we will stop immediately.
Right to withdraw consent: Where we rely on your consent (email marketing, intimate image marketing, health information), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint: If you are unhappy with how we have handled your personal data, you can complain to the Information Commissioner’s Office (ICO): www.ico.org.uk | 0303 123 1113 | Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would appreciate the opportunity to address your concerns first.
10. Automated Decision-Making and Profiling
We do not use your personal data for automated decision-making that produces legal effects or similarly significant effects on you.
We may use limited profiling to tailor our marketing, for example, segmenting our mailing list by interests or past enquiries. This does not produce legal or similarly significant effects, and you can object at any time.
Where third-party finance providers make automated credit decisions as part of a finance application, those decisions are made by the finance provider as a data controller under their own privacy policy, not by us. We act as a credit broker, not a lender.
11. Cookies and Website Tracking
When you visit bodyandsoulstudios.uk, we use cookies and similar technologies.
Essential cookies: Required for the website to function properly (e.g. session management, security). These do not require consent.
Analytics cookies: Used to understand how visitors interact with our website. Set only with your consent.
Marketing cookies: Used by us and our advertising partners to deliver relevant advertisements and measure campaign effectiveness. Set only with your consent.
Non-essential cookies are not placed until you consent via the cookie banner, and you can change or withdraw your cookie consent at any time through the cookie settings on our website or your browser settings. For more information, see the cookie section of this Privacy Policy.
12. Children’s Data
Our services are available only to adults aged 18 or over, and we do not knowingly collect personal data from anyone under 18. Where a session booked and consented to by a parent or guardian includes a person under 18, the parent or guardian is responsible for providing consent on their behalf. If you believe we have collected data about a child without appropriate consent, please contact us immediately and we will delete it.
13. Data Security
We take the security of your personal data seriously, particularly given the sensitive and intimate nature of portrait photography, and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. These measures include:
- Encrypted storage systems for photographs and personal data
- Secure access controls with role-based permissions for our team
- Secure payment processing through PCI DSS-compliant providers
- Regular review of our security practices and access logs
- Staff training on data protection and information security
- Secure deletion of personal data when retention periods expire
Data breaches: If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, as required by law. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
While we take all reasonable steps to protect your data, no system is completely secure. If you become aware of any security incident affecting your data, please contact us immediately.
14. Third-Party Links
Our website may contain links to third-party websites, including social media platforms. We are not responsible for the privacy practices of those websites. We encourage you to read their privacy policies before providing any personal data.
15. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, our services, or applicable law. When we make significant changes, we will notify you by email or by posting a prominent notice on our website. The “last updated” date at the top indicates when it was most recently revised.
16. Contact Us
If you have any questions about this privacy policy, want to exercise any of your rights, or wish to make a complaint about how we handle your data, please contact us:
For Subject Access Requests, please email privacy@bodyandsoulstudios.uk with the subject line “Subject Access Request.” We may ask you to verify your identity before processing your request.

