Privacy Policy

Body & Soul Studios Ltd Last updated: February 2026

1. Who We Are

We are Body & Soul Studios Ltd, registered in England & Wales (Company No. 14954016, VAT 458443566). Our registered office is at 167–169 Great Portland Street, London, W1W 5PF. Our studio is located at 2 Bocking Street, London, E8 3RL.

We are the data controller responsible for your personal data. This means we decide how and why your personal data is processed.

If you have any questions about this privacy policy or how we handle your data, please contact us:

Email: privacy@bodyandsoulstudios.uk Phone: 07400 626771 Post: Body & Soul Studios Ltd, 167–169 Great Portland Street, London, W1W 5PF

2. What This Policy Covers

This privacy policy explains what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have. It applies to all personal data we collect from you as a client, prospective client, or website visitor.

By “personal data” we mean any information that identifies you or could be used to identify you, including your name, email address, photographs, call recordings, and payment information.

3. What Personal Data We Collect

We collect the following categories of personal data:

Identity & contact information: Your full name, email address, phone number, postal address, and date of birth.

Photographs and images: Professional photographs created during your session, in both digital and print format. These photographs may identify you and are treated as personal data. We also collect any reference images or inspiration material you share with us during session planning.

Payment and financial information: Your payment method details are processed by our third-party payment providers (see section 6 below). We do not store your full card details on our systems. We retain records of transaction amounts, dates, payment methods used, and payment plan details.

Communications: Records of emails, messages, and other correspondence between you and our team, including enquiries, booking confirmations, and post-session communications.

Call recordings: We record video and telephone calls for quality assurance, training, compliance, and dispute resolution purposes. When you join a recorded call, you will be notified that recording is taking place and given the opportunity to consent or decline before the call proceeds.

Gallery and download data: When you access your private online gallery, our gallery platform records access logs, download events, IP addresses, timestamps, and device information.

Session and order information: Details of your session (date, location, styling preferences), your image selections, collection details, album specifications, and order history.

Website data: When you visit our website, we may collect your IP address, browser type, device information, pages visited, and referring URLs through cookies and similar technologies (see section 11 below).

Marketing preferences: Your consent status and preferences for receiving marketing communications from us.

4. How and Why We Use Your Personal Data

We only use your personal data when we have a lawful basis to do so. The table below sets out each processing activity, the purpose, and the lawful basis we rely on.

To deliver our photography services and fulfil your order This includes scheduling your session, providing hair and makeup services, conducting the photoshoot, editing and retouching images, creating your online gallery, producing albums, prints and artwork, and delivering your order. Lawful basis: Performance of our contract with you.

To process payments This includes taking deposits, processing card payments, setting up and managing direct debit payment plans through GoCardless, processing finance applications through Klarna or Pay It Monthly, issuing refunds, and managing payment schedules. Lawful basis: Performance of our contract with you.

To communicate with you about your order This includes booking confirmations, session reminders, gallery access notifications, delivery updates, post-session check-ins, and responding to your queries or concerns. Lawful basis: Performance of our contract with you.

To record calls We record video calls (via Zoom) and telephone calls for quality assurance, staff training, compliance monitoring, and to maintain an accurate record of what was discussed and agreed. You are notified when a call is being recorded. Lawful basis: Legitimate interests (maintaining quality standards, training staff, protecting both parties in the event of a dispute).

To handle complaints and disputes This includes investigating and responding to complaints, managing Subject Access Requests, and liaising with regulators or legal advisers where necessary. Lawful basis: Legitimate interests (resolving disputes fairly) and compliance with legal obligations.

To use your images for marketing and promotion With your permission, we may use selected images from your session in our portfolio, on our website, on social media, and in printed promotional materials. We exercise professional judgment in selecting appropriate images and will never use images that compromise your dignity or privacy. You can withdraw permission at any time and we will promptly remove your images. Lawful basis: Legitimate interests (promoting our business using our own work product). You have the right to object at any time — see section 9.

To send you marketing communications We may send you information about future events, offers, or services we think you may be interested in. Lawful basis: Consent (for email marketing). You can withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us.

To improve our services We analyse aggregated and anonymised data about sessions, orders, and client feedback to improve our photography, service delivery, and client experience. Lawful basis: Legitimate interests (improving our business).

To comply with legal and regulatory obligations This includes maintaining financial records for tax and accounting purposes, responding to lawful requests from regulators or law enforcement, and complying with data protection law. Lawful basis: Compliance with legal obligations.

To protect our business and enforce our rights This includes detecting and preventing fraud, enforcing our terms and conditions, pursuing or defending legal claims, and protecting our property and rights. Lawful basis: Legitimate interests (protecting our business).

5. Call Recording — Additional Detail

Because call recordings capture sensitive personal data including your voice, your image (on video calls), and the content of your conversations, we want to be transparent about how we handle them.

What we record: Art curation calls, follow-up calls, and any other calls where you are notified that recording is in progress.

How you are notified: On Zoom calls, you will see a notification when you join that the call is being recorded and must click to consent before proceeding. On telephone calls, you will be informed verbally at the start of the call.

Payment card details: If you provide payment card details verbally during a recorded call, we take steps to ensure sensitive card data (particularly CVV/security codes) is not retained in the recording. Where card details are captured on an existing recording, we will redact them before any disclosure.

How long we keep recordings: Call recordings are retained for 12 months from the date of recording, unless they are relevant to an ongoing dispute or legal matter, in which case they are retained until the matter is resolved. Recordings are then securely deleted.

Your rights: Call recordings form part of your personal data and are disclosable in response to a Subject Access Request.

6. Who We Share Your Data With

We share your personal data with the following categories of third parties, and only to the extent necessary for the purposes described in this policy.

Payment processors: Stripe (card payments), GoCardless (direct debit), Klarna and Pay It Monthly (finance). These providers process your payment data securely in accordance with PCI DSS standards. We do not store your full card details — your payment data is held by these providers under their own privacy policies.

Gallery platform: ShootProof (based in the United States). ShootProof hosts your private online gallery and processes gallery access data including IP addresses, download logs, and timestamps. Data transferred to ShootProof is protected by appropriate safeguards (see section 7 below).

Video conferencing: Zoom Video Communications. Zoom processes call data and recordings. Zoom’s data processing is governed by their data processing agreement with us.

E-signature platform: The provider we use for electronic signing of order forms, which processes your name, email address, IP address, and signature.

Print and production partners: Third-party printers, framers, album manufacturers, and book binders who produce your physical products. They receive only the data necessary to fulfil your order (images and delivery details).

Professional advisers: Our accountants, solicitors, and insurance providers, where necessary for legal, tax, or insurance purposes.

Regulatory and legal bodies: The Information Commissioner’s Office (ICO), Trading Standards, courts, or law enforcement agencies, where we are required to do so by law or to protect our legal rights.

Business transfers: If Body & Soul Studios Ltd is sold, merged, or restructured, your personal data may be transferred to the new owner as part of the business assets. We will notify you if this happens and explain your options.

We do not sell your personal data to any third party, and we do not share your data with third parties for their own marketing purposes.

7. International Data Transfers

Some of our third-party service providers are based outside the United Kingdom, including ShootProof and Zoom (both based in the United States). When your personal data is transferred outside the UK, we ensure it is protected by appropriate safeguards as required by UK data protection law. These safeguards include the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable.

You can contact us for more information about the specific safeguards in place for any particular transfer.

8. How Long We Keep Your Data

We keep your personal data only for as long as necessary for the purposes set out in this policy, or as required by law. The table below sets out our standard retention periods.

Photographs (digital files): 4 months from completion of your order, then archived or securely deleted unless you request extended storage. Extended storage is available on request — please contact us to discuss.

Call recordings: 12 months from the date of recording, or until resolution of any ongoing dispute, whichever is later.

Order records and contracts: 6 years from the date of your last transaction. This aligns with the limitation period for contractual claims under English law.

Payment records: 6 years from the date of transaction, as required for tax and accounting obligations under HMRC regulations.

Marketing consent records: Until you withdraw consent or unsubscribe, plus 12 months to maintain a suppression list to ensure we do not contact you again.

Gallery access and download logs: 12 months from the date of gallery expiry.

Email and message correspondence: 6 years from the date of your last transaction.

Website analytics data: 26 months (aggregated and anonymised where possible).

When the applicable retention period expires, we will securely delete or anonymise your personal data. Where deletion is not immediately possible (for example, because data is held in backup systems), we will isolate the data and prevent further processing until deletion is completed.

9. Your Rights

Under UK data protection law, you have the following rights in relation to your personal data. You can exercise any of these rights by contacting us at privacy@bodyandsoulstudios.uk.

Right of access (Subject Access Request): You can ask us to confirm whether we are processing your personal data and, if so, to provide you with a copy of that data along with information about how and why we process it. We will respond within 30 calendar days. For complex or voluminous requests, we may extend this by up to two further months, but we will tell you within the first 30 days and explain why.

Right to rectification: If your personal data is inaccurate or incomplete, you can ask us to correct or complete it. We will do so without undue delay.

Right to erasure (right to be forgotten): You can ask us to delete your personal data in certain circumstances, including where we no longer need it for the purpose it was collected, where you withdraw consent, or where you successfully object to processing. We may refuse erasure where we need to keep the data for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for other grounds permitted under Article 17(3) of UK GDPR.

Right to restrict processing: You can ask us to suspend processing of your personal data in certain circumstances, such as while we verify its accuracy or consider your objection to processing. While processing is restricted, we will store your data but not use it without your consent (except for legal claims, protecting others’ rights, or important public interest reasons).

Right to data portability: You can ask us to provide your personal data in a structured, commonly used, machine-readable format, or to transmit it directly to another controller where technically feasible. This applies to data you provided to us and that we process on the basis of consent or contract performance.

Right to object: You can object to processing of your personal data where we rely on legitimate interests as our lawful basis. This includes objecting to the use of your images for marketing and promotion. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. You can also object to direct marketing at any time, and we will stop immediately.

Right to withdraw consent: Where we rely on your consent to process personal data (such as email marketing), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to lodge a complaint: If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner’s Office (ICO):

Website: www.ico.org.uk Telephone: 0303 123 1113 Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns before you contact the ICO. Please reach out to us first so we can try to resolve the matter.

10. Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on you.

Where third-party finance providers (such as Klarna or Pay It Monthly) make automated credit decisions as part of a finance application, those decisions are made by the finance provider under their own privacy policy, not by us. We act as a credit broker, not a lender.

11. Cookies and Website Tracking

When you visit bodyandsoulstudios.uk, we may use cookies and similar technologies to improve your experience, analyse website traffic, and support our marketing activities.

Essential cookies: Required for the website to function properly (e.g. session management, security). These do not require your consent.

Analytics cookies: Used to understand how visitors interact with our website, including pages visited, time spent, and traffic sources. We use these to improve our website and services.

Marketing cookies: Used to deliver relevant advertisements and track the effectiveness of our marketing campaigns.

You can manage your cookie preferences through your browser settings or through the cookie consent tool on our website. For more information, please see our Cookie Policy at bodyandsoulstudios.uk/cookies.

12. Children’s Data

Our photography services are designed for adults. We do not knowingly collect personal data from children under the age of 18 unless a parent or guardian has booked a session that includes a minor, in which case the parent or guardian is responsible for providing consent and ensuring the minor’s rights are protected. If you believe we have collected data about a child without appropriate consent, please contact us immediately and we will delete it.

13. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. These measures include:

Encrypted storage systems for photographs and personal data
Secure access controls with role-based permissions for our team
Secure payment processing through PCI DSS-compliant providers
Regular review of our security practices and access logs
Staff training on data protection and information security
Secure deletion of personal data when retention periods expire

While we take all reasonable steps to protect your data, no system is completely secure. If you become aware of any security incident affecting your data, please contact us immediately.

14. Third-Party Links

Our website may contain links to third-party websites, including social media platforms. We are not responsible for the privacy practices of those websites. We encourage you to read their privacy policies before providing any personal data.

15. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, our services, or applicable law. When we make significant changes, we will notify you by email or by posting a prominent notice on our website. The “last updated” date at the top of this policy indicates when it was most recently revised.

16. Contact Us

If you have any questions about this privacy policy, want to exercise any of your rights, or wish to make a complaint about how we handle your data, please contact us: