Privacy Statement

Privacy Policy

Last Updated: February 1, 2026

1. Introduction

Welcome to Massage & Glow. We respect your privacy and are committed to protecting your personal data. This privacy policy informs you how we look after your personal data when you visit massageandglow.co.uk and outlines your privacy rights under the UK General Data Protection Regulation (UK GDPR).

2. Data Controller

The data controller responsible for your personal data is:

  • Entity Name: MASSAGE & GLOW (SCOTLAND) LTD

  • Company Number: SC607528

  • Contact Name: Judith Bisset

  • Registered Address: Inospace Lightyear, 9 Marchburn Drive, Airport Business Park, Paisley, Scotland, PA3 2SJ

  • Email: contact@massageandglow.co.uk

3. The Data We Collect

We may collect, use, and store the following types of personal data:

  • Identity Data: Name, title, and business name (for corporate clients).

  • Contact Data: Email address, telephone numbers, and site addresses for mobile treatments.

  • Health Data: As a massage service, we may collect basic health information (e.g., injuries, allergies, or pregnancy status) to ensure treatments are safe and effective. This is treated as Special Category Data under GDPR.

  • Technical Data: IP address, browser type, and location data when you use our website.

4. Lawful Basis for Processing

We process your data under the following legal grounds:

  • Performance of a Contract: To fulfill your booking for mobile, event, or corporate massage.

  • Consent: When you explicitly provide health information during a consultation or sign up for marketing.

  • Legitimate Interests: To improve our website and respond to general inquiries.

5. Hosting & Data Residency (Cloudways)

Our website is hosted using managed infrastructure provided by Cloudways Ltd. (a DigitalOcean company).

  • Data Location: All website data and associated databases are stored on secure servers located in London, United Kingdom.

  • Security: We utilise SSL encryption (HTTPS) to secure all data transmitted between your browser and our server.

  • International Transfers: While primary storage is in the UK, our provider (DigitalOcean, LLC) is US-based. We rely on the UK International Data Transfer Addendum so that your data receives a level of protection equivalent to that provided under UK law.

6. Third-Party Sub-processors & Service Providers

We share your information with selected third parties to operate our business:

  • Cloudways / DigitalOcean: Managed Hosting & Infrastructure (London, UK).

  • Booking/Payment Systems: To securely manage appointments and payments.

  • Independent Therapists: If your service is fulfilled by one of our qualified sub-contracted therapists, they will be provided with the necessary contact and site address details.

7. Data Retention

We retain your data only as long as necessary:

  • Treatment Records: Kept for 7 years following your last treatment to comply with professional insurance and legal requirements.

  • General Inquiries: Kept for 12 months if no booking is made.

8. Your Legal Rights

Under UK GDPR, you have the right to:

  • Access: Request a copy of the personal and health data we hold.

  • Rectification: Request we fix incorrect data.

  • Erasure: Request we delete your data (where legal retention requirements allow).

  • Data Portability: Request your data be provided in a structured, machine-readable format.

  • Withdraw Consent: Withdraw consent for marketing or data processing at any time.

To exercise these rights, contact Judith Bisset at contact@massageandglow.co.uk.

9. Complaints

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

  • Website: www.ico.org.uk