Privacy Policy | Maplewood Drawing UK

Who we are

Maplewood Drawing (maplewood.top) is a UK-based provider of drawing courses and related educational services. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Maplewood Drawing is the data controller for personal information we process.

Where we act on behalf of institutional partners, we may be a data processor and will process personal information strictly under the controller’s instructions and our contract.

Scope

This policy explains what personal data we collect, how and why we use it, the lawful bases we rely on, who we share it with, how long we keep it, and the rights you have. It applies to our website (maplewood.top), enquiries, enrolments, events, and marketing where we reference this policy.

It does not cover third-party websites or services you may access through our site. Please review their privacy information separately.
If we provide a privacy notice for a particular activity, that notice should be read together with this policy.

Data we collect

We collect and process the following categories of personal data, depending on your interactions with us:

Identity and contact details: name, email address, telephone number, and city or region.
Account and enrolment data: course selections, attendance, progress notes, communications, and payment references (we do not store full card numbers on our systems).
Preferences: interests, marketing preferences, accessibility needs you choose to share to tailor our services.
Technical data: IP address, device type, browser type, time zone, referrers, pages visited, and cookie identifiers.
Usage data: interactions with emails (opens/clicks where permitted), support requests, and survey responses.
Special category data: only if you volunteer information about health or accessibility needs to support your participation. We will ask for your explicit consent when required.
Child data: limited to name and age range when necessary for age-appropriate classes, processed with appropriate safeguards and, where required, guardian consent.

Sources of data

Directly from you via forms, email, phone, or in person.
Automated technologies through our website and cookies.
Third parties such as payment providers, event platforms, and advertising partners where permitted by law.

How we use data

To provide, administer, and improve our courses, events, and website.
To manage enquiries, enrolments, payments, and customer support.
To personalise recommendations and content based on your preferences.
To send service messages (for example, booking confirmations, schedule changes).
To send marketing communications where you have opted in or where we rely on legitimate interests and you have not objected.
To ensure site security, prevent fraud, and diagnose issues.
To comply with legal obligations, including tax and accounting requirements.

We minimise data and will not use your personal information for purposes that are materially different from those described here without informing you and, where appropriate, obtaining your consent.

Our lawful bases

Under UK GDPR, we rely on one or more of the following lawful bases:

Consent: when you opt in to marketing or provide special category data for accessibility. You can withdraw consent at any time.
Contract: to perform a contract with you or take steps at your request before entering into a contract (for example, processing an enrolment).
Legal obligation: to comply with UK law (for example, financial record-keeping).
Legitimate interests: to operate, grow, and secure our business in ways that do not override your rights and freedoms (for example, site analytics, service improvement, limited direct marketing to existing participants).
Vital interests: only where necessary to protect someone’s life, such as significant health or safety incidents during an event.

For special category data, we use additional safeguards and rely on explicit consent or other applicable conditions under UK data protection law.

Sharing your data

We share personal data only when necessary and with appropriate safeguards in place. Categories of recipients include:

Service providers under contract (for example, payment processing, email delivery, secure cloud hosting, analytics).
Instructors and assistants delivering courses and workshops, limited to data they need to perform their role.
Professional advisers (for example, accountants, insurers, legal advisers).
Authorities where required by law, court order, or to protect our legal rights.

We do not sell your personal data.

International data transfers

Your data is primarily stored in the UK or the EEA. If we transfer personal data outside the UK, we will ensure an adequate level of protection by using one or more of the following:

Adequacy regulations recognised by the UK Government.
International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
Supplementary measures following a risk assessment, where appropriate.

Data retention

We keep personal data only as long as necessary for the purposes described in this policy and to meet legal, accounting, or reporting requirements. Typical retention periods include:

Enquiry records: up to 24 months from last contact.
Enrolment and transaction records: up to 6 years from the end of the financial year of the transaction.
Marketing preferences: until you opt out, plus up to 24 months to maintain suppression lists.
Special category data for accessibility: only for the duration needed to provide support, then securely deleted or anonymised.

When we no longer need personal data, we securely delete or anonymise it.

Data security

We use organisational and technical measures to protect personal data, including role-based access controls, encryption in transit, secure configuration, monitoring, staff training, and supplier due diligence. While no system is completely secure, we continually assess and improve our security posture.

If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will assess and, where required, notify the UK supervisory authority and affected individuals.

Cookies and similar technologies

Cookies are small files placed on your device to help our site function and to understand usage. We use:

Strictly necessary cookies: required for core functionality such as security and session management.
Performance and analytics cookies: to measure site traffic and improve user experience, using aggregated or pseudonymised data.
Preference cookies: to remember settings like your chosen region or communication preferences.

You can manage cookies through your browser settings. Where required, we will present controls to accept or reject non-essential cookies, and your choices will be respected.

Analytics

We use privacy-conscious analytics to understand how our website is used, improve content, and diagnose issues. This may collect IP addresses (which may be truncated or salted), device information, and event data. We do not use analytics to build profiles for cross-site advertising.

We configure analytics to minimise personal data, respect opt-out preferences where applicable, and retain event data for limited periods aligned with our retention policy.

Marketing communications

We send marketing communications about classes, events, and offers if you have opted in or where permitted under legitimate interests. You can opt out at any time by using the unsubscribe link in our emails or by contacting us.

If you opt out, we will retain minimal information to ensure we respect your preference.

Children’s data

Our website is not directed at children. For youth classes, we collect only the minimum information necessary and may require consent from a parent or guardian. If you believe a child has provided us with personal data without appropriate consent, please contact us so we can take appropriate steps.

Automated decision-making

We do not engage in solely automated decision-making that produces legal or similarly significant effects on individuals. If this changes, we will notify you and provide information about the logic involved and your rights.

Your rights

Under UK GDPR, you have the following rights, subject to conditions and exemptions:

Access: request a copy of your personal data and other information about our processing.
Rectification: ask us to correct inaccurate or incomplete data.
Erasure: ask us to delete your data where there is no good reason for us to continue processing.
Restriction: ask us to suspend processing of your data in certain circumstances.
Portability: receive your data in a structured, commonly used, machine-readable format and transmit it to another controller where feasible.
Objection: object to processing based on legitimate interests or to direct marketing.
Withdraw consent: where processing is based on consent, you can withdraw it at any time.

To exercise your rights, contact us using the details below. We may need to verify your identity. We aim to respond within one month of receiving your request.

Concerns and complaints

If you have concerns about how we handle your data, please contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113.

Changes to this policy

We may update this policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated policy on this page and adjust the “Effective date” above. For significant changes, we may provide additional notice.

Contact

Maplewood Drawing is the controller of your personal data. To contact our Data Protection Lead or to exercise your rights, please use:

Email: [email protected]
Phone: +44 20 8089 7423

If you contact us, please include enough information for us to identify you and respond to your request securely.