
LEGAL & POLICY INFORMATION

Data Protection Policy


1. Introduction and Purpose
Femmeprenista (Thrivology Limited T/A Femmeprenista) is committed to being transparent about how we collect and use Personal Data and to meeting our data protection obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy sets out Femmeprenista's commitment to data protection and the rights of Data Subjects in relation to their Personal Data processed by us.
2. Scope
This policy applies to all Personal Data processed by Femmeprenista, including data relating to our employees, contractors, coaches, clients, program participants, community members, suppliers, website visitors, and any other individuals whose data we process. It covers all companies and operations within the Thrivology Limited group trading as Femmeprenista.
3. Person with Responsibility for Data Protection
The Data Protection Lead (Admin) has primary day-to-day responsibility for implementing this policy, dealing with data protection queries, and handling Subject Access Requests. They can be contacted at info@femmeprenista.com. Overall responsibility for compliance lies with the Company leadership.
4. Definitions
Personal Data: Any information relating to an identified or identifiable natural person ('Data Subject').
Data Subject: An individual who can be identified, directly or indirectly, by reference to Personal Data.
Processing: Any operation performed on Personal Data (e.g., collection, recording, storage, use, disclosure, erasure).
Data Controller: The entity which determines the purposes and means of the processing of Personal Data (in this case, Femmeprenista).
Data Processor: An entity which processes Personal Data on behalf of the Controller.
UK GDPR: The retained EU law version of the General Data Protection Regulation ((EU) 2016/679) as it applies in the UK.
(Other relevant GDPR definitions apply as standard).
5. Data Protection Principles
Femmeprenista processes Personal Data in accordance with the following data protection principles:
Lawfulness, Fairness, and Transparency: Processing is lawful, fair, and transparent to the Data Subject.
Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimisation: Data collected is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Accuracy: Data is accurate and, where necessary, kept up to date.
Storage Limitation: Data is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
Integrity and Confidentiality (Security): Data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
(Privacy Notices: Femmeprenista provides detailed information about its data processing activities through separate Privacy Notices tailored to specific groups, e.g., website visitors, clients, employees.)
6. Individual Rights
Data Subjects have several rights under UK GDPR. Femmeprenista is committed to upholding these rights:
Right of Access (Subject Access Request - SAR): Data Subjects have the right to access their Personal Data and supplementary information held by Femmeprenista. Requests should be made in writing to Admin at info@femmeprenista.com.
Right to Rectification: Data Subjects have the right to have inaccurate Personal Data rectified, or completed if it is incomplete.
Right to Erasure (Right to be Forgotten): Data Subjects have the right to request the deletion or removal of Personal Data where there is no compelling reason for its continued processing.
Right to Restrict Processing: Data Subjects have the right to 'block' or suppress processing of Personal Data in certain circumstances.
Right to Data Portability: Data Subjects have the right to obtain and reuse their Personal Data for their own purposes across different services.
Right to Object: Data Subjects have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing; and processing for purposes of scientific/historical research and statistics.
Rights related to Automated Decision Making and Profiling: Data Subjects have rights relating to automated decisions made without human involvement.
Requests to exercise these rights should be directed to Admin at info@femmeprenista.com.
7. Data Security
Femmeprenista takes the security of Personal Data seriously. We have implemented appropriate technical and organisational measures to protect data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. This includes:
Access controls limiting access to Personal Data to those who need it for their role.
Use of secure passwords and encryption where appropriate.
Secure storage practices (e.g., avoiding storage on local drives or personal devices where possible, using secure cloud services).
Procedures for handling data securely during transfer.
Regular review of security measures.
8. Privacy Impact Assessments (PIAs)
Where processing is likely to result in a high risk to Data Subjects' rights and freedoms, Femmeprenista will conduct a Data Protection Impact Assessment (DPIA) to identify and minimise risks.
9. Data Breaches
Femmeprenista has procedures in place to detect, report, and investigate potential Personal Data breaches. Any suspected data breach must be reported immediately to the Data Protection Lead (Admin) at info@femmeprenista.com. Breaches will be handled in accordance with Femmeprenista's Personal Data Breach Procedure and reported to the Information Commissioner's Office (ICO) where required.
10. International Data Transfers
Femmeprenista may transfer Personal Data outside the UK/European Economic Area (EEA) where necessary (e.g., using international service providers). Such transfers will only take place if appropriate safeguards are in place, such as an adequacy decision by the UK government, standard contractual clauses (SCCs) approved by the ICO, or other mechanisms permitted under UK GDPR.
11. Individual Responsibilities
All individuals working for or with Femmeprenista (employees, contractors, coaches) who handle Personal Data have a responsibility to:
Process data only for authorised, legitimate purposes.
Handle data securely and confidentially.
Access only the data necessary for their role.
Keep data accurate and up to date where feasible.
Not disclose Personal Data inappropriately.
Report any suspected data breaches immediately to the Data Protection Lead (Admin).
Complete required data protection training.
Failure to observe these requirements may result in disciplinary action or termination of engagement, depending on the severity of the breach.
12. Training
Femmeprenista will provide appropriate data protection training to relevant team members upon starting and at regular intervals thereafter. Individuals with specific data protection responsibilities will receive additional training.
13. Review of this Policy
This policy will be reviewed periodically (at least annually) and updated as necessary to reflect changes in law or company practice.
14. Further Information and Support
For any queries regarding this Data Protection Policy, please contact Admin at info@femmeprenista.com.

