Privacy Policy

 

Effective date: 7 February 2026


This Privacy Policy explains how Wave Davis (“we”, “us”, “our”) collects, uses, stores, and protects personal data when you use wavedavis.me (the “Website”), join the mailing list, make an enquiry, or book a workshop, retreat, or 1:1 session. It is written to align with key EU GDPR principles such as transparency, data minimisation, purpose limitation, and security. We only request information that is relevant to the purpose, and we aim to keep your choices clear and respected. Where consent is needed, we ask for it, and you can change your mind at any time. If you have questions about anything in this policy, contact us at wave@wavedavis.me. Using the Website means you accept that we may process data as described here, subject to your rights.

1) Who is responsible for your data (Data Controller)

Wave Davis is the Data Controller for the personal data processed through this Website and related services. This means we decide why and how personal data is used, in line with GDPR obligations. You can contact the Data Controller at wave@wavedavis.me for privacy-related queries, requests, or concerns. We handle requests in a timely way and may ask for limited information to verify your identity before disclosing or changing data. If we use service providers (such as email or booking tools), we remain responsible for ensuring appropriate safeguards are in place. We do not appoint a Data Protection Officer unless legally required, but you can always reach us directly by email.

2) What data we collect

We collect personal data in three main ways: information you provide directly, data collected automatically when you browse, and (rarely) sensitive information you choose to share. If you submit an enquiry, we may collect your name, email address, phone number (if provided), and the contents of your message. If you book an event or session, we may collect additional details needed to manage your booking, such as scheduling information, preferences you volunteer, and payment confirmation details. When you browse the site, our systems may collect technical data such as IP address, device type, browser version, pages viewed, and approximate location derived from IP. We aim to avoid collecting anything unnecessary, and you can choose what to share—especially in free-text fields.

3) Special category (sensitive) data

In the context of workshops and 1:1 work, you may choose to share personal information that could be considered special category data under GDPR (for example, health-related information, trauma history, sexual orientation, or relationship details). We do not require this information as a condition of general website use, and we never request it unless it is genuinely relevant for safety, access needs, or facilitation care. If you include such information in an enquiry, we treat it as confidential and limit access to it. Where special category data is processed, we rely on explicit consent and/or your clear voluntary disclosure for a specific purpose (such as responding appropriately to your enquiry or supporting participation needs). You can request deletion of this information where appropriate, and you can also choose to provide an alternative, minimal description (e.g., “I have access needs I’d like to discuss”).

4) How we use your data

We use your data to communicate with you and to deliver the services you request in a practical, respectful way. This includes replying to enquiries, answering questions about events, confirming bookings, sending logistical details (location, timings, what to bring), and informing you of changes that affect your participation. If you opt in to marketing communications, we use your contact details to send updates about upcoming workshops, retreats, and related offerings. We may also use aggregated usage data to understand how people navigate the Website, which helps us improve clarity, accessibility, and performance. We do not use your personal data for automated decision-making that produces legal or similarly significant effects. If we ever introduce a materially new use of data, we will update this policy and, where required, ask for your consent.

5) Legal bases for processing (EU GDPR)

Under GDPR, we must have a lawful basis to process personal data, and we select the basis that best fits the situation. Contract applies where you ask to book a place or session and we need your information to provide what you requested and manage practical arrangements. Legitimate interests may apply for running the Website securely, preventing misuse, and making measured improvements, but we balance this carefully against your rights and expectations. Consent is used for marketing emails and for non-essential cookies (where required), and you can withdraw that consent at any time without penalty. Legal obligation may apply where we must keep certain records for tax, accounting, or regulatory reasons. For special category data, we typically rely on explicit consent, and we aim to keep sensitive details to the minimum required.

6) Who we share your data with

We share personal data only when it is necessary to operate the Website, manage communications, and deliver services, and we keep sharing limited and purposeful. This may include website hosting providers, email/newsletter platforms, booking or client management tools, and payment processors used to handle transactions securely. These providers may act as data processors (acting on our instructions) or, in some cases, independent controllers for their own compliance needs. We only share the information they need to perform their role, and we do not sell personal data or allow third parties to use it for their own unrelated marketing. If you ask, we can describe the categories of providers in use and the types of data involved. We may also disclose data if legally required, for example in response to a valid request from authorities, but only to the extent mandated.

7) Cookies and analytics

Cookies are small files stored on your device that support site functionality and help us understand website usage patterns. Some cookies are strictly necessary to ensure the site works properly and remains secure, and these do not require consent in most EU contexts. Other cookies, such as analytics or preference cookies, may be used only with your consent where required by local law and guidance. Analytics data typically includes information like page visits, time on page, and referral sources, and is used to improve navigation, messaging clarity, and performance. Where possible, we aim to configure analytics to reduce identifiability (for example, by limiting retention and using aggregated reporting). You can manage cookie preferences through any cookie banner/settings provided and through your browser controls. Blocking some cookies may affect certain site functions, but core access should remain available.

8) International data transfers

Some tools used to host the Website, deliver email, or process bookings may involve data being stored or accessed outside the European Economic Area (EEA). Where personal data is transferred internationally, we use safeguards recognised under GDPR to protect your information. These safeguards may include an EU adequacy decision for certain countries, or Standard Contractual Clauses (SCCs) with additional measures where necessary. We also aim to select providers that maintain strong security practices and clear contractual commitments around confidentiality and data handling. International transfers are not made lightly; we keep them limited to what is operationally necessary. You can contact us to ask what safeguards apply to a particular category of provider. If we become aware of a material transfer risk, we will take steps to address it and update this policy where relevant.

9) How long we keep your data (retention)

We keep personal data only for as long as it is needed for the purpose it was collected, plus any legally required retention periods. Enquiry data is typically retained long enough to respond and follow up reasonably, and then removed or minimised, usually within 12–24 months after last contact unless you become a participant or client. Booking records may be retained for longer to support administration, safety follow-up, and accounting obligations, commonly 3–7 years depending on the nature of the records and legal requirements. Mailing list data is retained until you unsubscribe, after which we remove or suppress your details in line with email platform practices. Technical analytics data is usually retained for limited periods and often in aggregated form. Where we keep data longer for legal claims or compliance, we restrict access and retain only what is necessary.

10) Your rights under GDPR

You have strong rights under GDPR, and we aim to make them straightforward to use. You can request access to the personal data we hold about you and ask for a copy in a commonly used format where applicable. You can ask us to correct inaccurate information, and you can request deletion where there is no overriding reason to keep the data (for example, legal obligations may require retention of some records). You can also ask us to restrict processing in certain situations, and you can object to processing based on legitimate interests where your situation warrants it. If processing is based on consent (such as marketing), you can withdraw consent at any time, and we will stop that processing promptly. To exercise your rights, email wave@wavedavis.me; we may request verification to protect your information.

11) Complaints and supervisory authorities

If you have concerns about how your personal data is handled, we encourage you to contact us first at wave@wavedavis.me so we can address the issue directly. We will take complaints seriously and aim to respond with clarity and practical steps. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority in the EU/EEA. If you are in the UK, the relevant authority is the Information Commissioner’s Office (ICO). You can also seek a judicial remedy if you believe your rights have been infringed. Raising a complaint will not affect your ability to participate in events or access services, and we will not treat you unfavourably for exercising your rights. We aim to resolve issues informally where possible, but formal routes remain available.

12) Security and confidentiality

We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse, or alteration. This may include secure hosting, access controls, password management, and limiting data access to only those who need it for operational reasons. We also aim to reduce risk by collecting minimal data and avoiding unnecessary retention. While we take security seriously, no system can guarantee absolute protection, and there is always some risk in transmitting information online. If we become aware of a personal data breach that is likely to result in risk to your rights and freedoms, we will act in line with GDPR requirements, including notifications where required. We encourage you to contact us if you suspect any unauthorised use of your data. Confidentiality matters in this work, and we apply that principle across our systems and communications.

13) Children’s privacy

Our Website, events, and services are intended for adults and are not designed for children. We do not knowingly collect personal data from anyone under the age where parental consent would be required under applicable law. If you believe a child has provided personal data to us, please contact wave@wavedavis.me so we can investigate and remove the data where appropriate. In practical terms, our workshops and sessions typically involve adult themes and consent-based exercises that are not suitable for minors. If age checks are required for a specific event, we will state this clearly in the event details and booking flow. We aim to keep participation requirements transparent and respectful. Where identity or age verification is necessary, we will keep checks proportionate and minimise retention.

14) Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in services, legal requirements, or how the Website operates. When we update it, we will revise the effective date at the top of the page and publish the new version on the Website. If changes are significant (for example, introducing a new type of processing that affects your rights), we will take reasonable steps to highlight this and, where required, seek consent again. We encourage you to review this page occasionally so you remain informed. Continued use of the Website after an update means the updated policy applies, subject to any consent choices you have made. Older versions may not be stored publicly, but you can request clarification on what applied at a given time. Transparency is part of how we build trust, and we aim to keep updates clear and readable.

15) Contact

If you have questions, requests, or concerns about this Privacy Policy or how your data is handled, email wave@wavedavis.me. Please include enough detail for us to identify your request (for example, the email address you used to contact us or join the mailing list). We may ask for verification before making changes or sharing copies of data, to protect you from unauthorised access. We aim to respond within a reasonable timeframe and within GDPR deadlines where applicable. If your request relates to marketing emails, you can also use the unsubscribe link included in those messages, which typically actions changes immediately. For anything sensitive, you can ask us to communicate in a particular way (for example, only by email). We will do our best to accommodate reasonable preferences while keeping things secure.
