Privacy policy
Last updated: October 29, 2025
Plain Language Summary
- We collect your contact, order, account and usage data to provide our Services.
- We only keep your data for as long as necessary (typically 1–6 years depending on type).
- Your data is encrypted in transit and at rest.
- We do not share your information with third parties for marketing without your explicit consent.
- You have full GDPR rights, including access, deletion, correction, portability and withdrawal of consent.
- If a data breach occurs, we will notify you and regulators as required by law.
Introduction
This Privacy Policy describes how Holidity (the "Site", "we", "us", or "our") collects, uses, and discloses your personal information when you visit, use our services, or make a purchase from holidity.com (the "Site") or otherwise communicate with us regarding the Site (collectively, the "Services").
For purposes of this Privacy Policy, "you" and "your" means you as the user of the Services, whether you are a customer, website visitor, or another individual whose information we have collected pursuant to this Privacy Policy.
We are the data controller of your personal information unless explicitly stated otherwise.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on the Site, update the "Last updated" date and, where required by law, notify you of significant changes.
How We Collect and Use Your Personal Information
We collect personal information about you directly, automatically, and from third parties in order to provide our Services.
Information You Provide
- Contact details (name, address, phone number, email)
- Order details (billing, shipping, payment confirmation)
- Account information (username, password, security credentials)
- Customer support communications
- Reviews, loyalty points, referrals or gift card information
Information We Collect Automatically
- Device, browser, and network data
- IP address and geolocation
- Site usage, browsing behaviour, and account activity
- Cookies and tracking technologies (see Cookies section)
Information From Third Parties
- Shopify (store platform, order fulfilment)
- Payment processors (to process transactions securely)
- Analytics, advertising, and customer support providers
How We Use Your Personal Information
We use your personal data for the following purposes:
- Contract fulfilment: to process orders, manage your account, deliver products/services.
- Marketing (with your consent): to send promotional messages and personalised offers.
- Security & fraud prevention: to detect and prevent fraud, illegal or malicious activity.
- Service improvement: to provide customer support and improve our products.
- Legal compliance: to meet regulatory and legal obligations.
Lawful Bases
We process data under:
- Contract (Art. 6(1)(b) GDPR) – to deliver the Services you request.
- Consent (Art. 6(1)(a) GDPR) – for marketing communications and any processing of special category health data.
- Legitimate interests (Art. 6(1)(f) GDPR) – to improve Services, maintain security, and prevent fraud.
- Legal obligation (Art. 6(1)(c) GDPR) – to comply with laws and regulations.
Special Category / Health Data
Our Services may involve processing information about your habits or behaviours related to health and wellbeing. Where such information is considered special category data under GDPR, we will only process it with your explicit consent (Art. 9(2)(a) GDPR). You may withdraw this consent at any time.
Data Minimisation
We only collect the minimum personal data necessary to deliver our Services and do not collect data unrelated to these purposes.
Data Retention
We keep your data only for as long as necessary for the purposes described.
Retention Schedule
| Data Category | Purpose | Retention Period | Disposal Method |
|---|---|---|---|
| Order & Payment Data | Process transactions; legal/tax obligations | 6 years | Secure deletion/anonymisation |
| Account Information | Manage your account and access to Services | 12 months after closure/inactivity | Secure deletion |
| Customer Support Records | Assistance, training, quality assurance | 24 months | Secure deletion |
| Marketing & Consent Records | Manage communication preferences and consent | Until withdrawal of consent | Secure deletion |
| Technical/Usage Data | Analytics, service improvement, security | 12 months | Anonymisation or secure deletion |
| Sensitive/Health Data | Deliver wellbeing services (with explicit consent) | Until consent withdrawn or account closure | Secure deletion |
Security of Your Data
We apply strong security measures to protect your data.
Security Controls
| Category | Measures in Place |
|---|---|
| Encryption in Transit | TLS 1.2+ applied to all communications |
| Encryption at Rest | AES-256 or equivalent for stored data |
| Access Controls | Role-based, least-privilege access; logged and monitored |
| Data Hosting | GDPR-compliant hosting with physical and logical protections |
| Monitoring & Auditing | Regular penetration tests and security audits |
| Staff Training | Annual mandatory security and privacy training |
| Incident Response | Data breach plan in place; regulators notified within 72 hours; users notified where high risk |
Data Breach Notification
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours. Where the breach presents a high risk to you, we will also notify you without undue delay.
Cookies and Tracking
We use cookies and similar technologies to:
- Operate and improve our Site (Shopify cookies)
- Analyse usage and improve functionality
- Provide tailored advertising (with your consent)
See Shopify’s Cookie Policy. You can manage cookies via your browser or opt out via Global Privacy Control (GPC).
Marketing Communications
We will only send marketing messages where you have given your explicit consent. You may opt out at any time via unsubscribe links or by contacting us. Service-related communications (e.g., order confirmations) will still be sent.
Sharing of Personal Information
We share data only as necessary:
- Essential providers: Shopify, payment processors, fulfilment, and IT support.
- Affiliates/marketing partners: only with your consent.
- Legal or regulatory bodies: where required by law.
- Business transfers: in case of merger, acquisition, or restructuring.
You may withdraw consent to non-essential sharing at any time.
Children’s Data
Our Services are not directed to children under 16, and we do not knowingly collect their data. If you believe a child has provided us with personal data, contact us to request deletion.
International Data Transfers
Where personal data is transferred outside the UK or EEA, we use recognised transfer mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs) or UK equivalents.
Your Rights
You have the right to:
- Access your data
- Request correction or deletion
- Object to processing or restrict processing
- Withdraw consent at any time
- Request portability of your data
- Opt out of marketing, sale, or sharing
- Appeal decisions or lodge a complaint with a supervisory authority
We will respond within 30 days of receiving a verified request.
Complaints
If you are unhappy with how we process your data, please contact us. If unresolved, you have the right to lodge a complaint with your local supervisory authority (see EU list here).
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee compliance.
Data Protection Officer
Email: julia@holidity.com
Address: Workspace® | Pill Box, Pill Box, ENG, E2 6GH, GB
Contact
If you have questions about this Privacy Policy or your rights, please contact us:
Email: habits@holidity.com
Address: Workspace® | Pill Box, Pill Box, ENG, E2 6GH, GB