top of page
Horses in Mist

Data Protection & GDPR Policy

1. Introduction

Pony Wisdom is committed to protecting the personal data of clients, staff, volunteers, and suppliers. This policy outlines how we collect, store, use, and protect personal information in compliance with the General Data Protection Regulation (GDPR) 2018 and the Data Protection Act 2018.

2. Purpose

  • To protect personal information and privacy.

  • To ensure all data is handled lawfully, fairly, and transparently.

  • To clarify responsibilities regarding data protection.

3. Data We Collect

We may collect and process the following personal data:

  • Clients / Participants: name, age, contact details, medical information, emergency contacts, consent forms, session attendance, and feedback.

  • Staff / Volunteers: name, address, contact details, bank information, training records, medical/emergency info, employment contracts.

  • Suppliers / Partners: contact details, invoicing information, contractual agreements.

  • Digital records: photos/videos taken during sessions (with consent), email communications, bookings, and payments.

4. Legal Basis for Processing

We process personal data under one or more of the following legal bases:

  • Consent – explicit consent for marketing, photos/videos, and special category data.

  • Contract – data necessary to deliver sessions, pony experiences, or employment.

  • Legal obligation – compliance with health & safety, safeguarding, and licensing regulations.

  • Legitimate interests – ensuring the safety, welfare, and smooth running of sessions.

5. How We Use Your Data

  • To administer bookings, payments, and attendance records.

  • To manage health and safety and welfare of clients and ponies.

  • To communicate important updates, schedules, and events.

  • To comply with licensing, insurance, and safeguarding requirements.

  • To evaluate and improve services (feedback, surveys, training).

6. Data Storage & Security

  • Records are stored securely, either electronically with password protection or in locked filing cabinets.

  • Access is restricted to authorised staff only.

  • Personal data is encrypted where possible.

  • Paper records are shredded when no longer required.

7. Retention of Data

  • Health, attendance, and incident records: minimum 5 years.

  • Financial records: minimum 7 years (for tax purposes).

  • Marketing consent and newsletters: retained until consent is withdrawn.

  • Photos/videos: retained only with consent and deleted upon request.

8. Sharing Data

  • Personal data is not shared with third parties unless legally required or with explicit consent.

  • Data may be shared with:

    • Local authorities or licensing bodies (for inspections).

    • Emergency services or medical professionals (if necessary for safety).

    • Veterinary or welfare professionals (for pony health).

  • Third parties must comply with GDPR.

9. Rights of Individuals

Clients, staff, or volunteers have the following rights under GDPR:

  1. Right of access – see the data we hold about them.

  2. Right to rectification – correct inaccurate or incomplete data.

  3. Right to erasure – request deletion of personal data where lawful.

  4. Right to restrict processing – limit how data is used.

  5. Right to data portability – receive data in a readable format.

  6. Right to object – opt-out of processing for marketing or profiling.

  7. Right to withdraw consent – at any time for marketing, photos, or special category data.

Requests should be made in writing to the Data Controller.

10. Consent

  • Explicit consent is obtained for:

    • Photos/videos of children or adults during sessions.

    • Marketing communications (emails, newsletters).

    • Special category data (health conditions affecting participation).

  • Consent is recorded and can be withdrawn at any time.

11. Data Breach Procedure

In the event of a data breach:

  1. Contain the breach and secure data.

  2. Assess the risk to individuals.

  3. Notify the Information Commissioner’s Office (ICO) within 72 hours if high risk.

  4. Inform affected individuals if likely to cause harm.

  5. Review procedures to prevent recurrence.

12. Data Protection Officer / Data Controller

  • Data Controller: Dr Kristina Grant

  • Contact Email: dr.kris.grant@gmail.com

  • Contact Phone: 07309595665

  • Responsible for GDPR compliance, staff training, and responding to data requests.

13. Use of Photos & Videos

  • Only taken with written consent from participants or guardians.

  • Used for: promotional material, website, social media, or training purposes.

  • Stored securely and deleted upon request.

14. Staff Responsibilities

  • Understand and follow this policy.

  • Maintain confidentiality.

  • Report breaches immediately to the Data Controller.

  • Ensure secure storage of all records.

15. Policy Review

This policy is reviewed annually or when regulations change.
Last reviewed: 05/01/2026

bottom of page