Privacy Policy

Last updated:

This Privacy Policy explains how SpineShift, operated under the brand Shouldersvital at shouldersvital.world, collects, uses, stores, and protects personal data when you enquire about, purchase, or participate in our healthy back in the office programmes and related workplace wellness services in the United Kingdom.

1. Data Controller

The data controller responsible for your personal data is Shouldersvital, trading as SpineShift, with registered business address at 34, New House, 67-68 Hatton Garden, London EC1N 8JY, United Kingdom. For privacy-related enquiries, contact us using the details on our contact page. Email: info@shouldersvital.world. Phone: +442034880210.

2. Scope of This Policy

This policy applies to personal data processed through our website, booking enquiries, on-site and virtual programme delivery, comfort surveys, facilitator communications, and post-programme follow-up related specifically to office back health education, desk assessments, and team movement sessions offered by SpineShift.

3. Categories of Personal Data We Collect

Depending on your relationship with us, we may collect the following categories of data:

• Identity and contact data: full name, job title, employer name, business email address, business telephone number, and postal address when you submit an enquiry or register for a programme.
• Booking and programme data: selected package (Desk Posture Foundations, Team Flex Hour Programme, or SpineShift Enterprise Rollout), preferred session dates, delivery format (on-site or virtual), team size, and special access requirements for your workplace.
• Wellness survey data: anonymised or attributed responses regarding desk comfort, movement habits, and session feedback, depending on whether you consent to identifiable responses being shared with your employer.
• Technical data: IP address, browser type, device information, pages visited, and cookie identifiers when you use shouldersvital.world, as described in our Cookies Policy.
• Communication data: content of messages you send via our contact form, email correspondence, and notes from discovery calls.
• Payment-related data: billing contact details and transaction references. Card details are processed by our payment provider and are not stored on our servers.

4. Sources of Personal Data

We collect data directly from you when you complete forms, book programmes, participate in sessions, or communicate with us. We may also receive limited data from your employer when they sponsor a corporate booking, such as a list of participant names and email addresses for session invitations. We do not purchase personal data from third-party marketing lists.

5. Purposes and Legal Bases for Processing

We process personal data only where a lawful basis under the UK General Data Protection Regulation applies:

• Contract performance: to respond to enquiries, confirm bookings, deliver healthy back in the office programmes, provide materials, and manage cancellations or rescheduling.
• Consent: to send optional wellbeing tips, include identifiable quotes in internal employer reports when you opt in, and place non-essential cookies on your device.
• Legitimate interests: to improve programme content, ensure workplace safety during sessions, prevent fraud, and maintain secure IT systems, balanced against your rights.
• Legal obligation: to retain financial records for tax and accounting purposes and to comply with applicable UK regulations.

6. Processing During Programme Delivery

During SpineShift sessions, facilitators may observe general movement patterns in group settings. We do not record video of participants without explicit written consent. Comfort surveys are designed to assess programme effectiveness; aggregated results may be shared with your employer sponsor. Individual survey answers are shared with employers only when you have given clear consent at the point of survey completion.

7. Sharing Your Personal Data

We may share personal data with:

• Service providers acting as processors, including hosting providers, email platforms, survey tools, payment processors, and scheduling software, bound by data processing agreements.
• Your employer, where they have commissioned the programme and you have consented to identifiable feedback, or where aggregated anonymised reports are contractually required.
• Regulators, courts, or law enforcement when required by law or to protect our legal rights.

We do not sell personal data to third parties.

8. International Transfers

Our primary systems are located within the United Kingdom or the European Economic Area. If a sub-processor transfers data outside the UK, we ensure appropriate safeguards such as UK International Data Transfer Agreements or adequacy regulations are in place.

9. Data Retention

Enquiry records are retained for up to twenty-four months unless a booking progresses. Contract and booking records are retained for seven years for accounting purposes. Survey data in identifiable form is deleted within twelve months of programme completion unless you consent to a longer retention for follow-up research. Marketing consent records are kept until you withdraw consent plus a reasonable audit period.

10. Security Measures

We implement appropriate technical and organisational measures including access controls, encrypted connections (HTTPS), staff training on confidentiality, and regular review of processor security practices. No method of transmission over the internet is completely secure; we encourage you to use strong passwords where accounts are provided.

11. Your Rights

Under UK data protection law you have the right to:

• Request access to personal data we hold about you.
• Request correction of inaccurate data.
• Request erasure in certain circumstances.
• Request restriction of processing.
• Request data portability where processing is based on consent or contract and carried out by automated means.
• Object to processing based on legitimate interests or for direct marketing.
• Withdraw consent at any time where processing relies on consent, without affecting prior lawful processing.

You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your rights have been infringed.

12. Children

Our programmes are designed for adult workplace participants. We do not knowingly collect data from individuals under eighteen. Contact us if you believe we have received such data in error.

13. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects in relation to our office wellness programmes.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our programmes, technology, or legal requirements. The date at the top indicates the latest revision. Material changes will be highlighted on shouldersvital.world where appropriate.

15. Contact

For any privacy request, contact Shouldersvital at the address above or via info@shouldersvital.world. We aim to respond within thirty days.