Privacy Policy
Effective date: 25 May 2026 · Last updated: 25 May 2026
This privacy notice explains how BYBU Aesthetics & Wellness ("BYBU", "we", "us", "our") collects, uses, shares, and protects your personal information. It is written to comply with the Gibraltar GDPR, the Data Protection Act 2004, and equivalent UK and EU data protection law where it applies.
We are the data controller for the information described below. If you have any questions about this notice or want to exercise any of your rights, contact us at info@bybuaesthetics.com.
1. Who we are
BYBU Aesthetics & Wellness
15 Horse Barrack Court, Suite 2, Horse Barrack Lane, Gibraltar
Gibraltar
Email: info@bybuaesthetics.com
Phone / WhatsApp: +350 5406 8245
We have not appointed a Data Protection Officer because we are not required to under Gibraltar GDPR Article 37. The named contact for all privacy queries is the email address above.
2. What this policy covers
This policy applies to personal information we collect when you:
- Visit bybuaesthetics.com or any sub-domain;
- Create a BYBU account or sign in;
- Book or attend a wellness class (yoga, pilates, meditation);
- Buy a class pack or any other product through our website;
- Contact us by email, phone, WhatsApp, social media, or in person;
- Fill in a consultation or intake form at the clinic.
What this policy does not cover: aesthetic treatments are booked through Fresha. When you book through the Fresha link, Fresha's privacy notice governs the data you give them. Once you arrive at the clinic, this notice applies again to anything we record about your visit.
3. What personal information we collect
- Identity: first name, last name, and (where you choose to give it) date of birth.
- Contact: email address, phone number, and any postal address you give us.
- Account: a password hash (we store only the hash, never the plain-text password), sign-in timestamps, and the IP address of the device used to sign in.
- Transactional: records of class bookings, class packs purchased, credits granted and used, refunds, and a Stripe payment reference. We never receive or store your card number, CVV, or full card details — Stripe handles those directly.
- Health and wellness: any information you choose to share with an instructor before a class (for example, a pregnancy, injury, or medical condition we should be aware of) and any consultation notes you sign at the clinic.
- Communications: the content of emails, WhatsApp messages, contact-form submissions, and any reviews or feedback you submit.
- Marketing preferences: whether you have opted in to marketing emails, and a record of when you opted in or out.
- Technical and usage: IP address, browser type and version, device type, operating system, referring page, pages visited, approximate location derived from IP, and timestamps. This is collected through cookies, server logs, and (where you consent) PostHog product analytics.
4. How we collect it
- Directly from you when you create an account, fill in a form, book a class, send a message, or speak to us in person.
- Automatically through cookies, server logs, and analytics — see our Cookie Policy for the full list.
- From third parties we work with: Stripe sends us payment confirmations and metadata after you check out; Fresha may send us booking confirmations for clinic visits; if you contact us through Instagram or Facebook, Meta passes the message content to us.
5. Why we use it and our lawful basis
Gibraltar GDPR requires us to identify a lawful basis for each purpose for which we use your data. Here is the full mapping:
| Purpose | Lawful basis |
|---|---|
| Create and run your account; let you sign in | Performance of a contract |
| Take and confirm class bookings and pack purchases | Performance of a contract |
| Process payments through Stripe | Performance of a contract |
| Send transactional emails (confirmations, cancellations, password resets, receipts) | Performance of a contract |
| Contact you if a class is changed, cancelled, or the instructor needs to reach you | Performance of a contract / legitimate interest in running the studio safely |
| Keep accounting, tax, and VAT records | Legal obligation (Gibraltar Income Tax Act, anti-money-laundering rules) |
| Detect and prevent fraud, abuse, and security incidents on the site | Legitimate interest in keeping the site, our staff, and our other clients safe |
| Understand how the site is used and improve it (product analytics, only with your consent) | Consent |
| Send you marketing emails about new classes, offers, and the studio | Consent (opt-in, withdrawable at any time) |
| Record any health, injury, pregnancy, or condition you tell an instructor about so a class is safe for you | Explicit consent under Gibraltar GDPR Article 9 |
| Defend or pursue legal claims, respond to regulators, and meet court orders | Legal obligation / legitimate interest |
Where we rely on legitimate interests, we have weighed our interest in running the studio against the impact on your rights and freedoms. You can object to processing based on legitimate interests at any time — see "Your rights" below.
6. Who we share it with
We share your information only with the service providers ("processors") who help us run the studio, and only to the extent each one needs to do its job. The full and current list is at /legal/processors and includes Stripe, SendGrid, Supabase, Vercel, PostHog, Fresha, Meta (WhatsApp), and Hetzner.
Within BYBU, access is limited:
- Instructors see the attendee list for the classes they teach.
- Admin staff see booking, payment, and account records to run the studio day-to-day.
- The owners have full administrative access for governance and finance.
We may also share information when we are legally required to — for example, in response to a valid court order, a request from the Royal Gibraltar Police, or a regulator with jurisdiction over us — or where we need to in order to defend ourselves in a legal claim.
We do not sell your personal data, ever. We do not share it with advertising networks or data brokers.
7. International transfers
Most of our suppliers process data inside the European Economic Area or Gibraltar. Some, including Stripe, SendGrid, Meta, and Vercel, process data in the United States or other countries outside the EEA. Where this happens, the transfer is protected by one or more of the following:
- An adequacy decision recognised by Gibraltar (for example, for the UK and the EEA itself);
- Standard Contractual Clauses approved by the European Commission and/or the UK, signed with the supplier;
- Where appropriate, additional technical safeguards such as encryption in transit and at rest.
You can ask us for a copy of the relevant safeguards by emailing info@bybuaesthetics.com.
8. How long we keep it
| Type of data | Retention period |
|---|---|
| Account data (name, email, phone, password hash) | While the account is active. Deleted within 30 days of a deletion request, except where law requires us to keep specific records longer. |
| Booking history and class attendance | Up to 6 years after the booking, to support refunds, disputes, and tax records. |
| Payment and accounting records | 6 years from the end of the tax year, in line with Gibraltar tax law. |
| Marketing consent log (proof you opted in or out) | 3 years after you withdraw consent, to prove we acted on the request. |
| WhatsApp and email correspondence | Up to 24 months unless an active dispute, complaint, or safeguarding concern requires us to keep it longer. |
| Server logs and IP-level security logs | Up to 90 days, then aggregated or deleted. |
| Health information shared with an instructor | Only as long as you remain a client and at most 2 years after your last class, unless it is relevant to a safeguarding or insurance matter. |
| Product analytics (PostHog, only with your consent) | Up to 13 months, then auto-purged. |
When data reaches the end of its retention period it is either deleted or irreversibly anonymised. The technical erasure flow is implemented in our codebase and applies an anonymisation cascade across account, bookings, and payment metadata.
9. Your rights
Under Gibraltar GDPR you have the following rights. We will respond within one month. If a request is complex we may extend that by up to two further months, and we will tell you within the first month if we need to.
- Right of access: ask for a copy of the personal data we hold about you.
- Right to rectification: ask us to correct anything inaccurate or incomplete.
- Right to erasure ("right to be forgotten"): ask us to delete your data where we no longer need it, where you withdraw consent, or where we have no lawful basis to keep it. We use an automated anonymisation flow for this and will confirm by email once it has run.
- Right to restrict processing: ask us to pause processing while we look into a dispute about accuracy or lawfulness.
- Right to object: object to processing we do under legitimate interests, including any profiling, and to marketing at any time.
- Right to data portability: ask for a machine-readable export of the data you gave us, where we process it by consent or contract.
- Right to withdraw consent: for anything we rely on consent for (marketing, optional analytics, health information), you can withdraw at any time without affecting anything we did before you withdrew.
- Right not to be subject to automated decisions: we do not make decisions about you using automated processing alone (see Section 11).
- Right to complain — see Section 10.
To exercise any right, email info@bybuaesthetics.com from the email address on your account or, if you do not have an account, with enough information for us to identify you. We do not charge for these requests except in the limited cases the law allows.
10. How to complain
If you are unhappy with how we have handled your personal data, please contact us first at info@bybuaesthetics.com — we would much rather hear from you and put it right.
You also have the right to complain to the data protection regulator without contacting us first:
Gibraltar Regulatory Authority (GRA)
2nd Floor, Eurotowers 4, 1 Europort Road, Gibraltar GX11 1AA
Website: www.gra.gi/data-protection
Email: info@gra.gi
If you live in the UK or EEA you may also have the right to complain to your local supervisory authority — for example, the UK Information Commissioner's Office (ICO) at ico.org.uk.
11. Automated decision-making and profiling
We do not make any decision about you — about your booking, your account, your eligibility for a class, your refund, or anything else — using automated processing alone. A human reviews any decision that has a meaningful effect on you. If we ever introduce automated decision-making we will update this notice and tell signed-in clients by email at least 30 days before it goes live.
12. Children
Our online services are not directed at children under 16. We do not knowingly collect personal data from children under 16 online. If you believe a child has given us personal information through the website, please email info@bybuaesthetics.com and we will delete it. Children can attend classes with a parent or guardian, who provides any necessary information on their behalf.
13. How we keep your data secure
We take security seriously and use measures appropriate to the risk:
- The site is served only over HTTPS / TLS.
- Passwords are stored as salted bcrypt hashes. We cannot recover your password from the hash, and we will never ask you for it by email or phone.
- Card details are processed entirely by Stripe — they never reach our servers.
- Form submissions are protected against cross-site request forgery (CSRF).
- Database access is restricted to authorised staff, on the principle of least privilege.
- Data at rest is encrypted by our database and hosting providers.
- We review access regularly and revoke it promptly when someone leaves.
No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the GRA within 72 hours of becoming aware of it, and, where the breach is likely to result in a high risk to you, we will notify you directly without undue delay.
14. Cookies
For the full list of cookies we set and how to manage them, see our Cookie Policy. Analytics and optional cookies are only set after you consent.
15. Links to other sites
Our website links to third-party sites (Fresha, Instagram, Facebook, WhatsApp, and others). We are not responsible for how those sites handle your data. Please read their own privacy notices before using them.
16. Changes to this policy
We may update this notice from time to time. If we make a material change — for example, adding a new purpose, a new supplier, or a new category of data — we will update the "Last updated" date, post a notice on the site, and where appropriate email signed-in clients before the change takes effect. Continuing to use the site after a change means you accept the updated notice.
17. Contact
BYBU Aesthetics & Wellness
15 Horse Barrack Court, Suite 2, Horse Barrack Lane, Gibraltar
Gibraltar
Email: info@bybuaesthetics.com
Phone: +350 5406 8245