Privacy Policy
Last updated: March 2026
DRAFT - This policy is a template for review by your solicitor before publication.
Disco Well Ltd (we, us, our) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal information when you use discowell.com (the Platform).
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Disco Well Ltd is registered in England and Wales. For data protection purposes, we are the data controller.
1. Information We Collect
Information you provide:
- Name, email address, phone number
- Profile photo and identity verification documents
- Practitioner qualifications, certificates, and insurance documents
- Listing details (practice descriptions, photos, pricing, availability)
- Messages sent through our platform
- Payment information (processed by Stripe - we do not store card details)
Information collected automatically:
- IP address and device information
- Pages visited and time on site (via Plausible Analytics - privacy-focused, no personal data stored)
- Location data when you use map-based search features (via Mapbox)
- Cookies necessary for platform functionality
2. How We Use Your Information
We use your information to:
- Create and manage user accounts
- Facilitate bookings between users
- Process payments and payouts via Stripe
- Verify Practitioner identity, qualifications, and insurance
- Communicate with you (transactional emails and support)
- Improve and maintain the Platform
- Detect fraud and ensure platform security
- Comply with legal and regulatory obligations
We do not sell your personal data.
3. Lawful Basis for Processing
Where we rely on legitimate interests, we ensure that our processing is balanced against your rights and freedoms. Under the UK GDPR, we process your personal data on the following lawful bases:
- Contract: to provide the platform and related services
- Legitimate interests: to operate, improve, and secure the Platform
- Consent: for optional marketing communications (where applicable)
- Legal obligation: to comply with applicable laws (e.g. tax and fraud prevention)
4. Payments - Stripe
We use Stripe (stripe.com), a PCI-DSS compliant payment processor, to process payments and payouts.
- Payment details are entered directly into Stripe’s systems
- Stripe may collect identity and financial information as required by law (KYC/AML)
- Stripe processes data in accordance with their Privacy Policy
- For practitioner payouts, Stripe Connect requires identity verification
- Stripe acts as an independent data controller for payment processing data
Practitioner subscriptions (£16/month or £150/year) are processed via Stripe Checkout. Stripe is certified to PCI Service Provider Level 1, the highest level of payment security certification.
5. Sharing Your Information
We share your information only as necessary:
- Other users: Your name, profile photo, and listing details are visible to other users as part of normal platform use
- Stripe: Payment and identity data required for transaction processing
- Mapbox: When you use location search, your search queries are sent to Mapbox to display maps and find nearby practitioners. See Mapbox Privacy Policy
- Plausible Analytics: We use Plausible for privacy-friendly website analytics. Plausible Analytics is configured to minimise data collection and does not use cookies or track users across websites. See Plausible Data Policy
- Sharetribe: Our platform is built on Sharetribe technology. See Sharetribe’s Privacy Policy
- Legal requirements: We may disclose information if required by UK law, court order, or to protect the rights and safety of our users
We do not sell or rent personal data to third parties.
6. Data Retention
We retain personal data only as long as necessary:
- Account data: for the duration of your account
- Transaction data: retained for 6 years (UK legal requirement)
- Deleted accounts: personal data removed within 90 days, except where retention is required by law
We may also retain technical logs and system backups for security, fraud prevention, and service reliability.
7. Your Rights Under UK GDPR
Under UK data protection law, you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Restrict processing
- Object to processing based on legitimate interests
- Data portability
- Withdraw consent (where applicable)
To exercise these rights, contact us at info@discowell.com. We will respond within 30 days.
If you are unsatisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO): ico.org.uk | 0303 123 1113
8. Security
We take reasonable steps to protect your information, including:
- HTTPS encryption
- Secure payment processing via Stripe (PCI-DSS compliant)
- Access controls and least-privilege principles
No system is completely secure. If you believe your account has been compromised, contact us immediately at info@discowell.com.
9. Cookies
We use cookies that are strictly necessary for the platform to function (session management, authentication). We do not use advertising or tracking cookies.
Plausible Analytics is configured to minimise data collection. It does not set any cookies or track users across websites.
Third-party services such as Stripe and Mapbox may set their own cookies as described in their respective privacy policies.
10. Contact Us
For any privacy questions or concerns:
Disco Well Ltd, info@discowell.com
Registered in England and Wales.
11. International Data Transfers
Some of our service providers (including Stripe, Mapbox, and Sharetribe) may process data outside the UK.
Where this occurs, we ensure appropriate safeguards are in place, such as:
- UK adequacy regulations
- Standard contractual clauses
12. Changes
We may update this Privacy Policy from time to time.
Where changes are material, we will provide notice via the Platform or email.
13. Practitioner Data
Practitioners are independent data controllers in respect of any personal data they collect from clients outside the Platform.