Last reviewed: May 2026.
This GDPR Policy sets out, in more detail than our short-form Privacy Policy, how Telos Studio Ltd meets its obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003. It is intended for customers, suppliers, candidates and visitors to teloswellness.co.uk who want to understand how we operate as a data controller.
1. Data controller
Telos Studio Ltd is the data controller for the personal data described in this policy. Our registered office and contact details are: The Old Mill, High Street, Stow-on-the-Wold, Gloucestershire, GL54 1BB; support@teloswellness.co.uk; +44 7383 567 839. Company No. 14829076.
2. Data Protection Officer
We are not currently required to appoint a statutory Data Protection Officer (DPO). Our core processing activities do not, on a regular and systematic basis, require monitoring of data subjects on a large scale, nor do we process special category or criminal-conviction data on a large scale. Day-to-day responsibility for data protection sits with our Operations Director, who can be reached at support@teloswellness.co.uk. We will keep the need for a DPO under review as the business grows.
3. Lawful basis matrix
We process personal data only where we have a lawful basis under Article 6 of the UK GDPR. The table below summarises the basis we rely on for each main processing purpose.
- Order fulfilment, payment, delivery, install, after-care, warranty: Article 6(1)(b) — performance of a contract with you, or steps you have asked us to take before entering into a contract.
- Tax records, accounting, legal records (six-year retention under HMRC rules): Article 6(1)(c) — compliance with a legal obligation.
- Fraud prevention, network and information security, debt recovery, defending legal claims, training: Article 6(1)(f) — our legitimate interests, balanced against your rights.
- Soft opt-in postal mail to existing customers about similar products: Article 6(1)(f) — legitimate interest under PECR Regulation 22.
- Quarterly email letter, optional research, non-essential cookies: Article 6(1)(a) — your consent, freely given, specific, informed and unambiguous, and as easy to withdraw as to give.
- Recruitment (CVs, interview notes, references): Article 6(1)(b) and Article 6(1)(f) — steps prior to a contract and our legitimate interest in finding suitable colleagues.
- Public-interest health-and-safety records (where required for an installation site): Article 6(1)(c) and (e).
We do not process special category data (Article 9) save in the rare case where a customer voluntarily shares health information with us when discussing whether sauna or cold exposure is appropriate for them. Where this happens we rely on explicit consent (Article 9(2)(a)) and keep the information only for as long as needed to answer the question.
4. Data we collect
We collect the categories of personal data described in the Privacy Policy, summarised here as: identity data (name), contact data (address, email, phone), transaction data (orders, invoices, payment status), technical data (IP, device and cookie identifiers), correspondence and any information you choose to share with us.
5. Data subject rights
You have the rights set out below in respect of your personal data. To exercise any right, email support@teloswellness.co.uk with the subject line “Data Subject Request” or write to the registered office. We may ask for proof of identity where we have any doubt about who is making the request, but only as much as is necessary.
- Right to be informed — met through this policy and the Privacy Policy.
- Right of access (DSAR) — we will provide a copy of your personal data within one calendar month. The service is free unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse and explain why. The deadline can be extended by up to two further months for complex or numerous requests; we will tell you within the first month if this applies and why.
- Right to rectification — we will correct inaccurate data without undue delay and within one month at the latest.
- Right to erasure — the “right to be forgotten” applies in defined circumstances, for example where data is no longer necessary or you have withdrawn consent. It does not override our legal duty to keep tax and warranty records.
- Right to restrict processing — in defined circumstances we will pause processing while a dispute about accuracy or lawfulness is resolved.
- Right to object — you can object to processing based on legitimate interests at any time and we will stop unless we can show compelling legitimate grounds. You can object to direct marketing absolutely.
- Right to data portability — where processing is based on consent or contract and is carried out by automated means, you can ask for your data in a structured, commonly used, machine-readable format.
- Rights in relation to automated decision-making and profiling — we do not make decisions that have a legal or similarly significant effect on you using only automated means.
6. International data transfers
Some of our processors operate from outside the UK. Where personal data is transferred internationally we rely on:
- An adequacy decision (for transfers to the EEA, and to other jurisdictions the UK has recognised as providing an adequate level of protection);
- The UK extension to the EU Standard Contractual Clauses (the International Data Transfer Addendum) for transfers to the United States and other non-adequate countries; or
- The UK–US Data Bridge for transfers to organisations certified under the relevant framework.
Before relying on these mechanisms we carry out a transfer risk assessment. Encryption in transit and at rest, contractual restrictions on access by foreign public authorities, and the right to be told if such access is sought, are applied where appropriate.
7. Records of processing activity (ROPA)
We maintain a record of processing activity covering each business function, the data categories involved, lawful basis, recipients, retention periods and security controls. The ROPA is reviewed annually and whenever a new processing activity is introduced.
8. Data protection by design and default
When we introduce a new system, supplier or product feature we consider the data protection impact at the design stage and choose the most privacy-protective option that still allows the activity. For higher-risk activities we carry out a Data Protection Impact Assessment (DPIA) before going live.
9. Security measures
We hold personal data on Shopify’s PCI DSS Level 1 platform and on a small number of well-known UK and EU systems used to run the business. Controls include: role-based access; mandatory multi-factor authentication for all administrative accounts; encrypted laptops and phones; encrypted backups; logged administrative changes; regular review of supplier security; and a privacy incident response plan with named owners.
10. Personal data breaches
If we become aware of a personal data breach we will assess the risk to data subjects within 24 hours and, where the risk is more than low, notify the ICO within 72 hours of becoming aware. Where the risk is high we will notify affected data subjects directly without undue delay and explain what has happened, what we are doing about it and what they can do to protect themselves.
11. Suppliers and contracts
Where we engage a supplier as a data processor we put a written contract in place containing the Article 28 mandatory clauses, including security obligations, sub-processor restrictions, the duty to assist with data subject rights and the duty to delete or return data at the end of the engagement.
12. Training
Everyone who works with personal data at Telos receives data protection training when they start and annually thereafter. Training is supplemented with role-specific guidance for customer-care, marketing and finance colleagues.
13. Right to complain
If you are not satisfied with how we have handled your personal data, please raise it with us first. You also have the right to complain to the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, on 0303 123 1113 or via ico.org.uk.
14. Review
This policy is owned by the Operations Director and is reviewed at least annually and whenever the law or our processing materially changes.