Who we are
Fish Island Circus (“we”, “us”, “our”) operates a circus and aerial rehearsal + training space in Hackney Wick, East London, and the website at fishislandcircus.co.uk. We are the data controller for personal information you give us through the site.
Contact: fishislandcircus@gmail.com.
What we collect
- Account & profile. Name, email, phone, postal address, emergency-contact name + phone, experience level, the disciplines you train, and an optional avatar you upload. You enter all of this yourself when signing up or completing your profile.
- Bookings. The sessions you book — date, time, sections, type of session, person count, payment metadata (Stripe PaymentIntent id only — we never see your card number).
- Induction requests. Free-text preferred times and any notes you add.
- Contact form submissions. Name, email, and the message you sent.
- Technical. Server logs from Firebase (timestamps, the IP address of each request, user-agent) for security, debugging, and abuse prevention. We do not run third-party tracking analytics today.
How we use it
- To run your account, accept your bookings, and contact you about them (transactional emails: booking submitted, confirmed, declined, cancelled, moved; reminder the day before; new-message notifications).
- To notify the admin team when you submit a booking, induction request, or contact form.
- To process payment with Stripe for paid bookings.
- To keep the site working and secure (rate limiting, abuse detection).
Lawful bases (UK GDPR): contract for the booking relationship, legitimate interests for keeping the site secure and contacting members about their bookings, and consent for anything specifically opted into via the cookie banner.
Who else sees it
We use third-party processors who handle data on our behalf. Each is bound by its own contracts and security regimes:
- Google Firebase (Auth, Firestore, Hosting, Cloud Functions, Storage) — runs the site infrastructure. Data is hosted in the EU region.
- Stripe — processes card payments. We pass the booking amount and a description; Stripe handles the card itself.
- Resend — sends transactional emails on our behalf (we pass them the recipient + body).
We do not sell your data and we do not share it with third-party advertisers.
How long we keep it
Account profiles persist while your account exists; closing it removes the profile (we keep a minimal audit trail of past bookings and payments for legal / accounting reasons, with personal identifiers removed where practical).
Booking records are retained for up to 6 years to satisfy UK accounting / tax requirements. Server logs are retained for up to 90 days.
TODO: solicitor review — confirm exact retention periods against the latest HMRC + ICO guidance.
Cookies
We use a small number of cookies and equivalent local-storage entries:
- Essential — sign-in session, CSRF protection, basket state. These cannot be disabled if you want the site to work.
- Analytics (opt-in) — we keep this in the banner as a hook for future use; nothing fires under this flag today.
You can change your cookie choice at any time by clearing your browser’s storage for this site, which re-shows the banner.
Your rights
Under UK GDPR you can ask us to:
- show you what we hold about you;
- correct anything that’s wrong;
- delete your account and the personal data on it (subject to legal retention requirements above);
- port your data to another service in a machine-readable form;
- object to processing where we’ve relied on legitimate interests.
Email fishislandcircus@gmail.com and we’ll respond within one calendar month. If you’re unhappy with how we’ve handled your request you can complain to the ICO (ico.org.uk).
Changes
We’ll update this page when our processing changes and note the “last reviewed” date at the top. We don’t email everyone for minor wording tweaks; for material changes we’ll surface a notice next time you sign in.