Last updated: 30 April 2026
This privacy policy explains how Wirral Music Factory ("WMF," "we," "us," or "our") collects, uses, stores, and protects your personal data when you visit our website, book lessons, or interact with us in any other way. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Please read this policy carefully. If you have any questions, you can contact us at any time using the details in Section 1.
Wirral Music Factory is a music school based on the Wirral, offering tuition in drums, guitar, bass, piano, singing, violin, flute, saxophone, ukulele, mandolin and music theory to students of all ages, including children.
Data Controller: Matt Duffy
Website: www.wirralmusicfactory.com
Email: md@wirralmusicfactory.com
WMF is registered in England and is the data controller responsible for the personal data collected through our website, booking system, email communications, and in-person interactions. This means we decide how and why your personal data is processed, and we are accountable for doing so lawfully and transparently.
We collect different types of personal data depending on how you interact with us. The categories include:
Contact information — your name, email address, phone number, and postal address.
Booking and lesson information — the type of lessons you book, your schedule, and payment details (payments are handled by third-party processors — we do not store your full card details).
Student information — age, skill level, lesson preferences, and progress notes used to tailor your tuition.
Children's information — for students under 18, we collect the child's name and age along with parent or guardian contact details. This data is collected with parental consent where required (see Section 5).
Website usage data — IP address, browser type, device information, pages visited, and cookie data (see Section 11).
Communication data — the content of emails, enquiry form submissions, and any messages you send us.
Marketing preferences — whether you have opted in to receive marketing emails, and records of when consent was given or withdrawn.
We collect personal data in three main ways:
Directly from you — when you fill in a booking form, submit an enquiry, phone us, email us, or speak with us in person at a lesson or event.
Through our website — automatically via cookies and similar technologies when you browse our site (see Section 11).
Through third-party services — our booking system (Acuity Scheduling / Squarespace) collects information on our behalf when you book lessons online. These services have their own privacy policies, which we encourage you to read.
Under UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out the purposes for which we use your data and the legal basis we rely on in each case.
| Purpose | Data Used | Lawful Basis |
| --- | --- | --- |
| Managing lesson bookings and scheduling | Contact details, lesson preferences | Contract performance — necessary to deliver the lessons you have booked |
| Communicating about lessons (reminders, schedule changes, cancellations) | Contact details | Contract performance — necessary to fulfil our obligations to you |
| Processing payments | Payment information (handled by third-party processor) | Contract performance — necessary to collect payment for services provided |
| Sending marketing emails and newsletters | Email address, name | Consent — only sent where you have actively opted in |
| Improving our website and services | Website usage data, cookies | Legitimate interest — to understand how visitors use our site and improve the experience |
| Safeguarding children and vulnerable adults | Student age, emergency contacts, relevant medical or additional needs information | Legal obligation and vital interests — to meet our duty of care and safeguarding responsibilities |
| Responding to enquiries | Contact details, message content | Legitimate interest — to reply to people who contact us |
| Maintaining student records and progress notes | Lesson notes, skill assessments | Legitimate interest — to provide quality, personalised tuition |
| Complying with legal and tax obligations | Financial records, booking history | Legal obligation — required by HMRC and other regulatory bodies |
Where we rely on legitimate interest, we have carried out a balancing test to ensure our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interest (see Section 9).
WMF teaches students of all ages, including children, and we take the protection of children's personal data very seriously.
Students under 13 — We obtain consent from a parent or guardian before collecting any personal data about a child under 13. A parent or guardian must complete the booking process on the child's behalf.
Students aged 13–17 — We may collect data directly from students in this age group (for example, during lessons), but we keep parents and guardians informed about the data we hold and how it is used.
Data minimisation — We only collect the minimum personal data necessary to provide tuition safely and effectively. We do not collect more information about child students than we need.
Marketing — Children's data is never used for marketing purposes without explicit parental consent.
ICO Children's Code — We follow the principles set out in the ICO's Age Appropriate Design Code (the Children's Code) when designing and operating services that children are likely to access. This means we default to high-privacy settings, minimise data collection, and do not use children's data in ways that could be detrimental to their wellbeing.
Data (Use and Access) Act 2025 — We comply with the higher protection duty for children's data introduced by this legislation, ensuring that the processing of children's personal data is carried out with particular care and with their best interests as a primary consideration.
We share your personal data only where it is necessary for the purposes described in this policy, or where we are required to do so by law. We share data with the following parties:
Acuity Scheduling / Squarespace — our booking management platform, used to manage lesson scheduling and appointments. Squarespace, Inc. is based in the United States (see Section 7 on international transfers).
Payment processors — payments made through our booking system are handled by third-party payment processors (such as Stripe, PayPal or Square), each of which has its own privacy policy and is independently responsible for the payment data they process.
HMRC — we share financial records with HM Revenue & Customs where required by law for tax purposes.
We do not sell your personal data to any third party. We only share data where it is necessary for the purposes described above or where we are legally required to do so.
Some of the third-party services we use — including Acuity Scheduling / Squarespace — are based in the United States. This means your personal data may be transferred to, and processed in, a country outside the United Kingdom.
Where this happens, we ensure that appropriate safeguards are in place to protect your data, as required by UK GDPR. These safeguards may include:
Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
The service provider's compliance with recognised data protection frameworks
A UK adequacy decision covering the destination country, where applicable
We will not transfer your personal data to any country or organisation that does not have adequate protections in place.
We keep your personal data only for as long as necessary for the purpose it was collected, or as required by law. The table below sets out our standard retention periods.
| Data Type | Retention Period | Reason |
| --- | --- | --- |
| Active student records | Duration of tuition + 2 years | To manage the ongoing relationship and handle any follow-up queries |
| Financial and payment records | 6 years after the transaction | HMRC legal requirement |
| Email marketing data | Until you unsubscribe or withdraw consent | Consent-based processing |
| Website analytics data | 26 months | Standard analytics retention period |
| Enquiry form submissions | 12 months | To follow up and improve our services |
| Children's data | Duration of tuition + 1 year, then securely deleted | Data minimisation principle — children's data receives higher protection |
Once retention periods expire, personal data is securely deleted or anonymised so that it can no longer be linked to you.
You have the following rights in relation to your personal data. These rights apply in certain circumstances and are subject to some exceptions.
Right of access — You can request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR) and is free of charge.
Right to rectification — You can ask us to correct any personal data that is inaccurate or to complete data that is incomplete.
Right to erasure — You can ask us to delete your personal data in certain circumstances, for example where we no longer need it or where you withdraw consent.
Right to restrict processing — You can ask us to limit how we use your data in certain situations, for example while we investigate a complaint you have made.
Right to data portability — You can request that we provide your data in a structured, commonly used, machine-readable format so that you can transfer it to another service.
Right to object — You can object to processing that is based on our legitimate interest or that is carried out for direct marketing purposes. Where you object to direct marketing, we will stop immediately.
Right to withdraw consent — Where we process your data based on consent (such as marketing emails), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew consent.
Rights related to automated decision-making — We do not carry out any automated decision-making or profiling that produces legal effects or similarly significantly affects you.
To exercise any of these rights, please email us at md@wirralmusicfactory.com. We will respond to your request within one calendar month. No fee is charged for reasonable requests. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on it, but we will always explain our reasons.
We send marketing emails — such as newsletters, promotions, and updates about new services — only to people who have given us their explicit consent to do so, in compliance with the Privacy and Electronic Communications Regulations (PECR).
Every marketing email we send contains a clear unsubscribe link. You can also opt out at any time by emailing md@wirralmusicfactory.com and asking to be removed from our mailing list.
Our marketing emails may contain small tracking pixels that help us understand whether emails are being opened and which links are being clicked. This information is used solely to improve the relevance and quality of our communications.
Opting out of marketing will not affect essential service communications about your lessons, such as booking confirmations, schedule changes, or cancellations. Those are sent under our contractual obligation to you and will continue as long as you are an active student.
Cookies are small text files placed on your device when you visit a website. They help the site work properly, remember your preferences, and understand how visitors use the site.
Our website uses the following types of cookies:
Essential cookies — These are necessary for the website to function correctly (for example, keeping you logged in or remembering items in a booking form). They cannot be switched off.
Analytics cookies — We use Google Analytics to understand how visitors interact with our website, such as which pages are most popular and how long people spend on the site. Google Analytics uses cookies to collect this data. IP addresses are anonymised so that individual visitors cannot be personally identified through analytics data alone.
Third-party cookies — Some cookies may be set by third-party services embedded in our website, such as the Acuity Scheduling booking widget. These cookies are governed by the privacy policies of the respective third parties.
Non-essential cookies (analytics and third-party cookies) are only placed with your consent. You can manage your cookie preferences through your browser settings at any time. Most browsers allow you to block or delete cookies — please refer to your browser's help documentation for instructions. Blocking certain cookies may affect the functionality of our website.
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:
Secure, password-protected systems for storing personal data
Encrypted email communications where appropriate
Limiting access to personal data to only those individuals who need it to carry out their role
Regular review of our data handling practices and security measures
In the event of a personal data breach that is likely to pose a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform affected individuals without undue delay, as required by UK GDPR.
If you are unhappy with how we have handled your personal data, please contact us in the first instance so that we can try to resolve the issue:
Email: md@wirralmusicfactory.com
Data Controller: Matt Duffy
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority for data protection:
Website: https://ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We may update this privacy policy from time to time to reflect changes in our practices, the services we offer, or legal requirements. Where we make significant changes, we will notify you by email or by placing a prominent notice on our website.
We encourage you to check back periodically to stay informed about how we are protecting your data. The "Last updated" date at the top of this policy will always reflect when the most recent changes were made.
© 2026 Wirral Music Factory. All rights reserved.