Privacy Policy

Effective Date: 18 March 2026

This Privacy Policy is issued by Glass Hammer Ltd, a company incorporated in England and Wales (Company No. 14672595), with registered address at Garden Close, Watford, WD17 3DP ("Glass Hammer", "we", "us", or "our").

This policy explains how we collect, use, store, and share personal data in connection with the Zumbook platform ("Platform"). Please read it carefully.

1. Who This Policy Applies To

This Privacy Policy applies to three categories of people:

  • Instructors — individuals or businesses who register for a Zumbook Account to manage and promote fitness-related activities. For Instructor personal data, Glass Hammer acts as the data controller.
  • Customers — individuals who make bookings through any Zumbook-powered booking page. For Customer personal data, the relevant Instructor is the data controller and Glass Hammer acts as the data processor on their behalf.
  • Visitors — individuals who visit the Zumbook marketing website without registering or booking.

If you are a Customer making a booking through an instructor's Zumbook-powered page, you should also refer to that instructor's own privacy notice, which governs how they use your personal data in their capacity as data controller.

2. Data Controller and Data Processor

2.1 Glass Hammer as Data Controller

Glass Hammer is the data controller for:

  • Personal data collected from Instructors during registration and use of the Platform (including name, email address, billing information, and business details).
  • Personal data collected from Visitors to the Zumbook marketing website.

As data controller, Glass Hammer determines the purposes and means of processing this data and is responsible for compliance with UK GDPR in relation to it.

2.2 Glass Hammer as Data Processor

For personal data collected from Customers through Instructor-operated booking pages, the Instructor is the data controller. Glass Hammer processes that data solely on the Instructor's behalf, in accordance with the Instructor's instructions and the terms of the Data Processing Agreement set out in Section 10 of this Policy.

Glass Hammer does not use Customer personal data for its own purposes.

2.3 Instructor Responsibilities

Instructors are responsible for:

  • Ensuring they have a lawful basis to collect and process their Customers' personal data.
  • Providing Customers with an appropriate privacy notice before or at the point of data collection.
  • Responding to data subject requests made by their Customers in relation to data for which they are the controller.
  • Ensuring that their use of the Platform to process Customer data complies with UK GDPR and all other applicable data protection legislation.

3. Personal Data We Collect

3.1 Instructor Data (Glass Hammer as Controller)

When you register and use the Platform as an Instructor, we may collect:

  • Full name and contact details (email address, phone number)
  • Business name and details
  • Billing and payment information (processed via Stripe)
  • Account credentials and login activity
  • Class, event, course, and camp listings and related content
  • Communications with Glass Hammer

3.2 Customer Data (Glass Hammer as Processor)

When a Customer makes a booking through an Instructor's Zumbook-powered page, we process on the Instructor's behalf:

  • Full name and contact details
  • Booking details and history
  • Payment information (processed via Stripe on behalf of the Instructor)
  • Any other information collected by the Instructor as part of the booking process

3.3 Visitor Data

When you visit the Zumbook marketing website, we may automatically collect:

  • IP address and approximate location
  • Browser type and device information
  • Pages visited and time spent
  • Referring URLs

This data is collected via cookies and analytics tools. See Section 9 for details.

4. How We Use Personal Data

4.1 Instructor Data

We process Instructor personal data for the following purposes and on the following lawful bases:

Purpose | Lawful Basis
Providing and operating the Platform | Performance of contract
Billing and subscription management | Performance of contract
Sending transactional and account communications | Performance of contract
Sending product updates and offers | Legitimate interests (see note below)
Improving and developing the Platform | Legitimate interests
Complying with legal obligations | Legal obligation
Preventing fraud and ensuring Platform security | Legitimate interests

Note on product updates and offers: We rely on legitimate interests to send Instructors emails about Platform updates, new features, and occasional offers. We consider this proportionate given the existing commercial relationship. You may unsubscribe from non-essential communications at any time using the unsubscribe link in any such email. Transactional and service-related communications cannot be opted out of while your Account remains active.

4.2 Customer Data

We process Customer personal data only as instructed by the relevant Instructor, and only for the purposes of:

  • Processing and managing bookings
  • Facilitating payment transactions via Stripe
  • Communicating booking confirmations and updates on behalf of the Instructor

We do not use Customer personal data for our own marketing, profiling, or analytics purposes.

5. Sharing Personal Data

5.1 Sub-Processors

We use the following third-party sub-processors to assist in delivering the Platform. These sub-processors are bound by data processing agreements and may only process personal data as instructed:

Sub-Processor | Purpose | Location
Stripe | Payment processing | USA / EU (Standard Contractual Clauses apply)
Resend | Transactional and product email delivery | USA (Standard Contractual Clauses apply)
Google Analytics | Platform analytics and usage tracking | USA (Standard Contractual Clauses apply)

We will maintain an up-to-date list of sub-processors and will notify Instructors of any new sub-processors in accordance with Section 10.3. By continuing to use the Platform after such notice, Instructors accept the addition of the new sub-processor.

5.2 Other Disclosures

We may also share personal data:

  • With professional advisers (legal, financial, insurance) under obligations of confidentiality.
  • With law enforcement or regulatory authorities where required by law.
  • In connection with a merger, acquisition, or sale of Glass Hammer's business, provided the receiving party agrees to protect personal data in accordance with this Policy.

We do not sell personal data to third parties.

6. International Data Transfers

Some of our sub-processors are based outside the United Kingdom. Where personal data is transferred to a country not deemed adequate by the UK Information Commissioner's Office, we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs), as applicable.

7. Data Retention

7.1 Instructor Data

We retain Instructor personal data for as long as your Account is active. Following termination of your Account for any reason, we will retain your personal data for a period of 120 days, after which it will be securely deleted or anonymised. You may export your data at any time while your Account is active.

7.2 Customer Data

We retain Customer personal data processed on behalf of Instructors for as long as the relevant Instructor Account remains active, plus a period of 120 days following Account termination. After this period, Customer data will be securely deleted or anonymised.

7.3 Exceptions

We may retain certain data for longer periods where required to do so by law (for example, financial records required for tax compliance), or where necessary for the establishment, exercise, or defence of legal claims.

8. Your Rights

8.1 Instructor Rights

As a data subject, you have the following rights under UK GDPR in relation to personal data for which Glass Hammer is the controller:

  • Right of access — to request a copy of the personal data we hold about you.
  • Right to rectification — to request correction of inaccurate or incomplete data.
  • Right to erasure — to request deletion of your personal data in certain circumstances.
  • Right to restriction — to request that we limit processing of your personal data.
  • Right to data portability — to receive your personal data in a structured, machine-readable format.
  • Right to object — to object to processing based on legitimate interests.
  • Rights in relation to automated decision-making — we do not carry out solely automated decision-making that produces legal or similarly significant effects.

To exercise any of these rights, please contact us at the details set out in Section 12.

8.2 Customer Rights

If you are a Customer and wish to exercise your data subject rights, you should contact the relevant Instructor directly, as they are the data controller for your personal data. If you are unable to reach the Instructor, you may contact us and we will assist in directing your request appropriately.

8.3 Right to Complain

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at any time. The ICO's contact details are available at ico.org.uk.

9. Cookies

9.1 What Are Cookies

Cookies are small text files placed on your device when you visit a website. We use cookies on the Zumbook marketing website and on Zumbook-powered Instructor booking pages.

9.2 Categories of Cookies We Use

Strictly Necessary Cookies
These cookies are essential for the Platform and booking pages to function. They enable core features such as session management, security, and access to secure areas. These cookies do not require consent and cannot be disabled.

Functional Cookies
These cookies enable enhanced functionality and personalisation, such as remembering your preferences. They are not strictly necessary but improve your experience. Disabling them may affect how the Platform functions.

Analytics Cookies
We use Google Analytics to understand how visitors interact with the Platform and Instructor booking pages. This helps us improve our service. Analytics cookies collect anonymised information about page visits, time on site, and user journeys. These cookies are only placed with your consent.

Marketing Cookies
These cookies may be used to deliver advertising relevant to you and to measure the effectiveness of marketing campaigns. These cookies are only placed with your consent.

9.3 Cookie Consent

For non-essential cookies (functional, analytics, and marketing), we obtain your consent via a cookie consent banner presented on your first visit. You may withdraw or update your consent at any time by adjusting your cookie preferences through the consent tool on the relevant site.

Strictly necessary cookies do not require consent and are always active.

9.4 Third-Party Cookies

Some cookies are set by third parties, including Google Analytics. These third parties have their own privacy and cookie policies, which we encourage you to review.

9.5 Managing Cookies

You can also control cookies through your browser settings. Please note that disabling cookies may affect the functionality of the Platform or booking pages. For more information about managing cookies, visit aboutcookies.org.

10. Data Processing Agreement (Instructors)

This section constitutes the Data Processing Agreement ("DPA") between Glass Hammer (as data processor) and each Instructor (as data controller) for the processing of Customer personal data through the Platform.

10.1 Scope and Instructions

Glass Hammer will process Customer personal data only on documented instructions from the Instructor, which includes the instructions given by virtue of the Instructor's use of the Platform. Glass Hammer will inform the Instructor if, in its opinion, an instruction infringes applicable data protection law.

10.2 Confidentiality

Glass Hammer ensures that all personnel authorised to process Customer personal data are subject to appropriate obligations of confidentiality.

10.3 Sub-Processors

Glass Hammer engages sub-processors as listed in Section 5.1. Glass Hammer will notify Instructors of any intended addition or replacement of sub-processors by updating the sub-processor list published in this Policy and providing at least 30 days' notice via email or Platform notification. Continued use of the Platform after the notice period constitutes acceptance of the new sub-processor.

Instructors acknowledge that the appointment of sub-processors is necessary for the operation of the Platform and that the ability to object to specific sub-processors is limited to circumstances where the Instructor can demonstrate a reasonable, documented objection based on data protection grounds. Glass Hammer will consider such objections in good faith but reserves the right to determine that a particular sub-processor is essential to the operation of the Platform, in which case the Instructor's remedy is to terminate their Account in accordance with the Terms of Service.

10.4 Security

Glass Hammer will implement and maintain appropriate technical and organisational measures to protect Customer personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, having regard to the nature of the data and the risks involved.

10.5 Assistance with Data Subject Rights

Glass Hammer will provide reasonable assistance to Instructors in responding to data subject requests made by Customers, including requests for access, rectification, erasure, or portability, insofar as this is possible given the nature of the processing.

10.6 Data Breach Notification

Glass Hammer will notify the relevant Instructor without undue delay upon becoming aware of a personal data breach affecting Customer personal data. The notification will include, to the extent available, the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed.

10.7 Audit Rights

Glass Hammer will make available to Instructors all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits and inspections conducted by the Instructor or an auditor mandated by the Instructor, subject to reasonable notice and confidentiality obligations.

10.8 Deletion on Termination

On termination of an Instructor's Account, Glass Hammer will delete or anonymise all Customer personal data processed on that Instructor's behalf within 120 days, in accordance with Section 7.2, unless longer retention is required by law.

10.9 Governing Law

This DPA is governed by the laws of England and Wales, and forms part of the Terms of Service between Glass Hammer and the Instructor.

11. Security

We take the security of personal data seriously and implement appropriate technical and organisational measures to protect it. These include encryption of data in transit, access controls, and regular security reviews.

However, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, and you use the Platform at your own risk in this respect.

If you believe your personal data has been compromised, please contact us immediately using the details in Section 12.

12. Contact Us

For any questions about this Privacy Policy, to exercise your data subject rights, or to raise a data protection concern, please contact:

Glass Hammer Ltd
Garden Close, Watford, WD17 3DP
Email: [email protected] (update with correct address before publishing)

13. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify Instructors by email or via a notice on the Platform. Continued use of the Platform following the effective date of any updated Policy constitutes acceptance of the revised terms.

The current version of this Policy is always available on the Zumbook website.

Last reviewed: 18 March 2026

Glass Hammer Ltd · Company No. 14672595 · Garden Close, Watford, WD17 3DP