Privacy Policy

Last updated: April 15, 2026

Contents

  1. Introduction & Data Controller
  2. What Personal Data We Collect
  3. How & Why We Use Your Data (Lawful Basis)
  4. Profile Photos & Uploaded Media
  5. Member Directory
  6. Third-Party Processors
  7. Data Retention Schedule
  8. Account Deletion
  9. Your Rights Under UK GDPR
  10. Data Subject Access Requests (DSAR)
  11. Data Security
  12. Cookies & Local Storage
  13. International Transfers
  14. SMS Communications
  15. Changes to This Policy
  16. Complaints & Contact

1. Introduction & Data Controller

PYAANO ("we," "us," or "our") operates a members-only creative house in North West London. We are committed to protecting your personal data and respecting your privacy rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains what personal information we collect, why we collect it, how it is stored, who we share it with, and what rights you have over it.

Data Controller: PYAANO
Contact: hello@pyaano.com

2. What Personal Data We Collect

We collect personal data at several points in your relationship with PYAANO. Here is a complete list:

2.1 Membership Application

When you apply, we collect:

  • Full name and email address
  • Phone number
  • Profile photo (headshot — required)
  • Creative discipline(s) and biographical information
  • Instagram handle and optional portfolio/website URL
  • Workplace and current projects ("what are you working on?")
  • Lifestyle questions (e.g. "Perfect Saturday in NW London", "my friends would describe me as…")
  • Whether you run a business and its name (optional)
  • How you heard about PYAANO
  • Referral code (if applicable)
  • TikTok handle (optional)
  • Interests and tags (multi-select)

Step 1 of the application form collects your email and phone number only. If you do not complete the full application, this partial data is automatically deleted after 7 days.

2.2 Member Account & Profile

Once approved, your member profile additionally stores:

  • Hashed password (never stored in plain text)
  • Membership number, tier, and status
  • Date of birth (optional — once set, cannot be changed by you; age display is separately controlled by a visibility toggle)
  • Gender (optional — Male / Female)
  • "Open to collaborate" preference
  • Profile visibility setting (controls whether you appear in the member directory)
  • Last login timestamp
  • Membership start/end dates
  • Onboarding completion status

2.3 Waiver Signatures

When you sign our liability waiver before using the facilities, we record: your digital signature, the timestamp, your IP address, and your browser/device user agent string. These are collected for insurance and legal compliance purposes.

2.4 Class & Event Bookings

When you book a class or event:

  • Booking reference and status
  • Amount paid (in GBP)
  • Stripe session reference (payment ID — no card details are stored by us)
  • QR code issued for entry
  • IP address at time of booking (retained in our payment audit log)
  • Browser user agent (retained in our payment audit log)

2.5 Entry Logs (QR Scans)

Every time you use your QR code at the door, we log: your member ID and name, the exact timestamp, whether entry was granted or denied, any denial reasons, which booking was used (if applicable), and your profile photo URL (for staff verification). These logs are automatically deleted after 90 days.

2.6 Password Reset & Account Security

When you reset your password, we create a one-time secure token (expires in 7 days) and record when it is used. We track login timestamps to help you identify unauthorised access.

2.7 Referrals & Credits

If you refer another member or are referred by one, we record the referral relationship for the purposes of issuing credits. We store your unique referral code and track when it is used.

2.8 Communications

We collect and retain email addresses used to send you transactional communications (approval, rejection, booking confirmations, reminders, onboarding guidance). We also retain records of when certain communications were sent to prevent duplicates (e.g. one reminder per incomplete application).

3. How & Why We Use Your Data (Lawful Basis)

Under UK GDPR, every processing activity must have a lawful basis. Here is ours for each type:

  • Evaluating your membership application
    Lawful basis: Consent (you voluntarily submit data and agree to processing at Step 1) + Legitimate interests (assessing community fit)
  • Managing your membership account
    Lawful basis: Contract performance — necessary to fulfil the membership agreement
  • Processing class & event bookings
    Lawful basis: Contract performance — necessary to fulfil the booking
  • Sending transactional emails (approval, booking confirmations, password reset)
    Lawful basis: Contract performance / Legitimate interests
  • Sending an abandoned-application reminder (one email)
    Lawful basis: Legitimate interests — proportionate, unlikely to override your rights; you are notified at Step 1
  • Sending an onboarding nudge (one email to members who haven't logged in)
    Lawful basis: Legitimate interests — helping new members get the most from their membership
  • Marketing emails & newsletters
    Lawful basis: Consent — you may opt out at any time by emailing hello@pyaano.com
  • Premises security, entry logging, fraud detection
    Lawful basis: Legitimate interests — protecting our community and preventing fraud
  • Retaining waiver signatures
    Lawful basis: Legal obligation + Legitimate interests (insurance / liability)
  • Retaining payment & booking records
    Lawful basis: Legal obligation (accounting / tax)
  • Displaying your profile in the member directory
    Lawful basis: Consent — you control your directory visibility via your profile settings (opt-out at any time)
  • Sending operational SMS messages (class reminders, event updates, account notifications)
    Lawful basis: Legitimate interests — keeping members informed about services they have booked or enrolled in
  • Sending marketing SMS messages
    Lawful basis: Consent — separate opt-in required; you may withdraw consent at any time by replying STOP or emailing hello@pyaano.com

4. Profile Photos & Uploaded Media

A profile photo is required as part of your membership application. Here is how we handle it:

  • Storage: Photos are uploaded to Cloudflare R2 (object storage) via our secure upload proxy. Files are stored in Cloudflare's infrastructure and served via their CDN.
  • Use: Your photo is used to verify your identity at the door when you scan in, to display on your profile in the member directory (if you choose to be visible), and in administrative views to help staff recognise members.
  • Access: Your photo URL is visible to other logged-in members who visit your profile or see you in the directory. It is also displayed to staff on the QR scanner screen when you enter.
  • Deletion: Your photo is deleted from Cloudflare R2 when your application is deleted (rejected or abandoned) or when your member account is deleted.
  • Updating: You can replace your profile photo at any time from within the member portal. The old photo is deleted when replaced.

PYAANO event photography: PYAANO may photograph or film events at the venue for marketing and editorial purposes. If you are present at an event, you may appear in such media. If you do not wish to be photographed, please inform a staff member. This is separate from your uploaded profile photo.

5. Member Directory

PYAANO provides an opt-in member directory so that members can discover and connect with each other.

  • Visibility is your choice: You control whether your profile appears in the directory. You can turn this on or off at any time in your profile settings at /portal/profile.
  • What is shown (if visible): Your name, profile photo, bio, disciplines, interests, and Instagram handle.
  • What is never shown: Your phone number, email address, birthday (the age may optionally be shown, but only if you enable the age visibility toggle), workplace, and booking history.
  • Who can see it: The member directory is accessible to logged-in PYAANO members only — it is not publicly accessible.
  • Member follows: Members may "follow" one another within the platform. Follow relationships are stored but not shown publicly beyond who each member is following.

6. Third-Party Processors

We do not sell your personal data. We work with the following sub-processors, all of whom process data on our behalf and are bound by appropriate data processing agreements:

  • Stripe
    Purpose: Payment processing for class & event bookings
    Data shared: Email address, booking reference, amount. Card details go directly to Stripe — we never see or store them.
    Location: USA (adequate safeguards)
  • Cloudflare R2
    Purpose: Object storage for profile photos and uploaded media
    Data shared: Profile photos and uploaded images
    Location: UK/EEA edge nodes
  • Neon (PostgreSQL)
    Purpose: Managed database hosting — stores all structured member, application, booking, and waiver data
    Data shared: All database records
    Location: EU/EEA
  • Render
    Purpose: Application hosting — runs the PYAANO web platform
    Data shared: Web traffic and application logs (no persistent personal data beyond what passes through the app)
    Location: USA (adequate safeguards)
  • Polsia (Email Service)
    Purpose: Transactional email delivery (approval, booking confirmations, password reset, reminders)
    Data shared: Recipient email address, name, and email content
    Location: UK/EU
  • Twilio
    Purpose: SMS delivery — sending class reminders, event updates, and account notifications to members
    Data shared: Phone number
    Location: USA (adequate safeguards)

We may also share data with law enforcement or legal authorities where required by law, court order, or to protect the safety of individuals.

7. Data Retention Schedule

We retain personal data only for as long as necessary for the purposes described in this policy.

  • Active member profiles
    Retention period: Duration of active membership
    Deletion method: Member-requested deletion or admin action
  • Cancelled / lapsed memberships
    Retention period: 12 months after cancellation
    Deletion method: Automatic deletion after period ends
  • Incomplete applications (partial saves)
    Retention period: 7 days from submission
    Deletion method: Automatic nightly purge (photos also deleted from R2)
  • Rejected applications
    Retention period: Until admin processes deletion (typically at time of rejection). To request immediate removal, email hello@pyaano.com
    Deletion method: Admin action or member request
  • Profile photos & media
    Retention period: Same as the associated record (membership, application, or booking)
    Deletion method: Deleted from Cloudflare R2 when record is deleted
  • Class & event booking records
    Retention period: 24 months from booking date
    Deletion method: Accounting / legal compliance retention
  • Entry logs (QR scan records)
    Retention period: 90 days from scan date
    Deletion method: Automatic deletion after 90 days
  • Waiver signatures
    Retention period: 7 years from signature date
    Deletion method: Required for insurance / legal compliance
  • Payment audit logs (IP, user agent)
    Retention period: 24 months (aligned with booking records)
    Deletion method: Fraud prevention and dispute resolution
  • Password reset tokens
    Retention period: 7 days (or until used, whichever is sooner)
    Deletion method: One-time use tokens, expire automatically

8. Account Deletion

You can request deletion of your account at any time. Here is what happens:

8.1 How to request

Use the Delete My Account option in your member portal at /portal/account, or email us at hello@pyaano.com with the subject line "Data Deletion Request".

8.2 14-day grace period

After you request deletion, your account enters a 14-day grace period. During this time your membership is suspended but not yet deleted. You will receive a cancellation confirmation email with a link to undo the deletion if you change your mind. After 14 days, deletion is permanent.

8.3 What gets deleted

  • Your member profile (name, email, phone, bio, social handles, disciplines, interests)
  • Profile photo (deleted from Cloudflare R2)
  • Application data and submission history
  • Class and event booking history
  • Credits, referral codes, and follow relationships
  • Notifications and in-app messages
  • QR codes and waiver signatures (subject to legal retention where required)

8.4 What may be retained after deletion

We may retain certain records where legally required — for example, financial records for tax compliance (up to 6 years), anonymised or aggregated data that does not identify you, and waiver signatures where insurance obligations require it. Entry logs are retained for their normal 90-day window and then automatically deleted.

8.5 Download your data first

Before deleting your account, you can download a copy of your personal data in CSV format via the Download Data option in your account settings at /portal/account.

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of Access: Request a copy of all personal data we hold about you (see Section 10).
  • Right to Rectification: Ask us to correct inaccurate or incomplete data. You can update most profile fields directly in the member portal.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data (see Section 8). Note that some data may be retained where we have a legal obligation to do so.
  • Right to Restriction: Ask us to limit how we process your data while a dispute is being resolved.
  • Right to Data Portability: Receive your data in a portable format. You can download your data as a CSV directly from /portal/account, or request it via email.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing. To opt out of marketing emails, email hello@pyaano.com.
  • Right to Withdraw Consent: Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact hello@pyaano.com. We will respond within 30 days. Complex or multiple requests may take up to an additional two months — we will inform you if this applies.

10. Data Subject Access Requests (DSAR)

You have the right to receive a copy of all personal data we hold about you.

Self-service: Members can download a CSV of their own data at any time from /portal/account — no request needed.

Full DSAR: Email hello@pyaano.com with subject line "Data Access Request", including your full name and registered email address. We will respond within 30 days with a complete copy of your data in a clear, readable format.

No fee: Your first access request in any 12-month period is free. Manifestly unfounded or excessive requests may incur a reasonable administrative fee.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords stored using industry-standard cryptographic hashing (bcrypt) — never in plain text
  • Authentication via JWT tokens, stored in browser local storage (not cookies)
  • All data transmission over HTTPS/TLS
  • Payment card data never stored by PYAANO — all card handling is delegated to Stripe (PCI-DSS compliant)
  • One-time, time-limited tokens for password resets and emergency admin access
  • Access controls limiting data access to authorised personnel only
  • Rate limiting on application form submissions to prevent automated abuse

Despite our precautions, no internet-based system is completely secure. If you have concerns about the security of your data, contact us at hello@pyaano.com.

12. Cookies & Local Storage

PYAANO does not use traditional HTTP cookies for tracking or advertising. We use browser local storage — a similar technology covered by the UK Privacy and Electronic Communications Regulations (PECR) — to keep you logged in and, with your consent, to measure anonymous page views. No personal data is ever shared with advertisers.

What we store and why

  • pyaano_token
    Purpose: Keeps you logged in as a member — stores your session token
    Type: Essential
    Duration: Until logout or expiry
  • pyaano_admin_token
    Purpose: Keeps administrators logged in to the admin dashboard
    Type: Essential
    Duration: Until logout or expiry
  • pyaano_member
    Purpose: Caches your member profile (name, photo) locally for faster loading
    Type: Essential
    Duration: Until logout or refresh
  • pyaano_cookie_consent
    Purpose: Remembers that you've accepted this notice
    Type: Essential
    Duration: 12 months
  • pyaano_cookie_consent_expiry
    Purpose: Stores the expiry timestamp for your consent preference
    Type: Essential
    Duration: 12 months
  • polsia_vid
    Purpose: A randomly generated, anonymous visitor ID used to count page views. Contains no personal data and cannot identify you. Only set after you give consent.
    Type: Functional (consent required)
    Duration: Until cleared

Your choices

Essential storage cannot be disabled without breaking core site functionality. Functional storage (the anonymous analytics ID) is only set after you accept our consent notice.

You can clear all local storage through your browser settings:

  • Chrome / Edge: Settings → Privacy and security → Clear browsing data → Cookies and other site data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data → Clear Data
  • Safari: Settings → Advanced → Website Data → Remove All Website Data

Clearing site data will log you out and reset your consent preference.

13. International Transfers

Some of our third-party processors (Stripe, Render) are based in the United States. Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place — including Standard Contractual Clauses (SCCs) and adequacy decisions — as required by UK GDPR. Cloudflare R2 and Neon store data within UK/EU infrastructure.

14. SMS Communications

PYAANO may send SMS messages to members using the phone number provided during the membership application. Messages include class reminders, event updates, schedule changes, and account notifications.

Lawful basis:

  • Operational messages (class reminders, booking confirmations, account notifications) — Legitimate interests: keeping you informed about the services you have booked or enrolled in.
  • Marketing messages (promotions, new offerings) — Consent: we will only send marketing SMS where you have separately opted in.

Opt-out: You can opt out of SMS messages at any time by replying STOP to any SMS we send, or by contacting us at hello@pyaano.com. Opting out of marketing SMS does not affect operational messages related to your active bookings.

Retention: Your phone number is stored as part of your member record. It is deleted when your account is deleted (see Section 8). SMS delivery is handled by Twilio (see Section 6 for details).

15. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date at the top. Material changes will be communicated to active members by email. Continued use of PYAANO services after changes constitutes acceptance.

16. Complaints & Contact

If you're unhappy with how we've handled your personal data, please come to us first — we'd like the chance to make it right.

hello@pyaano.com
Use one of the following subject lines:

  • "Data Deletion Request" — to request erasure of your personal data
  • "Data Access Request" — to request a copy of your data (DSAR)
  • "Privacy Query" — for any other privacy question

You also have the right to lodge a complaint directly with the UK's data protection regulator at any time:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113