Your privacy Matters
Privacy Policy.
MOVA Studios Limited
Privacy Policy
Effective Date: 21st April 2026| Version 2.0
Data Controller | MOVA Studios Limited |
Company Number | 16535562 |
Registered Address | Suite Ra01, 195–197 Wood Street, London, E17 3NU |
Studio Address | First Floor, Hargrave House, Boroughbridge Road, Acomb, York, YO26 5RX |
ICO Registration Number | CSN2913873 |
Supervisory Authority (UK) | Information Commissioner’s Office (ICO), ico.org.uk |
This Privacy Policy explains how we collect, use, store, and share your personal data when you use our services, visit our website, or interact with us. It applies to all individuals whose data we process, regardless of location.
This policy is structured as a core global notice with jurisdiction-specific annexes. The core sections apply to everyone. If you are located in a specific jurisdiction, the relevant annex provides additional information about your local rights and our obligations.
CORE PRIVACY NOTICE
MOVA Studios Limited is a company registered in England and Wales (Company No. 16535562). Registered office: Suite Ra01, 195–197 Wood Street, London, E17 3NU. Studio address: First Floor, Hargrave House, Boroughbridge Road, Acomb, York, YO26 5RX.
1. What Data We Collect
1.1 Identity & Contact Data
Your name, email address, phone number, postal address, date of birth, and emergency contact details.
1.2 Financial Data
Payment card details (processed by our third-party payment provider — we do not store full card numbers), billing address, transaction history, and direct debit mandates.
1.3 Health Data (Special Category)
Information you provide on your health questionnaire, including medical conditions, injuries, pregnancy status, and medications. Health data is special category data under applicable data protection law and is processed only with your explicit consent.
1.4 Booking & Attendance Data
Class bookings, attendance records, cancellations, no-shows, waitlist activity, and class preferences.
1.5 Membership Data
Membership type, tier, billing dates, pause history, Founders status, communications preferences, and complaint/dispute records.
1.6 Technical Data
If you visit our website or use our app, we may collect IP address, browser type, device information, and cookie data. See our Cookie Policy for full details.
1.7 Photography & Video
Images or video of you taken at the Studio for marketing purposes, only with your consent.
1.8 AI-Generated & Inferred Data
Some of our third-party service providers use artificial intelligence and automated processing to generate data about you that we did not directly collect. This may include:
- Churn risk scores or engagement predictions generated by our booking platform.
- Fraud risk assessments generated by our payment processor.
- Audience segmentation or behavioural profiles generated by our email marketing platform.
We treat AI-generated and inferred data with the same protections as directly collected personal data. See Section 6 (Automated Decision-Making, Profiling & AI) for full details.
2. How We Use Your Data
We process your personal data for the following purposes and on the following legal bases:
2.1 Performance of Our Contract with You
- To provide your membership, process payments, manage bookings, and communicate with you about your account.
- To administer pauses, cancellations, hardship requests, and the dunning process described in our Terms & Conditions.
- To enforce our Terms & Conditions, including no-show fees and early termination fees.
2.2 Legitimate Interests
- To improve our services, analyse booking patterns, and manage studio capacity.
- To prevent fraud, resolve disputes, and defend legal claims.
- To maintain health and safety records and administer our complaints process.
- To monitor the performance of third-party tools and AI-assisted features used in our operations (see Section 6).
2.3 Your Consent
- To send you marketing communications (newsletters, offers, event invitations). You may withdraw consent at any time.
- To use your image or likeness in our marketing materials.
2.4 Explicit Consent for Health Data
- To process your health questionnaire and any medical information you provide, for the purpose of ensuring your safety during classes.
- To process medical pause requests, hardship cancellation requests, and pregnancy-related modifications.
2.5 Legal Obligation
- To comply with tax, accounting, and regulatory requirements (e.g. HMRC).
- To report accidents under RIDDOR where required.
- To respond to lawful requests from law enforcement or regulatory authorities.
3. Who We Share Your Data With
We will never sell your personal data. We share your data only with the following categories of third-party processors, who are bound by data processing agreements and appropriate security obligations:
- Payment processor: Stripe — to process your membership payments and manage card transactions. Stripe uses AI-powered fraud detection (see Section 6).
- Booking, CRM & communications: bsport — to manage class scheduling, bookings, member accounts, and transactional and (where consented) marketing emails. bsport may use AI-powered features including churn prediction, automated waitlist management, send-time optimisation, and audience segmentation (see Section 6).
- CCTV provider: Euphy — for the security of our premises (see Section 9).
- Accountants and professional advisors: for tax compliance and legal advice.
- Regulators and authorities: where required by law (e.g. HMRC, HSE under RIDDOR, ICO).
Where we introduce new third-party processors or where existing processors introduce material new AI features, we will update this Privacy Policy accordingly.
4. How Long We Keep Your Data
We retain your personal data only for as long as necessary for the purposes for which it was collected:
- Membership and billing data: for the duration of your membership plus 6 years (to comply with HMRC requirements and the Limitation Act 1980).
- Health questionnaire: for the duration of your membership plus 3 years (to support any injury-related claims).
- Marketing consent records: for the duration of your consent plus 12 months after withdrawal.
- CCTV footage: maximum 30 days unless required for an investigation or legal claim.
- Accident reports: 3 years from the date of the incident (or longer if a claim is made).
- Complaints records: 3 years from the date of resolution.
- AI-generated or inferred data (e.g. churn scores, fraud assessments): deleted or refreshed in line with the retention policies of our third-party processors. We do not independently retain AI-generated profiles beyond the active period of your membership.
When data is no longer needed, it is securely deleted or anonymised.
5. Your Rights
Under applicable data protection law, you have the following rights in relation to your personal data:
- Right of access: you can request a copy of the personal data we hold about you (a Subject Access Request, or SAR).
- Right to rectification: you can ask us to correct inaccurate or incomplete data.
- Right to erasure: you can ask us to delete your data in certain circumstances (e.g. if we no longer need it for its original purpose).
- Right to restrict processing: you can ask us to temporarily stop processing your data while we resolve a concern.
- Right to data portability: you can request your data in a structured, commonly used format.
- Right to object: you can object to processing based on legitimate interests. You can object to direct marketing at any time. You can object to profiling (see Section 6).
- Right to withdraw consent: where we process data based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Rights relating to automated decision-making: you have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you, except in limited circumstances. See Section 6 for full details.
To exercise any of these rights, contact us at [email protected]. We will respond within one month. If your request is complex, we may extend this by a further two months, and we will let you know.
6. Automated Decision-Making, Profiling & AI
Some of the third-party tools we use in operating the Studio incorporate artificial intelligence (AI) and automated processing features. This section explains what those features are, how they may affect you, and what rights you have.
6.1 Our AI and Automation Inventory
The following table lists the AI-assisted and automated processing features currently in use or planned for use in our operations. We will update this table when material changes occur.
Tool | Provider | AI Function | Data Processed | Decision Type | Legal Basis |
Booking, CRM & Email | bsport | Churn prediction; automated waitlist; class recommendations; send-time optimisation; audience segmentation | Booking & attendance data; membership data; contact data; engagement data | AI-assisted (human reviews flagged members; staff approve campaigns) | Legitimate interest; Consent (marketing) |
Payment Processor | Stripe | Fraud detection; payment risk scoring | Financial data; technical data (IP, device) | Automated with human review on flag | Contractual necessity; legitimate interest |
Email Platform | bsport | Send-time optimisation; audience segmentation; subject line suggestions | Contact data; booking data; engagement data | AI-assisted (staff approve campaigns) | Consent (marketing); contractual necessity (service emails) |
No-show / Fee System | bsport | Automated fee application based on cancellation/attendance rules | Booking & attendance data | Automated — human review before charge is applied | Contractual necessity |
Dunning Process | Stripe | Automated payment retry and member notifications | Financial data; membership data | Automated notifications; human review before pause/cancellation | Contractual necessity |
[Future: Chatbot] | [Not yet in use] | [If implemented: member query handling] | [Contact data; booking data] | [Would require AI Act Art. 50 disclosure] | [Legitimate interest / consent] |
6.2 What This Means for You
Profiling
Profiling means automated processing of your personal data to evaluate or predict aspects of your behaviour, preferences, or status. Examples relevant to MOVA include:
- bsport may analyse your attendance patterns to predict whether you are likely to cancel your membership (“churn prediction”). This may result in you receiving a retention offer or personalised communication. bsport may also segment you into audience groups based on your class preferences, attendance frequency, or membership tier to send you more relevant content.
- Your payment processor may assess the fraud risk of your transactions based on your payment history, device, and location.
In each of these cases, the profiling is used to improve the service we offer you or to protect the security of our systems. It does not, by itself, result in any decision that has legal or similarly significant effects on you.
Automated Decision-Making
Automated decision-making means a decision made by a machine with no meaningful human involvement. We are committed to ensuring that no decision with legal or similarly significant effects on you is made solely by automated means without human review.
Specifically:
- No-show and late cancellation fees: our booking platform may automatically flag a no-show or late cancellation, but a member of staff reviews and confirms the charge before it is applied to your account. You will always have the opportunity to dispute a charge (see our Terms & Conditions, Section 8.1 and Section 19).
- Dunning and payment failures: our payment processor may automatically retry a failed payment and send notifications. However, any decision to pause or cancel your membership for non-payment is made by a member of staff after the automated dunning sequence has completed (see our Terms & Conditions, Section 7.3).
- Fraud blocks: if your payment processor’s AI flags a transaction as potentially fraudulent, the transaction may be blocked automatically. If this happens, we will contact you to resolve the issue and you can request a manual review.
AI-Generated Content
We may use AI-assisted tools to help draft marketing content, class descriptions, or social media posts. Where AI-generated content is used in communications directed at you, we will ensure it is reviewed by a member of staff before publication. If you are located in the European Union, we will comply with applicable AI transparency labelling requirements.
6.3 Your Rights Regarding Automated Processing
You have the following rights in relation to automated decision-making and profiling:
- Right to be informed: this Section 6 provides the information required about our automated processing. If you have further questions, contact us.
- Right to object to profiling: you can object to profiling carried out on the basis of our legitimate interests at any time. You can object to profiling for direct marketing purposes at any time, and we will stop immediately.
- Right to human review: if any automated decision produces legal or similarly significant effects on you, you have the right to request meaningful human review, to express your views, and to contest the decision.
- Right to an explanation: you have the right to request meaningful information about the logic involved in any automated decision that significantly affects you, including the significance and envisaged consequences.
To exercise any of these rights, contact us at [email protected].
6.4 How We Manage AI Risk
We take the following steps to ensure that AI-assisted tools are used responsibly:
- Vendor due diligence: before adopting any new tool with AI features, we assess its data processing practices, transparency, and compliance with applicable data protection and AI regulations.
- Data processing agreements: all third-party processors are required to notify us of material changes to their AI features. Our DPAs include AI-specific clauses covering transparency, data use, and incident notification.
- Human oversight: we maintain meaningful human review over all decisions that have legal or similarly significant effects on members. Automated tools assist but do not replace human judgment.
- Staff training: staff who operate or oversee AI-assisted tools receive training on how the tools work, their limitations, and how to handle member questions about automated processing.
- Regular review: we review our AI tool inventory at least annually and when any third-party provider notifies us of a material feature change.
- Data Protection Impact Assessment: where automated processing or profiling is likely to result in a high risk to individuals, we carry out a DPIA in accordance with applicable data protection law.
7. Marketing Communications
We will only send you marketing communications (such as newsletters, offers, or event invitations) if you have given us your consent. You can unsubscribe at any time by clicking the unsubscribe link in any marketing email, or by contacting us at [email protected].
We will continue to send you service-related communications (such as billing confirmations, renewal reminders, class updates, and account notifications) regardless of your marketing preferences, as these are necessary for the performance of our contract with you.
Where bsport uses automated features to optimise send times or segment audiences for marketing emails, this is done on the basis of your consent to receive marketing. You can withdraw that consent at any time, and we will stop all automated marketing profiling for your account.
8. Children’s Data
Our services are for individuals aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a minor, we will delete it promptly.
9. CCTV
We operate CCTV at our Studio premises (provided by Euphy) for the purposes of crime prevention, health and safety, and the protection of our staff and members. CCTV signage is displayed at the entrance to the monitored area. Footage is retained for a maximum of 30 days and is only accessed where necessary for security, safety, or legal purposes.
10. Cookies
Our website uses cookies. For full details of the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy at [INSERT URL].
11. International Transfers
We primarily store and process your data in the United Kingdom. Where any of our third-party processors transfer data outside the UK or the European Economic Area (EEA), they are required to implement appropriate safeguards, such as:
- Standard contractual clauses approved by the relevant supervisory authority.
- Binding corporate rules approved by the relevant supervisory authority.
- Transfers to countries or territories subject to an adequacy decision.
If you would like to know more about the safeguards in place for any specific international transfer, please contact us.
12. Data Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include encrypted payment processing, access controls on member data, secure storage of health questionnaires, and staff training on data handling.
While we take all reasonable precautions, no method of data transmission or storage is completely secure. If you believe your data has been compromised, please contact us immediately.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (ICO for UK residents) within 72 hours of becoming aware of the breach, where feasible.
- Notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
- Document the breach, its effects, and the remedial action taken.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice on our website at least 14 days before the change takes effect. The effective date at the top of this document will always reflect the most recent version.
If a material change affects the way we use AI-assisted tools or automated decision-making, we will update Section 6 and notify you specifically of the change.
15. How to Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about automated decision-making or profiling, please contact us:
Data Controller | MOVA Studios Limited |
Company Number | 16535562 |
Studio Address | First Floor, Hargrave House, Boroughbridge Road, Acomb, York, YO26 5RX |
ICO Registration | CSN2913873 |
ANNEX A
United Kingdom — Jurisdiction-Specific Information
This annex applies to you if you are located in the United Kingdom. It supplements the core Privacy Notice above.
A1. Applicable Law
Your personal data is processed in accordance with the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (DPA 2018).
A2. Supervisory Authority
The supervisory authority for data protection in the UK is the Information Commissioner’s Office (ICO). If you are not satisfied with how we handle your data or your request, you have the right to lodge a complaint with the ICO:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
A3. Automated Decision-Making (UK GDPR Article 22)
Under Article 22 of the UK GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We can only carry out this type of decision-making where it is:
- Necessary for entering into or performing a contract with you; or
- Authorised by UK law with appropriate safeguards; or
- Based on your explicit consent.
As described in Section 6 of the core notice, we maintain meaningful human review over all decisions with legal or similarly significant effects. If you believe an automated decision has been made about you without appropriate human review, please contact us and we will investigate and provide a human review within 10 business days.
A4. Data (Use and Access) Act 2025
The Data (Use and Access) Act received Royal Assent on 19 June 2025 and introduces amendments to the UK GDPR framework, including changes to automated decision-making provisions. The ICO is currently updating its guidance to reflect these changes. We will update this Privacy Policy if and when any changes affect how we process your data.
A5. UK AI Regulation
As of the date of this policy, the UK does not have a single comprehensive AI law equivalent to the EU AI Act. The UK government has adopted a principles-based, sector-specific approach, with existing regulators (including the ICO) applying existing laws to AI within their respective remits. We monitor regulatory developments and will update this policy as the UK’s AI regulatory framework evolves.
Regardless of the regulatory framework, we are committed to the following principles in our use of AI-assisted tools: transparency (telling you when AI is involved), human oversight (ensuring meaningful human review of significant decisions), fairness (monitoring for bias or unfair outcomes), and accountability (maintaining records of our AI tool usage and decision-making).
ANNEX B
European Economic Area — Jurisdiction-Specific Information
[NOTE: This annex will be activated when MOVA offers services to individuals located in the EEA, for example through online class bookings or an e-commerce website accessible to EEA residents. Until then, this annex is provided for structural completeness and does not create any obligations.]
B1. Applicable Law
If you are located in the EEA, your personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 (EU GDPR). References to “applicable data protection law” in the core notice include the EU GDPR where it applies to you.
B2. Supervisory Authority
You have the right to lodge a complaint with the data protection authority in your EEA member state. A list of EEA data protection authorities is available at edpb.europa.eu.
B3. EU AI Act (Regulation (EU) 2024/1689)
The EU AI Act introduces transparency obligations for deployers of AI systems that interact directly with individuals located in the EU. From 2 August 2026, if we deploy any AI system that directly interacts with you (for example, a chatbot), we will inform you that you are interacting with an AI system.
If we use AI systems to generate or manipulate content (such as images, text, or video) that is directed at individuals in the EEA, we will label that content as AI-generated in accordance with Article 50 of the EU AI Act.
The AI tool inventory in Section 6.1 of the core notice identifies the AI-assisted features currently in use. We will update this inventory to reflect any new EU AI Act obligations as they take effect.
B4. International Transfers (EEA-Specific)
Where your personal data is transferred from the EEA to the UK, we rely on the European Commission’s adequacy decision for the UK (adopted 28 June 2021). Where data is transferred to other countries outside the EEA, we rely on standard contractual clauses approved by the European Commission or other appropriate safeguards under EU GDPR Article 46.
ANNEX C
Other Jurisdictions — Placeholder
[This annex is reserved for future use. If MOVA expands its services to individuals in jurisdictions outside the UK and EEA (for example, the United States, where state-level privacy laws such as the California Consumer Privacy Act may apply), jurisdiction-specific information will be added here.]
[No obligations are created by the inclusion of this placeholder annex.]
This Privacy Policy was last updated on 21st April 2026
MOVA Studios Limited
Privacy Policy
Effective Date: 21st April 2026 | Version 2.0
Data Controller | MOVA Studios Limited |
Company Number | 16535562 |
Registered Address | Suite Ra01, 195–197 Wood Street, London, E17 3NU |
Studio Address | First Floor, Hargrave House, Boroughbridge Road, Acomb, York, YO26 5RX |
| [email protected] | |
ICO Registration Number | CSN2913873 |
Supervisory Authority (UK) | Information Commissioner’s Office (ICO), ico.org.uk |
This Privacy Policy explains how we collect, use, store, and share your personal data when you use our services, visit our website, or interact with us. It applies to all individuals whose data we process, regardless of location.
This policy is structured as a core global notice with jurisdiction-specific annexes. The core sections apply to everyone. If you are located in a specific jurisdiction, the relevant annex provides additional information about your local rights and our obligations.
CORE PRIVACY NOTICE
MOVA Studios Limited is a company registered in England and Wales (Company No. 16535562). Registered office: Suite Ra01, 195–197 Wood Street, London, E17 3NU. Studio address: First Floor, Hargrave House, Boroughbridge Road, Acomb, York, YO26 5RX.
1. What Data We Collect
1.1 Identity & Contact Data
Your name, email address, phone number, postal address, date of birth, and emergency contact details.
1.2 Financial Data
Payment card details (processed by our third-party payment provider — we do not store full card numbers), billing address, transaction history, and direct debit mandates.
1.3 Health Data (Special Category)
Information you provide on your health questionnaire, including medical conditions, injuries, pregnancy status, and medications. Health data is special category data under applicable data protection law and is processed only with your explicit consent.
1.4 Booking & Attendance Data
Class bookings, attendance records, cancellations, no-shows, waitlist activity, and class preferences.
1.5 Membership Data
Membership type, tier, billing dates, pause history, Founders status, communications preferences, and complaint/dispute records.
1.6 Technical Data
If you visit our website or use our app, we may collect IP address, browser type, device information, and cookie data. See our Cookie Policy for full details.
1.7 Photography & Video
Images or video of you taken at the Studio for marketing purposes, only with your consent.
1.8 AI-Generated & Inferred Data
Some of our third-party service providers use artificial intelligence and automated processing to generate data about you that we did not directly collect. This may include:
- Churn risk scores or engagement predictions generated by our booking platform.
- Fraud risk assessments generated by our payment processor.
- Audience segmentation or behavioural profiles generated by our email marketing platform.
We treat AI-generated and inferred data with the same protections as directly collected personal data. See Section 6 (Automated Decision-Making, Profiling & AI) for full details.
2. How We Use Your Data
We process your personal data for the following purposes and on the following legal bases:
2.1 Performance of Our Contract with You
- To provide your membership, process payments, manage bookings, and communicate with you about your account.
- To administer pauses, cancellations, hardship requests, and the dunning process described in our Terms & Conditions.
- To enforce our Terms & Conditions, including no-show fees and early termination fees.
2.2 Legitimate Interests
- To improve our services, analyse booking patterns, and manage studio capacity.
- To prevent fraud, resolve disputes, and defend legal claims.
- To maintain health and safety records and administer our complaints process.
- To monitor the performance of third-party tools and AI-assisted features used in our operations (see Section 6).
2.3 Your Consent
- To send you marketing communications (newsletters, offers, event invitations). You may withdraw consent at any time.
- To use your image or likeness in our marketing materials.
2.4 Explicit Consent for Health Data
- To process your health questionnaire and any medical information you provide, for the purpose of ensuring your safety during classes.
- To process medical pause requests, hardship cancellation requests, and pregnancy-related modifications.
2.5 Legal Obligation
- To comply with tax, accounting, and regulatory requirements (e.g. HMRC).
- To report accidents under RIDDOR where required.
- To respond to lawful requests from law enforcement or regulatory authorities.
3. Who We Share Your Data With
We will never sell your personal data. We share your data only with the following categories of third-party processors, who are bound by data processing agreements and appropriate security obligations:
- Payment processor: Stripe — to process your membership payments and manage card transactions. Stripe uses AI-powered fraud detection (see Section 6).
- Booking, CRM & communications: bsport — to manage class scheduling, bookings, member accounts, and transactional and (where consented) marketing emails. bsport may use AI-powered features including churn prediction, automated waitlist management, send-time optimisation, and audience segmentation (see Section 6).
- CCTV provider: Euphy — for the security of our premises (see Section 9).
- Accountants and professional advisors: for tax compliance and legal advice.
- Regulators and authorities: where required by law (e.g. HMRC, HSE under RIDDOR, ICO).
Where we introduce new third-party processors or where existing processors introduce material new AI features, we will update this Privacy Policy accordingly.
4. How Long We Keep Your Data
We retain your personal data only for as long as necessary for the purposes for which it was collected:
- Membership and billing data: for the duration of your membership plus 6 years (to comply with HMRC requirements and the Limitation Act 1980).
- Health questionnaire: for the duration of your membership plus 3 years (to support any injury-related claims).
- Marketing consent records: for the duration of your consent plus 12 months after withdrawal.
- CCTV footage: maximum 30 days unless required for an investigation or legal claim.
- Accident reports: 3 years from the date of the incident (or longer if a claim is made).
- Complaints records: 3 years from the date of resolution.
- AI-generated or inferred data (e.g. churn scores, fraud assessments): deleted or refreshed in line with the retention policies of our third-party processors. We do not independently retain AI-generated profiles beyond the active period of your membership.
When data is no longer needed, it is securely deleted or anonymised.
5. Your Rights
Under applicable data protection law, you have the following rights in relation to your personal data:
- Right of access: you can request a copy of the personal data we hold about you (a Subject Access Request, or SAR).
- Right to rectification: you can ask us to correct inaccurate or incomplete data.
- Right to erasure: you can ask us to delete your data in certain circumstances (e.g. if we no longer need it for its original purpose).
- Right to restrict processing: you can ask us to temporarily stop processing your data while we resolve a concern.
- Right to data portability: you can request your data in a structured, commonly used format.
- Right to object: you can object to processing based on legitimate interests. You can object to direct marketing at any time. You can object to profiling (see Section 6).
- Right to withdraw consent: where we process data based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Rights relating to automated decision-making: you have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you, except in limited circumstances. See Section 6 for full details.
To exercise any of these rights, contact us at [email protected]. We will respond within one month. If your request is complex, we may extend this by a further two months, and we will let you know.
6. Automated Decision-Making, Profiling & AI
Some of the third-party tools we use in operating the Studio incorporate artificial intelligence (AI) and automated processing features. This section explains what those features are, how they may affect you, and what rights you have.
6.1 Our AI and Automation Inventory
The following table lists the AI-assisted and automated processing features currently in use or planned for use in our operations. We will update this table when material changes occur.
Tool | Provider | AI Function | Data Processed | Decision Type | Legal Basis |
| Booking, CRM & Email | bsport | Churn prediction; automated waitlist; class recommendations; send-time optimisation; audience segmentation | Booking & attendance data; membership data; contact data; engagement data | AI-assisted (human reviews flagged members; staff approve campaigns) | Legitimate interest; Consent (marketing) |
| Payment Processor | Stripe | Fraud detection; payment risk scoring | Financial data; technical data (IP, device) | Automated with human review on flag | Contractual necessity; legitimate interest |
| Email Platform | bsport | Send-time optimisation; audience segmentation; subject line suggestions | Contact data; booking data; engagement data | AI-assisted (staff approve campaigns) | Consent (marketing); contractual necessity (service emails) |
| No-show / Fee System | bsport | Automated fee application based on cancellation/attendance rules | Booking & attendance data | Automated — human review before charge is applied | Contractual necessity |
| Dunning Process | Stripe | Automated payment retry and member notifications | Financial data; membership data | Automated notifications; human review before pause/cancellation | Contractual necessity |
| [Future: Chatbot] | [Not yet in use] | [If implemented: member query handling] | [Contact data; booking data] | [Would require AI Act Art. 50 disclosure] | [Legitimate interest / consent] |
6.2 What This Means for You
Profiling
Profiling means automated processing of your personal data to evaluate or predict aspects of your behaviour, preferences, or status. Examples relevant to MOVA include:
bsport may analyse your attendance patterns to predict whether you are likely to cancel your membership (“churn prediction”). This may result in you receiving a retention offer or personalised communication. bsport may also segment you into audience groups based on your class preferences, attendance frequency, or membership tier to send you more relevant content.
Your payment processor may assess the fraud risk of your transactions based on your payment history, device, and location.
In each of these cases, the profiling is used to improve the service we offer you or to protect the security of our systems. It does not, by itself, result in any decision that has legal or similarly significant effects on you.
Automated Decision-Making
Automated decision-making means a decision made by a machine with no meaningful human involvement. We are committed to ensuring that no decision with legal or similarly significant effects on you is made solely by automated means without human review.
Specifically:
- No-show and late cancellation fees: our booking platform may automatically flag a no-show or late cancellation, but a member of staff reviews and confirms the charge before it is applied to your account. You will always have the opportunity to dispute a charge (see our Terms & Conditions, Section 8.1 and Section 19).
- Dunning and payment failures: our payment processor may automatically retry a failed payment and send notifications. However, any decision to pause or cancel your membership for non-payment is made by a member of staff after the automated dunning sequence has completed (see our Terms & Conditions, Section 7.3).
- Fraud blocks: if your payment processor’s AI flags a transaction as potentially fraudulent, the transaction may be blocked automatically. If this happens, we will contact you to resolve the issue and you can request a manual review.
AI-Generated Content
We may use AI-assisted tools to help draft marketing content, class descriptions, or social media posts. Where AI-generated content is used in communications directed at you, we will ensure it is reviewed by a member of staff before publication. If you are located in the European Union, we will comply with applicable AI transparency labelling requirements.
6.3 Your Rights Regarding Automated Processing
You have the following rights in relation to automated decision-making and profiling:
- Right to be informed: this Section 6 provides the information required about our automated processing. If you have further questions, contact us.
- Right to object to profiling: you can object to profiling carried out on the basis of our legitimate interests at any time. You can object to profiling for direct marketing purposes at any time, and we will stop immediately.
- Right to human review: if any automated decision produces legal or similarly significant effects on you, you have the right to request meaningful human review, to express your views, and to contest the decision.
- Right to an explanation: you have the right to request meaningful information about the logic involved in any automated decision that significantly affects you, including the significance and envisaged consequences.
To exercise any of these rights, contact us at [email protected].
6.4 How We Manage AI Risk
We take the following steps to ensure that AI-assisted tools are used responsibly:
- Vendor due diligence: before adopting any new tool with AI features, we assess its data processing practices, transparency, and compliance with applicable data protection and AI regulations.
- Data processing agreements: all third-party processors are required to notify us of material changes to their AI features. Our DPAs include AI-specific clauses covering transparency, data use, and incident notification.
- Human oversight: we maintain meaningful human review over all decisions that have legal or similarly significant effects on members. Automated tools assist but do not replace human judgment.
- Staff training: staff who operate or oversee AI-assisted tools receive training on how the tools work, their limitations, and how to handle member questions about automated processing.
- Regular review: we review our AI tool inventory at least annually and when any third-party provider notifies us of a material feature change.
- Data Protection Impact Assessment: where automated processing or profiling is likely to result in a high risk to individuals, we carry out a DPIA in accordance with applicable data protection law.
7. Marketing Communications
We will only send you marketing communications (such as newsletters, offers, or event invitations) if you have given us your consent. You can unsubscribe at any time by clicking the unsubscribe link in any marketing email, or by contacting us at [email protected].
We will continue to send you service-related communications (such as billing confirmations, renewal reminders, class updates, and account notifications) regardless of your marketing preferences, as these are necessary for the performance of our contract with you.
Where bsport uses automated features to optimise send times or segment audiences for marketing emails, this is done on the basis of your consent to receive marketing. You can withdraw that consent at any time, and we will stop all automated marketing profiling for your account.
8. Children’s Data
Our services are for individuals aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a minor, we will delete it promptly.
9. CCTV
We operate CCTV at our Studio premises (provided by Euphy) for the purposes of crime prevention, health and safety, and the protection of our staff and members. CCTV signage is displayed at the entrance to the monitored area. Footage is retained for a maximum of 30 days and is only accessed where necessary for security, safety, or legal purposes.
10. Cookies
Our website uses cookies. For full details of the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy at [INSERT URL].
11. International Transfers
We primarily store and process your data in the United Kingdom. Where any of our third-party processors transfer data outside the UK or the European Economic Area (EEA), they are required to implement appropriate safeguards, such as:
- Standard contractual clauses approved by the relevant supervisory authority.
- Binding corporate rules approved by the relevant supervisory authority.
- Transfers to countries or territories subject to an adequacy decision.
If you would like to know more about the safeguards in place for any specific international transfer, please contact us.
12. Data Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include encrypted payment processing, access controls on member data, secure storage of health questionnaires, and staff training on data handling.
While we take all reasonable precautions, no method of data transmission or storage is completely secure. If you believe your data has been compromised, please contact us immediately.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (ICO for UK residents) within 72 hours of becoming aware of the breach, where feasible.
- Notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
- Document the breach, its effects, and the remedial action taken.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice on our website at least 14 days before the change takes effect. The effective date at the top of this document will always reflect the most recent version.
If a material change affects the way we use AI-assisted tools or automated decision-making, we will update Section 6 and notify you specifically of the change.
15. How to Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about automated decision-making or profiling, please contact us:
| Data Controller | MOVA Studios Limited |
| Company Number | 16535562 |
| [email protected] | |
| Studio Address | First Floor, Hargrave House, Boroughbridge Road, Acomb, York, YO26 5RX |
| ICO Registration | CSN2913873 |
ANNEX A
United Kingdom — Jurisdiction-Specific Information
This annex applies to you if you are located in the United Kingdom. It supplements the core Privacy Notice above.
A1. Applicable Law
Your personal data is processed in accordance with the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (DPA 2018).
A2. Supervisory Authority
The supervisory authority for data protection in the UK is the Information Commissioner’s Office (ICO). If you are not satisfied with how we handle your data or your request, you have the right to lodge a complaint with the ICO:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
A3. Automated Decision-Making (UK GDPR Article 22)
Under Article 22 of the UK GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We can only carry out this type of decision-making where it is:
- Necessary for entering into or performing a contract with you; or
- Authorised by UK law with appropriate safeguards; or
- Based on your explicit consent.
As described in Section 6 of the core notice, we maintain meaningful human review over all decisions with legal or similarly significant effects. If you believe an automated decision has been made about you without appropriate human review, please contact us and we will investigate and provide a human review within 10 business days.
A4. Data (Use and Access) Act 2025
The Data (Use and Access) Act received Royal Assent on 19 June 2025 and introduces amendments to the UK GDPR framework, including changes to automated decision-making provisions. The ICO is currently updating its guidance to reflect these changes. We will update this Privacy Policy if and when any changes affect how we process your data.
A5. UK AI Regulation
As of the date of this policy, the UK does not have a single comprehensive AI law equivalent to the EU AI Act. The UK government has adopted a principles-based, sector-specific approach, with existing regulators (including the ICO) applying existing laws to AI within their respective remits. We monitor regulatory developments and will update this policy as the UK’s AI regulatory framework evolves.
Regardless of the regulatory framework, we are committed to the following principles in our use of AI-assisted tools: transparency (telling you when AI is involved), human oversight (ensuring meaningful human review of significant decisions), fairness (monitoring for bias or unfair outcomes), and accountability (maintaining records of our AI tool usage and decision-making).
ANNEX B
European Economic Area — Jurisdiction-Specific Information
[NOTE: This annex will be activated when MOVA offers services to individuals located in the EEA, for example through online class bookings or an e-commerce website accessible to EEA residents. Until then, this annex is provided for structural completeness and does not create any obligations.]
B1. Applicable Law
If you are located in the EEA, your personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 (EU GDPR). References to “applicable data protection law” in the core notice include the EU GDPR where it applies to you.
B2. Supervisory Authority
You have the right to lodge a complaint with the data protection authority in your EEA member state. A list of EEA data protection authorities is available at edpb.europa.eu.
B3. EU AI Act (Regulation (EU) 2024/1689)
The EU AI Act introduces transparency obligations for deployers of AI systems that interact directly with individuals located in the EU. From 2 August 2026, if we deploy any AI system that directly interacts with you (for example, a chatbot), we will inform you that you are interacting with an AI system.
If we use AI systems to generate or manipulate content (such as images, text, or video) that is directed at individuals in the EEA, we will label that content as AI-generated in accordance with Article 50 of the EU AI Act.
The AI tool inventory in Section 6.1 of the core notice identifies the AI-assisted features currently in use. We will update this inventory to reflect any new EU AI Act obligations as they take effect.
B4. International Transfers (EEA-Specific)
Where your personal data is transferred from the EEA to the UK, we rely on the European Commission’s adequacy decision for the UK (adopted 28 June 2021). Where data is transferred to other countries outside the EEA, we rely on standard contractual clauses approved by the European Commission or other appropriate safeguards under EU GDPR Article 46.
ANNEX C
Other Jurisdictions — Placeholder
[This annex is reserved for future use. If MOVA expands its services to individuals in jurisdictions outside the UK and EEA (for example, the United States, where state-level privacy laws such as the California Consumer Privacy Act may apply), jurisdiction-specific information will be added here.]
[No obligations are created by the inclusion of this placeholder annex.]
This Privacy Policy was last updated on 21st April 2026