Privacy Policy | Keep Edinburgh Thriving

Privacy Policy

Thriving Media Ltd, trading as Keep Edinburgh Thriving · Version 1.1 · Last updated: May 2026

Data Controller: Thriving Media Ltd (trading as Keep Edinburgh Thriving)
Contact Email: hi@keepedinburghthriving.com
ICO Registration: C1893051
Website: keepedinburghthriving.com
Applicable Law: UK GDPR & Data Protection Act 2018

We are committed to protecting your personal data and being transparent about how we use it. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under UK data protection law. Please read this policy carefully. By using our website, becoming a member of the Thriving Card scheme, or booking a Wander with Nashy service, you acknowledge that you have read and understood this policy.

1. Who We Are

Thriving Media Ltd is a company registered in Scotland, trading as Keep Edinburgh Thriving. We support local and independent businesses across Edinburgh and the Lothians through our membership community and the Thriving Card membership scheme. We also operate Wander with Nashy, a guided experience service for visitors and locals.

Thriving Media Ltd also operates fitness and wellbeing activities, including Thriving Fitness and Get After It Girls.

For the purposes of UK data protection law, Thriving Media Ltd (trading as Keep Edinburgh Thriving) is the Data Controller in respect of the personal data we collect and process. Our registered address and contact details are available at keepedinburghthriving.com.

Our Data Protection Contact is Abby Nash. If you have any concerns or questions about the data we hold about you, please contact Abby at hi@keepedinburghthriving.com. If we are unable to resolve your concerns satisfactorily, you can contact the Information Commissioner at ico.org.uk.

We are registered with the Information Commissioner’s Office (ICO). Our registration number is C1893051. You can verify our registration at ico.org.uk.

2. What Personal Data We Collect

Membership and Thriving Card Data

When you sign up as a member or register for the Thriving Card, we collect: full name, email address, membership type and status, date of birth and payment records (processed and stored securely via Stripe; we do not store full card details ourselves).

Student Membership

If you sign up for a Student Membership, we collect the standard membership data above plus: the name of your university or college, your expected graduation year and an image of your valid student ID card. Your student ID image is used solely to verify your eligibility and is deleted once verification is complete. The legal basis for processing this data is contract performance.

Tourist Membership

If you sign up for a Tourist Membership (7-day or 30-day pass), we collect the same standard membership data listed above. Tourist Memberships are non-recurring and your data will be retained for the standard period set out in Section 3.

Business Directory Membership

If your business signs up to be listed in the Keep Edinburgh Thriving Business Directory, we collect standard membership data plus: business name, address, email, phone number and Thriving Card discount offered. These details will be displayed publicly as part of your directory listing. You may request removal or amendment at any time by contacting us at hi@keepedinburghthriving.com.

Wander with Nashy Booking Data

If you book a Wander with Nashy service (The Wander or Plan Your Trip), we collect data via our Booking Form (hosted by Tally) and via the payment process (Stripe). This includes: the lead booker’s full name, email address, phone number and where they are visiting from; the names and ages of all participants on the booking (including any children under 16); accessibility, mobility and health information voluntarily disclosed to allow us to plan a safe route; preferences for the Wander (interests, dates, group context); records of the consents you tick on the Booking Form (including the Alcohol Policy acknowledgement, parental responsibility declaration for children under 16, photography and filming consent, and your agreement to our Terms and Conditions and this Privacy Policy); and payment records (processed via Stripe).

Health, mobility and accessibility data is classified as special category data under UK GDPR and is processed on the basis of your explicit consent. Photography and filming consents (including separate consents for children where given by a parent or guardian) are also processed on the basis of your explicit consent. You may withdraw consent at any time, though doing so may affect our ability to deliver the booking safely or to use content in which you appear.

Events and Wellbeing Data

If you participate in a Keep Edinburgh Thriving Event (including run clubs, fitness sessions, walks and wellness sessions), we may collect health and medical screening data via a health screening questionnaire. Health screening data is classified as special category data under UK GDPR and is processed on the basis of your explicit consent. You may withdraw consent at any time, though this may mean you are unable to participate in certain activities.

Website and Communications Data

When you interact with our website or communications, we may collect: email address (if you subscribe to our newsletter via Beehiiv), open and click data from emails, and basic website analytics (pages visited, browser type, approximate location).

Business and Event Enquiries

If you contact us directly or register for an event, we may collect: name and email address, the content of your message or enquiry, and any additional information you choose to provide.

3. How We Use Your Personal Data

We use your personal data only for the following purposes and only where we have a valid legal basis under UK GDPR:

Purpose | Legal Basis | Retention
Managing your Thriving Card membership | Contract performance | Membership + 2 years
Processing payments via Stripe | Contract performance | As required by HMRC (6 years)
Sending newsletter and updates via Beehiiv | Consent | Until you unsubscribe
Responding to enquiries | Legitimate interests | 2 years from last contact
Member communications about events and offers | Legitimate interests / Contract | Duration of membership
Health screening for KET Events | Explicit consent | Duration of participation + 1 year
Student ID verification | Contract performance | Deleted once verification is complete
Administering Wander with Nashy bookings | Contract performance | Date of Wander + 2 years
Wander health, mobility and accessibility disclosures | Explicit consent | Date of Wander + 1 year
Photography and filming consents (including for children) | Explicit consent | Until consent is withdrawn, or content is no longer in use
Complying with legal and tax obligations | Legal obligation | 6 years minimum

4. Third-Party Services and Data Processors

We use a small number of trusted third-party platforms to operate our business. These companies act as data processors on our behalf and are contractually required to handle your data securely and in accordance with UK GDPR.

Provider | Purpose | Data Shared
Join It | Membership management and Thriving Card platform | Name, email, date of birth, membership data
Stripe | Secure payment processing | Payment data (card details processed by Stripe only)
Beehiiv | Newsletter and email marketing | Email address, open and click data
Google Workspace | Business email, documents and operations | Business communications
Tally | Wander with Nashy Booking Form | Lead booker details, participant names and ages (including children where applicable), accessibility and health disclosures, consent records, Wander preferences

We do not sell your personal data to any third party. We may share anonymised, aggregated data with Participating Businesses to demonstrate the reach and impact of The Thriving Card. For full privacy policies of our third-party providers, please visit: joinit.com/privacy, stripe.com/gb/privacy, beehiiv.com/privacy, policies.google.com/privacy, and tally.so/help/privacy-policy.

5. International Data Transfers

Some of our third-party providers (including Join It, Stripe, Beehiiv and Tally) may process data outside the UK, including in the European Economic Area and the United States. Where data is transferred outside the UK, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the UK ICO, the UK International Data Transfer Agreement, or that the recipient country benefits from an adequacy decision under UK GDPR.

You can read each provider’s data location and transfer arrangements in their own privacy policies, linked in Section 4.

6. How We Protect Your Data

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

  • Access to personal data restricted to authorised personnel only
  • Use of secure, reputable third-party platforms with their own security certifications (Stripe is PCI DSS compliant)
  • Google Workspace protected by two-factor authentication
  • Regular review of data handling practices
  • Data stored securely on encrypted cloud services provided by our third-party processors

No method of transmission over the internet is completely secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security. We have a process in place to identify any data breach and will inform you and the ICO of any such breach as soon as reasonably possible.

7. Your Rights Under UK GDPR

Under UK data protection law, you have the following rights in relation to your personal data:

  • Right of access — You can request a copy of the personal data we hold about you (Subject Access Request).
  • Right to rectification — You can ask us to correct any inaccurate or incomplete data we hold.
  • Right to erasure — You can ask us to delete your personal data in certain circumstances (the right to be forgotten).
  • Right to restrict processing — You can ask us to restrict how we use your data in certain circumstances.
  • Right to data portability — You can ask us to provide your data in a structured, commonly used format.
  • Right to object — You can object to us processing your data where we rely on legitimate interests as our legal basis.
  • Right to withdraw consent — Where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact our Data Protection Contact at hi@keepedinburghthriving.com. We will respond within one calendar month. If you are unhappy with how we handle your data, you have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.

8. Cookies and Website Analytics

Our website may use cookies and similar tracking technologies to help us understand how visitors use our site and to improve your experience. These may include:

Essential cookies — required for the website to function correctly.

Analytics cookies — to understand traffic and usage patterns (such as Google Analytics).

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of our website. By continuing to use our website, you consent to the use of essential cookies.

9. Children’s Privacy

Our membership services and Keep Edinburgh Thriving Events involving physical or wellbeing activities are for adults only (aged 18 and over). We do not knowingly collect personal data from children for membership or event participation.

The one exception is Wander with Nashy bookings. Children under 16 are welcome to attend The Wander when accompanied by a parent or legal guardian who is a paying participant on the same booking. Where children attend a Wander, we collect their first name and age via the Booking Form. This data is provided by the parent or guardian, who has full parental responsibility for the child.

Where a parent or guardian gives consent for a child to appear in photographs or short video clips on Keep Edinburgh Thriving’s social media or marketing materials, we record that consent on the Booking Form and process it on the basis of explicit consent under Article 9 UK GDPR. If a parent or guardian does not give this consent, we will make reasonable efforts to avoid featuring the child in any public-facing content.

Children’s personal data is held for the period set out in Section 3 (Date of Wander + 2 years for booking records). Parents or guardians may at any time request that their child’s data be deleted, or that photography and filming consents be withdrawn, by contacting our Data Protection Contact at hi@keepedinburghthriving.com.

If you believe we have inadvertently collected data from a child outside the scope of a Wander booking, please contact us immediately and we will take steps to delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. The most current version will always be available at keepedinburghthriving.com/privacy-policy. We will notify active members of any significant changes by email. The current version number is shown at the top of the policy, and a summary of material changes in each version is recorded in the Version History at the bottom of this page.

11. Contact Us

Registered Company: Thriving Media Ltd
Trading As: Keep Edinburgh Thriving
Data Protection Contact: Abby Nash
Email: hi@keepedinburghthriving.com
Website: keepedinburghthriving.com
ICO Registration: C1893051

Version History

Version 1.1 — May 2026: Added disclosure of Tally as a data processor for Wander with Nashy bookings. Rewrote the Children’s Privacy section to reflect that children under 16 may attend Wanders with a parent or guardian. Added Wander Booking data to the retention and processing tables. Renamed the Data Protection Officer role to Data Protection Contact. Updated the wording on how we store data.
Version 1.0 — May 2026: Initial publication of the Keep Edinburgh Thriving Privacy Policy.

This Privacy Policy was prepared in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.