YOUR DATA · YOUR RULES
LAST UPDATED · June 2026

PRIVACY POLICY.

We collect the smallest amount of data needed to run events. We never sell, rent, or trade it. This page explains what we collect, why, how long we keep it, and the rights you have over it under UK GDPR.

01

Who is the data controller

CHOOSE TO LEARN LTD, registered in England and Wales, is the data controller responsible for your personal data on chooseto.co. You can reach us at privacy@chooseto.co.

02

What we collect

Account details — name, email, password (hashed), and any social profile we sign you in with (Google, Apple, Microsoft, GitHub).

Booking details — name, email, phone (if you give it), the events you've booked or registered interest in, and the price you paid.

Payment details — handled directly by Stripe. We never see your full card number; we only see the last four digits and the payment intent id.

Pitches and enquiries — anything you write into a host pitch or on-demand enquiry form.

Technical — IP address, browser, and device type, used for security and analytics. We log sign-in events for fraud detection.

03

Lawful basis for processing

We process data under three lawful bases:

Contract — to book your tickets, take payment, and let you in at the door.

Legitimate interests — to run the site, prevent fraud, send essential service emails (order confirmations, refund notices, password resets), and improve what we do.

Consent — for optional things like the welcome email, newsletter, marketing, and non-essential cookies. You can withdraw consent at any time.

04

How long we keep it

Account data — for as long as your account is active, plus 30 days after you close it.

Booking and payment records — six years from the date of the event, because UK tax law makes us.

Technical logs — 90 days, then deleted or anonymised.

Pitches and enquiries — two years, then deleted unless we're actively working with you.

05

Who we share data with

A small set of trusted processors — each bound by data-processing agreements:

Stripe — payments and refunds.
MailerSend — transactional email.
Bunny CDN — image and video hosting.
DigitalOcean — running the site itself.

We never sell your data, and we never share it with marketers, ad networks, or unrelated third parties.

06

International transfers

Some processors are based outside the UK and EEA (e.g. Stripe in the US). Where this happens, we rely on UK Adequacy Regulations or the International Data Transfer Agreement / Standard Contractual Clauses to make sure your data is protected to UK GDPR standards.

07

Your rights

Under UK GDPR you have the right to:

Access — get a copy of the personal data we hold about you.
Rectification — correct anything inaccurate.
Erasure — ask us to delete your data ("right to be forgotten") subject to legal retention.
Restrict processing — ask us to pause certain uses.
Portability — receive your data in a machine-readable format.
Object — to processing based on legitimate interests.
Withdraw consent — for anything you opted into.
Complain — to the Information Commissioner's Office (ICO).

To exercise any right, email privacy@chooseto.co. We respond within one month.

08

Cookies & analytics

We keep cookies to a minimum. Necessary cookies (session, CSRF token, cookie-consent state) run by default. Analytics and marketing cookies only run if you opt in. You can change your choice any time via the cookie banner or our cookie policy.

09

Marketing email

We send service emails (bookings, refunds, password resets, account changes) under the contract / legitimate interests bases. Anything else — newsletter, suggestions, programme drops — only goes out if you've opted in. Every marketing email has a one-click unsubscribe; opting out won't affect service emails.

10

Children

Our service is for adults. We don't knowingly collect data about anyone under 18 without parental consent. If you think a child has provided data, email privacy@chooseto.co and we'll delete it.

11

Security

Data is encrypted in transit (TLS) and at rest where supported by the underlying service. Passwords are hashed with bcrypt. Production access is restricted, audited, and uses MFA. If we ever have a breach affecting your data, we'll notify the ICO within 72 hours and you as soon as practical.

12

Changes to this policy

We update this page from time to time. The "last updated" date at the top tells you when. Material changes will be flagged in the cookie banner and emailed to active account holders.

13

Getting in touch

Anything privacy-related: privacy@chooseto.co. For everything else: hello@chooseto.co.