Arctic Parade

Privacy Policy

This policy explains how Arctic Parade collects, uses, and protects personal data.

Last updated: April 2026  ·  Applies to: arcticparade.com and the Arctic Parade platform

1. Who we are

Arctic Parade Ltd ("we", "us", "our") is a company registered in England and Wales (company number 17033806) and the operator of the Arctic Parade clinic management platform. We are the data controller for personal data collected from visitors to arcticparade.com and from users of the platform (clinic staff and owners).

Registered address: 9 Haigh Road, Huddersfield, HD3 2AE

We are registered with the Information Commissioner's Office (ICO). Our ICO application reference: C1912436. Our full ICO registration number will be published here once issued.

For privacy-related enquiries, please contact us or email arran@arcticparade.com.

2. Data we collect about you

When you sign up or use the platform

  • Name and email address of the account owner
  • Clinic name and subdomain you choose
  • Billing information (handled and stored by Stripe — we do not see or store your full card details)
  • Usage data: pages visited within the staff portal, actions taken (bookings created, emails sent, etc.)
  • Technical data: IP address, browser type, session identifiers

When you contact us

  • Your name and email address, and the content of your message

When you visit arcticparade.com

  • IP address and browser information via server logs (retained for security and debugging purposes)
  • A session cookie if you log into the platform (see Section 7 on cookies)

3. How we use your data

We use personal data to:

  • Provide the Service — process your account, manage your subscription, and enable platform features (lawful basis: contract)
  • Send transactional emails — account confirmation, password reset, billing notices, trial reminders (lawful basis: contract)
  • Provide support — respond to enquiries or issues you raise (lawful basis: legitimate interests)
  • Improve the platform — understand how the platform is used to fix bugs and prioritise features (lawful basis: legitimate interests)
  • Comply with legal obligations — retain records as required by law (lawful basis: legal obligation)

We do not sell your data. We do not use your data for advertising or share it with marketing companies.

4. Clinic patient data — our role as data processor

When you use Arctic Parade to manage your clinic, you enter data about your own patients and staff. In that context:

  • You are the data controller for your patients' and staff members' data
  • We are the data processor — we process that data only as instructed by you, to provide the platform

We do not use your patients' data for any purpose other than operating the platform on your behalf. If you need a Data Processing Agreement (DPA), please contact us.

5. Who we share data with

We use trusted third-party providers to operate the platform. These are our sub-processors:

  • Microsoft Azure — cloud hosting and infrastructure (servers located in the UK/EU)
  • Azure Database for PostgreSQL — managed database service
  • Postmark (ActiveCampaign) — transactional email delivery (e.g. welcome emails, password resets)
  • Stripe — payment processing and subscription management
  • Cloudflare — bot protection on sign-up forms (Turnstile)
  • Sentry — error monitoring to help us detect and fix platform issues
  • Twilio — SMS delivery where SMS features are enabled

All providers are selected on the basis of having appropriate data protection standards. We do not transfer personal data outside the UK or EEA except where the provider has adequate safeguards in place (such as Standard Contractual Clauses or an adequacy decision).

We may disclose personal data if required to do so by law or to protect the rights, property, or safety of Arctic Parade, our users, or others.

6. How long we keep your data

  • Account and subscription data — retained for the duration of your subscription and for a reasonable period afterwards (typically up to 2 years) to allow for disputes or regulatory requirements, then deleted or anonymised
  • Contact and support enquiries — retained for up to 2 years from the date of the enquiry
  • Server logs — typically retained for 90 days for security and debugging purposes
  • Billing records — retained for 7 years as required by HMRC/tax regulations

7. Cookies

We use a small number of cookies on arcticparade.com:

  • Session cookie (sessionid) — a strictly necessary cookie set when you log into the staff portal. It keeps you logged in during your session. It is not used for tracking or analytics and is deleted when you close your browser or log out.
  • CSRF token (csrftoken) — a security cookie that protects forms against cross-site request forgery attacks. Strictly necessary.
  • Cloudflare Turnstile — our sign-up form uses Cloudflare Turnstile to prevent automated bot sign-ups. Cloudflare may set cookies or use browser signals as part of this check. See Cloudflare's privacy policy for details.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies. No cookie consent banner is required for the strictly necessary cookies described above.

8. Security

We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include TLS encryption in transit, role-based access controls, and isolated data handling per clinic. See our Security overview for more detail.

No system is perfectly secure. If you discover a potential security issue, please report it responsibly using the contact details in Section 1.

9. Your rights under UK GDPR

As a data subject you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your data, subject to legal or contractual obligations that require us to retain it
  • Restriction — ask us to restrict processing in certain circumstances
  • Portability — receive your data in a structured, machine-readable format where applicable
  • Object — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, please contact us. We will respond within one calendar month.

You also have the right to lodge a complaint with the ICO at ico.org.uk/make-a-complaint if you believe we have handled your data unlawfully.

10. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Material changes will be communicated to active subscribers by email.