Legal

Privacy Policy

Last updated: May 2026

1. Who We Are

ESA Support
Website: esasupport.co.uk
Contact: support@esasupport.co.uk

We are the data controller for personal data processed through this website. Where we engage third-party services to process data on our behalf, those parties act as data processors under our instruction and under written data processing agreements.

2. What Personal Data We Collect and Why

2a. Registration Data

When you register an Emotional Support Animal (ESA) with ESA Support, we collect:

  • Your information: full name, email address, telephone number, home address
  • Animal information: animal name, species, breed, date of birth, ESA category
  • Photographs: handler photo and animal photo — used on your NFC ID card and verification profile
  • Health & wellbeing information (Special Category Data) — completely optional: you may choose to include a brief note (e.g. anxiety disorder, PTSD, depression) to help others understand your need for an ESA. This is entirely voluntary — your registration is fully valid without it. If provided, it is stored securely and never shown publicly without your consent
  • Emergency contact information: name and telephone number of a nominated contact
  • Subscription & payment data: plan type and billing cycle. Card details are never stored by us — they are processed directly by Stripe (PCI-DSS Level 1 compliant) under their own privacy policy

Lawful basis: Performance of a contract (Article 6(1)(b) UK GDPR). For health/wellbeing information (Special Category data), the lawful basis is explicit consent (Article 9(2)(a)) given at point of registration.

2b. Your Public Verification Profile

When your QR code or NFC card is scanned, a limited verification profile is displayed publicly. This shows only:

  • Animal name, species and ESA category
  • Handler's first name only
  • Handler and animal photographs
  • Registration status (Active / Expired / Suspended)
  • Emergency contact QR (behind a confirmation barrier — for genuine emergency use only)

Emergency contact details, wellbeing information, home address and full handler name are not publicly visible. All ESA profile pages carry a noindex, nofollow directive and an X-Robots-Tag HTTP header — your profile cannot be indexed by Google, Bing or any major search engine.

Lawful basis: Legitimate interests (Article 6(1)(f)) — enabling third parties to verify ESA status is the core purpose of the service and is reasonably expected by registrants. Only the minimum data necessary is displayed.

2c. Website Usage Data

We collect standard server logs (IP address, browser type, pages visited, timestamps) for security monitoring and to diagnose technical issues. These logs are retained for 30 days and are not linked to your registration data.

Lawful basis: Legitimate interests (Article 6(1)(f)).

2d. Marketing Communications

If you opt in, we may send you service updates, renewal reminders, and information about new features. We use Mailchimp as our email processor. You can unsubscribe at any time via any email or by contacting us.

Lawful basis: Consent (Article 6(1)(a)).

3. Special Category Data

Any health or wellbeing information you provide is special category data under UK GDPR (Article 9). We apply the highest level of protection:

  • Never displayed publicly on your verification profile
  • Accessible only behind an explicit confirmation step for emergency use
  • Stored encrypted at rest in our database
  • Retained only for the duration of your active registration, plus a maximum of 12 months after expiry
  • Deleted immediately upon request — see Section 7 (Your Rights)

4. How Long We Keep Your Data

Data type | Retention period
Registration record (active) | Duration of subscription + 12 months after expiry
Registration record (deleted on request) | Deleted within 30 days of verified request
Health / wellbeing information | Same as above; deleted immediately on request
Payment records (transaction references) | 7 years (HMRC legal obligation)
Marketing email data | Until unsubscribe or account deletion
Server logs | 30 days

5. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share data only with the following processors, all bound by data processing agreements:

  • Stripe — payment processing (PCI-DSS Level 1). Data shared: billing name, email, transaction amount
  • IONOS / 1&1 — web hosting and server infrastructure (UK/EU data centres)
  • Mailchimp (Intuit) — email marketing. Data: name, email, subscription status. Data stored in USA under Standard Contractual Clauses
  • Cloudflare — DNS, CDN and DDoS protection. Data: IP addresses in transit only; no registration data shared

We may disclose personal data to law enforcement or regulatory authorities if legally required.

6. International Data Transfers

Your data is primarily stored within the United Kingdom. Where processors operate outside the UK (Mailchimp — USA), we ensure an appropriate transfer mechanism is in place, specifically Standard Contractual Clauses (SCCs) approved under UK GDPR.

7. Your Rights Under UK GDPR

To exercise any right, email us at support@esasupport.co.uk with proof of identity. We will respond within one calendar month.

  • Right of access — request a copy of all personal data we hold about you (Subject Access Request)
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — request deletion of your data. Note: we may retain certain data where required by law (e.g. financial records for 7 years)
  • Right to restriction — request that we limit processing while a dispute is resolved
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent — where processing is consent-based (marketing, health data), you may withdraw at any time
  • Rights related to automated decision-making — we do not use automated decision-making or profiling that produces legal or significant effects

Right to complain

You have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)
🌐 ico.org.uk/make-a-complaint
📞 0303 123 1113

8. Cookies

We use cookies to operate the website. See our full Cookie Policy for details. Strictly necessary cookies (session, CSRF security token) cannot be disabled as they are essential to the service. With your consent, we may also use functional and analytics cookies.

9. Security

We implement appropriate technical and organisational measures to protect your data:

  • TLS encryption in transit (HTTPS) across the entire site
  • Encryption at rest for special category (health/wellbeing) data
  • Access controls limiting data access to those with a legitimate operational need
  • All ESA profile pages carry noindex, nofollow directives — search engines cannot index your profile
  • Regular security reviews and dependency updates

In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR Articles 33–34.

10. Children's Data

Our registration service is intended for individuals aged 18 and over. We do not knowingly collect personal data from children under 13. If a registration is submitted for a handler under 18, a parent or guardian must provide consent. Contact us immediately if you believe we have inadvertently collected data relating to a child.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be notified to registered users by email at least 14 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact Us

For data protection enquiries, Subject Access Requests, or to exercise any of your rights:

📧 support@esasupport.co.uk

We aim to respond to all privacy enquiries within 5 working days and to formal Subject Access Requests within one calendar month.