F Fernly
Legal

Privacy Notice

Last updated: 17 June 2026

This Privacy Notice explains how Hix Digital Ltd ("we", "us", "our"), trading as Fernly, collects and processes personal data through the Fernly holiday club booking platform ("the Service").

We are registered in England and Wales with our registered office at 20 Old Bond Street, Bath BA1 1BP. You can contact us about anything in this notice at info@fernlyapp.com.

1. Our role

Fernly is used by small UK childcare providers ("Providers") to take holiday club bookings from parents. The Provider is the data controller for parent and child records held in the Service. Hix Digital Ltd is the data processor, acting on the Provider's instructions under a Data Processing Agreement which forms part of our Terms of Service.

For data we collect about Providers themselves (e.g. admin contact details, billing), we act as the data controller.

2. What personal data we process

Parent and child data (processor):

  • Parent name and email address
  • Child's first name, last name and optionally date of birth
  • Bookings made and the payment status set by the Provider
  • Audit log entries for changes made by Provider admins

We deliberately do not collect medical, allergy, safeguarding, attendance, dietary, location, photographic or biometric data through Fernly.

Provider admin data (controller):

  • Admin name, email, hashed password
  • Billing contact and Stripe customer identifier
  • Audit log of admin actions in the platform

Technical data:

  • IP address and user agent at login (for security and rate limiting)
  • Server logs of HTTP requests (retained for up to 30 days)

3. Legal basis for processing

  • Performance of a contract — processing necessary to operate the Service for Providers and to take parent bookings.
  • Legitimate interests — security, fraud prevention, technical logging, and audit trail.
  • Legal obligation — record keeping required by UK tax, accounting and consumer law.

For parent and child personal data, the Provider sets the legal basis when collecting from parents at booking time.

4. How long we keep data

For Provider data: for as long as the Provider has an active subscription, plus 30 days after cancellation for restore purposes. Billing records are retained for 6 years to meet UK accounting requirements.

For parent and child data: governed by the Provider's instructions. We delete it within 30 days of the Provider's account being cancelled, unless the Provider exports and continues to hold it themselves.

Server logs: 30 days. Audit log entries: lifetime of the account (so providers can investigate historical changes).

5. Who we share data with

We do not sell or rent personal data. We share data only with:

  • Stripe Payments UK Ltd — to process Provider subscription payments. Stripe does not see parent or child data.
  • Our UK-based hosting provider — for the encrypted storage that runs the Service.
  • Our email delivery provider — to send transactional emails (booking confirmations, password resets) on behalf of Providers.
  • Law enforcement or regulators — where we are legally required to disclose, and we will notify the affected party where lawful to do so.

All sub-processors operate under contractual data protection terms equivalent to ours.

6. International transfers

Fernly data is hosted in the United Kingdom. Some sub-processors (e.g. email delivery) may transfer data to the European Economic Area or to other adequate countries under UK GDPR-compliant transfer mechanisms.

7. Your rights

Under UK GDPR you have the right to: access your personal data; correct inaccurate data; have data deleted; restrict or object to processing; data portability; and to withdraw consent where processing is consent-based.

If you are a parent with data in a Provider's account, please contact your Provider first — they control your data. If they cannot help, email info@fernlyapp.com.

You can also complain to the UK Information Commissioner's Office if you believe we have not handled your data properly.

8. Security

We use HTTPS for all traffic, hash passwords with industry-standard algorithms, prepare every database query against injection, and audit-log every admin change. We enforce role-based access and strict tenant isolation between Providers. Despite this no system is completely secure; we keep our security practices under regular review.

9. Cookies

See our Cookie Notice for details. In short: one essential session cookie. No advertising, analytics or tracking cookies on parent-facing pages.

10. Changes to this notice

We will post material changes here with at least 14 days' notice and email Provider admins where relevant.

11. Contact

Hix Digital Ltd
20 Old Bond Street
Bath BA1 1BP
info@fernlyapp.com