# PRIVACY POLICY
**Pro Gym Fitness Ltd**
**Effective Date: January 2026**
---
## 1. INTRODUCTION
Pro Gym Fitness Ltd ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
This policy applies to all members, prospective members, website visitors, and anyone who interacts with Pro Gym Fitness.
---
## 2. WHO WE ARE (DATA CONTROLLER)
**Company Name:** Pro Gym Fitness Ltd
**Registered Address:**
Southern Court Newport, Unit 7
Launceston
PL15 8EX
United Kingdom
**Contact Details:**
Email: progymlaunceston@gmail.com
Phone: 07380 380561
**Data Protection Contact:**
Lukasz Lodziana (Director)
Email: progymlaunceston@gmail.com
**ICO Registration Number:** [Registration Pending - to be updated upon receipt]
You have the right to contact us at any time regarding your personal data. For data protection queries, please use the contact details above.
---
## 3. WHAT PERSONAL DATA WE COLLECT
We collect and process the following categories of personal data:
### 3.1 Identity and Contact Information
- Full name
- Date of birth
- Gender
- Home address
- Email address
- Telephone number
- Photograph (for membership card if applicable)
### 3.2 Financial Information
- Bank account details (for Direct Debit payments)
- Payment card information (if applicable)
- Payment history and transaction records
- Membership fee information
### 3.3 Health and Medical Information (Special Category Data)
- Pre-existing medical conditions disclosed during sign-up
- Injuries or health concerns that may affect training
- Fitness assessment data
- Any health-related information you choose to share with us or our staff
**Note:** Health information is "special category data" under UK GDPR and receives extra protection. We only process this data with your explicit consent or where necessary for health and safety reasons.
### 3.4 Membership and Usage Data
- Membership type and status
- Gym access logs (QR code scans)
- Class bookings and attendance records
- Induction completion records
- Complaints or incident reports
### 3.5 Parental/Guardian Information (for members under 18)
- Parent/guardian name and contact details
- Parent/guardian bank details (for Direct Debit in their name)
- Parental consent records
### 3.6 Technical and Website Data
- IP address
- Browser type and version
- Device information
- Website usage data (via cookies and analytics)
- Form submissions through our website
### 3.7 CCTV and Security Data
- CCTV footage from our premises
- Access control records
- Incident reports
### 3.8 Marketing and Communications Data
- Marketing preferences
- Newsletter subscription status
- Social media interactions
- Consent records for photography/video
---
## 4. HOW WE COLLECT YOUR PERSONAL DATA
We collect personal data through the following methods:
### 4.1 Directly From You
- Membership application forms (online or in-person)
- ClubRight booking system registration
- Parental consent forms
- Health questionnaires
- Direct communication (email, phone, in-person)
- Website contact forms
- Payment information you provide
### 4.2 Automatically
- CCTV cameras on our premises (clearly signposted)
- QR code access system when you enter the gym
- Website cookies and analytics (Google Analytics)
- ClubRight system usage logs
### 4.3 From Third Parties
- Payment processors (GoCardless via ClubRight)
- Your bank (for Direct Debit mandate verification)
---
## 5. WHY WE COLLECT YOUR DATA (LEGAL BASIS)
We process your personal data under the following legal bases:
### 5.1 Contract Performance (Article 6(1)(b) UK GDPR)
To provide gym membership services to you, including:
- Processing your membership application
- Managing your membership account
- Processing payments
- Providing gym access
- Booking you into classes
- Communicating about your membership
### 5.2 Legal Obligation (Article 6(1)(c) UK GDPR)
To comply with legal requirements, including:
- Financial record-keeping (UK tax law)
- Health and safety regulations
- Age verification for members under 18
- Responding to legal requests from authorities
### 5.3 Legitimate Interests (Article 6(1)(f) UK GDPR)
For our legitimate business interests, including:
- CCTV monitoring for security and safety
- Fraud prevention
- Debt recovery
- Improving our services
- Business administration
### 5.4 Consent (Article 6(1)(a) UK GDPR)
Where we have your explicit consent for:
- Marketing communications (newsletters, promotional emails)
- Taking and using photographs/videos for social media and promotional materials
- Non-essential cookies on our website
### 5.5 Special Category Data - Health Information (Article 9(2) UK GDPR)
We process health information under:
- **Explicit consent:** You provide consent during sign-up
- **Substantial public interest:** For health and safety purposes to ensure safe exercise and prevent injury
You have the right to withdraw consent at any time. This will not affect the lawfulness of processing before withdrawal.
---
## 6. HOW WE USE YOUR PERSONAL DATA
We use your personal data for the following purposes:
### 6.1 Membership Management
- Create and manage your membership account
- Verify your identity and age
- Grant access to gym facilities via QR code system
- Process class bookings
- Manage inductions and personal training sessions
### 6.2 Payment Processing
- Collect membership fees via Direct Debit
- Process one-time payments
- Manage failed payments and arrears
- Issue receipts and invoices
### 6.3 Health and Safety
- Ensure you can exercise safely based on disclosed health conditions
- Provide appropriate guidance and modifications
- Respond to medical emergencies (if necessary)
- Maintain a safe environment through CCTV monitoring
### 6.4 Communication
- Send membership confirmations and updates
- Notify you of class schedule changes
- Respond to your inquiries
- Send important notices about your membership
- Provide customer support
### 6.5 Marketing (with your consent)
- Send newsletters and promotional offers
- Share gym updates and success stories
- Post photos/videos on social media (with your consent)
- Inform you about new services or classes
### 6.6 Legal and Compliance
- Comply with legal obligations
- Prevent fraud and enforce our terms
- Resolve disputes
- Respond to legal requests from authorities
### 6.7 Business Improvement
- Analyze gym usage patterns
- Improve our services and facilities
- Website analytics to enhance user experience
---
## 7. WHO WE SHARE YOUR DATA WITH (DATA PROCESSORS AND THIRD PARTIES)
We may share your personal data with the following third parties:
### 7.1 Service Providers (Data Processors)
These companies process data on our behalf under strict contractual terms:
**ClubRight Ltd**
- Purpose: Gym management software, booking system, membership database
- Location: United Kingdom
- Data shared: All membership data, bookings, access logs
- Website: clubright.co.uk
**GoCardless Ltd (via ClubRight)**
- Purpose: Direct Debit payment processing
- Location: United Kingdom
- Data shared: Name, bank account details, payment amounts
- Website: gocardless.com
**Google LLC**
- Purpose: Website analytics (Google Analytics), email services (Gmail)
- Location: USA (with UK GDPR adequacy safeguards)
- Data shared: Website usage data, IP addresses
- Website: google.com
**CCTV System Provider**
- Purpose: Security camera system maintenance
- Location: United Kingdom
- Data shared: Access to CCTV footage for technical support only
### 7.2 Legal and Regulatory Authorities
We may share data with:
- Police and law enforcement (if required by law or for crime prevention)
- Courts and tribunals (if required by legal proceedings)
- HM Revenue & Customs (for tax compliance)
- Information Commissioner's Office (if required for data protection compliance)
- Health and Safety Executive (if required for safety investigations)
### 7.3 Debt Collection Agencies
If your membership fees are significantly overdue, we may share necessary information with debt collection agencies to recover amounts owed.
### 7.4 Professional Advisors
We may share data with:
- Legal advisors (for legal advice and proceedings)
- Accountants (for financial reporting and tax compliance)
- Insurance providers (for insurance claims)
### 7.5 Business Transfers
If Pro Gym Fitness is sold or merged with another company, your data may be transferred to the new owners to ensure continuity of service. You will be notified of any such change.
---
## 8. INTERNATIONAL TRANSFERS
### 8.1 Data Storage Location
Your primary membership data is stored on servers in the **United Kingdom** via ClubRight.
### 8.2 Limited International Transfers
Some of our service providers may store or process data outside the UK:
**Google Analytics (USA)**
- Google is certified under the UK-US Data Bridge Framework
- We have Data Processing Agreements in place
- Appropriate safeguards ensure UK GDPR compliance
We do not routinely transfer data outside the UK or EU. Where necessary, we ensure appropriate safeguards are in place as required by UK GDPR (such as adequacy decisions, standard contractual clauses, or certification schemes).
---
## 9. HOW LONG WE KEEP YOUR DATA
We retain personal data for different periods depending on the type of data and legal requirements:
### 9.1 Active Members
- All membership data is retained for the duration of your membership plus **6 years** after membership ends
- Required for UK tax law compliance and potential legal claims
### 9.2 Specific Data Retention Periods
| Data Type | Retention Period | Reason |
|-----------|------------------|--------|
| Membership records | 6 years after membership ends | Legal obligation (tax law) |
| Financial records | 6 years after transaction | Legal obligation (tax law) |
| Health information | 6 years after membership ends | Legal claims (limitation period) |
| CCTV footage | 30 days | Security and safety (unless incident occurs) |
| CCTV (incidents) | Up to 6 years | Evidence for investigations/claims |
| Marketing consent | Until withdrawn or 2 years of inactivity | Consent management |
| Website analytics | 26 months | Google Analytics default |
| Failed membership applications | 6 months | Business records |
### 9.3 Legal Holds
If data is required for legal proceedings, investigations, or disputes, we may retain it beyond normal retention periods until the matter is resolved.
### 9.4 Deletion
After retention periods expire, we securely delete or anonymize your personal data so it can no longer identify you.
---
## 10. YOUR DATA PROTECTION RIGHTS
Under UK GDPR, you have the following rights regarding your personal data:
### 10.1 Right of Access (Subject Access Request)
You have the right to request a copy of the personal data we hold about you. We will provide this free of charge within **30 days** of your request.
**What you'll receive:**
- Confirmation that we process your data
- A copy of your personal data
- Information about how we use it
### 10.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data. We will update your records within **30 days**.
### 10.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data in certain circumstances:
- Data is no longer necessary for the purpose it was collected
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- Data was processed unlawfully
**Note:** We may not be able to delete all data if we have a legal obligation to retain it (e.g., financial records for 6 years for tax purposes).
### 10.4 Right to Restriction of Processing
You can request that we limit how we use your data in certain situations:
- You contest the accuracy of the data
- Processing is unlawful but you don't want it deleted
- We no longer need the data but you need it for legal claims
- You've objected to processing and we're verifying our legitimate grounds
### 10.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV file) and transfer it to another organization.
**Applies to:**
- Data processed based on consent or contract
- Data processed by automated means
### 10.6 Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes.
**Direct Marketing:** You can opt out at any time by:
- Clicking "unsubscribe" in emails
- Contacting us at progymlaunceston@gmail.com
- Updating preferences in your ClubRight member portal
**Legitimate Interests:** You can object to processing based on our legitimate interests. We will stop processing unless we have compelling legitimate grounds that override your rights.
### 10.7 Rights Related to Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
### 10.8 Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time. This will not affect the lawfulness of processing before withdrawal.
### 10.9 How to Exercise Your Rights
To exercise any of these rights, please contact us:
**Email:** progymlaunceston@gmail.com
**Phone:** 07380 380561
**Post:** Lukasz Lodziana, Pro Gym Fitness Ltd, Southern Court Newport, Unit 7, Launceston, PL15 8EX
We will respond to your request within **30 days**. If your request is complex, we may extend this by a further 60 days and will inform you.
**Proof of Identity:** For security, we may request proof of identity before fulfilling your request.
---
## 11. DATA SECURITY
We take the security of your personal data seriously and implement appropriate technical and organizational measures:
### 11.1 Technical Security Measures
- **Encryption:** Payment data is encrypted during transmission (SSL/TLS)
- **Password Protection:** All systems require strong passwords and regular updates
- **Access Controls:** Only authorized staff can access personal data
- **Secure Servers:** Data stored on secure UK-based servers (ClubRight)
- **Firewall Protection:** Network security to prevent unauthorized access
- **Regular Backups:** Data backed up regularly to prevent loss
### 11.2 Organizational Security Measures
- **Staff Training:** All staff trained on data protection and confidentiality
- **Limited Access:** Staff only access data necessary for their role
- **Confidentiality Agreements:** Staff sign confidentiality agreements
- **Data Processor Agreements:** Written contracts with all third-party processors
- **Incident Response Plan:** Procedures in place for data breaches
### 11.3 CCTV Security
- CCTV footage stored on secure, password-protected systems
- Access restricted to authorized personnel only
- Footage automatically deleted after 30 days (unless retained for incidents)
- Clear signage informing visitors of CCTV monitoring
### 11.4 Physical Security
- Secure premises with controlled access
- Locked filing cabinets for any paper records
- Visitor logs and access control
### 11.5 Your Responsibility
Please help us keep your data secure by:
- Keeping your login credentials confidential
- Not sharing your membership QR code
- Reporting any security concerns immediately
### 11.6 Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours
- Notify affected individuals without undue delay
- Take immediate steps to contain and remedy the breach
---
## 12. CCTV AND VIDEO SURVEILLANCE
### 12.1 CCTV Usage
Our premises are monitored by CCTV cameras 24 hours a day, 7 days a week for the following purposes:
- Security and crime prevention
- Health and safety monitoring
- Incident investigation
- Protection of staff, members, and property
### 12.2 Legal Basis
CCTV processing is based on our **legitimate interests** in maintaining a safe and secure environment. We have conducted a Legitimate Interests Assessment confirming this is proportionate and necessary.
### 12.3 CCTV Location and Signage
- Cameras are located in public areas: entrance, gym floor, reception, car park
- **No cameras in changing rooms, toilets, or private areas**
- Clear signage is displayed at all entry points and throughout the premises
### 12.4 CCTV Access and Retention
- Footage is stored securely and only accessible by authorized personnel
- Footage is automatically deleted after **30 days** unless required for an investigation
- Footage may be shared with police if a crime has been committed
- You have the right to request access to CCTV footage of yourself (Subject Access Request)
### 12.5 CCTV Subject Access Requests
To request CCTV footage of yourself:
- Email progymlaunceston@gmail.com with the date, time, and location
- We must verify your identity before providing footage
- We will provide footage within 30 days (where you are clearly identifiable)
- We may redact or refuse footage if it includes other identifiable individuals
---
## 13. COOKIES AND WEBSITE TRACKING
### 13.1 What Are Cookies?
Cookies are small text files stored on your device when you visit our website. They help us improve your experience and analyze website usage.
### 13.2 Cookies We Use
**Essential Cookies (Always Active)**
- Session cookies to remember your login status
- Security cookies to prevent fraud
- These are necessary for the website to function and cannot be disabled
**Analytics Cookies (Optional - Requires Consent)**
- **Google Analytics:** Tracks website visits, pages viewed, time on site, device type
- Used to improve our website and understand user behavior
- Data is anonymized where possible
### 13.3 Third-Party Cookies
Our website may include embedded content (e.g., YouTube videos, Google Maps) that may set their own cookies. We do not control these third-party cookies.
### 13.4 Managing Cookies
You can control cookies through:
**Browser Settings:**
- Most browsers allow you to refuse or delete cookies
- Instructions: Check your browser's "Help" section
**Google Analytics Opt-Out:**
- Install the Google Analytics Opt-Out Browser Add-on: https://tools.google.com/dlpage/gaoptout
**Note:** Disabling cookies may affect website functionality.
### 13.5 Cookie Consent
When you first visit our website, you'll see a cookie banner. By clicking "Accept," you consent to analytics cookies. You can withdraw consent at any time through your browser settings.
---
## 14. MARKETING COMMUNICATIONS
### 14.1 How We Use Your Data for Marketing
With your consent, we may send you:
- Newsletters with gym updates and tips
- Promotional offers and discounts
- Information about new classes or services
- Success stories and member achievements
### 14.2 Legal Basis
Marketing communications are sent based on **consent**. You can withdraw consent at any time.
### 14.3 How to Opt-Out
You can stop receiving marketing communications by:
- Clicking "Unsubscribe" at the bottom of any marketing email
- Emailing progymlaunceston@gmail.com with "Unsubscribe" in the subject
- Updating your preferences in the ClubRight member portal
- Calling us on 07380 380561
**Important:** Opting out of marketing does not stop essential membership communications (e.g., payment confirmations, class cancellations, Terms and Conditions updates).
### 14.4 Social Media and Photography
We may take photographs or videos during gym activities for promotional purposes (website, social media, printed materials).
**Consent:** We will obtain your consent before using your image. You can:
- Inform staff if you do not wish to be photographed
- Withdraw consent at any time by contacting us
- Request removal of images from our platforms
**CCTV footage is separate and used only for security purposes, not marketing.**
---
## 15. CHILDREN AND YOUNG PEOPLE (UNDER 18)
### 15.1 Parental Consent
Members under 18 require parental or guardian consent. We collect:
- Parent/guardian name and contact details
- Parent/guardian bank details (for Direct Debit payments)
- Parental consent for membership and health declarations
### 15.2 Processing Children's Data
We process children's data based on:
- **Parental consent** for membership services
- **Legal obligation** for age verification and safeguarding
- **Legitimate interests** for health and safety
### 15.3 Parental Rights
Parents/guardians have the right to:
- Access their child's personal data
- Request correction or deletion of their child's data
- Withdraw consent for their child's membership
- Object to processing of their child's data
### 15.4 Age Verification
We verify age during sign-up to ensure:
- Members under 18 have parental consent
- Access restrictions are applied (must leave by 18:00 unless accompanied by a parent/guardian who is also a member)
---
## 16. DATA PROTECTION BY DESIGN AND DEFAULT
We implement data protection principles from the outset:
- **Data Minimization:** We only collect data necessary for our purposes
- **Purpose Limitation:** Data is only used for the purposes disclosed
- **Accuracy:** We keep data accurate and up to date
- **Storage Limitation:** Data is deleted when no longer needed
- **Integrity and Confidentiality:** Security measures protect data
- **Accountability:** We document our compliance with data protection laws
---
## 17. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect:
- Changes in laws or regulations
- Changes to our business practices
- New services or features
### 17.1 How We Notify You
- **Minor changes:** Updated policy posted on our website with a new "Effective Date"
- **Significant changes:** We will notify you by email or prominent notice on our website
### 17.2 Your Continued Use
Continued use of our services after changes take effect constitutes acceptance of the updated policy. If you do not agree, please contact us to discuss.
---
## 18. COMPLAINTS AND CONCERNS
### 18.1 Contact Us First
If you have concerns about how we handle your personal data, please contact us first:
**Lukasz Lodziana (Data Protection Contact)**
Email: progymlaunceston@gmail.com
Phone: 07380 380561
Post: Pro Gym Fitness Ltd, Southern Court Newport, Unit 7, Launceston, PL15 8EX
We will investigate and respond to your complaint within **30 days**.
### 18.2 Right to Complain to the ICO
You have the right to lodge a complaint with the UK's data protection authority:
**Information Commissioner's Office (ICO)**
Website: https://ico.org.uk
Helpline: 0303 123 1113
Live Chat: Available on ICO website
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
The ICO can investigate your complaint and take action against us if we have breached data protection law.
---
## 19. DEFINITIONS
**Data Controller:** The organization that determines how and why personal data is processed (Pro Gym Fitness Ltd).
**Data Processor:** An organization that processes personal data on behalf of the data controller (e.g., ClubRight, GoCardless).
**Personal Data:** Information relating to an identified or identifiable individual.
**Special Category Data:** Sensitive personal data including health information, which receives extra protection under UK GDPR.
**Processing:** Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
**UK GDPR:** UK General Data Protection Regulation - the UK's data protection law post-Brexit.
---
## 20. CONTACT INFORMATION
**Pro Gym Fitness Ltd**
**Registered Address:**
Southern Court Newport, Unit 7
Launceston
PL15 8EX
United Kingdom
**Contact Details:**
Email: progymlaunceston@gmail.com
Phone: 07380 380561
**Data Protection Contact:**
Lukasz Lodziana (Director)
Email: progymlaunceston@gmail.com
**ICO Registration Number:** [Pending - to be updated]
For all data protection queries, privacy concerns, or to exercise your rights, please contact us using the details above.
---
**Last Updated: January 2026**
**Next Review Date: January 2027**
---
## ACKNOWLEDGMENT
By signing up for membership at Pro Gym Fitness Ltd, you acknowledge that you have read, understood, and agree to this Privacy Policy. You confirm that:
- You have provided accurate personal information
- You understand how your data will be used
- You consent to the processing of your data as described in this policy
- You understand your rights and how to exercise them
If you have any questions about this Privacy Policy, please contact us before signing up.
---
**END OF PRIVACY POLICY**