CLC Fitness - Privacy Policy Last Updated: 21 May 2025 (Supersedes policy dated August 2020)

1. Who We Are (Data Controller): CLC Fitness (Carly Corrigall t/a CLC Fitness), 21 Abbots Close, Guildford GU2 7RW. Email: carly@clcfitness.co.uk. Website: www.clcfitness.co.uk. We are responsible for your personal data and determine how it is processed.

2. How We Collect Your Personal Information:

We collect information when you use our website, social media, or services. This includes:

  • Personal Information (identifiable data):

    • Identity Data: Name, maiden name, marital status, title, date of birth, gender.

    • Contact Data: Address, email, phone number(s), emergency contacts.

    • Financial Data: Bank account and payment card details.

    • Technical Data: IP address, login data, browser information, device details, location, time zone (when using our website or Zoom).

    • Transaction Data: Details of purchased services (classes, packages, trials).

    • Profile Data: Exercise programmes, questionnaire responses (PAR-Q, lifestyle, health trackers, consent forms, food diaries), interests, preferences, feedback, survey responses.

    • Usage Data: How you use our website and services.

    • Marketing and Communications Data: Your preferences for receiving marketing from us.

  • Non-Personal Information (anonymous data): Website pages accessed, files downloaded (used to improve our services).

You provide this information via our website, apps, social media, phone, email, or in person.

3. How We Use Your Personal Information (Purposes and Legal Basis):

We use your data for the following purposes, based on the legal grounds stated:

  • To provide requested services, classes, or information (e.g., class entry, newsletters) - Contractual necessity.

  • To maintain records of our relationship - Legitimate interests.

  • To manage your contact preferences - Legitimate interests/Consent.

  • For research and analytics to improve our services (aggregated and anonymised where possible) - Legitimate interests.

  • To communicate with you, including service updates - Contractual necessity/Legitimate interests.

  • To monitor the effectiveness of our communications (e.g., email tracking in anonymised form) - Legitimate interests.

  • With your Consent, to send you marketing about our news, classes, events, and occasionally partner projects (you can opt out at any time).

  • To assess your health and fitness level - Contractual necessity/Consent (for sensitive data like health information).

  • To contact you about services we think may interest you - Legitimate interests/Consent.

  • To share with the Government's COVID-19 test and trace programme (if applicable) - Legal obligation/Public interest.

4. Sharing Your Personal Information:

We take data security seriously and will never sell your personal information for marketing purposes. We may share your data with:

  • Staff for service provision.

  • Trusted suppliers and partners who process data on our behalf (e.g., IT support, payment processors, cover instructors). We ensure adequate data protection by these providers, including those outside the UK/EEA (you consent to this transfer by using our services).

  • Government COVID-19 test and trace programme (if applicable).

  • Professional advisors (legal, financial, insurance).

  • Police or other authorities if legally required.

  • Insurers.

  • HM Revenue & Customs and other regulatory bodies.

  • Third parties in case of business sale, transfer, or merger.

  • Applications and tools we use (e.g., Zoom, Squarespace, Gmail, Vimeo, Jotform, SurveyMonkey. Stripe).

5. How Long We Keep Your Data:

We retain your data only as long as necessary to provide services, meet legal obligations, and for our legitimate interests (e.g., legal claims, tax/accounting rules). Generally, we keep personal data for 7 years after it's no longer needed, unless:

  • The law requires a longer or shorter retention period.

  • You request erasure (where applicable and no overriding legal reason to retain).

  • Limited exceptions under law allow indefinite retention with appropriate safeguards.

We will securely dispose of your data when it's no longer needed.

6. Your Rights:

Under data protection law, you have the right to:

  • Access: Request a copy of your personal data.

  • Correction: Ask us to correct inaccurate data.

  • Erasure ("Right to be Forgotten"): Request deletion of your data in certain circumstances.

  • Object to Processing: Object to processing based on legitimate interests or direct marketing.

  • Restriction of Processing: Ask us to limit how we use your data in specific situations.

  • Data Portability: Request your data in a portable format.

  • Withdraw Consent: If we rely on your consent, you can withdraw it at any time.

For more information, visit the ICO website (www.ico.org.uk). To exercise your rights, please email us with details of your request and proof of identity (two forms of ID). We will respond within one month. Note that some rights have limitations.

7. Updating Your Data:

Please inform us of any changes to your personal information (name, address, email, etc.) to ensure accuracy. Contact us using the details in Section 1.

8. Third-Party Links:

Our website may contain links to other websites. We are not responsible for their privacy practices; please review their policies.

9. Reporting a Data Breach:

If we experience a data breach that is likely to cause harm to you, we will notify the ICO within 72 hours and inform you without undue delay.

10. Changes to This Policy:

We may update this policy periodically. Changes will be posted on our website and/or communicated via email, taking effect 7 days after posting or email date (whichever is earlier). Please review this policy regularly. Continued use of our services after changes constitutes acceptance.

This Privacy Policy is dated 21 May 2025.