Thrive Fitness understands that your personal data is entrusted to us and appreciates the importance of protecting and respecting your privacy. To this end we comply fully with General Data Protection Regulation (EU) 2016/679, as adopted into law of the United Kingdom in the Data Protection Act 2018 (“UK Data Protection Law”).
Who is collecting the personal data?
For the purpose of UK Data Protection Law, the data controller is Thrive Fitness, which is operated on a sole trader basis by Michel Glendinning, who can be contact via email at email@example.com or by phone on 07789795847.
When we refer to ‘we’, ‘us’ and ‘our’, we mean Thrive Fitness.
What personal data is being collected?
When we refer to personal data in this policy, we mean information that can or has the potential to identify you as an individual.
The data we collect enables us to deliver our services and helps us to review and continually improve those services.
This personal data may include:
information that you give us when you enquire about our services or become a client or apply to work for us as an independent freelance contractor including name, address, contact details (including email address and phone number)
details of enquiries, quotes and other contact and correspondence we may have had with you
information you give us when you make a payment to us, such as financial or credit card information
details of services you have received from us
training programmes and individual session notes
body measurements – e.g. weight, waist, hips, BMI
feedback and outcome information that you provide
information about complaints and incidents
information obtained from customer surveys, promotions and competitions that you have entered or taken part in
Special Category or Sensitive Personal Data
Personal Data from Individuals Under the Age of 16
We do not knowingly collect personal information from individuals under 16 years of age without the permission of their parent or guardian. As a parent or legal guardian, please do not to allow your children to submit personal information without your permission.
What is the legal basis for processing the personal data?
The legal basis for processing non-sensitive personal data is that it is necessary:
for the performance of a contract - for any contract you have with us, or because you have asked us to take specific steps before entering into a contract, such as responding to your enquiry, providing pricing information, etc.
for our legitimate interests - to review and improve our services.
The legal basis for processing your sensitive personal data (including health data) is that it is necessary for the performance of any contract you have with us, and we do so based on your explicit consent.
Will the personal data be shared with any third parties?
We employ other companies and individuals to perform certain functions on our behalf. Examples include freelance personal trainers who are authorised representatives of Thrive Fitness and are contracted to deliver services directly to our clients, IT support and email exchange, website hosting, client management software, third party payment processors, third party delivery companies (including Royal Mail), providing marketing assistance and providing debt collection assistance.
We also share personal information where necessary to protect Thrive Fitness, our clients and others. We release account and other personal information when we believe release is appropriate to comply with the law, regulations, court orders, or other legal obligations or to assist in an investigation; enforce or apply our client or other agreements; or protect the rights, property or safety of Thrive Fitness, our clients or others.
We may also share personal information with third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
What about cookies?
A cookie is a small piece of information sent by a web server to a web browser, which enables the server to collect information from the browser. They are used to improve the user experience of a website and collect statistical data about the user’s browsing actions and patterns. They do not identify you as an individual.
What about links to other websites?
Internet based data transfer
The internet is a global environment, using it to collect and process personal data necessarily involves the transmission of data on an international basis. This means for instance that data you pass to us may be processed outside the European Economic Area, although the data will always be held securely and in line with the requirements of UK Data Protection Law. By communicating electronically with us, you acknowledge and agree to our processing of personal data in this way.
How will the information be used?
We will only use your sensitive personal data for the purposes for which you have given us your explicit consent to do so. For example, we use health data to assess your readiness for physical exercise and to ensure that we deliver safe, appropriate and effective personal training sessions and exercise classes.
We may use your personal data to:
enable us to carry out our obligations to you arising from any contract between you and us including the provision by us of services to you and related matter such as billing, accounting and audit, credit or other payment card verification and anti-fraud screening
provide you with information, products or services that you request from us
provide you with information about products or services we offer that we feel may interest you, provided that they are similar to those which you previously purchased or enquired about from us
allow you to participate in interactive features of our services, when you choose to do so
notify you about changes to our products or services
respond to requests where we have a legal or regulatory obligation to do so
check the accuracy of information about you and the quality of the service you have received, as part of any internal audit or part of any claims or litigation process
support your doctor, nurse or other healthcare professional
assess the quality and/or type of service you have received (including giving you the opportunity to complete customer satisfaction surveys) and any concerns or complaints you may raise, so that these can be properly investigated
to conduct and analyse market research
How secure will the personal data be?
We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally data. Our security procedures mean that we may occasionally request proof of identity before we disclose personal information to you.
Transmitting information via the internet, e-mail, SMS, social media and phone is generally not completely secure, and we can’t guarantee the security of your data. Any data you transmit to us in these ways is at your own risk, and by communicating with us in these ways, you acknowledge and agree to us using them to communicate with you also.
Currently we do not collect personal information via our own website. We use e-mail, SMS and messaging services for the general day-to-day management of client accounts – for activities such as booking sessions, sending out invoices, distributing training programmes and advice, etc. We generally do not share personal information these ways and if we do, we keep it to a minimum and separate it out or use partial names or pseudonyms. Where we need to transmit sensitive information or complete personal data sets such as full contact details, we do so using encryption or offline methods such as delivering in person or via secure post. For example, the transmission of data to our client management system is encrypted and we use end-to-end encrypted messaging services such as WhatsApp.
Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access or unlawful processing of personal data and to prevent personal data being lost, destroyed or damaged. This incudes for example adhering to the Cyber Essentials guidelines promoted by the UK government. For more information please go to https://cyberessentials.ncsc.gov.uk
How long will the personal data be stored for?
Any personal data you provide will be held for as long as is necessary having regard to the purpose for which it was collected and in accordance with all applicable UK laws.
For example, if you are client we will store your personal data for as long as you remain so, as the processing of your personal data is necessary to deliver our services to you in accordance with the contract we have with you. Once you are no longer a client we are obliged for legal and tax purposes to retain client personal information for a period of at least six years from the date you cease being a client.
What rights do you, the data subject have?
Currently we only send out marketing information about our services, to those who have made a direct request for such information. However, having made such a request, you have the right to ask us to stop processing your personal information for marketing purposes by sending an email to firstname.lastname@example.org
Currently UK Data Protection Law gives you the right to access personal information held about you. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable admin fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. If you would like to access your personal information, please email email@example.com
You have the right to have the personal data we hold about you corrected if it is factually inaccurate. It is important to understand that this right does not extend to matters of opinion, such as progress tracking. If any of your personal data has changed, especially contact information such as: email address, postal address and phone number please get in touch with your designated personal trainer or email firstname.lastname@example.org
You have the right to request your data to be erased, also known as ‘the right to be forgotten’. If you would like us to erase your information you would first need to request access to it as detailed above, please email email@example.com.
Your right to request data to be erased does not apply if processing is necessary for one of the following reasons:
to continue to deliver our services to you, under the contractual obligations we have with you;
to exercise the right of freedom of expression and information;
to comply with a legal obligation – such as those detailed above;
for the performance of a task carried out in the public interest or in the exercise of official authority;
for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
for the establishment, exercise or defence of legal claims.
Notices and revisions
If you have any concern about privacy at Thrive fitness, please e-mail firstname.lastname@example.org with a thorough description and we will try to resolve the issue for you.
If you are not satisfied with how we handle your request, you can contact the Information Commissioner’s Office on 0303 123 1113 or visit their website https://ico.org.uk