This privacy notice covers:

*Why we use your personal information

*The legal basis for processing

*What personal information we use

*How we use your personal information

*Your rights under data protection legislation

*Sharing personal information with third parties

*How long we may keep your information

Why we use your personal information

We process your personal data for the following purposes:

*to provide you with the fitness programme requested

*to verify your identity where required

*for the ongoing administration of the service

*to allow us to improve the service we offer to our clients

*for statistical analysis including payment and usage patterns (this is in an anonymized manner when we use your data for this purpose)

*to enable us to comply with our legal and regulatory obligations

*to offer services to you which are relevant and appropriate, and only to the extent that would be reasonably expected.

What personal information we keep.

In order to carry out these services, we obtain and record the following information:

Client name

Sessions (sessions planning on attending)

Start date

Programme end date (if start on fixed period programme or if give an end date)

Contact details (Phone number, Postal address, Email address)

Date of birth

Gender

Dates away

How heard about us (including referral name)

Details relevant to how programme will work and information allowing us to offer relevant support e.g. physical attributes (height, weight), barriers (children, work, travel, motivation), goals (events, clothes), eating habits and restrictions (vegetarian)

Injuries/illnesses

Card details for payments

Session bookings (to plan and provide the service including accountability)

Record of payments (to work out how far through term of contract and when can attend sessions)

How we use your personal information.

We use the personal information only to the extent required to carry out the services for the Client. It is accessed only by people who need to access it to provide the service (by Tom Kynaston and any employed administrators) and some information is shared with other trainers providing the service when it is necessary e.g. injuries/illnesses, pregnancy requiring amendments to the service to be given.

The personal information is stored using secure systems and the software used to access the information is password protected. It is not possible to safeguard against all unauthorised access but within reasonable limits.

We only process your personal information in the UK.

Some of our supporting services (for example Acrobat’s Echosign, Glofox, MailChimp), might use cloud platforms that operate from countries outside of the UK. Acrobat and MailChimp have confirmed that they have EU-US Privacy Shield certification and will work within that. Glofox currently stores data in the EU for EU countries but where data processing is

conducted within the US they have EU-US Privacy Shield certification and will work within that. (Note for post-Brexit, outside the EU data is stored on a local server so should still be fine but will need to confirm at the time.)

Your rights under Data Protection Law

Right to Access

You have the right of access to your personal information that we process and details about that processing. You can raise a Data Subject Access Request (DSAR) to receive this information.

Right to Rectification

You have the right to request that information is corrected if it’s inaccurate. You can contact us to make the changes.

Right to Erasure (Right to be Forgotten)

You have the right to request that your information is removed. We might choose to hold a minimum amount of information for legal or insurance purposes.

Right to Object

You have the right to object to the processing of your information; depending on the circumstances, we may or may not be obliged to action this request.

Right to Restriction of Processing

You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request.

Right to Data Portability

You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine readable format suitable for transferring to another controller.

Right to lodge a complaint with a supervisory authority

If you think we have infringed your privacy rights, you can lodge a complaint with the relevant supervisory authority. You can lodge your complaint in particular in the country where your live, your place of work or place where you believe we infringed your right(s).

You can exercise your rights by sending an e-mail to contact@tktotalfitness.co.uk. Please state clearly in the subject that your request concerns a privacy matter, and provide a clear description of your requirements.

Note: We may need to request additional information to verify your identity before we action your request.

Sharing personal information with third parties

We use a range of trusted service providers to help deliver our services. All of our suppliers are subject to appropriate safeguards, [and in full compliance with Data Protection Law]

These service providers include:

*Payment Processors (Stripe & Glofox) – to securely process your card payments (once entered we do not see the full card details and we do not store card details separately)

*SMS Providers (O2, Groups app) – to send out our SMS notifications or messages to Clients and receive messages from Clients

*Email Providers (Microsoft Outlook & MailChimp) – to send out our email notifications or messages to Clients and receive messages from Clients

*Contract Providers (Acrobat Echosign) – to send out our Informed Consent and Payment Agreements for Clients and to store returned contracts

*Spreadsheet/Database Providers (Microsoft Office) – to securely store our Client details

*We will only disclose your information to other parties in the following limited circumstances

*where we are legally obliged to do so, e.g. to law enforcement and regulatory authorities

*where there is a duty to disclose in the public interest

*where disclosure is necessary to protect our interest e.g. to prevent or detect crime and fraud, or for insurance purposes

*where you give us permission to do so e.g. by providing consent when we ask.

How long we may keep your personal information

We will retain information for as long as is necessary to deliver the service safely and securely. We may need to retain some records to maintain compliance with other applicable legislation – for example finance, taxation, insurance, fraud and money laundering law requires certain records to be retained for an extended duration, in some cases for up to seven years.

Also we choose to retain your contact details after you have stopped receiving the services in order to maintain contact with you, to keep you up-to-date with services available to you. You can request for this to stop at any point (SMS) or remove yourself (unsubscribe from email list).