PRIVACY POLICY
1. Welcome to Gymset’s privacy and data protection policy (“Privacy Policy”)
At Gymset (“Gymset”,“we”, “us” or “our”) we are committed to protecting and respecting your privacy and Personal Data in compliance with the law and guidelines of the EU General Data Protection Regulation (“GDPR”). This Privacy Policy explains how we collect, process and keep your data safe. The Privacy Policy will tell you about your privacy rights, how the law protects you, and inform our employees and staff members of all their obligations and protocols when processing data.
The individuals from which we may gather and use data can include:
· Customers
· Suppliers
· Business contacts
· Suppliers
· Business contacts
· Customers
· Third parties connected to customers
and any other people that the organisation has a relationship with or may need to contact.
This Privacy Policy applies to all our employees and staff members and all Personal Data processed at any time by us.
Gymset is your Data Controller and Data Protection Officer and therefore responsible for your Personal Data. Therefore, any enquiries about your data should be sent to us on email at hello@thegymset.com.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
2. Information we hold
2.1 When you use the Website and/or Mobile Application we may collect the following information about you:
2.2 Personal information including first and last name, date of birth and photograph;
2.3 Contact information including residential address, geographic location, primary email address and/or primary phone number;
2.4 If you sign up to the Website and/or Mobile Application through a third-party service such as Facebook or Google, we may extract information from your Account e.g. name, email address, photograph and any other personal information that your privacy settings permit us to access;
2.5 Information about your contacts when you invite others to join your workout session or as part of any promotional activities we run;
2.6 Technical information including IP address, operating system, browser type and related information regarding the device you used to visit the site, the length of your visit and your interactions with the site;
2.7 Information relevant to service, customer surveys and/or offers;
2.8 We may monitor your use of the Website and Mobile Application through ‘cookies’ or similar tracking technologies (Facebook Pixel and Google Analytics). We may also monitor traffic, location or other data and information about users of the Website and Mobile Application. Such data and information, to the extent that you are individually identifiable from it, shall constitute information as defined above. However, some of this data will be aggregated or statistical, which means that we will not be able to identify you individually;
2.9 Occasionally we may receive information about you from other sources e.g. from other users on the Website and/or Mobile Application who provide feedback ratings or other details. We will add this information to the data we already have collected to help us carry out activities listed.
3. How long we hold your information
3.1 We will keep your information only for as long as we need to hold it for the purposes set out below in Clause 6.
3.2 If required, we will be entitled to hold information for longer periods in order to comply with our legal or regulatory obligations.
4. Legal basis for your information
4.1 Under Data Protection Law, we may only process your information if we have a “legal basis” e.g. a legally permitted reason for doing so. For the purposes of this policy, our legal basis for processing your information is:
4.1.1 Where we have requested it and made it known to you or asked for your consent set out in Clause 5;
4.1.2 Where the processing is necessary e.g. taking any preliminary steps that are required before you can enter a contract with us as set out in this policy and others);
4.1.3 Where there is legitimate business interest of providing services to our users through the Website and/or Mobile Application which requires the processing of your information to enable us to provide these services. Subject to your rights set out in Clause 14.
5. Consent to process
5.1 You will be required to give consent to certain processing activities before we can process your information. Where applicable, we will seek this consent from you when you first submit information through the Website and/or Mobile Application.
5.2 If you have previously given consent you may freely withdraw such consent at any point by emailing hello@thegymset.com or unsubscribing by other means.
5.3 If you withdraw your consent and if we do not have another legal basis for processing your information as set out in Clause 4, then we will stop processing your information. If we do have another legal basis for processing your information, then we may continue to do so subject to your legal rights in Clause 14.
5.4 Please note that if we need to process your information in order to operate the Website or and/or Mobile Application, and you object or do not consent to us processing your information, the Website and/or the Mobile Application will not be available to you.
6. How we use your information
6.1 We may process information held about you for the following purposes:
6.1.1 To operate, administer, maintain, provide, analyse and improve the Website and/or Mobile Application along with the services available through them;
6.1.2 To investigate and address any comments, enquiries or complaints made by you regarding the Website and/or Mobile Application and any similar or related comments enquiries or complaints from other users;
6.1.3 To ensure the content on the Website and/or Mobile Application is presented in the most effective manner for you and for your device;
6.1.4 To conduct research, statistical analysis and behavioural analysis which includes anonymising data for these purposes;
6.1.5 To provide insights based on aggregated, anonymous data collected through the research and analysis referred to at 6.1.4 above;
6.1.6 To allow you to participate in interactive features of the Website and/or Mobile Application including inputting information and providing feedback;
6.1.7 To contact you for marketing purposes, where applicable subject to Clause 7;
6.1.8 To disclose your information to selected third parties as permitted by this policy subject to Clause 8;
6.1.9 To notify you about the changes to the Website and/or Mobile Application;
6.1.10 To comply with our legal obligations, including related to the protection of Personal Data.
7. Marketing and opting out
7.1 If you have given us permission, we may contact you through electronic messaging services including but not limited to; email, SMS and similar (“Messaging Services”) about our products, services, promotions and special offers that may be of interest to you. We will inform you before collecting your data and always seek your permission if we intend to use your data for such purposes. If you prefer not to receive any direct marketing communication from us, or you no longer wish to receive them, you can withhold consent and/or opt out anytime using the methods outlined in 7.4.
7.2 If you have given us permission, we may contact you through these Messaging Services to provide information about products, services, promotions, special offers and other information we think may be of interest to you from carefully selected third parties. We will inform you before collecting your data if we intend to use your data for such purposes. If you would rather not receive such third-party marketing information from us, you can withhold consent and/or opt out at any time using methods outlined in 7.4.
7.3 If you have given us permission, we may share your personal data with carefully selected third party organisations and/or business partners so that they can contact you directly through Messaging Services about products, services, promotions and special offers that might be of interest to you. We will inform you before collecting your data and seek your permission if we intend to disclose your data to third parties for such purposes. If you would rather not receive direct marketing communications from our third-party organisation and/or business partners, you can withhold consent and/or opt out at any time using methods outlined in 7.4.
7.4 You have the right at any time to ask us or any third-party, to stop processing your information for direct marketing purposes. If you wish to exercise this right, you should contact us by sending an email to hello@thegymset.com or contact the relevant third-party using their contact details. Please ensure you provide the information of the Messaging Services you are receiving marketing on so you can be identified and removed. Alternatively, you can follow the change of preferences instructions in the footer of emails or other communications you receive from us or them.
8. Disclosure of your information
8.1 We may disclose your information including Personal Data:
8.1.1 To other companies within our group of companies including subsidiaries of our ultimate holding company as defined in section 1159 of the UK Companies Act 2006;
8.1.2 To third-party organisations, business partners and/or service providers to enable them to undertake services for us and/or on our behalf. We will always ensure we have appropriate measures in place to protect your Personal Data;
8.1.3 If we are under a duty to disclose or share Personal Data in order to comply with any legal obligation including but not limited to any request or order from law enforcement agencies and/or HMRC in connection with any investigation to help prevent unlawful activity;
8.1.4 To other third parties if you have consented us to do so;
8.1.5 We may disclose aggregated, anonymous information which you cannot personally be identified by or insights based on such anonymous information to selected third parties including but not limited to analytics and search engine providers to assist us in the improvement and optimisation of the Website and/or Mobile Application;
8.1.6 If our whole business is sold or integrated with another business your information may be disclosed to our advisers and any prospective purchasers and their advisers and will be passed on to the new owners of the business.
9. Keeping information secure
9.1 We will use technical and organisational measures in accordance with good industry practise to safeguard your information.
9.2 While we will use all the reasonable efforts to safeguard your information, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any information that is transferred from you or to you via the internet.
10. Monitoring
10.1 We may monitor and record communications with you such as telephone conversation and emails for the purposes of provision of services, quality assurance, training, fraud prevention and compliance purposes. Any information that we receive through such monitoring and communications will be added to the information we already hold about you and may also be used for the purposes listed in Clause 6.
11. Overseas transfers
11.1 Every so often we may need to transfer your information to countries outside the European Economic Area, which compromises the EU members plus Norway, Iceland and Liechtenstein (“EEA”). Non-EEA countries that we may need to transfer your information to include but not limited to the United States of America and India.
11.2 Such countries may not have similar protections in place regarding the protection and use of your data as those set out in this policy. Therefore, if we do transfer your information to countries outside the EEA, we will take reasonable steps in accordance with Data Protection Law to ensure adequate protections are in place to ensure the security of your information.
11.3 By submitting your information to us in accordance with this policy, you also consent to these transfers for the purposes specified inside this policy.
12. Payment processing
12.1 Payment details you provide will be encrypted using secure sockets layer (SSL) technology before they are submitted over the internet. Payments made on the Website and/or Mobile Application are made through our payment gateway provider, Stripe. You will be providing debit or credit card information directly to Stripe which operates a secure server to process payment details, encrypting your information and authorising the payment. Information which you supply to Stripe is not within our control and is subject to Stripe’s own Privacy Policy and Terms.
13. Invitees and other individuals
13.1 As part of our service, we allow registered users to send invitations to individuals (“Invitees”) to invite them to participate in a session. Where you wish to send an invitation to a proposed individual who is also a registered user on the Website and/or Mobile Application, we will process Personal Data that relates to that individual in accordance with this policy.
13.2 Where you wish to send an invitation to a proposed individual who is not a registered user of the Website and/or Mobile Application, the individual will be redirected to the Mobile Application. We will seek consent from them to process their Personal Data in accordance with these Terms.
13.3 Subject to the above, if you otherwise give us Personal Data that relates to a third-party, you confirm that the third-party has appointed you to act on his/her/their behalf and has agreed that you can give consent on his/her/their behalf to the processing of his/her/their Personal Data, receive on his/her/their behalf any data protection notices and give consent to the transfer of his/her/their Personal Data abroad, where applicable.
14. Your rights
14.1 You have the right to request information about the Personal Data that we may hold and/or process about you, including whether or not we are holding and/or processing your Personal Data, the extent of the Personal Data we are holding and the purposes and extent of the processing.
14.2 You have the right to request that any inaccurate information we hold about you to be updated and/or corrected. If you require any changes to your information or you become aware of any inaccuracies in such information, please let us know by forwarding your request to hello@thegymset.com.
14.3 From 25th May 2018, you have the right in certain circumstances to request that we delete all Personal Data we hold about you.
(“Right of Erasure”). Please note that this right is not available in all circumstances e.g. where we need to retain the Personal Data for legal compliance purposes. If this is the case, we will let you know.
14.4 From 25th May 2018, you have the right in certain circumstances to request that we restrict the processing of your Personal Data e.g. where the Personal Data is inaccurate or where you have objected to the processing. See Clause 14.6.
14.5 From 25th May 2018, you have the right in certain circumstances to request a copy of the Personal Data we hold about you and to have it provided in a structured format suitable for you to be able to transfer it to a different Controller (“Right To Data Portability”). Please note this right is only available in some circumstances e.g. where the processing is carried out by automated means. If you requested the right and it is not available, we will let you know.
14.6 You have the right in certain circumstances to object to the processing of your Personal Data. If so, we shall stop processing your Personal Data unless we can demonstrate sufficient and compelling legitimate grounds for continuing the processing which override your own interests. If, as a result of your circumstances, you do not have the right to object to such processing, we will let you know.
14.7 You have the right in certain circumstances not to be a subject to a decision based solely on automated processing e.g. where a computer algorithm, rather than a person, makes decisions which affect your contractual rights. Please note that this right is not available in all circumstances. If you request this right and it is not available to you, we will let you know.
14.8 You have the right to object to direct marketing. Please see Clause 7.4.
15. Complaints
15.1 If you have any concerns about how we collect or process your information then you have the right to lodge a complaint with a supervisory authority, which for the UK is the UK Information Commissioner’s Office (“ICO”). Complaints can be submitted to the ICO through the ICO helpline by calling 0303 123 1113. Further information about reporting concerns to the ICO is available at https://ico.org.uk/concerns/.
16. Cookies and related software
16.1 Our software may issue (“Cookies”) which are small text files on your device. When you access and use the Website, you will be asked to consent to this the first time you visit our Website or each time after your cache has been cleared. Cookies do not affect your privacy or security as a Cookie cannot read data from your system or other Cookie files created by other websites.
16.2 Our Website uses Cookies and other tracking software to distinguish our users, collect standard internet log information and to collect visitor behaviour information. This information is used to track user interactions with the Website and allows us to provide you with a personalised and improved experience along with improving our site and build statistical reports. We may also use Cookies to allow us to effectively continue marketing to you after visiting our Website.
16.3 You can set your system not to accept cookies, if you wish. You can do this by changing your browser settings so that cookies are not accepted. However, please note, that some of our Website features may not function if you remove cookies from your system. For further general information about cookies, please visit https://www.aboutcookies.org or https://www.allaboutcookies.org.
17. Changes to the policy
17.1 We keep this policy under regular review and may change it. If we change the policy we will post the changes on this page and place notices on other pages of the Website and/or mobile application as applicable so that you can be aware of the information we collect and how we use it at all times. You are responsible for ensuring that you are aware of the most recent version of this policy as it will apply each time you access the Website and/or mobile application.
17.2 This policy was last updated on 7th March 2022.
18. Links to other websites
18.1 Our site may contain links to other websites. This policy only applies to our site. If you access links to other websites, any information you provide to them will be subject to the privacy policies of those other websites.
19. Accessibility
19.1 This policy aims to provide you with all the relevant details about how we process your information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. If you have any difficulty in reading or understanding this policy, or if you would like this policy in another format e.g. audio, large print or braille, please let us know.
20. Contact us
20.1 We welcome your feedback and questions on this policy. If you wish to contact us as the Data Controller or Data Protection Officer, please email us on hello@thegymset.com.
21. CCTV POLICY
21.1 This section sets out the appropriate actions and procedures which we follow in respect of the use of CCTV (closed circuit television) surveillance systems (“CCTV Systems”) at our premises.
21.1.1 Sound recording is disabled on all cameras.
21.1.2 Please note that all our Network are monitored by CCTV 24 hours a day. Gymset reserves the right for its employees and contractors to review footage as required and by entering onto our sites you consent to your image being recorded and reviewed and waive any and all claims in relation to same. Recorded CCTV footage will be stored securely and retained in compliance with applicable laws.
21.2 In drawing up this policy, due Account has been taken of the following:
21.2.1 The Regulation and any other relevant Data Protection legislation;
21.2.2 The CCTV Code of Practice produced by the Information Commissioner (“Code of Practice”);
21.2.3 The Human Rights Act 1998.
21.3 This policy will cover all employees and persons providing a service to Gymset, visitors and all other persons whose image(s) may be captured by our CCTV Systems.
21.4 We will also ensure that the personal data captured by our CCTV Systems is only processed in accordance with the following requirements:
21.4.1 It will be processed fairly, lawfully and in a transparent manner;
21.4.2 It will only be collected for specified, explicit and legitimate purposes and not further processed in any manner incompatible with those purposes;
21.4.3 It will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
21.4.4 It will be accurate and, where necessary, kept up to date;
21.4.5 It will not be kept for longer than is necessary for the purposes for which the personal data are processed;
21.4.6 It will be processed in a manner that ensures appropriate security of the personal data.
21.5 The Gymset CCTV Officer has the legal responsibility for the day-to-day compliance with the requirements of this policy.
21.6 The purpose of the use of the CCTV Systems and the collection and processing of CCTV images is for the prevention or detection of crime or disorder, apprehension and prosecution of offenders (including use of images as evidence in criminal proceedings), interest of public and employee Health and Safety, protection of public health and the protection of our property and assets and to ensure compliance with our policies and procedures.
21.7 Prior to any camera installation the CCTV Officer will ensure that the installation complies with this policy and that the use of any camera is justified, necessary and proportionate. The CCTV Officer will regularly assess whether the use of any camera and the CCTV System as a whole continues to be justified, necessary and proportionate.
21.8 The location of the equipment is carefully considered because the way in which images are captured needs to comply with the Regulation.
21.9 All cameras are located in prominent positions within public and staff view and do not infringe on sensitive areas. All CCTV surveillance is automatically recorded, and any breach of this siting policy will be detected via controlled access to the CCTV System and auditing of the CCTV System.
21.10 The images produced by the equipment will as far as possible be of a quality that is effective for the purpose(s) for which they are intended. Upon installation, all equipment is tested to ensure that only the designated areas are monitored, and suitable quality pictures are available in live and play back mode. All CCTV equipment is maintained under contract.
21.11 Images which are not required for the purpose(s) for which the equipment is being used will not be retained for longer than is necessary. While images are retained, it is essential that their integrity be maintained, whether it is to ensure their evidential value or to protect the rights of people whose images may have been recorded. Access to and security of the images is controlled in accordance with the requirements of the Regulation.
21.12 All images are digitally recorded and stored securely within the system’s hard drives. Images are stored for a minimum of 14 days and typical for no more than 31 days.
21.13 Where the images are required for any other purpose, for example system testing, evidential purposes or disciplinary proceedings, a copy file will be moved to an access controlled confidential location and held until completion of the investigation. Viewing of images within the system is controlled by the CCTV Officer or a person nominated to act on their behalf. Only persons trained in the use of the equipment and authorised by the CCTV Officer can access data.
21.14 Access to, and disclosure of, the images recorded by our CCTV System and similar surveillance equipment is restricted and carefully controlled. This ensures that the rights of individuals are preserved, and the continuity of evidence remains intact should the images be required for evidential purposes e.g. a police enquiry or an investigation being undertaken as part of an internal procedure.
21.15 Access to the medium on which the images are displayed and recorded is restricted to the CCTV Officer, staff authorised by them and third parties as authorised from time to time for specific purposes. Access to and disclosure of images is permitted only if it supports the purpose for which such images were collected.
21.16 The Regulation gives any individual the right to request access to CCTV images which contain their personal data.
21.17 Individuals who request access to images must do so by contacting us on hello@thegymset.com. Please send details of; who you are, the reason for request, your contact details, the location of CCTV, the time in question and any details that might be useful. Upon receipt of the request, the CCTV Officer, or another member of staff authorised by them, will determine whether disclosure is appropriate and whether there is a duty of care to protect the images of any third parties. If the duty of care cannot be discharged, then the request can be refused.
A written response will be made to the individual, giving the decision (and if the request has been refused, giving reasons) within 31 days of receipt of the request.