Kirkby Lonsdale Health & Spa Club
Privacy Policy



Privacy Policy – Kirkby Leisure Club

Effective Date: 10.12.2025

Introduction and Scope:
Kirkby Leisure Club Ltd (“we”, “us”, or “the Club”) is committed to protecting your privacy and the personal information you share with us. This Privacy Policy explains what information we collect about members, guests, and visitors (collectively, “you”), how we use and protect that information, and your rights in relation to your data. It applies to data collected through our website (https://kirkbyleisureclub.co.uk), our membership portal (ClubRight), and in-person at our Club facilities. By using our services or providing your information, you agree to the terms of this Privacy Policy.

Data Controller: Kirkby Leisure Club Ltd is the “data controller” of your personal data. We are a company registered in England (Company No. 16675789) with registered office at 77 Windsor Road, Prestwich, Lancashire, United Kingdom, M25 0DB. This means we determine how and why your personal data is processed. If you have any questions about this policy or your data, please contact us (see the “Contact Us” section at the end).

1. Information We Collect

We only collect information that we need to provide our services, ensure safety, and improve your experience. The types of personal data we may collect include:

  • Identity Information: e.g. your full name, date of birth, gender, photo (for membership ID), and proof of identity details (if you provide ID for verification).

  • Contact Details: e.g. home address, email address, phone number, and emergency contact information (name and phone of someone to reach in case of emergency).

  • Membership Details: information related to your membership at the Club, such as membership start date, type of membership, membership ID number, attendance history (check-ins), and records of services you’ve used (e.g. classes booked, training sessions). If you are part of a corporate or family membership, this might include company or family member names.

  • Payment Information: e.g. your bank account details or credit/debit card information for processing membership fees or other purchases. We do not store full card numbers ourselves; these may be handled by our secure payment processors (e.g. ClubRight/GoCardless/Stripe – see Section 4). We may keep records of your payments, billing history, and any amounts due.

  • Health and Fitness Information: As part of providing a safe fitness service, we may collect some health-related information. This includes details you provide on health questionnaires or PAR-Q forms (such as medical conditions, injuries, medications, or exercise limitations) and any health metrics you choose to share (like weight, height, or fitness assessments). We might also record notes on any incidents or injuries that occur in the Club and any related medical assistance given. Note: Health information is considered “special category” data and is handled with extra care (we typically process this only with your explicit consent or vital interest, see Section 3 on legal bases).

  • Usage Data: We collect data about how you use our services. For example, if you use our website or ClubRight member app, we may collect your IP address, device type, browser type, and interactions (pages visited, features used). In the Club, we might log your entries/exits via membership card swipes. We also gather information on class bookings, cancellations, and attendance.

  • CCTV Footage: For security purposes, our premises are monitored by CCTV cameras. If you visit our Club, your image may be captured on video recordings. These recordings are typically only reviewed if an incident occurs, and are stored for a limited time (see Section 5 on retention). CCTV covers gym floors, lobby, building exterior, etc., but not private areas like changing rooms, showers, or toilets.

  • Communications: Copies of your communications with us are kept, whether via email, contact form, or phone. For instance, if you send us an inquiry, give feedback, or report an issue, we will retain that correspondence and our response.

  • Marketing Preferences: If you opt in to receive marketing or newsletter communications, we will record your preferences (e.g. email subscription status). We also keep track of contest entries or surveys you participate in.

  • Cookies and Online Data: Our website uses cookies and similar technologies to collect information about your browsing actions. This can include data about your website navigation, any preferences you set on our site, and possibly third-party analytics data. (See Section 9 on Cookies.)

We do not knowingly collect data from children under 16 for online services. If a member under 16 provides information, it should be with consent of a parent/guardian. (Member data for under-16s is generally provided by the parent during signup.)

We collect most data directly from you (through membership forms, class bookings, etc.). In some cases, we may receive information from third parties: for example, if you join via a corporate program, your employer might give us your name for eligibility; or if a friend refers you, they might give us your name and contact for an invitation.

We will only ask for information that is relevant. If you choose not to provide certain information (like not filling optional fields in the health questionnaire), some services (like personal training recommendations) might be limited, but you can generally still be a member. We will make clear what information is mandatory (e.g. emergency contact might be required for safety, payment info is required to activate membership, etc.).

2. How We Use Your Information

We use personal data for the following purposes, and only to the extent necessary for those purposes:

  • Provide and Manage Membership Services: The primary use of your data is to set up and administer your membership. This includes verifying your identity on signup and at check-in, processing your membership application, and enabling you to access the Club. We maintain internal records of members to know who is entitled to use the facilities. We use your data to facilitate services you request: for example, allowing you to book classes or sessions via the app, keeping track of your remaining personal training sessions, or registering your attendance for a class.

  • Process Payments and Billings: We use your payment information to collect membership fees and other purchases (such as cafe charges, merchandise, or paid events). Payment data is processed securely via our third-party payment providers, but we maintain records of transactions, amounts, and dates for accounting. If you have a direct debit or recurring payment, we use your details to trigger those monthly payments. We may also use your contact info to send payment reminders or invoices when needed.

  • Communicate with You: We will use your email, phone, or mailing address to send you important notices related to your membership. This includes membership confirmations, renewal notices, payment receipts, and updates about your use of the Club. For example, we send booking confirmations or waitlist notifications via email/SMS (if you use class bookings), and we might email about changes to opening hours or temporary closures. These service communications are essential and not promotional in nature.

  • Health & Safety: Health information you provide is used to ensure your safety while exercising. For instance, if you note a heart condition on your PAR-Q, we might flag your profile so that trainers are aware to give appropriate modifications. If you have a medical emergency at the Club, we may provide responders with your known medical info and emergency contact. We also use incident reports for safety monitoring – e.g. if multiple injuries occur on a particular machine, we investigate. During public health situations (like a pandemic), we might use contact details for contact tracing or to notify you of possible exposure, as required by health guidelines. Any health data is handled confidentially and only by staff who need to know (such as fitness instructors or first aid personnel).

  • Improve Our Services and Operations: We internally analyze usage data (e.g. which hours are busiest, which classes are most popular) to help with staffing, scheduling, and facility improvements. For example, knowing peak check-in times helps us manage front-desk staffing; knowing class demand helps us adjust the timetable. We may also use feedback you provide or surveys to improve our offerings. None of this analysis will identify you personally in any public report – it’s for operational insight.

  • Marketing and Promotions (with consent): If you have given us permission, we may use your contact details to send you promotional communications about Club news, upcoming events, special offers, or new services. This could include newsletters via email, SMS alerts about promotions, or targeted offers (like a personal training discount around New Year). You can opt out of marketing at any time (see Section 7, Your Rights). We might also send occasional satisfaction surveys or ask for reviews/testimonials. Participation is voluntary. We do not spam; typically, we send club newsletters at a reasonable interval (e.g. monthly). For existing members, some marketing might be considered within our legitimate interests (e.g. informing you of a new class type), but we will always respect opt-out requests.

  • Social Media Engagement: If you tag us or interact with our social media pages, we might occasionally re-post or respond. However, we do not pull your data from social networks; any information visible to us depends on your privacy settings on those platforms. If we wish to share a member success story or photo for marketing, we will obtain your consent.

  • ClubRight Member Portal and App: When you use the ClubRight system (our member portal or app) to manage your membership or bookings, your data is used to authenticate you and provide relevant services (like showing your membership status, enabling class sign-ups). ClubRight may use certain personal data (like email and password for login, and your membership info) on our behalf to operate the portal. Their use of your data is bound by our contract with them and data protection law (see Section 4 on Data Sharing).

  • Security and Crime Prevention: We use CCTV footage to deter and investigate theft, vandalism, or any dangerous incidents at the Club. For example, if a locker theft is reported, we may review camera footage to identify the culprit. CCTV may also be monitored in real-time by management for general security. Additionally, we keep an access log (entries/exits) which could help in security investigations or in confirming attendance. If necessary, we might use personal data to ban individuals for misconduct (e.g. keeping their name on a watchlist) and to inform staff to deny entry (see Terms & Conditions regarding banned members).

  • Legal Compliance: There are certain laws and regulations we must follow that involve processing personal data. For example, accounting and tax laws require us to retain transaction records. Health and safety laws require us to document accidents in an accident log. If we receive a legally binding request (court order or law enforcement request), we may have to provide personal data to authorities. We also process data to comply with UK data protection laws (like honoring your rights requests).

  • Enforcing Policies and Legal Claims: We may process relevant personal data when necessary to enforce our contract or policies (for instance, using contact information to send a notice of termination or using payment records to pursue unpaid fees). If there are any legal disputes or claims involving you (e.g. a personal injury claim, or a debt collection), we will use and possibly share data as needed to defend or pursue those claims.

We will not use your personal information for purposes that are incompatible with those above. If we ever need to process your data for a new purpose, we will update our Privacy Policy and inform you as required by law. We do not use automated decision-making or profiling that has legal or significant effects on you – any profiling (like understanding your class attendance to suggest similar classes) is only for improving service and not for making decisions without human review.

3. Legal Bases for Processing Personal Data

Under UK General Data Protection Regulation (UK GDPR) and related laws, we must have a valid “legal basis” for each use of your personal data. We rely on the following legal bases:

  • Performance of a Contract: Most of the data we collect and use is for the purpose of fulfilling our contract with you as a member or guest. When you sign up for membership, a contract is formed – we need to process your data (like your identity, contact info, and payment details) to deliver the services you expect, such as granting access to facilities, processing payments, and managing your account. If you are not a member but are using a day pass or trial, we process your data to fulfill that service as well. Example: Using your email to send booking confirmations is necessary to provide the booked service; using your bank info to collect dues is part of providing membership.

  • Legal Obligation: We process some data because we have a legal obligation to do so. For instance, we keep financial transaction records to comply with tax and accounting laws. We may record and report accidents under health and safety regulations. If law enforcement requests data with proper authority, we may provide it to comply with the law. Example: Keeping your payment receipts for 6 years is required for VAT and tax record-keeping.

  • Legitimate Interests: We process certain data under the legitimate interests of our business, in a way that does not override your rights and freedoms. This includes using CCTV for security (our legitimate interest in protecting our property, members, and staff), analyzing usage patterns to improve our services, sending relevant communications to members about similar services (e.g. informing you of new classes or promotions if you are an existing member), and preventing fraud or misuse of our facilities. We believe these uses are expected and beneficial to you as well, but you have the right to object if you feel it impacts your rights (see Section 7). Example: It is in our legitimate interest to ensure the Club is secure; thus we use CCTV and access logs. It’s also in our interest to grow and retain membership, so we may send special offer emails to current members – but you can unsubscribe easily.

  • Consent: In some cases, we rely on your consent to process data. We will explicitly seek your consent for things like marketing emails to non-members (e.g. if you sign up on our website to get updates without being a member) or for certain uses of your health data. For example, health data (being sensitive) often requires explicit consent unless used to protect your vital interests. When you fill out a health questionnaire, we may ask for your signature/consent to use that data to tailor your exercise program and for our instructors to be aware of any issues. You can withdraw consent at any time (which would not affect past processing but would stop future processing). Example: We ask your consent to send you third-party promotional info or newsletters – if you agree, we use your email for marketing; if not, we won’t. Similarly, if we ever wanted to post your photograph or success story on our website or social media, we’d get your consent first.

  • Vital Interests: In rare cases, we may need to process personal data to protect someone’s vital interests, i.e. to prevent an imminent risk of serious harm or life-threatening situation. For instance, if you have a medical emergency and are unconscious, we might share your known medical conditions with paramedics – that’s to protect your vital interests (and those of the paramedics treating you). This is a lawful basis for using sensitive data when consent cannot be given.

If you have any questions about the legal basis of a particular processing activity, feel free to contact us for more detail. Generally, our aim is to ensure we have a sound justification under GDPR for all personal data uses.

4. How We Share Your Information

We treat your personal data with care and do not sell your information to third parties. However, in the course of running our business, we do need to share data with certain trusted parties. These include:

  • ClubRight (Membership Platform Provider): We use ClubRight as our gym membership management software. When you sign up or use our online portal, your personal data (identity, contact, membership and billing info) is stored in the ClubRight system. ClubRight Ltd operates this platform on our behalf as a “data processor”. They are contractually obligated to keep your data secure and use it only to provide the management software services to us. ClubRight may host the data on cloud servers and implement security measures. We have confirmed that ClubRight is GDPR compliant and dedicated to data security. (For more details, you can refer to ClubRight’s own privacy policy, but essentially they won’t use your data for their own purposes except as needed to run the service.)

  • Payment Processors: We use reputable payment processing companies to handle financial transactions. This may include GoCardless for direct debit collections and Stripe (or similar) for card payments. These processors will receive your payment details and process payments securely on our behalf. They are also GDPR compliant and will not use your data for anything other than processing transactions or complying with legal obligations. For example, when you set up a monthly direct debit, your name, address, and bank account info are processed by GoCardless and your bank. We do not see or store your full card number when you pay by card; Stripe tokenizes that information. We maintain records of the transactions (amount, date, last 4 digits of card or similar) but rely on these processors to handle the sensitive payment data.

  • Email and IT Service Providers: We utilize certain software and service providers for communication and IT infrastructure. For instance, our email service (for sending newsletters or notifications) might be through a platform like Mailchimp or an SMTP service. If we send bulk communications, your email address and name might be processed by such a service. We ensure any such providers have appropriate data protection measures. Similarly, our website hosting company or IT support provider might have access to data stored on our systems (e.g. if they back up our database or troubleshoot an issue). We only work with companies that commit to confidentiality and security.

  • Personal Trainers and Coaches: If you work with one of our in-house personal trainers or class instructors, they will have access to certain information about you – primarily your relevant fitness/health info and goals, as well as your contact details to coordinate sessions. Our trainers are bound by confidentiality and only use your data to support your training. If we refer you to an independent therapist or nutritionist, we would only share your contact or health info with your consent.

  • Service Providers and Vendors: We may share limited data with other providers who help us run the Club’s operations. Examples include:

    • Security and Access Systems: If we use a third-party company for maintaining our door entry system or CCTV system, they might have incidental access to data (e.g. CCTV footage or entry logs) when servicing the equipment. They operate under our instructions and for our purposes.

    • Cleaning or Maintenance Contractors: These contractors generally won’t access personal data, but if an incident occurred (like something recorded on CCTV involving a contractor), we might share relevant footage or info with their employer for investigation.

    • Marketing and Design Services: If we use an agency to help with marketing, we might provide them a distribution list (emails) or general demographic info to craft campaigns. They would be under contract to use it solely for our marketing as directed.

    • Cloud Storage/Software: We may store documents or data in cloud-based solutions (like Office 365, Google Workspace, etc.). As such, personal data (like a spreadsheet of members or incident reports) could reside on those systems. We ensure such services are reputable and secure.

  • Group Companies or Successor: Currently, Kirkby Leisure Club Ltd operates as a single entity. If in the future we form a group or the Club is acquired by or merged with another company, your data may be transferred to the new owners or affiliated company as part of the business transfer (so they can continue providing the services). They will be bound by the same laws and this privacy policy (unless you’re notified of changes). We will inform members of any such ownership change.

  • Legal and Professional Advisors: We may share information with our professional advisors such as lawyers, accountants, or insurance providers when necessary. For example, if there’s a personal injury claim, we would share relevant membership records, incident reports, and CCTV with our insurer or legal counsel to handle the case. Accountants may see personal data in the context of finances (e.g. names on transaction records) but they have a duty of confidentiality.

  • Law Enforcement and Authorities: If required by law, or if we believe it’s necessary to protect people’s rights, property, or safety, we may share data with law enforcement or regulatory authorities. This could include providing CCTV footage or access logs to the police for an investigation, reporting an incident to safeguarding authorities, or responding to government audits. We will validate any request to ensure it’s legitimate and only share the minimum necessary information. Also, if a public health authority requires attendance records for contact tracing (like during COVID-19), we would comply as legally required.

  • Emergency Medical Personnel: In case of a medical emergency at the Club, we might share your known medical conditions, personal details, or emergency contact info with paramedics or hospital staff to aid in your treatment (this falls under vital interests).

  • Other Members (Limited): By default, we do not disclose your personal data to other members. However, if you participate in group events, your name might be on a roster. If you connect with others via our social or community features (if any), information you choose to share (like on a members’ board or forum) could be seen by others – that would be by your action, not our direct sharing. Also, if a fellow member refers you for a membership or promotion, we might confirm to them whether you joined (for referral credit) but we wouldn’t share details beyond the basics needed for that program.

We require all third parties we share data with to respect the security of your personal data and to treat it in accordance with the law. We only permit them to process your data for specified purposes and in accordance with our instructions. Many of our third-party processors (like ClubRight, payment providers) have data processing agreements in place with us that define strict data protection obligations.

We do not share or transfer your data outside of the UK/European Economic Area unless it is to a country deemed adequate by the UK/EU or under appropriate safeguards (for example, if our cloud backup provider stores data in the US, they would be subject to Standard Contractual Clauses or an approved framework). If we ever need to transfer your data internationally, we will ensure compliance with GDPR transfer rules and inform you if necessary.

5. Data Security and Storage

We take data security seriously and have implemented various measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These include:

  • Physical Security: Our paper records (if any) containing personal data (e.g. membership forms, signed waivers, or health questionnaires) are kept in a secure location, such as locked filing cabinets in staff-only areas. The Club premises have controlled access and alarm systems when closed.

  • Electronic Security: We use password-protected systems and databases to store personal data. Each staff member has unique login credentials and access is role-based (meaning a staff member only accesses data they need for their job). For instance, front-desk staff can look up your membership account to check you in, but may not have access to detailed financial or health records which are restricted to management or trainers. We require strong passwords and regular updates.

  • Encryption: Sensitive data transfers are encrypted. Our membership portal and website utilize HTTPS (SSL/TLS encryption) for data in transit. Certain sensitive fields (like payment info) are encrypted in databases or handled by providers who specialize in secure transactions. When we store or transmit particularly sensitive info (like health details), we aim to encrypt that data at rest as well.

  • Firewalls and Network Security: Our digital infrastructure is protected by firewalls, anti-malware software, and monitoring for suspicious activities. We keep software and systems updated to patch vulnerabilities. If we use cloud services, they are reputable providers with strong security track records.

  • Data Minimization: We only retain the data that is necessary. If we don’t need certain personal info, we refrain from collecting or storing it. For example, we do not keep your card’s CVV or full number – that’s handled by the payment gateway. We also truncate or anonymize data in certain contexts (like using member ID instead of name in some internal logs) to limit exposure.

  • Training and Policies: Our staff are trained on data protection principles and are required to keep member information confidential. We have internal policies in place to prevent unauthorized sharing of data (for example, staff should not email member lists to personal accounts, etc.). Only authorized employees can access systems containing personal data.

  • Monitoring and Testing: We monitor our systems for potential breaches or attacks. If we use external IT management, they assist in monitoring. We also periodically review our security measures and may conduct vulnerability assessments or rely on our providers to do so.

  • Paper Document Handling: If and when we dispose of documents that contain personal data (e.g. old PAR-Q forms that have been updated), we shred or incinerate them securely. We do not toss documents with personal data in regular trash.

  • CCTV Security: CCTV footage is stored on a secure system with restricted access. Only management or designated security personnel can review footage, and it’s overwritten or deleted after a set period unless needed for an investigation. Monitors showing live CCTV may be in staff areas only.

Despite our robust measures, no system can be 100% secure. However, we follow industry best practices and continuously work to update our security protocols. If we ever experience a data breach involving your personal data, we will follow legal requirements to notify the affected individuals and authorities (like the ICO) as appropriate, especially if there is a risk to your rights and freedoms. We have a data breach response plan to handle such incidents, aiming to mitigate harm and prevent future incidents.

You also play a role in security: we encourage you to use a strong, unique password for our member portal and not share it. Be cautious if anyone contacts you claiming to be from the Club and asks for personal info – we will never ask for your password via phone or email. Report any suspicious activity or communications to us.

6. Data Retention – How Long We Keep Information

We will retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including any legal, accounting, or reporting obligations. Different types of data may have different retention periods:

  • Membership Data: If you are a member, we keep your personal and membership information active for the duration of your membership. When your membership ends, we will retain your core information for a certain period in case you rejoin or in case of any legal disputes. Typically, we retain basic membership records for up to 6 years after your membership ends, as this is often the statute of limitations for contract claims and also meets HMRC record requirements for financial transactions. This would include your contact details, membership history, and payment records. After that period, or upon your request (if feasible), we will either securely delete or anonymize your data.

  • Health and Fitness Information: Health questionnaires and training records are kept while you are an active member (so trainers have access to your history). After membership ends, we may retain those for a shorter period (for example, 1-2 years) unless an incident requires longer retention. If there’s an injury or incident, related records may be kept as long as the incident record (which could be 3 years or more if minors are involved, potentially until a minor turns 21 under UK law for injury claims). If you provided health info and leave without incident, we will likely delete this sensitive info sooner (e.g. within a year of membership ending) as it’s not needed long-term.

  • Payment Records: We retain financial transaction records for at least 6 years per tax law requirements. This includes invoices, receipts, and payment history linked to you. If there’s a dispute or unpaid balance, we keep related data until resolved and then as part of financial records.

  • Communications: Emails and correspondence with you may be retained for a period for reference. General inquiries that don’t result in membership are usually deleted or anonymized within a year or two. Member correspondence might be kept with your file for a few years to maintain history (especially if it led to policy agreements or important info). We regularly review old communications and purge what’s no longer needed.

  • CCTV Footage: CCTV recordings are typically retained for a short period, usually around 30 days, after which they are automatically overwritten or deleted, unless an incident is recorded that we need to investigate further. If footage is extracted relating to an incident (e.g. an accident or theft), that excerpt may be kept until the matter is resolved (e.g. until a claim is settled or police investigation concluded), then deleted.

  • Website Logs: Web server logs and analytics data are typically retained for a short duration, maybe 26 months for Google Analytics or similar (as is common) unless we configure differently. Cookies on your browser may persist according to their nature (session cookies vs. persistent cookies – see Cookies section). You can clear cookies anytime.

  • Prospective Members: If you inquire about membership but do not join, we might keep your contact info for a brief time to follow up, but generally no more than 1 year, unless you consent to ongoing marketing.

  • Marketing Data: If you have opted into newsletters, we will keep your contact info until you unsubscribe or the list is refreshed. If you unsubscribe, we may keep a record of your opt-out to ensure we don’t contact you, but will remove you from active mailing lists immediately.

  • Accident/Incident Reports: We maintain incident reports (accidents, injuries) for a minimum of 3 years, or longer if the law requires. For injuries involving minors, we might keep them until the child is 21 (3 years past age 18) because of potential legal claims timeframes.

  • Legal Records: If you were involved in any legal dispute, we will retain related information until the matter and any appeal period are concluded, possibly longer if required by legal authorities.

After the applicable retention period, we will either delete your personal data or anonymize it (so it can no longer be associated with you). For example, we may convert your usage data into aggregated statistics (which are not personal data) for long-term analysis after removing personal identifiers.

Anonymization: Sometimes we convert data into an anonymous form for research or business analysis (e.g. average age of our members, or monthly attendance stats). This is not personal data anymore and may be kept indefinitely as it poses no privacy risk.

If there is any data we technically cannot delete entirely from our systems (for instance, data stored in long-term backups), we will ensure it’s put beyond typical use – meaning it’s not readily accessible except if needed for disaster recovery, and even then we would protect it.

We periodically review the data we hold and erase or anonymize what is no longer needed. If you believe we’re holding data about you longer than we should, please contact us and we will review and correct if appropriate.

7. Your Rights and Choices

Under data protection laws, you have several rights regarding your personal data. We are committed to honoring these rights. They include:

  • Right to Access: You have the right to request a copy of the personal data we hold about you, as well as information on how we process it (commonly known as a “Data Subject Access Request”). We will provide you with a copy of your data in a commonly used format (unless doing so adversely affects the rights of others). This is usually free of charge, but if you request additional copies or the requests are excessive, we may charge a reasonable fee or refuse (but we would explain why). To make an access request, you can contact us via the contact details below. We will respond within one month of verifying your identity, or inform you if more time is needed for complex requests.

  • Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to have it corrected. It’s important that your information is up to date – please let us know of any changes (address, phone, email, etc.). You can also update certain info yourself via the ClubRight member portal (e.g. change your contact info or payment method). We will promptly update our records upon your request.

  • Right to Erasure (Right to be Forgotten): You may request that we delete your personal data, and we will do so in certain circumstances. This right is not absolute, but we will honor it if: the data is no longer necessary for the purposes collected, or you withdraw consent (for any data we solely rely on consent for), or you object to processing and we have no overriding legitimate grounds to continue, or if we unlawfully processed your data, or if required to erase to comply with a legal obligation. Note that if you request deletion of data essential to your membership (like your identity or billing info) and you are still within a contract, we might need to cancel the service as we cannot operate without it. Also, some data we might need to keep for legal reasons (e.g. transaction history for accounting) – in that case, we’ll let you know what we cannot erase and why.

  • Right to Restrict Processing: You have the right to ask us to restrict (pause) the processing of your personal data in certain situations. For example, if you contest the accuracy of the data, we’ll restrict processing until we verify the accuracy; or if you object (see below) and we’re considering that objection; or if processing is unlawful but you prefer restriction over deletion; or if we no longer need the data but you need it for a legal claim. While restricted, we can still store the data but not use it, except for certain exempt purposes (like legal claims or protecting others). We will inform you when a restriction is lifted.

  • Right to Data Portability: For data that you provided to us and that we process by automated means under consent or contract (e.g. your profile data, or workout records, etc., where applicable), you have the right to request a copy in a structured, commonly used, machine-readable format, and you have the right to have that data transmitted to another controller where technically feasible. In practice, this might mean if you decide to switch gyms, you could ask for an export of your basic membership and usage data so you can give it to the new gym. We will assist with this if relevant. Note this right does not apply to data we have inferred or generated (like our internal notes or risk ratings) – it mainly covers data you actively provided.

  • Right to Object: You have the right to object to certain types of processing:

    • Direct Marketing: You can object at any time to the use of your personal data for direct marketing purposes. If you do so, we will stop using your data for that purpose immediately. This includes profiling related to direct marketing. Practically, this means you can unsubscribe from our marketing emails at any time (each marketing email will have an unsubscribe link), or you can contact us to be placed on a do-not-contact list for promotions. There is no exception – if you object to marketing, we must honor it.

    • Legitimate Interests: If we are processing your data based on our legitimate interests (or for a task in the public interest) and you feel it impacts your rights, you have the right to object. Then we must stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for establishment/exercise/defense of legal claims. For instance, you could object to CCTV monitoring if you have particular grounds; we would then consider if our need (security) is overridden by your rights. We believe our processing is within reasonable expectations, but we will carefully review any objection.

  • Rights related to Automated Decision Making: We do not carry out any automated decision-making (including profiling) that produces legal or similarly significant effects on you without human involvement. If we ever do, you would have rights to contest such decisions or request human intervention. This is not applicable in our context currently, as decisions like membership approval or disciplinary actions are done with human oversight.

To exercise any of these rights, please contact us (see Contact section). We may need to verify your identity to ensure we don’t disclose or change data at the request of someone else. For example, we might ask you to confirm some details or show ID, especially for access or erasure requests, before executing them.

We will respond to rights requests within one month of receipt (and verification of identity). If a request is complex or requests are numerous, we may extend this by another two months but will inform you of the extension within the first month.

There is generally no fee for exercising your rights. However, if a request is clearly unfounded or excessive (for instance, repetitive requests without good reason), we may charge a reasonable fee to cover administrative costs or refuse to act on it. We will explain our reasoning in such cases.

Your Choices (Marketing): As mentioned, you can always choose not to receive marketing communications. Use the “unsubscribe” link in emails or reply STOP to SMS, or inform us directly. Even if you opt out of marketing, we will still send you important service messages (like payment notices or facility closures) as those are not promotional but part of our contractual obligations.

Updating Info: Please help us keep your data accurate by notifying us of any changes. You can update certain information through your online account or by contacting our membership services.

8. Cookies and Online Tracking

Our website (and related online services) uses “cookies” and similar technologies to improve user experience and to gather analytics about our site traffic. Cookies are small text files stored on your device (computer, smartphone) when you visit a website. They allow the website to remember your actions or preferences over time.

Types of Cookies We Use:

  • Necessary Cookies: These are essential for the website to function properly. For example, if our site has a member login, a session cookie would keep you logged in as you navigate pages. These cookies do not typically contain personal info beyond what’s needed for functionality and are usually session-based (expiring when you close your browser).

  • Analytics and Performance Cookies: We use these to collect information about how visitors use our site, such as which pages are most frequently visited, how users move around the site, and if they encounter errors. This helps us improve the website and our services. For instance, we might use Google Analytics which sets cookies to gather usage data (e.g. IP address, browser, time on page, referrals). The data is aggregated and not used to identify you directly. Google Analytics may use anonymized IP (and is subject to Google’s privacy policy). You can opt out of Google Analytics by using a browser add-on if you wish.

  • Functional Cookies: These cookies remember choices you make to give you a more personalized experience. For instance, if our site allows you to pick a preferred location or save login info, a cookie might store that preference.

  • Marketing/Advertising Cookies: Currently, we do not have third-party ads on our site, but if we run retargeting or use Facebook Pixel/Google Ads in the future, those cookies would track your site activity to provide tailored advertisements on other platforms. We would seek consent for such cookies if implemented.

Cookie Consent: When you first visit our website, you will see a cookie notice or banner. By continuing to use the site or clicking “Accept” (if applicable), you consent to our use of cookies as described. You can always adjust your browser settings to refuse or delete cookies. However, please note that blocking certain cookies may affect site functionality (for example, you might not be able to stay logged in or use some features if cookies are disabled).

Managing Cookies: You can usually manage cookies through your web browser controls. For example, you can set your browser to notify you when cookies are being set or to block them altogether. Different browsers have different ways to do this, so check your browser’s help section for instructions. Additionally, there are online tools and websites that allow you to opt-out of certain cookies (like http://www.aboutads.info for advertising cookies).

Third-Party Links: Our website or app might contain links to external websites (for example, a link to our social media pages, or to ClubRight’s platform). If you follow these links, understand that those websites have their own privacy and cookie policies. We do not control third-party sites, so please review their policies. We are not responsible for the content or data handling of external sites.

Do Not Track: Some browsers have a “Do Not Track” feature. At this time, our site does not respond differently to DNT signals, because there is no industry consensus on how to interpret them. We treat all site users the same with regard to cookies, but as described, you can opt out of specific tracking cookies as noted above.

9. Updates to This Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will update the “Effective Date” at the top of the policy. If changes are significant, we may also notify you directly via email or via a notice on our website or at the Club.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use our services or maintain membership after an update, it implies acceptance of the revised policy, to the extent permitted by law.

If we were to ever use your personal data in a materially different way than stated at the time of collection, we would notify you and, if required by law, seek your consent before the new use.

10. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us:

Kirkby Leisure Club – Data Protection
Address: 77 Windsor Road, Prestwich, Lancashire, UK, M25 0DB
Email: admin@kirkbyleisureclub.co.uk 
Phone: 01524876195

We will gladly assist with privacy-related issues and aim to respond promptly.

Complaints: If you believe your data has been handled improperly or your requests haven’t been addressed, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues. You can contact the ICO at:

  • Website: https://ico.org.uk/make-a-complaint/

  • Helpline: +44 303 123 1113

  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the chance to address your concerns before you approach the ICO, so please consider reaching out to us first. Your privacy is important to us, and we’ll do our best to resolve any issue.