Privacy Policy (Zack Fitness)

Last updated: 12 August 2025

We respect your privacy. This notice explains how we collect, use, and protect your data under UK GDPR and the Data Protection Act 2018.

1) Controller & Contact

Controller: [Zack Fitness]
Address: [34–35 Hatton Garden, London, EC1N 8DX]
Email: [pr*****@************************er.com]
Phone: [(+44) 7403 109 102]
ICO Registration No.: [enter number if registered]

2) Data We Collect

Identity & contact: name, email, phone, billing address, emergency contact.
Training data: goals, session notes, progress data.
Health data (special category): medical history/injuries relevant to safe training (only with your explicit consent).
Transaction data: payments, invoices, refunds.
Technical data: IP, device/browser info, cookies (see Cookie section).
Marketing preferences: opt-in/opt-out records.
Images/testimonials: only with your consent.

3) Purposes & Legal Bases

Provide services & manage bookings (Contract).
Health & safety screenings (Explicit Consent for health data; Vital Interests in emergencies).
Payments & accounting (Legal Obligation; Contract).
Client support & communications (Legitimate Interests; Contract).
Marketing (email/social) (Consent; you can opt out anytime).
Site security/analytics (Legitimate Interests).
Legal claims/compliance (Legal Obligation/Legitimate Interests).

4) Consent for Health Data

We will ask you to sign a consent form before collecting health information. You can withdraw consent at any time; if you do, we may be unable to provide certain services safely.

5) Sharing Your Data

We share data only when necessary with:

Payment processors: [e.g., Stripe/SumUp]
Booking/CRM tools: [e.g., Calendly, Google Workspace, Trainerize]
Email/SMS providers: [e.g., Gmail, Mailchimp, Twilio]
Accountants and legal advisors (where required)
Gyms/studios for access control/safety when you train at those venues
All processors are bound by contracts to protect your data.

6) International Transfers

Some providers may store data outside the UK. Where this happens, we rely on UK adequacy regulations, IDTA/SCCs, or equivalent safeguards.

7) Retention

Client records: up to 6 years after last service (tax/legal).
Health questionnaires: up to 3 years after last session (or as required by venue insurance).
Marketing data: until you opt out.
We securely delete or anonymise data once no longer needed.

8) Your Rights

You can access, correct, delete, restrict, object, and port your data. Where we rely on consent, you may withdraw it at any time.
To exercise rights: email [pr*****@************************er.com].
You can complain to the ICO: ico.org.uk or 0303 123 1113. We’d appreciate the chance to resolve your concerns first.

9) Cookies & Analytics

We use necessary cookies for site functionality and optional cookies for analytics/marketing.
On your first visit, a banner lets you accept or manage cookies.
You can change preferences anytime via [Cookie Settings link] and in your browser settings.
Typical cookies:
- Necessary: session/login security.
- Analytics: aggregated usage statistics (e.g., Google Analytics with IP masking).
- Marketing: only if you consent.

10) Marketing

We’ll email or message you about tips, offers, or updates only if you opt in (or where soft opt-in applies for existing clients).
Unsubscribe links are included in every message.

11) Children’s Data

Our services are for clients 16+. For under-16s we require guardian consent and may require guardian presence depending on venue rules.

12) Security

We apply technical and organisational measures (access controls, encryption in transit, least-privilege access, regular reviews). No method is 100% secure; we work to mitigate risks and act promptly on incidents.

13) Third-Party Links

Our website may link to third-party sites. We’re not responsible for their privacy practices. Check their policies.

14) Changes to this Policy

We may update this notice to reflect changes in law or our services. We’ll post the new version with a new “Last updated” date.