
GDPR Compliance

Last updated: January 2024

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 set out the framework for data protection law in the United Kingdom. At spotlessflight, we take our obligations under these regulations seriously and are committed to protecting your personal data.

Who We Are

Spotlessflight Fitness Ltd is the data controller responsible for your personal data. Our contact details are:

Spotlessflight Fitness Ltd
Unit 7, Riverside Business Centre
42 Mill Lane
Manchester, M15 4QU
Email: [email protected]

Your Rights Under GDPR

The UK GDPR provides you with specific rights regarding your personal data. We want to make sure you understand these rights and can exercise them easily.

Right to Be Informed

You have the right to be told how your personal data will be used. This notice, along with our Privacy Policy, explains our data processing practices in clear, plain language.

Right of Access

You can request a copy of all personal data we hold about you. This is commonly known as a Subject Access Request (SAR). We will respond to your request within one month, free of charge, unless the request is manifestly unfounded or excessive.

Right to Rectification

If you believe any information we hold about you is inaccurate or incomplete, you have the right to request correction. We aim to update records within one month of receiving your request.

Right to Erasure

Also known as the "right to be forgotten," you can request that we delete your personal data in certain circumstances, including:

  • The data is no longer necessary for the purpose for which we originally collected it
  • You withdraw consent (where consent was the legal basis for processing)
  • You object to processing and there is no overriding legitimate interest
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

Right to Restrict Processing

You can ask us to limit how we use your data while a complaint is being investigated, or in other specific circumstances defined by the regulation.

Right to Data Portability

Where we process your data based on consent or contract, and processing is automated, you have the right to receive your data in a commonly used, machine-readable format and to transmit it to another controller.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop processing your data for that purpose immediately.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently use automated decision-making systems.

Lawful Bases for Processing

We only process your personal data when we have a valid lawful basis. The bases we rely upon include:

Contract

When you become a member, we need to process certain information to fulfil our contractual obligations to you. This includes your contact details, payment information, and health information necessary to provide safe and effective training.

Legitimate Interests

We may process data where we have a legitimate business interest that does not override your rights. Examples include:

  • Keeping records of our interactions with members
  • Improving our services based on member feedback and usage patterns
  • Sending communications about services that may interest existing members
  • Maintaining security at our premises

Consent

Where required, we will ask for your explicit consent before processing. You can withdraw consent at any time by contacting us. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

Legal Obligation

Sometimes we must process data to comply with our legal obligations, such as maintaining financial records for tax purposes or responding to lawful requests from authorities.

Special Category Data

Health and fitness information is considered special category data under GDPR and receives additional protection. We process this data based on:

  • Your explicit consent, provided when you complete our health questionnaire
  • Our legitimate interests in providing safe fitness services (where consent is not required)

We only collect health information that is necessary for designing safe, effective training programmes and will never share this information without your explicit consent, except in emergency situations.

Data Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest where appropriate
  • Regular security assessments and updates
  • Staff training on data protection and security
  • Access controls limiting who can view personal data
  • Physical security measures at our premises
  • Regular backups with secure storage

International Transfers

We primarily process data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the Information Commissioner's Office.

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected. Our standard retention periods are:

  • Active member records: Retained throughout membership and for six years after
  • Enquiries that did not result in membership: Two years
  • Financial records: Six years (as required by law)
  • Marketing consents: Until withdrawn or after three years of inactivity
  • CCTV footage: 30 days unless required for a specific purpose

Exercising Your Rights

To exercise any of your GDPR rights, please contact us at [email protected]. We may need to verify your identity before processing your request. We will respond within one month, though this may be extended by two months for complex requests.

Complaints

If you are dissatisfied with how we handle your data or your rights request, you can:

  • Contact us directly to resolve the issue
  • Lodge a complaint with the Information Commissioner's Office (ICO)

The ICO can be contacted at ico.org.uk or:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Changes to This Notice

We may update this GDPR notice periodically. Significant changes will be communicated to members directly. The date at the top of this page indicates when it was last revised.
