Privacy Policy

Last updated: 2 October 2025

This Privacy Policy explains how The London Fit Club Ltd. ("the Company", "we", "us", "our") collects, uses, and safeguards personal data when you use our services. It also sets out your rights under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

By using our services, you acknowledge that you have read and understood this Privacy Policy.

1. Who We Are

The London Fit Club Ltd. is the "data controller" of your personal data. We decide how and why your data is used, although we rely on carefully selected third-party providers to process and store that data on our behalf.

Company details:
The London Fit Club Ltd.
Company Number: 08177156
Unit P Mandara Place, Yeoman Street, London, SE8 5FA
Phone: 020 3606 0560
Email: info@ldnfitclub.co.uk
ICO Registration Number: ZB342038

2. Information We Collect

We may collect and process the following categories of personal data:

2.1 Identity and Contact Data
Name, email address, phone number, postal address, date of birth.

2.2 Health, Disability and Behavioural Data (Special Category Data)
All health conditions, injuries, disabilities, medications (prescription and over-the-counter), learning differences, or behavioural issues relevant to service delivery, safeguarding, or adjustments.
Important: We only collect health and medication information where it is necessary to provide safe and effective services. We will obtain your explicit consent before collecting this information through a separate health screening form or questionnaire (PAR-Q).

2.3 Account and Service Data
Booking history, preferences, session notes, programme records, attendance records, and progress tracking.

2.4 Payment Data
Payment information is processed through GoCardless and TakePayments/Barclaycard. We do not store full card details on our systems. We retain transaction records, invoice details, and payment status information.

2.5 Technical and Usage Data
IP address, browser type, device identifiers, website usage statistics, and cookies. For more information, please see our Cookie Policy (Section 13).

2.6 Youth Participant Data
For clients under 18, we may collect: emergency contacts, school or placement details, parental/guardian contact information, and safeguarding information where relevant.

2.7 Marketing Preferences
Your preferences regarding how you wish to receive marketing communications from us.

2.8 Photographs and Video
Images or video footage captured during sessions or events, where you have provided explicit consent for their use in promotional materials.

3. Where and How Your Data Is Stored

We do not host customer data on local servers. Instead, data is securely stored using third-party processors, including:

  • Physitrack – rehabilitation and therapy programme delivery

  • Zanda Health – bookings, session records, therapy notes, client management

  • Microsoft 365 (Outlook/OneDrive/SharePoint) – secure communications and document storage

  • POS systems – in-store payment processing

  • GoCardless – Direct Debit payment processing

  • TakePayments / Barclaycard – card payment processing

All providers act as data processors under contract and must meet strict security standards. We have Data Processing Agreements (DPAs) in place with all processors to ensure compliance with UK GDPR.

4. Lawful Basis for Processing

We process personal data only where a lawful basis applies under Article 6 of the UK GDPR:

  • Contractual necessity – to provide requested services (e.g., delivering training sessions, managing bookings)

  • Legal obligation – to meet tax, regulatory, and safeguarding requirements

  • Legitimate interests – to operate and improve our services, prevent fraud, and ensure facility security, balanced against your rights

  • Consent – for optional services such as marketing communications and use of photographs/video

4.1 Special Category Data (Health, Disability, Medications, Behavioural Information)
Processed under:

  • Article 9(2)(h) – health and social care

  • Article 9(2)(g) – substantial public interest (safeguarding)

Explicit consent will be obtained via a separate health screening form or PAR-Q. Consent can be withdrawn at any time, but may affect service delivery.

4.2 Children's Data
For clients under 18, data is processed with parental/guardian consent. Parents/guardians must complete consent forms and health questionnaires. For children aged 13–17, we may accept limited consent directly, but parental consent is always required for health data.

5. How We Use Your Data

We use personal data to:

  • Deliver training, therapy, rehabilitation, and related services

  • Record progress, session notes, and adjustments to programmes

  • Provide safe participation for children, youth, and vulnerable persons

  • Process payments and manage commitments/session packs

  • Communicate about services, bookings, or updates

  • Provide youth mentorship and work placements

  • Comply with safeguarding, regulatory, and insurance obligations

  • Improve services through analysis and feedback

  • Send marketing (with consent)

  • Ensure facility security and prevent fraud

6. Sharing of Data

We may share data with:

  • Service providers listed in Section 3

  • Professional staff delivering services (need-to-know basis)

  • Parents/guardians/schools (for minors, where appropriate)

  • Regulators, insurers, or law enforcement (where required)

  • Professional bodies (e.g., HCPC for physiotherapy)

  • Business transferees (mergers or acquisitions)

We do not sell personal data.

7. International Transfers

Where providers transfer data outside the UK, safeguards are applied (adequacy regulations, SCCs, or binding corporate rules).

8. Data Retention

  • Adult training/therapy records: 7 years after service ends

  • Children’s health/therapy records: up to 25 years after birth or 8 years after treatment ends (whichever is longer)

  • Youth placements: 7 years

  • Financial/transaction records: 6 years minimum (HMRC)

  • Safeguarding records: 7+ years (statutory)

  • Marketing consent: until withdrawn + 6 months

9. Your Rights

Under UK GDPR you have the rights of access, rectification, erasure, restriction, objection, and portability, and the right to withdraw consent.
Requests: info@ldnfitclub.co.uk or by post. Responses within one month (extendable to 2 for complex requests). Proof of ID may be required.

We may decline requests where legal obligations, safeguarding, or regulatory requirements apply. Reasons will be explained.

10. Complaints

  • Service complaints: complaints@ldnfitclub.co.uk (acknowledge in 5 working days, respond in 14).

  • Data concerns: info@ldnfitclub.co.uk

  • Regulator: Information Commissioner’s Office (www.ico.org.uk / 0303 123 1113).

11. Security

We use encryption, access controls, audits, staff training, and secure disposal of records. Providers are bound by DPAs. If a breach occurs, we will notify affected individuals and the ICO within 72 hours.

12. Children's Data

Services for under-18s require parental/guardian consent.
We may collect health/disability/medication data under Article 9(2)(h) and 9(2)(g).
Parents/guardians may request access, correction, or deletion (subject to professional/safeguarding obligations).

13. Cookie Policy

  • Essential cookies: enable core functions, up to 1 year

  • Analytics cookies: usage tracking (e.g., Google Analytics), up to 2 years

  • Marketing cookies: interest-based advertising, up to 2 years

You can manage cookies via browser settings. Opt out of Google Analytics: https://tools.google.com/dlpage/gaoptout
A cookie banner will appear on first visit.

14. Marketing Communications

  • Opt-in: by consent at signup or in account preferences

  • Opt-out: via unsubscribe link, account preferences, or info@ldnfitclub.co.uk (processed within 48 hours)

15. Youth Work Experience and Mentorship

Placements arranged with school/parental consent. Data may include contact, emergency info, school details, and health/disability info. Retained 7 years. Processed under legitimate interests, contract, or consent. All placements follow our Safeguarding Policy.

16. Automated Decision-Making

We do not use automated decision-making or profiling with legal/significant effects. Data analysis is for internal purposes only.

17. Updates to This Policy

We may update this policy to reflect service, legal, or technology changes. Changes posted at www.thelondonfitclub.co.uk/privacy-policy. Material changes notified by email or website notice at least 30 days before taking effect.

18. Contact Us

The London Fit Club Ltd.
Unit P Mandara Place, Yeoman Street, London, SE8 5FA
General enquiries & data requests: info@ldnfitclub.co.uk
Complaints: complaints@ldnfitclub.co.uk
Phone: 020 3606 0560