Definition Gym Tonbridge
Privacy Policy



DEFINITION GYMS Privacy Policy

Data Controller: Definition Gym Tonbridge Ltd
Contact Email: info@definitiongyms.co.uk
ICO Registration Number: CSN4089339
Policy Effective Date: 2nd April 2026

This Privacy Policy explains how Definition Gym Tonbridge Ltd (trading as Definition Gyms) collects, uses, stores, and shares your personal data when you use our gyms, website, or any of our services. It applies to all Definition Gyms sites. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. WHAT DATA WE COLLECT

We collect the following categories of personal data:

| Category | Examples | When Collected |
|---|---|---|
| Identity & contact | Full name, date of birth, email, phone number, postal address | Sign-up, account updates |
| Health data | PAR-Q responses, declared medical conditions, GP details | Sign-up (PAR-Q completion) |
| Biometric data | Fingerprint template (mathematical representation, not an image) | Sign-up, each gym entry |
| Emergency contact | Contact name, relationship, phone number | Sign-up |
| Financial & payment | Bank details (Direct Debit), card details (processed by our payment provider), transaction history | Sign-up, each payment |
| Access & usage | Entry/exit timestamps, QR code scans, facility bookings, class attendance | Each gym visit |
| CCTV footage | Video recordings in common areas (not changing rooms, showers, or toilets) | Continuously during visits |
| Communications | Emails, enquiry forms, complaints, feedback | When you contact us |
| Website & digital | IP address, browser type, pages visited, cookies, Meta pixel data, Google Analytics data | Website visits, ad interactions |
| Marketing preferences | Opt-in/opt-out status, communication channel preferences | Sign-up, preference updates |

2. WHY WE COLLECT IT & OUR LAWFUL BASES

Under UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out each purpose and the legal basis we rely on.

Definition Gyms — Privacy Policy v1.0 | Page 2

| Purpose | Lawful Basis |
|---|---|
| Managing your membership, billing, and account | Contract — necessary to perform our contract with you |
| Processing payments and collecting outstanding balances | Contract — necessary to perform our contract with you |
| Health screening (PAR-Q) to support your safety | Explicit consent — you consent when completing the PAR-Q |
| Biometric access control (fingerprint recognition, QR code) | Explicit consent — you consent at enrolment |
| Emergency contact storage and use in the event of an incident | Legitimate interest — protecting your vital interests and the safety of members |
| CCTV operation for security and incident investigation | Legitimate interest — security of members, staff, and premises |
| Sending you important membership communications (e.g. payment confirmations, facility changes, safety notices) | Contract / Legitimate interest — necessary to manage your membership |
| Sending marketing communications (offers, events, new services) | Consent — you can opt out at any time |
| Behaviour and engagement analysis to improve retention and services (via Scalr) | Legitimate interest — improving our services and member experience |
| Website analytics and advertising (Google Analytics, Meta pixel) | Consent — via cookie consent on our website |
| Complying with legal obligations (e.g. tax, health & safety reporting) | Legal obligation |

3. WHO WE SHARE YOUR DATA WITH

3.1 We do not sell your personal data to anyone. We share your data only with trusted third-party service providers who help us operate the gym and manage your membership. All third parties are bound by data processing agreements and are required to handle your data in accordance with UK GDPR.

| Provider / Category | What They Process | Why |
|---|---|---|
| Clubright (gym management platform) | Identity, contact, membership, access, booking, and payment data | Membership management, billing, access control, class bookings |
| Payment processor (e.g. GoCardless / Stripe) | Bank details, card details, transaction data | Processing Direct Debit and card payments securely |
| Mailchimp (email marketing) | Name, email address, marketing preferences | Sending marketing emails and membership communications |
| Scalr (member behaviour platform) | Access data, usage patterns, engagement metrics | Identifying at-risk members, improving retention and services |
| Google Analytics | Anonymised website usage data, IP address, browser data | Understanding website traffic and improving our online presence |
| Meta (Facebook/Instagram) | Website activity data via pixel, ad interaction data | Targeted advertising and measuring ad effectiveness |
| Biometric access system provider | Fingerprint templates | Operating the 24/7 biometric entry system |
| CCTV system provider | Video footage | System maintenance and secure storage |
| Debt collection agency (if applicable) | Name, contact details, outstanding balance | Recovery of unpaid membership fees (only where necessary) |
| Professional advisors (accountants, solicitors, insurers) | As required | Legal compliance, insurance claims, financial reporting |
| Law enforcement or regulators | As required by law | Complying with legal obligations or lawful requests |

3.2 Some of our service providers (e.g. Mailchimp, Google, Meta) may transfer data outside the UK. Where this happens, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO, or the provider being certified under a recognised adequacy framework.

4. BIOMETRIC DATA — SPECIAL PROVISIONS

4.1 We collect biometric data (a mathematical template derived from your fingerprint) solely for the purpose of controlling access to the gym via internal turnstiles. We do not store fingerprint images — only an encrypted numerical template that cannot be reverse-engineered into a fingerprint image.

4.2 Biometric data is classified as special category data under UK GDPR. We process it on the basis of your explicit consent, which you provide at the point of biometric enrolment.

4.3 You have the right to withdraw your consent to biometric processing at any time. If you withdraw consent, we will delete your biometric template and provide an alternative access method (e.g. QR code or access card). Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal.

4.4 Your biometric template is stored securely within our access control system with appropriate encryption. It is deleted when your membership ends and any retention period (see section 6) has expired.

5. CCTV

5.1 CCTV cameras are in operation in common areas of the gym, including the gym floor, reception, corridors, and entry/exit points. CCTV does not operate in changing rooms, showers, or toilets.

5.2 CCTV is operated for the purposes of: preventing and detecting crime, ensuring the safety of members and staff, investigating incidents and complaints, and monitoring the security of the premises during unstaffed hours.

5.3 CCTV signage is displayed at the entrance to each site and in monitored areas.

5.4 CCTV footage is stored securely and retained for a maximum of 30 days, unless it is required for an ongoing investigation, legal proceedings, or a legitimate complaint, in which case it may be retained for as long as necessary.

5.5 You have the right to request access to CCTV footage in which you appear (a Subject Access Request). We will respond within one calendar month in accordance with UK GDPR.

6. HOW LONG WE KEEP YOUR DATA

We retain your data only for as long as necessary for the purposes set out in this policy, or as required by law. The table below sets out our standard retention periods.

| Data Category | Retention Period |
|---|---|
| Membership and account data | Duration of membership + 6 years (to comply with limitation periods for contractual claims) |
| Health data (PAR-Q) | Duration of membership + 6 years |
| Biometric data (fingerprint template) | Deleted within 30 days of membership ending |
| Payment and financial records | Duration of membership + 7 years (HMRC requirements) |
| CCTV footage | 30 days (unless needed for investigation) |
| Emergency contact details | Deleted within 30 days of membership ending |
| Email marketing data | Until you unsubscribe, or 12 months after membership ends if no engagement |
| Website analytics data | As per Google Analytics and Meta retention settings (typically 14–26 months) |
| Access logs (entry/exit) | Duration of membership + 2 years |

6.1 When data reaches the end of its retention period, it is securely deleted or anonymised so that it can no longer be linked to you.

7. YOUR RIGHTS

Under UK GDPR, you have the following rights in relation to your personal data. You can exercise any of these rights by contacting us at info@definitiongyms.co.uk.

| Right | What It Means |
|---|---|
| Access | You can request a copy of all personal data we hold about you (a Subject Access Request). We will respond within one calendar month. |
| Rectification | You can ask us to correct any inaccurate or incomplete data we hold about you. |
| Erasure (right to be forgotten) | You can ask us to delete your personal data. We will do so unless we have a legal obligation or legitimate reason to retain it. |
| Restriction | You can ask us to limit how we use your data in certain circumstances (e.g. while a complaint is being investigated). |
| Data portability | You can request a copy of your data in a structured, commonly used, machine-readable format. |
| Objection | You can object to processing based on legitimate interest. We will stop unless we can demonstrate compelling legitimate grounds. |
| Withdraw consent | Where we rely on your consent (e.g. biometric data, marketing), you can withdraw it at any time. This does not affect processing that took place before withdrawal. |
| Complaint | You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data rights have been violated. |

7.1 We will not charge a fee for responding to a data rights request unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse the request.

7.2 We may ask you to verify your identity before processing a request, to protect the security of your data.

8. COOKIES & WEBSITE TRACKING

8.1 Our website uses cookies and similar tracking technologies to improve your browsing experience, analyse website traffic, and deliver targeted advertising.

8.2 We use the following types of cookies:
(a) Strictly necessary cookies — required for the website to function (e.g. session cookies). These do not require your consent.
(b) Analytics cookies (Google Analytics) — help us understand how visitors use our website. Enabled only with your consent.
(c) Marketing cookies (Meta/Facebook pixel) — allow us to show you relevant advertising on social media platforms. Enabled only with your consent.

8.3 When you first visit our website, a cookie consent banner will allow you to accept or reject non-essential cookies. You can change your cookie preferences at any time through your browser settings or the cookie settings link on our website.

9. CHILDREN & YOUNG PEOPLE

9.1 Members aged 16 or 17 must have a parent or legal guardian co-sign their membership agreement and PAR-Q. We collect the parent/guardian's name, signature, and relationship as part of this process.

9.2 We do not knowingly collect personal data from anyone under the age of 16. If we become aware that we hold data for a person under 16, we will delete it promptly.

10. DATA SECURITY

10.1 We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, destruction, or alteration. These include:
(a) Encryption of biometric templates and sensitive data at rest and in transit.
(b) Access controls limiting data access to authorised personnel only.
(c) Secure password policies and multi-factor authentication for staff systems.
(d) Regular review of third-party data processing agreements.
(e) Secure disposal of physical records containing personal data.

10.2 In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform you directly without undue delay, as required by UK GDPR.

11. CHANGES TO THIS POLICY

11.1 We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. Where changes are significant, we will notify you by email or by displaying a notice in the gym.

11.2 The most current version of this policy will always be available on our website and at reception. We encourage you to review it periodically.

12. CONTACT US

If you have any questions about this Privacy Policy, want to exercise your data rights, or have a concern about how we handle your personal data, please contact us:

Definition Gym Tonbridge Ltd (trading as Definition Gyms)
Email: info@definitiongyms.co.uk
Address: Unit 9, The Stables, Goblands Farm Business Centre, Cemetery Lane, Hadlow, Kent, TN11 0LT
ICO Registration: CSN4089339

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Definition Gym Tonbridge Ltd — Privacy Policy v1.0