GDPR Information
Last updated: 9 April 2026
Our commitment to data protection
glow-fern Ltd is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we comply with these regulations and what rights you have regarding your data.
Data controller details
For the purposes of data protection legislation, the data controller is:
glow-fern Ltd
Company number: 09234567
Registered address: 42 Deansgate Mews, Manchester, M3 2FF, United Kingdom
Email: [email protected]
We have not appointed a Data Protection Officer as we are not required to do so under current legislation. Data protection queries should be directed to the email address above.
Lawful basis for processing
We only process your personal data when we have a lawful basis to do so. The specific basis depends on the type of data and purpose:
Performance of a contract
When you purchase our services, we process data necessary to deliver those services, including your contact details, payment information, and training records. This processing is necessary to fulfil our contractual obligations to you.
Consent
We rely on your explicit consent for:
- Processing health and medical information for safe exercise prescription
- Taking and storing progress photographs
- Sending marketing communications
- Sharing information with third parties such as healthcare providers
You may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
Legitimate interests
We process certain data based on legitimate business interests, including:
- Improving our services through analysis of usage patterns
- Preventing fraud and ensuring facility security
- Maintaining business records for operational purposes
- Pursuing or defending legal claims
We balance these interests against your rights and freedoms. You have the right to object to processing based on legitimate interests.
Legal obligation
We process data where required by law, such as maintaining financial records for tax purposes and complying with health and safety regulations.
Your GDPR rights explained
Right of access
You can request a copy of all personal data we hold about you. This is commonly known as a Subject Access Request (SAR). We will provide this information free of charge within one month, unless your request is complex or you make multiple requests.
To request your data, email [email protected] with "Subject Access Request" in the subject line. We may ask for identification to verify your identity before releasing data.
Right to rectification
If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. This includes updating contact details, correcting errors in training records, or amending health information.
You can update some information directly by speaking to your coach. For other corrections, contact us at [email protected].
Right to erasure
Also known as the "right to be forgotten", you can request deletion of your personal data in certain circumstances:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other lawful basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
- Deletion is required to comply with a legal obligation
This right is not absolute. We may refuse erasure if we need the data to comply with legal obligations, establish or defend legal claims, or for other legitimate reasons. For example, we must retain financial records for tax purposes even if you request deletion.
Right to restriction of processing
You can request that we limit how we use your data in certain situations:
- You contest the accuracy of data while we verify it
- Processing is unlawful but you prefer restriction over deletion
- We no longer need the data but you need it for legal claims
- You have objected to processing while we consider whether our legitimate grounds override yours
When processing is restricted, we can store the data but not use it without your consent or for specific limited purposes.
Right to data portability
Where processing is based on consent or contract and is carried out by automated means, you can request that we provide your data in a structured, commonly used, machine-readable format. You can also ask us to transmit this data directly to another service provider where technically feasible.
This right applies to data you provided to us, such as contact information and training records, but not to data we generated about you.
Right to object
You have the right to object to processing based on legitimate interests or for direct marketing purposes.
Marketing: You can opt out of marketing communications at any time. Each marketing email includes an unsubscribe link. Alternatively, email [email protected] with "Unsubscribe" in the subject line.
Legitimate interests: You can object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights related to automated decision-making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. All decisions about your training are made by qualified human coaches.
How we handle special category data
Health information is "special category data" under GDPR, requiring additional protections. We process health data only when:
- You have given explicit consent
- Processing is necessary for preventive or occupational medicine
- Processing is necessary to protect your vital interests and you are incapable of giving consent
Before collecting health information, we explain why we need it and how it will be used. You must actively consent, and can withdraw consent at any time. However, withdrawal may affect our ability to deliver services safely.
Health information is accessible only to coaches directly involved in your training and is stored securely with encryption.
Data protection by design and default
We implement data protection principles into all our operations:
- We collect only data necessary for specified purposes
- Access to personal data is restricted to staff who need it for their work
- Data is encrypted both in transit and at rest
- We regularly review and delete data no longer needed
- Privacy settings default to the most protective options
- Staff receive regular training on data protection obligations
Data breach procedures
We have procedures in place to detect, report, and investigate data breaches. If a breach occurs that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours of becoming aware
- Inform affected individuals without undue delay if the breach poses a high risk
- Document the breach including facts, effects, and remedial action taken
- Take steps to mitigate the breach and prevent future occurrences
Third-party processors
Where we use third parties to process data on our behalf, we ensure they:
- Provide sufficient guarantees of technical and organisational security measures
- Process data only on our documented instructions
- Maintain confidentiality of personal data
- Assist us in responding to requests from data subjects
- Delete or return data when processing services end
We maintain a register of all processors and regularly audit their compliance with data protection requirements.
International data transfers
Your data is primarily stored and processed in the United Kingdom. Where we transfer data outside the UK to countries without an adequacy decision, we use appropriate safeguards such as:
- Standard contractual clauses approved by regulatory authorities
- Binding corporate rules
- Codes of conduct or certification mechanisms
You can request information about specific safeguards we use for international transfers.
Record keeping and accountability
We maintain detailed records of our processing activities as required by GDPR, including:
- Purposes of processing
- Categories of data subjects and personal data
- Recipients of personal data
- International transfers and safeguards
- Retention periods
- Security measures
These records are available to the Information Commissioner's Office upon request.
Children's data
We do not provide services to children under 16 without parental or guardian consent. Where we do collect data about children with appropriate consent, we take extra care to ensure:
- Information is provided in clear, age-appropriate language
- Consent is verified as coming from a parent or guardian
- Data is processed only for the specific purpose consented to
- Children can exercise their rights through their parent or guardian
How to exercise your rights
To exercise any of your GDPR rights:
- Contact us at [email protected] clearly stating which right you wish to exercise
- Provide sufficient information to identify you (we may request ID for verification)
- Specify exactly what you are requesting
We will respond within one month. If your request is complex, we may extend this by two months and will explain the reason for delay.
We do not charge a fee unless your request is clearly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable fee or refuse the request.
Making a complaint
If you believe we have not handled your data properly or have not responded adequately to a request, you have the right to complain to the supervisory authority:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
We encourage you to contact us first so we have the opportunity to address your concerns directly.
Updates to this information
We review this page regularly and update it when our practices change or legislation is amended. Significant changes will be communicated to active clients via email. The date at the top of this page indicates when it was last updated.