GDPR Compliance Policy for TrainFX Health Club
Effective Date: 1st August 2025
TrainFX Health Club (“we,” “our,” or “us”) is fully committed to protecting the personal data of individuals and ensuring compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable EU GDPR standards where relevant.
This policy outlines how we collect, process, store, and protect personal data in accordance with our legal obligations and our commitment to data protection best practices.
We process personal data lawfully, fairly, and transparently. All data collected is limited to what is necessary for the stated purposes, kept accurate and up to date, and stored securely. We take appropriate steps to protect the rights of individuals and maintain full accountability for our data handling practices.
We process personal data only when we have a lawful basis to do so, including:
Consent: For marketing communications and optional data fields.
Contractual necessity: To provide membership services and fulfill our agreement with you.
Legal obligation: To meet regulatory and tax requirements.
Legitimate interest: For service improvements, website analytics, and fraud prevention, provided these do not override your fundamental rights.
Identifying information (name, email, phone number)
Membership details (ID, subscription, preferences)
Payment data (processed via secure third-party providers)
Website usage data (via analytics and cookies)
Communication records (emails, feedback forms)
We do not collect or process special category data unless explicitly submitted by the data subject for a specific service (e.g., fitness goals or health disclosures).
In accordance with the UK GDPR and EU GDPR, individuals have the right to:
Access their personal data
Rectify inaccurate or incomplete data
Request erasure of their data ("right to be forgotten")
Restrict or object to data processing in certain cases
Port data to another service provider
Withdraw consent at any time (where processing is based on consent)
All rights can be exercised by contacting us using the details provided in Section 10.
We implement technical and organisational measures to protect personal data against unauthorised access, loss, or misuse, including:
SSL encryption for data in transit
Secure server environments
Role-based access controls for staff
Regular software updates and security audits
Vendor due diligence for third-party service providers
We retain personal data only for as long as necessary for the purposes for which it was collected, or to comply with legal, accounting, or regulatory requirements. When data is no longer required, we securely delete or anonymise it.
We do not sell personal data. We share data only with trusted third-party vendors under contract for:
Payment processing
Hosting and IT support
Marketing (with consent)
Analytics and performance tracking
Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses where applicable.
In the event of a personal data breach, we will:
Assess the risk and severity of the breach
Notify the Information Commissioner’s Office (ICO) within 72 hours if required
Inform affected individuals when the breach is likely to result in a high risk to their rights and freedoms
Take immediate action to contain and mitigate the breach
All employees and contractors with access to personal data receive GDPR training and are required to follow strict data handling procedures. Data protection is embedded into our operational processes.
To exercise your data rights or raise a data protection concern, contact:
Data Protection Officer
TrainFX Health Club
Unit 718, Thorp Arch Trading Estate
Wetherby, LS23 7BJ
danny[@]trainfxhealthclub.com
01937 849116
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at www.ico.org.uk if you believe your rights have been violated.
We review this policy regularly to ensure ongoing compliance with GDPR and evolving best practices.