top of page

NFG - Privacy Policy 

PRIVACY POLICY
Northern Fitness Gym | northernfitnessgym.co.uk
Last updated: May 2025

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Data Controller: Northern Fitness Limited
Company Number: 14728445
Head Office Address: Unit 56, Colne Valley Business Park, HD7 5QG
Contact: northernfitnessgym@gmail.com
Website: northernfitnessgym.co.uk

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


1. INTRODUCTION

Northern Fitness Limited ("we", "us", "our") operates Northern Fitness Gym at northernfitnessgym.co.uk. We are committed to protecting and respecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains how we collect, use, store, share and protect your personal data when you use our website, become a member, attend classes, or otherwise interact with us. Please read this carefully.

If you have any questions about how we handle your data, please contact us at northernfitnessgym@gmail.com


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


2. WHAT PERSONAL DATA WE COLLECT

2.1 Identity and Contact Data

We collect your full name, email address, telephone number, and date of birth / age.

2.2 Health and Medical Data

We collect health and medical information on paper forms at the point of membership sign-up or class registration. This is used solely to ensure we can provide safe and appropriate exercise services to you, and to flag any conditions our staff should be aware of in an emergency. This is classified as special category data under UK GDPR and is handled with the highest level of care.

Paper health forms are stored securely on-site and are not transferred to digital systems. Access is restricted to authorised staff only.

2.3 Membership and Booking Data

We collect your membership type and status, class attendance records, and booking history via Spond, our class booking platform.

2.4 CCTV Footage

We operate CCTV cameras at our gym premises for the purposes of security, crime prevention, and the safety of our members and staff. CCTV footage is retained for up to one year before being overwritten. Access to footage is restricted to authorised personnel and, where required, law enforcement agencies.

2.5 Website Usage Data

When you visit northernfitnessgym.co.uk, we may collect standard internet log information and visitor behaviour data via Google Analytics. This may include your IP address, browser type, pages visited, and time spent on-site. This data is used in aggregate to improve our website.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


3. HOW WE COLLECT YOUR DATA

We collect personal data through the following means:

- Membership registration via Ashbourne Management Services, including data entered at the Ashbourne checkout
- Class bookings made through the Spond platform
- Paper health declaration forms completed at sign-up or class registration
- Our website at northernfitnessgym.co.uk, including pop-up sign-up forms and enquiry forms
- Competition entry forms, whether hosted on our website, social media, or third-party platforms
- Meta Lead Ads run on Facebook and Instagram, where you submit your details directly within the platform
- Organic social media activity, including direct messages sent to our Facebook or Instagram pages
- Direct communications with us by email, telephone, or in person
- CCTV cameras installed at our premises

Where we collect your data via competition entries, website pop-ups, or Meta Lead Ads, we will always present a clear consent statement at the point of collection explaining how your data will be used and giving you the opportunity to opt in to marketing communications. We will retain a record of your consent.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


4. LAWFUL BASIS FOR PROCESSING

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:

4.1 Contract

Processing your identity, contact, and membership data is necessary to perform our membership contract with you - including administering your membership, processing payments, and providing access to our facilities and classes.

4.2 Legitimate Interests

We process certain data on the basis of our legitimate interests as a business, where those interests are not overridden by your rights. These include:

- Sending you relevant communications about your membership, classes, and gym updates
- Marketing our services to existing members and enquirers
- Operating CCTV for security and safety purposes
- Using analytics to improve our website and service

We have conducted a Legitimate Interests Assessment (LIA) in respect of our marketing activities. You have the right to object to processing based on legitimate interests at any time - see Section 9.

4.3 Legal Obligation

We may process your data where required to comply with a legal obligation, for example in response to a lawful request from HMRC, a court order, or a law enforcement agency.

4.4 Vital Interests

In an emergency situation, we may use health information we hold to protect your vital interests or those of another person.

4.5 Explicit Consent (Special Category Data)

For health and medical information (special category data), we rely on your explicit consent given at the point of completing our health declaration form. You may withdraw this consent at any time, though this may affect our ability to safely provide services to you.

4.6 Consent (Competitions, Pop-ups, and Social Media Lead Forms)

Where we collect your name, email address, and telephone number via competition entry forms, website pop-up sign-up forms, or Meta Lead Ads on Facebook and Instagram, we rely on your freely given, specific, informed, and unambiguous consent as our lawful basis for processing and marketing to you.

At each of these collection points, we will present a clear opt-in checkbox or statement confirming what you are consenting to. You are never required to consent to marketing as a condition of entering a competition or accessing a free offer -  consent is always a genuine choice.

You may withdraw your consent at any time without detriment. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, use the unsubscribe link in any email we send you, or contact us directly.

Please note that where data is collected via Meta Lead Ads, Meta Platforms Ireland Limited acts as a joint data controller alongside us for the collection stage. Meta's privacy policy applies to data processed by Meta as part of this process. Once your data is transferred to us, we become the sole data controller.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


5. HOW WE USE YOUR PERSONAL DATA

We use your personal data for the following purposes:

- To administer and manage your gym membership
- To process payments via Ashbourne Management Services
- To manage class bookings and send you booking confirmations via Spond
- To communicate with you about your membership, classes, events, and promotions
- To send you marketing communications where you have consented or where we have a legitimate interest to do so
- To administer competitions, prize draws, and promotional offers, including contacting winners and delivering prizes
- To follow up with individuals who have expressed interest via website pop-ups or social media lead forms
- To ensure the safety of all members and staff on our premises
- To maintain CCTV footage for security and incident investigation
- To comply with our legal and regulatory obligations
- To improve our website, services, and marketing using analytics

We will not use your personal data for any purpose that is incompatible with the purposes described in this policy without first obtaining your consent.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


6. THIRD PARTIES WE SHARE DATA WITH

We may share your personal data with the following trusted third-party organisations who act as data processors on our behalf, or as independent data controllers. All third parties are required to process your data lawfully and in accordance with applicable data protection legislation.

Ashbourne Management Services
Purpose: Membership administration, direct debit processing, and checkout data collection
Privacy policy: ashbourne.uk.com/privacy

Spond
Purpose: Class booking and scheduling
Privacy policy: spond.com/en/privacy

GoHighLevel
Purpose: Marketing CRM, email/SMS communications, competition and pop-up data capture
Privacy policy: gohighlevel.com/privacy

Meta Platforms (Facebook / Instagram)
Purpose: Advertising, audience targeting, and Lead Ads (joint controller for lead form data collection)
Privacy policy: facebook.com/privacy/policy

Google (Ads & Analytics)
Purpose: Advertising performance and website analytics
Privacy policy: policies.google.com/privacy

Payment Processor (Stripe / PayPal)
Purpose: Secure payment processing
Privacy policy: Refer to your payment provider's privacy policy

We do not sell your personal data to any third party. We do not share your data with any organisation outside the UK or EEA without ensuring adequate safeguards are in place.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


7. DATA RETENTION

We retain your personal data only for as long as is necessary for the purposes for which it was collected, and in accordance with our legal obligations.

Membership records: Up to 6 years after membership ends (financial/legal obligation)
Health declaration forms: Up to 6 years after membership ends, stored securely on-site
Class booking records: Up to 6 years after membership ends
CCTV footage: Up to 1 year, then automatically overwritten
Website analytics: Aggregated; refer to Google Analytics data retention settings
Marketing communications: Until you opt out or object; records of opt-outs kept indefinitely

When your data is no longer required, we will securely delete or destroy it.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


8. DATA SECURITY

We take appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include:

- Restricted access to personal data on a need-to-know basis
- Secure physical storage of paper-based health records on-site
- Use of reputable, GDPR-compliant third-party platforms (Ashbourne, Spond, GoHighLevel)
- Password protection and access controls on digital systems
- Regular review of data handling practices

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and, where required, inform affected individuals without undue delay.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


9. YOUR RIGHTS UNDER UK GDPR

You have the following rights in relation to your personal data. These rights are not absolute and may be subject to exemptions in certain circumstances.

Right of Access
You can request a copy of the personal data we hold about you.

Right to Rectification
You can ask us to correct inaccurate or incomplete data.

Right to Erasure
You can request deletion of your data where there is no lawful reason to retain it.

Right to Restrict Processing
You can ask us to pause processing your data in certain circumstances.

Right to Data Portability
You can receive your data in a structured, machine-readable format.

Right to Object
You can object to processing based on legitimate interests, including direct marketing.

Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time without detriment.

To exercise any of your rights, please contact us in writing at our registered address or by email at northernfitnessgym@gmail.com. We will respond within one calendar month. We will not charge a fee for routine requests, though we may charge a reasonable fee for manifestly unfounded or excessive requests.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time if you believe your data has been processed unlawfully. The ICO can be contacted at ico.org.uk or by calling 0303 123 1113.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


10. MARKETING COMMUNICATIONS

We may contact you with updates, promotions, class information, and news about Northern Fitness Gym. The lawful basis we rely on depends on how we collected your data:

- Existing members: we market to you on the basis of our legitimate interests as a fitness business with an ongoing membership relationship.
- Competition entrants, website pop-up sign-ups, and Meta Lead Ad respondents: we market to you on the basis of your explicit consent, given at the point you submitted your details.

Regardless of the basis, you have the right to stop receiving marketing from us at any time with no detriment. To opt out:

- Click the unsubscribe link in any marketing email or SMS
- Email us at northernfitnessgym@gmail.com requesting removal from our mailing list
- Speak to a member of staff at the gym

Where we rely on legitimate interests, you may object to processing and we will cease unless we can demonstrate compelling legitimate grounds that override your interests. Where we rely on consent, you may withdraw it at any time — this does not affect the lawfulness of processing before withdrawal.

We will action all opt-out requests promptly and retain a record of your preference to ensure we do not contact you again for marketing purposes.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


11. COOKIES AND WEBSITE TRACKING

Our website at northernfitnessgym.co.uk uses cookies and similar tracking technologies. Cookies are small files placed on your device that help us understand how visitors use our site.

We use the following types of cookies:

- Essential cookies: required for the website to function correctly
- Analytics cookies: used by Google Analytics to understand visitor behaviour in aggregate
- Advertising cookies: used by Meta and Google to measure the performance of our advertising campaigns

You can control or disable cookies through your browser settings. Disabling certain cookies may affect website functionality. Where we rely on consent for non-essential cookies, you may withdraw that consent at any time via our cookie settings.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


12. CHILDREN'S DATA

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data about a child, please contact us immediately and we will delete it without delay.

Where a junior membership is taken out on behalf of a child, a parent or legal guardian must provide consent on their behalf and remains responsible for the child's data in our systems.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


13. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in law, our business, or the services we offer. The most current version will always be published at northernfitnessgym.co.uk/privacy-policy with the date it was last updated shown at the top of the document.

Where changes are material, we will take reasonable steps to notify you, such as by email or by displaying a prominent notice on our website.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


14. CONTACT US

If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:

By post: Northern Fitness Limited, Unit 56, Colne Valley Business Park, HD7 5QG
By email: northernfitnessgym@gmail.com
Website: northernfitnessgym.co.uk

You may also contact the Information Commissioner's Office (ICO) if you are not satisfied with our response:

ICO Website: ico.org.uk
ICO Helpline: 0303 123 1113


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Northern Fitness Limited | Company No. 14728445 | Registered in England & Wales | northernfitnessgym.co.uk

bottom of page