Privacy Policy (April 2022)

Introduction

Everybody Health & Leisure is committed to ensuring that you and your family’s personal information is protected when you are using our services. This Privacy Policy relates to our use of any personal information we collect from you via the following services:

  • The Everybody Health & Leisure website – everybody.org.uk
  • Social Media
  • Any personal information you provide to us by phone, SMS, email, in letters and other correspondence and in person.

References to we, our or us in this privacy notice are to Everybody Health & Leisure (Oakwood Corporate Services, 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, WA14 2DT; Company Number – 08685939; Registered Charity Number – 1156084).

Everybody Health & Leisure is registered as a Data Controller under the Data Protection Act. Certificate of registration number – CSN3857866.

This Privacy Policy explains the following:

  • What information we may collect and why we collect it;
  • How we will use information we collect about you;
  • When we may use your details to contact you;
  • Whether we will disclose your details to anyone else;
  • Your choices regarding the personal information you provide to us;
  • The use of cookies on the Everybody Health & Leisure website and how you can reject cookies.

Everybody Health & Leisure is committed to safeguarding your personal information. Whenever you provide such information, we are legally obliged to use your information in line with all applicable laws concerning the protection of personal information, including the Data Protection Act 1998 (these laws are referred to collectively in this Privacy and Cookies Policy as the “data protection laws”).

We have appointed a Data Protection Officer to oversee our compliance with data protection laws. They can be contacted by emailing [email protected].

Our director with the overall responsibility for data protection compliance in our organisation is Kerry Shea. She can be contacted by emailing [email protected].

Everybody Health & Leisure may change this policy from time to time by updating the information on the website. You should check this page from time to time to ensure that you are happy with any changes. In the event that the change is significant or material, we will notify you of such a change by revising the link on the home page to read “Newly Revised Privacy Policy”. This policy is effective from May 2018.

Who are we?

Everybody Health & Leisure is a registered charity and a company limited by guarantee (Registered Charity No. 1156084; Company No. 08685939). Established in May 2014, Everybody Health & Leisure delivers leisure services and public health initiatives.

Your rights as a data subject

You have the following rights in relation to your personal information:

  • The right to be informed about how your personal information is being used;
  • The right to access the personal information we hold about you;
  • The right to request the correction of inaccurate personal information we hold about you;
  • The right to request the erasure of your personal information in certain limited circumstances;
  • The right to restrict processing of your personal information where certain requirements are met;
  • The right to object to the processing of your personal information;
  • The right to request that we transfer elements of your data either to you or another service provider; and
  • The right to object to certain automated decision-making processes using your personal information.

You should note that some of these rights, for example the right to require us to transfer your data to another service provider or the right to object to automated decision making, may not apply as they have specific requirements and exemptions which apply to them and they may not apply to personal information recorded and stored by us.  For example, we do not use automated decision making in relation to your personal data.  However, some have no conditions attached, so your right to withdraw consent or object to processing for direct marketing are absolute rights.

Whilst this privacy notice sets out a general summary of your legal rights in respect of personal information, this is a very complex area of law. More information about your legal rights can be found on the Information Commissioner’s website at https://ico.org.uk/for-the-public/.

To exercise any of the above rights, or if you have any questions relating to your rights, please contact us by emailing [email protected].

If you are unhappy with the way we are using your personal information, you can also complain to the UK Information Commissioner’s Office or your local data protection regulator. We are here to help and encourage you to contact us to resolve your complaint first.

Consent

Giving Consent to Everybody Health & Leisure will only be undertaken where the individuals have:

  • A genuine choice and level of control over how your data is used;
  • The right to only opt-in to give consent with no pre-ticked or implied consent options;
  • Individuals are made fully aware of what they are consenting to;
  • The right to withdraw consent at any time by speaking to a member of staff or emailing [email protected]; and,
  • The right to know the purpose of collecting and processing your data.

There is the need for Everybody Health & Leisure to collect and process personal data without consent in the fulfilment of its duties and obligations to you, where appropriate. (For example: Personal and banking information will be required to process direct debit payments for membership fee collections). Should Everybody Health & Leisure partner with a payments collection company to enable the collection of these payments this provider will, as a business necessity, have access to customers’ personal information.

Everybody Health & Leisure will hold a copy of your consenting action in relation to who consented, when and how you were told. This information will be kept by Everybody Health & Leisure as long as is deemed appropriate.

Collecting Personal Information

When you sign up for membership with us or to take part in one of our programmes, you may provide us with or we may obtain personal information about you, such as information regarding your:

  • Personal contact details that allows us to contact you directly such as name, title, email addresses and telephone numbers;
  • Date of birth;
  • Gender;
  • Membership details including start and end date;
  • Records of your interactions with us such as telephone conversations, emails and other correspondence and your instructions to us;
  • Any credit/debit card and other payment details you provide so that we can receive payments from you and details of the financial transactions with you;
  • CCTV footage and other information obtained through electronic means such as swipecard and key fob records;
  • Records of your attendance at any events or competitions hosted by us;
  • Images in video and/or photographic form and voice recordings; and
  • Your marketing preferences so that we know whether and how we should contact you.

Within certain programmes, often commissioned services, we may also collect, store and use the following ‘special categories’ of more sensitive personal information regarding you:

  • Information about your race or ethnicity and sexual orientation; and,
  • Information about your health, including any medical condition, health and sickness records, medical records and health professional information.

Children’s information is also classed as ‘special category’ data.

We routinely collect data on children in order to undertake the delivery of our services. This may include personal information including name, address, date of birth, school, etc. This information will only be used for the purpose for which it was collected, for example, swimming lessons.

Parental or Guardian consent is requested for all usage in, for example, junior fitness memberships, for children and adolescents up to the age of 18.

In support of the NHS Test and Trace Service your name, address and contact details will be shared upon request following making a booking at your leisure centres.

Using Personal Information

We use information we collect to provide you with services which you request and to improve our existing services.

When you contact us, we may keep a record of your communication to help solve any issues that you might be facing. Your information may be retained for a reasonable time for use in future contact with you, or for future improvements to our services.

In the event the information you provide to us is an application for employment, that application will be held in accordance with our Document Retention Policy.

Sharing Personal Information

We may also use or disclose your personal information when we believe, in good faith, that such use or disclosure is reasonably necessary to (i) comply with law, (ii) enforce or apply the terms of any of our user agreements, or (iii) protect the rights, property or safety of Everybody Health & Leisure, Everybody Health & Leisure users, or others. Everybody Health & Leisure reserves the right to transfer and disclose your information if Everybody Health & Leisure becomes involved in a business divestiture, change of control, sale, merger, or acquisition of all or a part of its business.

Unless otherwise specified or prohibited, Everybody Health & Leisure may share information with affiliates, business partners, service providers, subsidiaries or contractors who are required to provide you with services which you have requested from us.

Retention

The duration for which we retain your personal information will differ depending on the type of information and the reason why we collected it from you. However, in some cases personal information may be retained on a long-term basis: for example, personal information that we need to retain for legal purposes will normally be retained in accordance with usual commercial practice and regulatory requirements.

Full details of how we manage the retention of data is outlined in our Data Retention Policy.

It is important to ensure that the personal information we hold about you is accurate and up-to-date, and you should let us know if anything changes, for example if you change your phone number or email address. Changes can me made when visiting one of our sites, at the reception desk, or by emailing [email protected].

Marketing

 

We like to tell you about other services we offer. When you are joining a programme or signing up for a membership we will ask if we can market to you. We will also ask how you would like to be contacted.

At the end of your membership your data will be retained in line with our Data Retention Policy.

Within all electronic communications, there will be the option to directly unsubscribe or you can email [email protected].

At any time you are able to alter your preferences by emailing [email protected].

 

Customer details collected as part of online campaigns are retained within either Everybody Health & Leisure third party email service provider; Campaign Monitor; when customer opt in to receive future communication, or membership team where prospects are required to fill out contact form which direct their details to freshdesk and will be kept on both accounts indefinitely unless customer choose to unsubscribe/opt out from the communication.

 

Campaign monitor collected customer/prospect’s details from XN database (with email marketing communication consent), event outreach, website sign up, and online lead generation campaign. Campaign monitor will delete Everybody Health & Leisure content and/or any archived data within 30 days after the date of cancellation of the agreement and only with the written confirmation from Everybody Health & Leisure.

 

Textanywhere; SMS messaging service collected customer data as part of membership agreement and will be used as a form of membership related contact. There is an option to opt out from the communication including in the text body.  Textanywhere will remove Everybody Health & Leisure content and/or any archived data within 12 months after account cancellation.

 

Paper form details are collated on to a central data base and accessed via a secure login to restricted persons. Paper forms are destroyed as per section 5 below after being scanned and stored on the secure location for future proof.

All data base information gathered for marketing purposes is destroyed when information is no longer required or useful and is not retained for a period of more than 12 months

Everybody @ Home 

Everybody @ Home is Everybody Health & Leisure on demand and live health and fitness classes channel which use Google Firebase to collect and store customer data in order to verify the membership status and login. We collect customer data when a user registers on the system – this consists solely of an email address and password. Google Firebase requires Personal details and Member number on registration to authenticate the account creation, but these details are not stored on the system. Customer data, including secure hashed passwords is store in Google Cloud in the ‘eu-west2’ data store distributed across multiple secure locations in Greater London. Access to the data is secured via an Everybody Sport and Recreation’s google account requiring 2-factor authentication to access. Everybody Sport and Recreation can export all user data on request and once the google account is closed the data will be available for 30 days.

Security

The security of your personal information is important to us. We follow generally accepted best practice industry standards to protect the personal information submitted to us, both during transmission and once we receive it.

We use all reasonable measures to safeguard personally identifiable information, which measures are appropriate to the type of information maintained, and follows applicable laws regarding safeguarding any such information under our control. In addition, in some areas of our Sites, we use encryption technology to enhance information privacy and help prevent loss, misuse, or alteration of the information under our control. We also employ industry-standard measures and processes for detecting and responding to inappropriate attempts to breach our systems.

No method of transmission over the Internet, or method of electronic storage, can be 100% secure. Therefore, we cannot guarantee the absolute security of your information. The Internet by its nature is a public forum, and Everybody Sport and Recreation encourages you to use caution when disclosing information online. Often, you are in the best situation to protect yourself online. You are responsible for protecting your username and password from third party access, and for selecting passwords that are secure.

Website – Security, Cookies, IP Addresses, Aggregate Information & Hyperlinks

The Everybody Health & Leisure website (www.everybody.org.uk) is a key communication tool for us. We take interaction with our website and the safety of our users very seriously.

No website can be completely secure; if you have any concerns that your Everybody Health & Leisure account could have been compromised e.g. someone could have discovered your password, please get in touch straight away.

Cookies are a technology that can be used to help personalise your use of a website. A cookie is an element of information that a website can send to your browser, which may then store it on your system. You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it or decline at any time. To enable Everybody Health & Leisure to assess the effectiveness and usefulness of this Site, and to give you the best user experience, we collect and store information on pages viewed by you, your domain names and similar information. Our Site makes use of anonymous cookies for the purposes of:

  • Completion and support of Site activity
  • Site and system administration
  • Research and development
  • Anonymous user analysis, user profiling, and decision-making.

An Internet Protocol (“IP”) address is associated with your computer’s connection to the internet. Everybody Health & Leisure may use your IP address to help diagnose problems with Everybody Health & Leisure server, to administer the Site and to maintain contact with you as you navigate through the Site. Your computer’s IP address also may be used to provide you with information based upon your navigation through the Site.

Aggregate information is used to measure the visitors’ interest in, and use of, various areas of the Site and the various programs that Everybody Health & Leisure administers. Everybody Health & Leisure will rely upon aggregate information, which is information that does not identify you, such as statistical and navigational information. With this aggregate information, Everybody Health & Leisure may undertake statistical and other summary analyses of the visitors’ behaviours and characteristics. Although Everybody Health & Leisure may share this aggregate information with third parties, none of this information will allow anyone to identify you, or to determine anything else personal about you.

The Everybody Health & Leisure website contains hyperlinks to websites owned and operated by third parties. These third party websites have their own privacy policies, and are also likely to use cookies, and we therefore urge you to review them. They will govern the use of personal information you submit when visiting these websites, which may also be collected by cookies. We do not accept any responsibility or liability for the privacy practices of such third party websites and your use of such websites is at your own risk.

Third Party Systems

Within our facilities, we have developed partnerships with a number of companies that offer services to our users. To access these services, users may have to disclose personal data. All systems are totally optional.

All partners have been carefully selected and the way they use data has been scrutinised. All providers are compliant with the General Data Protection Regulation.

Within these examples you are providing your information to the companies named who are the data controllers.

Social Media and Online Engagement other than the Everybody Website

We use a variety of online engagement tools and social media options to communicate and interact with customers, potential customers, employees and potential employees. These sites and applications include popular social networking and media sites, open source software communities and more. To better engage the public in ongoing dialog, we use certain third-party platforms including, but not limited to, Facebook, Twitter and LinkedIn. Third-Party Websites and Applications (TPWA) are Web-based technologies that are not exclusively operated or controlled by Everybody Health & Leisure.

When interacting with the Everybody Health & Leisure presence on those websites, you may reveal certain personal information to Everybody Health & Leisure or to third parties. Other than when used by Everybody Health & Leisure employees for the purpose of responding to a specific message or request, Everybody Health & Leisure will not use, share, or retain your personal information.

Employee Personal Information

We also collect personal information from our employees and from job applicants (human resource data) in connection with administration of our human resources programs and functions.

These programs and functions include, but are not limited to; job applications and hiring programs, compensation and benefit programs, performance, review and development processes, training, access to our facilities and computer networks, employee profiles, employee directories, human resource recordkeeping, and other employment related purposes.

It is the policy of Everybody Health & Leisure to keep all past and present employee information private from disclosure to third parties. There are certain business related exceptions and they are:

  • To comply with local, regional, national contractual legislation requests
  • Inquiries from third parties with a signed authorisation from the employee to release the information, except in situations where limited verbal verifications are acceptable (see below)
  • Third parties with which Everybody Health & Leisure has contractual agreements to assist in administration of company sponsored benefits.

Prospective employers, government agencies, financial institutions, and residential property managers routinely contact Everybody Health & Leisure requesting information on a former or current employee’s work history and salary. All such requests of this type shall be referred to and completed on a confidential basis by the People Solutions team or payroll department. For written verification of employment requests, information will be provided on the form only when it is accompanied by an employee’s signed authorisation to release information. The form will be returned directly to the requesting party and filed as part of the payroll department’s confidential records.

Compliance, Monitoring & Enforcement

Everybody Health & Leisure adheres to the European Union Data Protection (95/46/EC) and e-Privacy (2002/58/ED) Directives, the Data Protection Act 1998 and the General Data Protection Regulations.

We do, for legitimate business reasons, transfer minimal data outside the EU and all/any company in the US will be required to adhere to the GDPR principles and have signed up to the US Privacy Shield.

We regularly review our compliance with our Privacy Policy. We also adhere to several self-regulatory frameworks in addition to complying with applicable law. If we receive formal written complaints, we will follow up with the person making the complaint. We work with the appropriate regulatory authorities to resolve any complaints that cannot be resolved directly.

Accessing and Updating Your Personal Information

It is important to ensure that the personal information we hold about you is accurate and up-to-date, and you should let us know if anything changes, for example if you change your phone number or email address.

If you have provided us with your personal information, you have the right to inspect the information stored by us for accuracy, or may request that the information be removed from our records. We will make all reasonable efforts to comply with such requests except where it would require a disproportionate effort (for example developing a new system or changing an existing practice).

We will require that you verify your identity before we act on a request to edit or remove your information.

Requests to update or any requests regarding your personal data held by Everybody Health & Leisure can be made by emailing [email protected].