2. Information Collected or Received
3. How and why GYMBOX use your Personal Information
4. Communication from GYMBOX
5. Sharing your Information
6. Keeping your Information Secure
7. GYMBOX Retention Policies
8. Staying in Control - Your Rights
GYMBOX are based in the UK, however process personal information both within the UK/EEA and outside. Any personal information held by either GYMBOX or the designated third parties comply with relevant EU GDPR legislations. Third parties which process personal information outside the UK/EEA on behalf of GYMBOX have a recognised equivalent legislation in place such as the US Privacy Shield, or a set of GDPR compliant Binding Corporate Rules (BCR).
GYMBOX collect personal information from Club users, Staff and Suppliers/Sub-contractors to run their business and provide you with their services. This personal information may include the following: name, date of birth, email address, contact number, company name, bank details and credit card details.
GYMBOX also collect the following information:
Sensitive Information: The term "sensitive information" in this context refers to information related to your racial or ethnic origin, political opinions, religion or other beliefs, health, criminal background or trade union membership. Whilst GYMBOX do not generally collect sensitive information unless it is volunteered by you, GYMBOX do have a legal requirement to collect health data for the purpose of recording your self-assessment declaring readiness for physical exercise.
Photographs and Identification: In the interests of security and the prevention of crime, GYMBOX may take a digital photograph of each Member or guest. Each Member or guest may also be required to provide a form of identification for verification and security purposes.
Audio-Video: GYMBOX use CCTV in all Clubs for health and security reasons. If you have any queries in relation to the use of CCTV operating in and around the clubs please contact [email protected]. GYMBOX have a business legitimate interest to monitor service standards in Club. GYMBOX utilise mystery shopper services in which Club users may appear in the background however are never directly filmed. This footage is only used for the purposes of internal monitoring and training of GYMBOX staff.
Digital: When visiting GYMBOX website(s), your personal information may be collected, stored and used such as traffic data, location data, web logs, communication data and resources that you access, as well as other personal information detailed above. If you connect to GYMBOX or register for a tour of GYMBOX using an external third-party application, such as Facebook, Instagram, or Twitter, these websites will have their own privacy statement which GYMBOX suggest that you read before giving them your personal information. Connecting to GYMBOX via a third-party application or service is optional and at your own discretion.
GYMBOX will only collect the relevant information required for the purposes of processing and will not use this information for any other purpose without obtaining consent.
The information in the above, section 2, may be used for the following purposes:
- To carry out GYMBOX’s obligations arising from any contractual agreement;
- To contact you about non-contract aspects of your Membership, such as a change in usage patterns;
- To provide you with the information on products or services you request;
- To process payments and maintain accounts and records;
- To prevent crime, fraud and aid in the prosecution of offenders;
- To maintain Membership records;
- To improve the GYMBOX platform;
- To prevent or detect abuses of the GYMBOX website;
- To create business performance statistics and analysis;
- To enable third parties to carry out technical, logistical, research or other functions on behalf of GYMBOX;
- To send you newsletters and promotions, prize draws, and competitions;
- To conduct surveys and request feedback;
- To notify you about urgent comms such as a sudden closure of a Club;
- To process your job application if you apply for employment at GYMBOX;
- To collect information about your tastes and preferences, both when you tell us and by analysis of customer traffic, including using "cookies";
- To read and respond to comments made regarding GYMBOX services.
On occasion, GYMBOX may need to contact you. Primarily, these messages are delivered by email, text or phone, and every individual’s record is required to keep a valid email address and contact number on file to receive these messages.
In response to enquiries and when communicating with Members, GYMBOX believe that the content is relevant, valuable, interesting and beneficial to you. GYMBOX also believe that you would reasonably expect to receive the type of content that is sent to you as part of your relationship with GYMBOX. Therefore, GYMBOX’s current assessment is that the communication you receive is covered by the lawful basis for processing of ‘Legitimate Interest’ under recital 47 within the GPDR. For all communication sent under the basis of legitimate interest, opt-out options are provided and detailed later within this section.
For all communication where consent is the only legal basis, preferences will be collected in advance.
GYMBOX recognise that you value having control over your own information, so GYMBOX gives you the choice of editing your communication preferences if you disagree with the above. For GYMBOX Members and Ex Members you may update these preferences by logging into the Members area through the login page of the website, (www.gymbox.com). Alternatively you may email [email protected] with your request.
Please note the following messages from GYMBOX fall into the category of compulsory communication and therefore no opt-out options are available:
- Urgent Communication (such as, unplanned closure of all or part of a Club, reduced services, a change of opening times)
- Automatic Class Booking communication (such as, booking confirmation, waiting list movement, cancellations)
- Contract and Subscription related communication (such as, welcome emails, outstanding arrears, upcoming renewals, communication with the GYMBOX Member Services Support Team).
You may receive communication from GYMBOX via the following communication systems, all of which offer an opt-out service. Please note you must opt-out of each individual communication system should you wish to exercise that right;
Direct email communication from GYMBOX staff via Outlook: To opt out you can do either of the following, log into the members area on the website to update your communication preferences within the My Profile section. You can also request this specifically to [email protected]
Texts via CM.com: To opt-out please follow the instructions within the text you receive.
Email communication via SendinBlue: To opt-out please use the unsubscribe link within the email you receive.
Email communication via UScreen; To opt-out please do so by logging into the Gymbox Uscreen platform and going into your Account details to update your preferences.
Enquiries through GYMBOX website(s): GYMBOX capture data through GYMBOX website(s) hosted by third parties (fortyeight.one, GiftPro). These can be for purchasing a giftcard, booking a tour online, joining online, referring a friend online, PT enquiries online, corporate enquiries online. GYMBOX manage member services requests via their website through a third party (Zendesk). This process is in place in order for our member services team to respond to and action any query that is submitted through this avenue on the GYMBOX website.
GYMBOX also capture data through the Out the Box platform which is hosted by GYMBOX via a third party (UScreen), should you sign up to that.
Membership System and Bookings App: In order for GYMBOX to process and manage existing and ex Memberships as well as Prospective Members, they use a third party (Legend Club Management) to provide the membership management system. Class bookings can be processed directly via the website hosted by Legend Club Management as well as the GYMBOX bookings App hosted by Innovatise who integrate directly with Legend Club Management.
Payment Collection: GYMBOX use third parties (Accountis, Verifone, Global Payments & Stripe) for payment collection whether that be upfront payment for membership, monthly direct debit payment for membership, one-off POS payments at reception, debt collection, or Out The Box subscription.
Arrears Collection: GYMBOX reserves the right to forward a members information to a third party debt collection agency (ARC Europe Ltd) in the event of non-payment of fees when due. Further information on this process can be found in GYMBOX Terms and Conditions.
Personal Training: As stated on the GYMBOX Membership Application, any Member who selects the VPT Taster understands that their personal information will be provided to a designated personal trainer who will contact them to arrange their taster session.
Paperwork Destruction: GYMBOX schedule regular collections of paperwork from a third party company (The Hill Company) who securely and confidentially shred this paperwork off site, on behalf of GYMBOX.
GYMBOX may share Member details with any organisation that acquires a Club to which the Member has their Membership.
In regards to environmental and physical security, all GYMBOX employees receive full training upon commencement on employment and subsequently on an annual basis thereafter. This is completed via an e-learning platform and group training sessions. Further to this, daily, weekly and monthly audits are completed.
GYMBOX have set company retention policies in place and these timescales are set in accordance with any applicable legislation and/or for any agreed legitimate reasons. Where none exists, then GYMBOX will keep your information for the duration of any Contract that you have entered into with GYMBOX, and then for a period of 7 years after, at which time all the personal information will be pseudonymised.
After that 7 year duration, GYMBOX will retain and use your pseudonymised information for the purpose of business statistics and analysis. GYMBOX can retract this pseudonymisation to the extent necessary to comply with any legal obligations or to resolve disputes
GYMBOX understand the importance of data subjects remaining in control of their personal data. GYMBOX acknowledge the following rights you have under the GDPR, what they mean and how you can exercise them.
The Right to be Informed
The Right of Access
You have the right to access information that GYMBOX hold about you. If you wish to receive a copy of the information that GYMBOX hold, please submit a Subject Access Request form (SAR) which you can request from [email protected]. Once GYMBOX have received your form, they will provide a response within one month. If your request is unusually complex and likely to take longer than a month, you will be informed as soon as possible to tell you how long it’s likely to take.
Please note that whilst in most cases GYMBOX will be happy to provide you with copies of the information you request, GYMBOX nevertheless reserve the right, in accordance with section 8(2) of the DPA, not to provide you with copies of information requested if to do so would take “disproportionate effort”, or in accordance with Article 12 of the GDPR to charge a fee or refuse the request if it is considered to be “manifestly unfounded or excessive”.
The Right to Rectification, Restrict Processing, Erasure, and to Object
You can ask GYMBOX at any time to change, amend or pseudonymise the information that GYMBOX hold about you or restrict ways in which your data may be processed. You can update GYMBOX with amendments of personal information by submitting a request through the member services area of our website using the following link, https://gymbox.com/member-services/change-of-personal-details
To pseudonymise the information, or object/request restriction of processing then please email [email protected]
GYMBOX will aim to respond to any request as soon as possible, but no later than within 1 month since receipt of request. Please note that the right to erasure is not absolute and only applies in certain circumstances. For further information on this please visit the following link to the ICO’s website, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
Right to Data Portability
You have the right to request that your personal data is transferred by GYMBOX to another organisation (this is called “data portability”). Please contact us at [email protected] with the details of what you would like for GYMBOX to do and GYMBOX will endeavour to comply with your request. It may not be technically feasible, but GYMBOX will work with you to try and find a possible solution.
Right to Prevent Automated Decision Making
You have a right to ask GYMBOX to stop any automated decision making. GYMBOX do not intentionally carry out such activities, but if you do have any questions or concerns GYMBOX would be happy to discuss them with you so please email any concerns or queries to [email protected]
If you have any questions, comments or concerns about data privacy at GYMBOX, please e-mail thorough a description to [email protected] and GYMBOX will endeavour to resolve the issue for you. Alternatively should you wish to escalate any concerns or questions, rather than contact GYMBOX directly, please contact the supervisory authority The Information Commissioner’s Office (ICO). For more information please visit the ICO’s website https://ico.org.uk/.