Last updated: 2nd December 2025
This Privacy Policy explains how GYMBOX (“we”, “our”, “us”) as a controller collect, use, store, and shares the personal data of our members, personal trainers and instructors who use our clubs.
In this policy, GYMBOX means Sparring Partners Ltd, registered in England and Wales (company number 4204345), whose registered office is at Unit 7, 38 New Kent Road, London, SE1 6TJ. GYMBOX is part of Urban Gym Group B.V., based in the Netherlands.
GYMBOX is committed to protecting your privacy and handling your personal data in a fair, lawful, and transparent way, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), as supplemented by the Data Use and Access Act 2025.
This Privacy Policy describes:
By visiting a GYMBOX Club, using our website(s), app(s), or contacting us, you acknowledge and agree to the terms of this Privacy Policy.
We collect and process the personal data necessary to provide our services and operate our business. This may include:
Category | Examples | When do we collect this? |
Personal identifiers
| Name, date of birth, gender, address, email address, contact number, company name, and membership details.
| When you sign up to become a member or visitor via our website or in person.
When you enter into a contract with us.
When you swipe your membership card to access our Clubs or sign up to a class.
When you ask us for more information in relation to a product or service.
When you sign up to a paid-for event we are hosting.
|
Financial information
| Payment details including bank account or card information (processed securely via third-party payment providers).
| When you sign up to become a member or visitor via our website or in person.
When you enter into a contract with us.
When you sign up to a paid-for event we are hosting.
|
Health and fitness information
| Health declarations (to ensure exercise readiness and safety), and any information you voluntarily provide to personal trainers or staff.
| When you sign up to become a member or visitor via our website or in person and complete a health commitment.
When you ask to freeze or cancel your membership on health grounds.
|
Photographs and identification
| A digital photograph is taken for security and club access. We may request identification for verification purposes.
| When you sign up to become a member or visitor via our website or in person.
When you attend an event where photographs will be taken and you have given your consent.
|
CCTV and video
| CCTV is used in all Clubs for health, safety, and crime prevention. Limited video monitoring may also be used for internal training or service quality assessments.
| When you use or visit any of our Clubs.
If you have any queries in relation to the use of CCTV operating in and around the clubs, please contact us at the details in section 13 of this policy.
|
Usage data
| Usage records and duration of visits, in the form of date, time, gym, and membership number.
| When you access our Clubs. |
Digital data
| We may collect:
Cookies and similar technologies are used to enhance your experience — see section 9.
| When you use our websites or apps. |
Marketing data
| Your marketing preferences | When you sign up to become a member or visitor via our website or in person.
When you ask for further information in relation to third party services / personal trainers / instructors operating within our Clubs.
|
Job application data | Alongside personal identification data, we may process your CV, interview notes and assessment results, references and right to work documentation | When you apply for a job at GYMBOX via our website. |
Special Categories of Personal Data
Certain personal data are defined as ‘Special Categories of Personal Data’ under the UK GDPR, such as data regarding race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying a person, data concerning health (including mental and physical health), or data concerning sex life or sexual orientation.
We process your personal data for the following purposes and under the lawful bases permitted by the UK GDPR:
Purpose | Lawful basis |
To provide and manage your membership, bookings, and payments | Performance of contract |
To contact you about membership, bookings, or operational updates | Legitimate interests |
To identify you and grant you access to our Clubs | Performance of contract |
To bill you for using our service as part of your membership and enforce the collection of debt if necessary | Performance of contract |
To send marketing and promotional communications (where applicable) | Legitimate interests – to receive marketing from us Consent – to receive third party marketing from any personal trainers/instructors operating in our clubs |
To improve services, analyse usage, and develop business insights | Legitimate interests |
To comply with legal and regulatory requirements | Legal obligation |
To ensure member safety and club security (CCTV, access systems) | Legitimate interests |
To answer FAQs through our automated website chat bot | Legitimate interests |
To process your job application if you apply for employment at GYMBOX | Legitimate interests |
To ensure members safety when using our clubs | Legitimate interests Special Category Article 9 Condition Explicit consent |
To handle an emergency relating to your health | Necessary to protect the vital interests of a data subject Special Category Article 9 Condition Vital interests |
Instructors and Personal Trainers
Purpose | Lawful basis |
To enter into and manage our agreements with you and maintain a record of our contractual obligations | Performance of contract |
To process payments for services provided by you and manage related invoices and tax reporting | Performance of contract Legal obligation (tax and accounting) |
To arrange classes, sessions and availability through our gym facility booking systems | Performance of contract Legitimate interests (efficient business operations) |
To verify your qualifications and right to work status | Legal obligation (employment and safety laws) |
To comply with health and safety regulations | Legal obligation (health and safety laws) |
To contact you in relation to the services provided by you | Performance of contract Legitimate interests |
To feature you in promotional content or materials including social media or website profiles | Consent |
To monitor your club access | Legitimate interests (security and fraud prevention) |
To handle complaints, disputes or legal claims | Legitimate interests Legal obligation |
We do not use your personal data for automated decision-making that produces legal or significant effects.
We have carried out balancing tests for all the data processing we carry out on the basis of our legitimate interests, which we have described above.
We may contact you via email, SMS, phone, or app notifications for:
Compulsory communications
Certain communications (e.g. urgent updates, booking confirmations, payment reminders) are essential for service delivery and cannot be opted out of. These messages will not contain any direct marketing.
Marketing communications
If you have purchased or shown interest in our products, services or memberships, you will receive marketing communications from us via email, SMS, phone, or app notifications about similar offerings unless you have opted out of receiving marketing.
Third party marketing: with your explicit consent, we will share your contact information with our third party aggregators, partners, personal trainers or instructors so they can send you details about their services.
You can manage or withdraw your preferences at any time by:
Categories of third parties
We share limited personal data with trusted third parties, including:
All processors act under written contracts, process data only on our instructions, and are required to maintain confidentiality and security consistent with UK GDPR.
Please note that some countries outside of the UK or EEA have a lower standard of protection for personal data, including lower security requirements and fewer rights for individuals. Where your personal data is transferred, stored and/or otherwise processed outside the UK or EEA, we will take all reasonable steps to ensure that your personal data is treated securely and in accordance with this policy. When personal data is transferred internationally to a country that is not deemed adequate by the European Commission or the UK Secretary of State, we will rely on acceptable and defined legal mechanisms such as using standard contractual clauses which have been approved by the European Commission or the UK Government.
From time to time, we may process your personal data using AI and other similar technology. This could include generative artificial intelligence (GenAI) serviced by third party providers to better manage risks and improve the quality of efficiency of our services (e.g. keepme.ai).
Where we use any other AI systems, we will ensure such uses are properly validated, and would be used fairly, ethnically and with appropriate human oversight of the decision-making process. If the relevant individuals do not wish for personal data to be processed via AI tools, please contact us using the contact details at the end of this notice.
We take appropriate organisational and technical measures to protect personal data from unauthorised access, loss, or misuse.
This includes but is not limited to:
A cookie is a very small text document, which often includes an anonymous unique identifier. Cookies are created when your browser loads a particular website. The website sends information to the browser which then creates a text file. Every time the user goes back to the same website, the browser retrieves and sends this file to the website’s server.
We use cookies to:
We use the following types of cookies on our website:
Necessary Cookies – Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Preferences Cookies – Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Statistics Cookies – Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Marketing Cookies – Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for us.
Unclassified Cookies – Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
You can change your cookie consent here or via your browser settings, but some features of our site may not function properly. For more information, see the ICO’s guidance on cookies: https://ico.org.uk/for-the-public/online/cookies/
We will retain your personal data only for as long as we need it for the purposes set out in this policy, except in circumstances where we need to retain it for longer to comply with legal obligations or to progress legal claims. At the end of the retention period, we will take steps to delete your personal data or hold it in a form that no longer identifies you.
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.
You have the following rights under UK GDPR:
Right |
Description
|
To be informed | A right to be informed about the personal data we hold about you. |
Of access | A right to access the personal data we hold about you. |
To rectification | A right to require us to rectify any inaccurate personal data we hold about you. |
To erasure
| A right to ask us to delete the personal data we hold about you. This right will only apply where (for example):
|
To restrict processing
| In certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where (for example):
|
To data portability
| In certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation, at your request. |
In relation to automated decision making and profiling | A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affect you. We do not carry out any automated processing. |
To withdraw | A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with brochures and newsletters). |
To exercise these rights, contact . We will respond within one month in accordance with the UK GDPR.
There may be conditions or limitations on these rights. It is therefore not certain for example you have the right of data portability in the specific case – this depends on the specific circumstances of the processing activity.
If you have any concerns regarding our processing of your personal data or are not satisfied with our handing of any request made by you, or would otherwise like to make a complaint, please contact GYMBOX in the first instance using the details in this privacy policy, so that we can do our very best to sort out the problem.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. The ICO can be contacted by telephone on 0303 123 1113 or by post as follows: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or via email at .
We may occasionally update this Privacy Policy to reflect changes in our operations or legal requirements.
The most current version will always be available at www.gymbox.com. Material changes will be communicated via email or club notice.
