Privacy Policy

Cruz Gym (“we”, “our”, “us”) is committed to protecting your privacy and ensuring your personal data is handled safely and responsibly. This Privacy Policy explains what personal information we collect, how we use it, and your rights under UK GDPR.

By using our website, becoming a member, or visiting our premises, you agree to the practices outlined below.

1. Personal Data We Collect

We may collect the following categories of personal information:

1.1 Information You Provide to Us

Name
Address
Email address
Phone number
Date of birth
Payment details (processed securely by our payment provider)
Emergency contact information
Health declarations (where required for safety)

1.2 Information Collected Automatically

Website usage data (IP address, browser type, device information, cookies)
Entry data when using access fobs or PIN codes

1.3 CCTV Footage

We operate CCTV for the safety and security of members, visitors, and staff.

2. How We Use Your Data

We use your personal data for the following purposes:

To create and manage your gym membership
To process payments and Direct Debits
To communicate important service updates (e.g., closures, class changes, safety notices)
To ensure the health and safety of members
To verify identity when entering the gym
To provide customer support
To send marketing communications if you have consented
To improve our website and services
For security and crime prevention (including CCTV)
We do not sell your data to third parties.

3. Legal Basis for Processing

Under UK GDPR, we process your data using the following lawful bases:

Contract: To provide membership services
Legal obligation: For accounting, safeguarding, or health and safety requirements
Consent: For marketing communications
Legitimate interest: For improving our services, ensuring safety, and protecting property

4. How We Store & Protect Your Data

We take appropriate technical and organisational measures to protect your personal data, including:

Secure payment processing using authorised third-party providers
Access-controlled gym entry systems
Encrypted data storage wherever possible
Limited access to personal data by authorised staff only

Personal data is stored only for as long as necessary for the purposes outlined in this policy.

5. Sharing Your Data

We may share your personal data with trusted third parties when necessary, including:

Payment processors (e.g., GoCardless, Stripe)
Membership management software
Personal Trainers (only with your consent)
Professional service providers (IT support, website hosting)
Law enforcement, if required by law or to prevent crime (e.g., via CCTV footage)

We ensure all third parties comply with UK GDPR.

6. Cookies (Website Use)

Our website uses cookies to:

Improve user experience
Analyse website traffic
Remember preferences
Enhance security

You can manage cookie settings through your browser at any time.

7. Your Rights Under UK GDPR

You have the right to:

Access your personal data
Correct inaccurate information
Request deletion of your data (in certain circumstances)
Restrict processing
Object to processing
Withdraw consent (for marketing or optional data collection)
Portability – request a transfer of your data

To exercise your rights, please contact us.

8. Marketing Communications

You will only receive marketing communications if you have opted in.
You can unsubscribe at any time by:

Clicking “unsubscribe” in emails
Contacting us directly
Updating your communication preferences

9. CCTV

CCTV operates in certain areas of the gym for security and safety.
Footage may be shared with law enforcement if required.
Footage is stored securely and retained for a limited period.

10. Data Retention

We keep personal data only for as long as necessary:

Membership information: for the duration of membership and up to six years after for legal and accounting purposes
CCTV footage: typically 30–60 days unless needed for investigations
Marketing preferences: until you withdraw consent