Impact Personal Training – Privacy Policy

Last updated: 8 June 2026

This Privacy Policy explains how Impact Personal Training Limited collects, uses, stores, and protects your personal information when you visit our website at impact-pt.co.uk (the “Website”), use our Impact PT mobile application (the “App”), or engage with any of our services. It also sets out the rights you have under UK data protection law and how to exercise them.

Please read this Policy carefully. By using our Website, App, or services, you confirm that you have read and understood how we handle your personal data as described here.

1. Who We Are

Impact Personal Training Limited is the “data controller” for the purposes of UK GDPR and the Data Protection Act 2018. This means we are responsible for deciding how and why your personal data is processed.

Company details:

  • Registered company name: Impact Personal Training Limited
  • Companies House number: 08939015
  • Registered office: Suite 9, 30 Bancroft, Hitchin, Hertfordshire, SG5 1LE, United Kingdom
  • General contact: info@impact-pt.co.uk
  • Data protection contact: dataprotection@impact-pt.co.uk

For any questions about this Policy or how we use your data, please contact us using the data protection email above.

2. The Personal Data We Collect

We collect and process the following categories of personal data about you:

Identity data — your name, date of birth, gender (where you choose to provide it), profile photo (where uploaded).

Contact data — your email address, telephone number, postal address, and emergency contact details where provided.

Account data — login credentials, account settings, and preferences within the App and Website.

Membership and transaction data — your membership type, start date, session bookings, attendance records, payment history, and any cancellation or change requests.

Payment data — your payment card details are collected and processed directly by our payment provider (Stripe) and are not stored on our own systems. We retain a record of the card type and last four digits to identify the card on file.

Health and fitness data (special category data) — pre-exercise health screening responses, medical conditions, injuries, pregnancy disclosures, medication information where disclosed, body measurements, weight, body composition, workout performance records, nutrition logs, and progress photos where you choose to share them. This is “special category data” under UK GDPR and is given additional protection (see section 5).

Technical data — your IP address, browser type and version, device identifiers, operating system, and similar technical information collected automatically when you use the Website or App.

Usage data — information about how you use the Website and App, including pages visited, features used, session duration, and interaction patterns.

Communications data — records of correspondence between you and us, including emails, support messages, in-app messages, and notes recorded by your trainer.

Marketing preferences — your choices about receiving marketing communications and your participation in optional community channels (e.g. WhatsApp groups).

3. How We Collect Your Personal Data

We collect personal data:

Directly from you — when you sign up for membership, complete health screening, book sessions, communicate with your trainer, use the App, or contact us with enquiries.

Automatically — when you use the Website or App, certain technical and usage data is collected automatically through cookies and similar technologies (see section 10).

From third parties — limited information may be received from our payment processor (e.g. confirmation that a card transaction has succeeded), and from any third-party service you use to interact with us (e.g. WhatsApp profile name visible when you join a community group).

4. Why We Use Your Personal Data and Our Lawful Basis

Under UK GDPR we must have a lawful basis for processing your personal data. The bases we rely on are set out below for each purpose:

To provide our services to you — including managing your membership, scheduling sessions, delivering coaching, and providing access to the App. Lawful basis: performance of a contract with you (Article 6(1)(b)).

To process payments and manage billing — including taking payment through Stripe, issuing receipts, and handling failed payments. Lawful basis: performance of a contract (Article 6(1)(b)).

To keep financial and tax records — for compliance with HMRC requirements. Lawful basis: legal obligation (Article 6(1)(c)).

To provide safe, health-aware coaching — including assessing your fitness to participate, adapting programmes to your needs, and managing injuries. Lawful basis for the personal data: performance of a contract (Article 6(1)(b)). Lawful basis for the special category health data: your explicit consent (Article 9(2)(a)), provided during onboarding.

To communicate with you about your membership and bookings — including session confirmations, reminders, important account notices, and policy updates. Lawful basis: performance of a contract (Article 6(1)(b)).

To send you marketing communications about our services — such as updates, special offers, and new programmes. Lawful basis: your consent (Article 6(1)(a)) for new contacts, or our legitimate interests under the PECR “soft opt-in” rules (Article 6(1)(f)) for existing members, in either case with a clear ability to opt out at any time.

To improve the Website and App — including monitoring usage and performance. Lawful basis: our legitimate interests in maintaining and improving our services (Article 6(1)(f)). Analytics cookies are only used with your prior consent under PECR.

To prevent fraud and ensure security — including monitoring for suspicious activity and protecting our systems. Lawful basis: our legitimate interests in protecting our business, our clients, and our systems (Article 6(1)(f)).

To handle complaints, disputes, or insurance claims — Lawful basis: our legitimate interests (Article 6(1)(f)) and, where applicable, the establishment, exercise, or defence of legal claims (Article 9(2)(f) for any special category data involved).

To comply with legal and regulatory obligations — including responding to lawful requests from authorities. Lawful basis: legal obligation (Article 6(1)(c)).

5. Special Category Data (Health and Fitness Information)

Because we provide personal training services, we routinely process information about your health, fitness, injuries, and physical condition. This is “special category data” under Article 9 of UK GDPR and receives additional protection.

We process special category data only where:

  • You have given us your explicit consent during onboarding by signing our Health Consent Waiver, and
  • Processing is necessary to provide you with a safe and effective personal training service.

You may withdraw your consent at any time by contacting dataprotection@impact-pt.co.uk. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Note that without your consent to process this data, we may not be able to continue providing you with personal training services safely.

Access to your health and fitness data within our systems is limited to your assigned trainer(s), our management team, and authorised technical administrators who maintain the system.

6. Who We Share Your Personal Data With

We share your personal data only where necessary to provide our services or comply with our legal obligations. The categories of recipient are:

Service providers and processors — third parties who process data on our behalf under written data processing agreements. Our current key processors are:

  • Stripe, Inc. — payment processing. Card data is sent directly to Stripe and not stored on our systems. Stripe is US-based; transfers are protected by UK ICO-approved Standard Contractual Clauses.
  • Supabase, Inc. — database hosting. Our primary database is hosted in Supabase’s eu-west-2 (London) region, so your core data remains in the United Kingdom.
  • Resend, Inc. — transactional email delivery (booking confirmations, reminders, account notices). Resend is US-based; transfers are protected by Standard Contractual Clauses.
  • Twilio Inc. (Meta WhatsApp Business API) — SMS and WhatsApp messaging where you have opted in to those channels. US-based; transfers protected by Standard Contractual Clauses.
  • Vercel Inc. — Website and application hosting. Multi-region with EU presence; transfers protected where applicable.
  • Mindbody Inc. — legacy booking and membership system, used during the transition period as we migrate to our new platform (expected complete by October 2026). US-based; transfers protected by Standard Contractual Clauses. Mindbody will no longer process new data once migration is complete.

Professional advisors — including our accountants, lawyers, and insurers, where necessary to manage our business or address legal matters. These advisors are bound by professional confidentiality obligations.

Authorities and regulators — where required by law (for example HMRC for tax records, or law enforcement responding to a valid legal request).

We do not sell your personal data to third parties.

7. International Data Transfers

Most of your personal data is held within the United Kingdom or European Economic Area (notably your core records in our Supabase eu-west-2 database).

Some of our service providers (Stripe, Resend, Twilio, Mindbody) are based in the United States or operate globally, meaning some personal data is transferred outside the UK. We protect these transfers using Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office, or by relying on UK adequacy decisions where these apply.

You may request a copy of the safeguards we rely on by contacting dataprotection@impact-pt.co.uk.

8. How Long We Keep Your Personal Data

We retain personal data only for as long as necessary for the purposes for which it was collected, and in line with our legal obligations:

  • Active membership data — for the duration of your membership.
  • Financial and billing records — for a minimum of six years following the end of your membership, in line with HMRC requirements.
  • Health and training data — for up to three years following the end of your membership, unless you request earlier deletion and this is permissible under law.
  • Marketing preferences and communications data — until you withdraw consent or for a maximum of three years after your last interaction, whichever is sooner.
  • Website analytics data — analytics records are typically anonymised or deleted within 14 months.
  • Records relating to complaints, claims, or legal matters — for up to six years, in line with the statute of limitations in England and Wales.

Where data is no longer required, it is either securely deleted or anonymised so it can no longer be linked to you.

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — you can request a copy of the personal data we hold about you (sometimes called a “subject access request” or “SAR”).
  • Right to rectification — you can ask us to correct any inaccurate or incomplete personal data.
  • Right to erasure — you can ask us to delete your personal data in certain circumstances (also known as the “right to be forgotten”). Note that we may need to retain certain data to meet legal obligations (e.g. financial records) even if you request deletion.
  • Right to restrict processing — you can ask us to limit how we use your data in certain circumstances.
  • Right to data portability — you can request a copy of certain personal data in a structured, machine-readable format, or ask us to transfer it to another service provider.
  • Right to object — you can object to our processing of your personal data where we are relying on legitimate interests, including for direct marketing.
  • Rights relating to automated decision-making and profiling — we do not currently make decisions about you using purely automated processes. If this changes, you will be notified.
  • Right to withdraw consent — where we rely on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at dataprotection@impact-pt.co.uk. We will respond within one calendar month of receiving your request. For complex or numerous requests we may extend this period by up to two further months and will tell you if we do.

There is no fee for exercising your rights, although we may charge a reasonable administrative fee for clearly unfounded, excessive, or repetitive requests, or refuse to act on them.

If you are not satisfied with how we have handled your personal data or your request, you also have the right to lodge a complaint with the UK supervisory authority (see section 16).

10. Cookies and Similar Technologies

Our Website uses cookies and similar technologies to function correctly and to help us understand how visitors use it.

What cookies are. Cookies are small text files stored on your device when you visit a website. They allow the site to recognise your device and remember information about your visit.

Categories of cookies we use. When you first visit our Website you will be presented with a cookie banner allowing you to accept or reject non-essential cookies, and to manage your preferences by category:

  • Strictly necessary cookies — required for the Website to function (e.g. session management, security, load balancing). These do not require your consent under PECR.
  • Functional cookies — remember your preferences and choices (e.g. login state). These require your consent.
  • Analytics cookies — help us understand how the Website is used so we can improve it. We use Google Analytics 4 with IP anonymisation enabled. Analytics cookies are not set until you have given your consent.

We do not currently use advertising or marketing cookies. If this changes, we will update this Policy and request fresh consent.

Managing your preferences. You can change your cookie preferences at any time by clicking “Manage cookies” in the footer of the Website. Most web browsers also allow you to control cookies through their settings, including blocking or deleting cookies. Note that disabling strictly necessary cookies may prevent parts of the Website from functioning correctly.

11. Marketing Communications

We may send you marketing communications about our services, programmes, and special offers.

  • For new contacts — we will send marketing communications only where you have given us your express consent (e.g. by ticking a sign-up box).
  • For existing members — we may send marketing communications about similar services under the PECR “soft opt-in” rules, on the basis of our legitimate interests, provided you were given the opportunity to opt out at the point your data was collected.

In every marketing email we send, you will find a clear unsubscribe link. You can also opt out at any time by contacting info@impact-pt.co.uk. Opting out of marketing does not affect service-related communications (such as booking confirmations or account notices), which we will continue to send while you are a member.

12. Children’s Data

Our services are intended for individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18 through the Website or App.

If you believe that we may have collected personal data from a person under 18, please contact dataprotection@impact-pt.co.uk and we will take steps to delete that information.

13. How We Protect Your Personal Data

We take the security of your personal data seriously and apply appropriate technical and organisational measures designed to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (HTTPS/TLS) and at rest (database encryption)
  • Strict access controls, with personal data accessible only to staff who require it for their role
  • Multi-factor authentication for administrative system access
  • Regular review of our security practices and processor arrangements
  • Written data processing agreements with all third-party processors

No method of transmission over the internet or method of electronic storage is 100% secure. While we apply industry-standard practices, we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Information Commissioner’s Office (ICO) without undue delay, in line with our legal obligations.

14. Links to Third-Party Websites

Our Website and App may contain links to third-party websites or services that we do not operate. We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policy of any third-party service before providing personal data to them.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, our use of personal data, or legal and regulatory requirements.

When we make material changes, we will notify you by email at least 30 days before the changes take effect, and will update the “Last updated” date at the top of this Policy. Where required, we may ask you to formally re-confirm your acceptance.

We recommend that you review this Policy periodically to stay informed about how we handle your personal data.

16. Contact Us and Your Right to Complain

If you have any questions, concerns, or complaints about how we use your personal data, please contact us first at dataprotection@impact-pt.co.uk so we have an opportunity to address your concerns.

You also have the right to lodge a complaint at any time with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters:

  • Website: www.ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, appreciate the chance to deal with your concerns directly before you approach the ICO.