Nordic Fitness Edinburgh: Customer privacy notice
This privacy notice sets out how we collect and process any personal information we collect about you when you use our website and services.
Nordic Fitness Edinburgh takes its responsibilities for your personal data security very seriously and this policy is designed to comply with UK data protection legislation.
This notice sets out-
- Our business contact details
- What information we collect, how we use it, and why
- Lawful bases and data protection rights
- Where we get personal information from
- How long we keep information
- Who we share information with
- How to complain
Contact details
Email: Emily – nordicfitnessedinburgh@gmail.com
What information we collect, use and why
We collect the following information from you prior to using our services. We will contact you to update our records annually, as long as you remain a customer with us; otherwise, we will delete your data in line with the records retention schedule lower down this Privacy Notice.
- Names and contact details
- Addresses
- Date of birth
- Payment details (including card or bank information for transfers and direct debits)
- Activity Data (information about bookings, event participation, or preferences)
- With your explicit consent: Physical Activity Readiness Questionnaire [‘PAR-Q’] (to assess your health status, enhance safety, reduce the risk of injury and to determine whether there are any contra indicators to exercise)
How we use your information
We will use/process your information for the following purposes only:
- To process bookings or provide services (e.g., scheduling Nordic Walking activities)
- To communicate service updates, event details, and promotions
- To manage payments and financial transactions
- To ensure safety and manage emergency contacts
- For marketing purposes (with your consent)
GDPR
The new General Data Protection Regulation 2018 clearly states that the personal data we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely
- We are accountable for these principles and must be able to show that we are compliant.
Lawful bases and data protection rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
- Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. You can read more about this right here.
- Your right to rectification- You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here.
- Your right to erasure- You have the right to ask us to delete your personal information. You can read more about this right here.
- Your right to restriction of processing- You have the right to ask us to limit how we can use your personal information. You can read more about this right here.
- Your right to object to processing- You have the right to object to the processing of your personal data. You can read more about this right here.
- Your right to data portability- You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. You can read more about this right here.
- Your right to withdraw consent– When we use consent as our lawful basis you have the right to withdraw your consent at any time. You can read more about this right here.
If you make a request, we must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
Our lawful bases for the collection and use of your data
Our lawful bases for collecting or using personal information to provide our services and goods are:
- Contract – we must collect or use the information so we can enter or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Explicit Consent: We collect and process your health information (via the PAR-Q form) with your explicit consent, as required under Article 9(2)(a) of the UK GDPR. This information is necessary to ensure your safety and suitability for participation in Nordic Walking activities
- Consent: Where we collect data for marketing purposes, this will be with your consent.
- Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- When we provide you with a service, we will ask you for your contact details (name, billing address, email address & telephone number). We use this information to process your order, to provide post-sales support and for sales analysis purposes. The legal bases we use to process your data in this way are – contract (in order to fulfil our contract with you) and legitimate interest (in understanding and running our business). In this instance the information will be collected directly from you or from a representative acting on your behalf.
Where we get personal information from
- Directly from you via our sign up forms or over the phone
- Health care providers such as GP (with your explicit consent and only where the PAR-Q assessment has highlighted contra indicators to exercise)
How long we keep information
|
Data Type |
Retention Period |
Reason for retention |
Action after retention |
|
Customer Contact Information (Name, Address, Email, Phone) |
Up to 2 years after last activity or service use |
To communicate about services, events, and marketing; to maintain records for future engagements |
Delete or anonymise personal details if no longer needed for business purposes |
|
Health/Medical Information (e.g., if provided for safety) |
Up to 1 year after last service |
To ensure safety during activities and to tailor services |
Delete or anonymise after the retention period unless required for legal reasons |
|
Payment and Billing Information (credit card, bank details, receipts) |
Up to 7 years |
For accounting, tax reporting, and legal compliance |
Delete or securely archive once the retention period expires |
|
Activity/Service Booking information (dates, types of sessions) |
Up to 2 years after last booking |
To manage and track bookings, and provide customer service |
Delete or anonymise after the retention period |
|
Membership/Subscription Information (e.g., membership details, packages purchases) |
Up to 2 years after membership ends or last activity |
To manage subscriptions, renewals, and memberships |
Delete or anonymise after the retention period |
|
Marketing Data (e.g., preferences, interests) |
Up to 2 years |
For targeted marketing and personalised offers |
Review and update consent periodically, delete or anonymise if no longer active or relevant |
|
Event Attendance Records |
Up to 2 years |
To track attendance and participation for customer engagement |
Delete or anonymise after the retention period |
|
Emergency Contact Information (if collected for safety purposes) |
Up to 1 year after last service |
For safety and emergency situations during activities |
Delete or anonymise after the retention period |
Who we share information with
We will only share your personal information in case of emergency, with emergency services or your emergency contact you have given consent for us to contact in this situation.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Last updated
3 January 2025
