This Privacy Policy relates to customer data processed and stored by Active Luton Ltd and Active Luton Enterprises Ltd. It includes data captured in our centres, through our programs and services and on our websites including

www.activeluton.co.ukwww.teambedsandluton.co.ukhttp://www.lutonsportsnetwork.com

Active Luton is the data controller and is registered with the Information Commissioner's Office (ref: Z927271X). This Privacy Policy informs customers and users about the collection, use and sharing of personal information we collect on our websites, on our App, at our centres, venues and through the various services we offer.

This Privacy Policy is designed to protect you, our users, by informing you how personal information is collected, how we look after that information and with whom we share it. Quick links have been provided to help you find the section you wish to read.

Active Luton is committed to complying with the Data Protection Act 1998, the General Data Protection Regulation (GDPR), The Privacy and Electronic Communications (EC Directive) Regulations 2003. By using our websites, our centres and our services, you are consenting to us processing your information in the ways stated here.

The basis on which we collect and process your data is usually through consent. Sometimes there is a contractual reason such as being able to process a monthly direct debit payment. Occasionally there may be a legal reason for collecting data, such as for employees when we have to collect the information for the HMRC, or, should you have an accident, we may need to provide details of this to the relevant health and safety authorities. We may also process your data based on our legitimate business interests for example in order to operate and improve our business.

The information we collect may include any of the following:

Any personal details you give us or we obtain from third parties?

This includes information you type into our websites or provide to one of our colleagues. We collect this information when you become a member, create your profile, update your member profile, provide activity data from other devices, make a booking, sign up as a volunteer, visit one of our centres or any of our services. This information may include your personal contact data, fitness-related data which has been obtained in order to create personalised fitness workouts for you or health related data. We use this to provide you with the services you request, tell you about services you are eligible for, to keep in contact with you and to manage your account and the services we provide. If you contact us by email, via the website, in person or by telephone we may keep a record of your contact information and enquiry and may subsequently use your contact details to respond to your enquiry.

Information which allows us to recognise you

Such as a unique ID number; storing this data saves you from re-entering your details again when you return to the website. Active Luton can recognise you by your photograph as well, which also allows us to ensure that your card is not misused if lost or stolen and helps us identify you to ensure we support you on your activity journey.

Details of your transactions

We collect data for any transactions you carry out through our websites and services, so that we can administer the services you have with us. Please note that we never store your payment details on our website.

Other Sensitive data

We are sometimes required to collect information about your ethnicity and other sensitive data in order to provide aggregated reports to the local authority or clinical commissioning group. This information is used only for statistical purposes and is always kept secure. If you prefer not to provide us with this data we will not hold this data.

Sensitive Health Data

We collect any personal health data you provide to us when registering and signing up for our health services. We collect this information to ensure we are offering you the right services and so your progress can be tracked by yourself and us. We may ask you for information about your health in order to recommend appropriate exercise regimes or offer our other services

Banking data

We will store your bank account number and sort code data where you have a Direct Debit mandate in place. When the Direct Debit mandate finishes we will remove this data from our operational systems within 12 months. We process bank card information at the time we take payment. This data is not stored on our systems and is processed on Payment Card Industry Data Security Standard compliant banking systems.

Information about website visits including IP address

The IP address is your computer's individual identification number.

We use your IP address to capture information about website visits so we can learn more about how our customers use the website in order to find ways to improve the website and our products and services for your benefit. Please see our Cookie Policy for more information.

Customer feedback

We will record customer comments and surveys about how we are performing

Your communications preferences

We keep a record of any permissions and preferences you give us about what types of communication you are happy to receive from us.

Data relating to children

Our services are used by people of all ages. Active Luton may accept website registrations and collect personal information from individuals under the age of 13. If you are under 13 we do not allow you to post information about yourself in any Active Luton forums or community areas. Active Luton accepts no liability if this instruction is ignored.

Children aged under 6 years must have a parent or guardian's consent before providing personal information to us. We do not wish to collect any personal information without this consent.

How do we store and collect your personal information?

These are the basic guidelines we use to look after your personal data.

• We maintain secure systems to protect your personal information
• We respect your wishes about how we contact you, whether by post, telephone, email or text message
• We will update your information or preferences promptly when you ask us to
• We will respond fully to requests from you to see the information that we hold on you.
• We will not hold your personal information for longer than is necessary for our legitimate business purposes.
• We follow strict procedures when storing or handling information that you have given us. Some information is encrypted, such as payment transactions and password.
• We will never sell your personal information to a third party.

Active Luton reserves the right to store and process information securely outside of the European Economic Area ("EEA").

Retention Policy

We retain personal information as long as we consider it useful to contact you, or as needed to comply with our legal obligations. Where data is not needed for legal or statutory purposes we will delete this information if you request. See the contacts section to request your data to be deleted.

Services provided by contracted third parties

Active Luton may share information with third party organisations that provide specific services on our behalf which enhance our products and your experience with us. These organisations act as a Data Processor under our instructions. They may process data securely outside of the EEA. There is a contract in place with each third party which includes strict terms and conditions to protect your privacy.

Our current processing partners include Legend Club Management, SwimTag, Technogym. Life Fitness, Innovatise, Alliance Leisure, The Retention People and Foremost Golf.

Please note: Use of services provided by our partners will be subject to the terms and conditions and/or Privacy Policies of these third party organisations. Please see the links to these third party terms that also apply above and beyond these here:

• Legend Club Management
• SwimTag
• Technogym
• Life Fitness
• MyFitApp
• Alliance
• The Retention People
• Foremost Golf

Leisure and Health Partners

Active Luton runs services on behalf of other organisations such as Local Authorities, NHS, Clinical Commissioning Groups and Trusts. Data may be shared with these organisations at a summary level but not at a personable identifiable level. For our health related services, with your consent, we may share identifiable information with your GP and NHS services.

At the end of a contract, if the service is to be run by another operator, Active Luton will forward on your details to the new operator so they can continue to provide the service to you without interruption. If you do not wish us to do this please send a request to Active Luton Head Office.

These organisations will be a Data Controller in their own rights, and where they do process your data will inform you directly or through their services such as a website about the data they hold and what processing they undertake.

Marketing Partners

Active Luton will never sell your personal information to any third party for marketing or other purposes.

How we use your information

Our Site may use "cookies" to enhance User experience. User's web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. User may choose to set their web browser to refuse cookies, or to alert you when cookies are being sent. If they do so, note that some parts of the Site may not function properly.

Read teamBEDS&LUTON's full Cookie Policy.

How we use collection information

We use your information to help us provide and improve our services for you. We may use your information in the following ways.

• to provide you with any services that you have purchased or receive free as part of a health or other scheme
• to check your identity
• to check your eligibility where appropriate
• to update our records with any new information you give us
• to notify you if we will be unable to provide a service you have booked before
• to provide marketing communications (if you have given us your permission)
• for research and analysis so we can develop and improve our services for your benefit
• to tailor our communications to you to ensure relevance (if you do not want us to do this please contact us using the details below)
• to comply with legal requirements.
• to safeguard users of our services

Keeping you updated

There are certain communications we need to send to you so we can provide our services. We call these service communications and include for example notices about your direct debit payments, change of password, registration confirmations, appointment reminders and waiting list announcements. We would not be able to provide you with services if we did not send these.

We may from time to time contact you about our services or products we think you might find interesting by email, by post, telephone or SMS, but only if you have given us your permission to do so.

If you do not want us to contact you other than for service emails let us know when you next visit us or contact us using the details below. For Active Luton website users you can do this by ticking the relevant boxes in the Permissions page in 'My Profile' in your online account, or click on the 'unsubscribe' link on any emails we send. You may also opt-out of email or any other communications by contacting the support team at dpo@activeluton.co.uk or by letting us know in one of our centres or health service groups.

Your rights to manage your personal data

Accuracy of data

We will always try to ensure the data we hold about you is accurate and relevant. If you believe the information we hold about you is out of date or incorrect, please tell a member of staff or see the contacting us section below. You will need a form of identification to request any changes.

Seeing your data – subject access request

The Data Protection Act 1998 and the General Data Protection Regulation give you the right to know what personal information we hold about you. This is called a Subject Access Request. If you would like to make a request you should write to the Data Controller – see contacting us section.

Removing your data

If you no longer use our services and products and wish us to delete your personal data we will do this if there are no legal or statutory regulations requiring us to keep this information. Please write to the Data Controller – see contacting us section.

Restricting processing

You can contact us using the details below to restrict the processing of your data including some processing we do under legitimate business interests.

Transferring your data

In some circumstances you can ask us to transfer your information to another organisation.

Complaints about how we manage your data

If you are not happy about the way we manage your data please contact us as quickly as possible by contacting your centre or usual contacts for providing our service. You may also write to the Data Controller – who will investigate your complaint and get back to you as soon as possible.

Information Commissioner's Office (ICO)

The ICO is the UK's independent authority set up to uphold information rights. You have the right to contact them should you wish. Details can be found on their website: https://ico.org.uk/

Links to other websites

Our websites may contain links to and from external websites, advertisers and affiliates. If you follow a link to other sites please note that these will be governed by their own privacy policies. We cannot accept liability for data use on those websites.

Changes to this privacy policy

This policy may be updated from time to time on this page. If you have any questions or comments about our Privacy Policy or how we use your personal information please contact us at dpo@activeluton.co.uk

Contacting us

In most instances it is best to contact us locally where you take part in our services such as the Leisure Centre or the Health Service you normally attend. We can usually deal with most of your queries here.

You can also contact us through our contacts pages on our website at www.activeluton.co.uk

Alternatively, you can write or email our Data Controller dpo@activeluton.co.uk

Data Protection Officer
Active Luton
Wigmore Hall

Eaton Green Road
LU2 9JB

Document last updated: 14 May 2018

The basis on which we collect and process your data is usually through consent. Sometimes there is a contractual reason such as being able to process a monthly direct debit payment. Occasionally there may be a legal reason for collecting data, such as for employees when we have to collect the information for the HMRC, or, should you have an accident, we may need to provide details of this to the relevant health and safety authorities. We may also process your data based on our legitimate business interests for example in order to operate and improve our business.

The information we collect may include any of the following:

Any personal details you give us or we obtain from third parties?

This includes information you type into our websites or provide to one of our colleagues. We collect this information when you become a member, create your profile, update your member profile, provide activity data from other devices, make a booking, sign up as a volunteer, visit one of our centres or any of our services. This information may include your personal contact data, fitness-related data which has been obtained in order to create personalised fitness workouts for you or health related data. We use this to provide you with the services you request, tell you about services you are eligible for, to keep in contact with you and to manage your account and the services we provide. If you contact us by email, via the website, in person or by telephone we may keep a record of your contact information and enquiry and may subsequently use your contact details to respond to your enquiry.

Information which allows us to recognise you

Such as a unique ID number; storing this data saves you from re-entering your details again when you return to the website. Active Luton can recognise you by your photograph as well, which also allows us to ensure that your card is not misused if lost or stolen and helps us identify you to ensure we support you on your activity journey.

Details of your transactions

We collect data for any transactions you carry out through our websites and services, so that we can administer the services you have with us. Please note that we never store your payment details on our website.

Other Sensitive data

We are sometimes required to collect information about your ethnicity and other sensitive data in order to provide aggregated reports to the local authority or clinical commissioning group. This information is used only for statistical purposes and is always kept secure. If you prefer not to provide us with this data we will not hold this data.

Sensitive Health Data

We collect any personal health data you provide to us when registering and signing up for our health services. We collect this information to ensure we are offering you the right services and so your progress can be tracked by yourself and us. We may ask you for information about your health in order to recommend appropriate exercise regimes or offer our other services

Banking data

We will store your bank account number and sort code data where you have a Direct Debit mandate in place. When the Direct Debit mandate finishes we will remove this data from our operational systems within 12 months. We process bank card information at the time we take payment. This data is not stored on our systems and is processed on Payment Card Industry Data Security Standard compliant banking systems.

Information about website visits including IP address

The IP address is your computer's individual identification number.

We use your IP address to capture information about website visits so we can learn more about how our customers use the website in order to find ways to improve the website and our products and services for your benefit. Please see our Cookie Policy for more information.

Customer feedback

We will record customer comments and surveys about how we are performing

Your communications preferences

We keep a record of any permissions and preferences you give us about what types of communication you are happy to receive from us.

Data relating to children

Our services are used by people of all ages. Active Luton may accept website registrations and collect personal information from individuals under the age of 13. If you are under 13 we do not allow you to post information about yourself in any Active Luton forums or community areas. Active Luton accepts no liability if this instruction is ignored.

Children aged under 6 years must have a parent or guardian's consent before providing personal information to us. We do not wish to collect any personal information without this consent.

How do we store and collect your personal information?

These are the basic guidelines we use to look after your personal data.

• We maintain secure systems to protect your personal information
• We respect your wishes about how we contact you, whether by post, telephone, email or text message
• We will update your information or preferences promptly when you ask us to
• We will respond fully to requests from you to see the information that we hold on you.
• We will not hold your personal information for longer than is necessary for our legitimate business purposes.
• We follow strict procedures when storing or handling information that you have given us. Some information is encrypted, such as payment transactions and password.
• We will never sell your personal information to a third party.

Active Luton reserves the right to store and process information securely outside of the European Economic Area ("EEA").

Retention Policy

We retain personal information as long as we consider it useful to contact you, or as needed to comply with our legal obligations. Where data is not needed for legal or statutory purposes we will delete this information if you request. See the contacts section to request your data to be deleted.

Services provided by contracted third parties

Active Luton may share information with third party organisations that provide specific services on our behalf which enhance our products and your experience with us. These organisations act as a Data Processor under our instructions. They may process data securely outside of the EEA. There is a contract in place with each third party which includes strict terms and conditions to protect your privacy.

Our current processing partners include Legend Club Management, SwimTag, Technogym. Life Fitness, Innovatise, Alliance Leisure, The Retention People and Foremost Golf.

Please note: Use of services provided by our partners will be subject to the terms and conditions and/or Privacy Policies of these third party organisations. Please see the links to these third party terms that also apply above and beyond these here:

• Legend Club Management
• SwimTag
• Technogym
• Life Fitness
• MyFitApp
• Alliance
• The Retention People
• Foremost Golf

Leisure and Health Partners

Active Luton runs services on behalf of other organisations such as Local Authorities, NHS, Clinical Commissioning Groups and Trusts. Data may be shared with these organisations at a summary level but not at a personable identifiable level. For our health related services, with your consent, we may share identifiable information with your GP and NHS services.

At the end of a contract, if the service is to be run by another operator, Active Luton will forward on your details to the new operator so they can continue to provide the service to you without interruption. If you do not wish us to do this please send a request to Active Luton Head Office.

These organisations will be a Data Controller in their own rights, and where they do process your data will inform you directly or through their services such as a website about the data they hold and what processing they undertake.

Marketing Partners

Active Luton will never sell your personal information to any third party for marketing or other purposes.

How we use your information

Our Site may use "cookies" to enhance User experience. User's web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. User may choose to set their web browser to refuse cookies, or to alert you when cookies are being sent. If they do so, note that some parts of the Site may not function properly.

Read teamBEDS&LUTON's full Cookie Policy.

How we use collection information

We use your information to help us provide and improve our services for you. We may use your information in the following ways.

• to provide you with any services that you have purchased or receive free as part of a health or other scheme
• to check your identity
• to check your eligibility where appropriate
• to update our records with any new information you give us
• to notify you if we will be unable to provide a service you have booked before
• to provide marketing communications (if you have given us your permission)
• for research and analysis so we can develop and improve our services for your benefit
• to tailor our communications to you to ensure relevance (if you do not want us to do this please contact us using the details below)
• to comply with legal requirements.
• to safeguard users of our services

Keeping you updated

There are certain communications we need to send to you so we can provide our services. We call these service communications and include for example notices about your direct debit payments, change of password, registration confirmations, appointment reminders and waiting list announcements. We would not be able to provide you with services if we did not send these.

We may from time to time contact you about our services or products we think you might find interesting by email, by post, telephone or SMS, but only if you have given us your permission to do so.

If you do not want us to contact you other than for service emails let us know when you next visit us or contact us using the details below. For Active Luton website users you can do this by ticking the relevant boxes in the Permissions page in 'My Profile' in your online account, or click on the 'unsubscribe' link on any emails we send. You may also opt-out of email or any other communications by contacting the support team at dpo@activeluton.co.uk or by letting us know in one of our centres or health service groups.

Your rights to manage your personal data

Accuracy of data

We will always try to ensure the data we hold about you is accurate and relevant. If you believe the information we hold about you is out of date or incorrect, please tell a member of staff or see the contacting us section below. You will need a form of identification to request any changes.

Seeing your data – subject access request

The Data Protection Act 1998 and the General Data Protection Regulation give you the right to know what personal information we hold about you. This is called a Subject Access Request. If you would like to make a request you should write to the Data Controller – see contacting us section.

Removing your data

If you no longer use our services and products and wish us to delete your personal data we will do this if there are no legal or statutory regulations requiring us to keep this information. Please write to the Data Controller – see contacting us section.

Restricting processing

You can contact us using the details below to restrict the processing of your data including some processing we do under legitimate business interests.

Transferring your data

In some circumstances you can ask us to transfer your information to another organisation.

Complaints about how we manage your data

If you are not happy about the way we manage your data please contact us as quickly as possible by contacting your centre or usual contacts for providing our service. You may also write to the Data Controller – who will investigate your complaint and get back to you as soon as possible.

Information Commissioner's Office (ICO)

The ICO is the UK's independent authority set up to uphold information rights. You have the right to contact them should you wish. Details can be found on their website: https://ico.org.uk/

Links to other websites

Our websites may contain links to and from external websites, advertisers and affiliates. If you follow a link to other sites please note that these will be governed by their own privacy policies. We cannot accept liability for data use on those websites.

Changes to this privacy policy

This policy may be updated from time to time on this page. If you have any questions or comments about our Privacy Policy or how we use your personal information please contact us at dpo@activeluton.co.uk

Contacting us

In most instances it is best to contact us locally where you take part in our services such as the Leisure Centre or the Health Service you normally attend. We can usually deal with most of your queries here.

You can also contact us through our contacts pages on our website at www.activeluton.co.uk

Alternatively, you can write or email our Data Controller dpo@activeluton.co.uk

Data Protection Officer
Active Luton
Wigmore Hall

Eaton Green Road
LU2 9JB

Document last updated: 14 May 2018