GDPR Compliance

Our Commitment to Data Protection

Cleanse Breeze takes data protection seriously and operates in full compliance with the UK General Data Protection Regulation and the Data Protection Act 2018. This page explains our approach to protecting your personal information and details your rights under current data protection legislation.

Data Controller Information

For the purposes of data protection law, Cleanse Breeze acts as the data controller for personal information we collect through our services and website.

Our registered address is Unit 7, Riverside Business Park, 42 Wellington Road, Bristol BS8 2UB, United Kingdom.

For any data protection queries or to exercise your rights, contact our data protection contact at [email protected].

Categories of Personal Data We Process

Identity and Contact Information

This includes your name, email address, postal address, and any other contact details you provide when engaging with our services.

Health and Fitness Data

As a fitness provider, we process special category data relating to your health. This includes medical history, injury records, current health conditions, fitness assessments, and training progress data. We only collect health information necessary for safe and effective service delivery.

Financial Information

Payment card details are processed by our secure payment provider and we do not store full card information. We retain transaction records for accounting and legal purposes.

Communication Records

We maintain records of our communications with you, including emails, messages, consultation notes, and any feedback you provide.

Technical Data

When you use our website, we collect technical information such as IP address, browser type, device information, and browsing behaviour through cookies and similar technologies.

Lawful Basis for Processing

Consent

For processing special category health data, we rely primarily on your explicit consent. Before collecting health information, we explain what we need, why we need it, and how it will be used. You can withdraw this consent at any time, though this may affect our ability to provide services safely.

Contractual Necessity

Much of our data processing is necessary to perform the contract we have with you for fitness services. Without processing certain information, we cannot deliver the services you've engaged us to provide.

Legitimate Interests

Some processing is based on legitimate business interests, such as maintaining business records, preventing fraud, or improving our services. We balance these interests against your rights and freedoms.

Legal Obligations

Certain processing is required by law, including maintaining financial records for tax purposes and retaining health and safety documentation for insurance requirements.

Your Rights Under GDPR

Right to Be Informed

You have the right to clear information about how we use your personal data. This document, along with our Privacy Policy, fulfils this obligation by explaining our data practices transparently.

Right of Access

You can request access to the personal data we hold about you. This is commonly known as a "subject access request." We will provide a copy of your data in a commonly used format within one month of receiving your request. The first copy is provided free of charge; we may charge a reasonable fee for additional copies or manifestly unfounded requests.

Right to Rectification

If personal information we hold about you is inaccurate or incomplete, you have the right to have it corrected. Please notify us of any changes to your information so we can update our records accordingly.

Right to Erasure

Also known as the "right to be forgotten," this allows you to request deletion of your personal data in certain circumstances. These include situations where the data is no longer necessary for its original purpose, where you withdraw consent, or where you object to processing and we have no overriding legitimate grounds to continue.

This right is not absolute. We may need to retain certain information to comply with legal obligations, for example maintaining financial records for tax purposes or health records for insurance requirements.

Right to Restrict Processing

You can request that we restrict how we use your personal data in specific situations, such as when you contest the accuracy of the data or object to processing based on legitimate interests. During the restriction period, we can store the data but not use it further without your consent except for legal claims or protecting another person's rights.

Right to Data Portability

For data you have provided to us that we process automatically based on consent or contract performance, you have the right to receive a copy in a structured, machine-readable format. You can also request that we transfer this data directly to another organisation where technically feasible.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. If you object to marketing, we will stop immediately. For objections to other processing, we will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision Making

You have protections against decisions made solely by automated means that significantly affect you. We do not currently use automated decision-making or profiling systems.

How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected] or write to our postal address provided above. Please include sufficient information to allow us to identify you and understand your request.

We may need to verify your identity before fulfilling certain requests to ensure we're releasing information to the correct person. We'll typically respond within one month, though this can be extended by two additional months for complex requests. We'll inform you if an extension is necessary.

There is no charge for exercising your rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

Special Category Data

Health information is classified as special category data under GDPR, requiring additional protections. We process health data because it's essential for providing safe and effective fitness training services.

Before collecting health information, we obtain your explicit consent and explain exactly what will be collected and how it will be used. We implement enhanced security measures for storing and transmitting health data and restrict access to only those team members who need it to provide your training.

You can withdraw consent for processing your health data at any time. However, this may mean we cannot safely continue providing certain services, as we need health information to design appropriate programmes and ensure your safety.

Data Security Measures

We implement technical and organisational security measures appropriate to the risks presented by our processing activities:

Technical Measures

• Encryption of data in transit using secure protocols
• Password-protected systems with strong authentication requirements
• Regular software updates and security patches
• Secure backup systems with encrypted storage
• Firewall and anti-malware protection

Organisational Measures

• Data protection training for all staff members
• Clear data handling policies and procedures
• Access controls ensuring staff only access data necessary for their role
• Regular review of data protection practices
• Secure document disposal procedures
• Physical security at our premises

Data Breach Procedures

Despite our security measures, breaches can occur. We have procedures in place to detect, report, and investigate any data security breaches.

If a breach occurs that poses a risk to your rights and freedoms, we will notify you without undue delay. Where the breach poses a high risk, we'll inform the Information Commissioner's Office within 72 hours of becoming aware of it.

Our breach response procedures include containment of the breach, assessment of the risk, notification to affected individuals and authorities where required, and review of security measures to prevent recurrence.

Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected or as required by law:

• Client health and training records: Seven years after last session (insurance requirement)
• Financial records: Six years after the relevant tax year (legal requirement)
• Communication records: Three years after last interaction unless part of client records
• Marketing consent records: Until consent is withdrawn or we determine the data is no longer relevant
• Website analytics: Maximum 26 months

When retention periods expire, data is securely deleted or anonymised.

Third-Party Processors

Some data processing is carried out by third-party service providers acting as processors on our behalf. We ensure these processors provide sufficient guarantees regarding data security and only process data according to our documented instructions.

All processors are selected carefully and must sign data processing agreements that include GDPR-compliant terms. We regularly review processor compliance with data protection obligations.

International Transfers

We primarily store and process data within the United Kingdom. Some service providers may process information outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK government or verification that the recipient country provides adequate data protection.

Children's Data

We work with some clients aged 16-17 with parental consent. For individuals under 16, we obtain consent from a parent or guardian before collecting personal information. Parents can request access to their child's data or request its deletion at any time.

Complaints and Supervisory Authority

If you have concerns about how we handle your personal data, please contact us first at [email protected]. We take complaints seriously and will investigate thoroughly.

You also have the right to lodge a complaint with the Information Commissioner's Office, the UK's supervisory authority for data protection:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Website: ico.org.uk
Helpline: 0303 123 1113

Updates to This Information

We review our data protection practices regularly and update this page as needed to reflect changes in how we process data or updates to applicable legislation. Significant changes will be communicated to active clients directly.

Further Questions

If you have questions about GDPR compliance or our data protection practices that are not addressed here, please contact [email protected]. We're committed to transparency and happy to provide additional information about how we protect your data.