PRIVACY POLICY

A1 Thornaby Limited (trading as allGym)

Privacy Notice

Last updated: July 2026

This notice explains how we collect, use, store and share personal information when you visit our website, contact us, become a member, use our app or facilities, or otherwise interact with allGym.

1. Who we are

A1 Thornaby Limited, trading as allGym, is the controller of the personal information described in this notice. This means we decide why and how that information is used.

Company: A1 Thornaby Limited (t/a allGym)

Company number: 13920365

Registered/business address: 8 New Street, Thornaby, Stockton-on-Tees, TS17 6BU

Privacy contact: dataprotection@allgym.co.uk

2. Information we collect

Depending on how you interact with us, we may collect:

  • Identity and contact details: name, date of birth, address, email address, telephone number and emergency contact details.
  • Membership information: membership type, start date, status, freezes, cancellations, guest visits and communications about your account.
  • Payment information: billing details, payment status, transaction references and limited payment-card or direct-debit information. Full card details are normally handled by our payment providers rather than stored by us.
  • Access and usage information: dates and times of entry and exit, QR code or access credential activity, attendance patterns, bookings and use of facilities.
  • Account and technical information: usernames, account identifiers, device information, IP address, browser type, app and website activity and security logs.
  • Health and safety information: health declarations, information you choose to provide about an injury, illness, disability or pregnancy, accident-book records and incident reports.
  • CCTV images: footage recorded in and around the club, excluding areas where privacy would reasonably be expected.
  • Customer-service information: enquiries, complaints, feedback, reviews, call notes, emails, messages and records of our interactions with you.
  • Marketing information: your marketing preferences and information about how you interact with our emails, website, app and advertisements.
  • Promotional content: photographs, video or testimonials where you have agreed that we may use them.
  • Recruitment information: information provided when applying to work with us.

3. How we collect information

We collect information:

  • directly from you when you join, contact us, complete a form, use the app, attend the club, make a payment or take part in a promotion;
  • automatically through our website, app, access-control systems, CCTV, cookies and similar technologies;
  • from service providers that help us administer memberships, payments, communications, website services and member benefits;
  • from social-media platforms when you contact us, tag us or interact with our pages and advertising;
  • from another person where they lawfully provide your details, for example as an emergency contact or guest.

4. How and why we use information

PurposeTypical informationLawful basis
Set up and administer memberships, provide access and deliver member servicesIdentity, contact, membership, payment and access informationPerformance of our contract with you
Take payments, issue refunds and recover unpaid sumsPayment, contact and membership informationContract; legitimate interests; legal obligations
Provide customer support and manage enquiries, complaints, freezes and cancellationsContact, account and communication recordsContract; legitimate interests; legal obligations
Control entry, prevent misuse of memberships and investigate unauthorised accessAccess logs, membership records and CCTVLegitimate interests in protecting members, staff, property and the business
Maintain health and safety, investigate accidents and respond to incidentsIncident reports, CCTV, access records and health informationLegal obligations; legitimate interests; substantial public interest or explicit consent where required
Operate, analyse and improve the club, website, app, facilities and servicesUsage, attendance, technical, feedback and aggregated informationLegitimate interests
Prevent and detect fraud, misuse, damage and unlawful activityAccount, access, payment, technical and CCTV informationLegitimate interests; legal obligations
Send service messages about your membership, payments, safety or changes to our servicesContact and membership informationContract; legitimate interests; legal obligations
Send marketing and measure its effectivenessContact details, preferences and interaction dataConsent or legitimate interests, together with applicable electronic-marketing rules
Establish, exercise or defend legal claimsInformation relevant to the dispute or claimLegitimate interests; legal obligations

Where we rely on legitimate interests, we consider whether our interests are necessary and balanced against your rights and reasonable expectations.

5. Health and other sensitive information

Information about health is treated as special-category personal data under UK data-protection law. We only collect and use it where there is a valid reason and an additional legal condition permitting us to do so.

This may include information you provide in a health declaration, cancellation or freeze request, accident report, reasonable-adjustment request or other communication concerning your ability to use our facilities safely. We limit access to this information and do not use it for unrelated purposes.

6. CCTV and access monitoring

We operate CCTV and electronic access monitoring in and around the club for safety, security, access management, incident investigation, protection of members and staff, protection of property, enforcement of membership rules and, where appropriate, prevention and detection of unlawful activity.

CCTV is not installed in toilets, changing cubicles, showers or other areas where people would reasonably expect complete privacy. Access to footage is restricted to authorised people and footage may be disclosed to the police, insurers, legal advisers, regulators or other parties where lawful and necessary.

CCTV footage is normally retained for a minimum of 14 days and a maximum of 30 days, unless it is required for longer to investigate an incident, respond to a request or establish, exercise or defend a legal claim.

7. Marketing

We may send information about allGym memberships, services, offers, events and facilities by email, SMS, telephone, post, app notification or social media where the law permits us to do so.

We may rely on your consent or, where permitted, our legitimate interests and the electronic-marketing “soft opt-in” for our own similar products and services. You can opt out at any time by using the unsubscribe option in a message, changing your preferences where available, or contacting us.

Service communications about your membership, payments, safety, access or material operational changes are not marketing and may still be sent where necessary.

Our marketing emails may record delivery, opening and link-click information so that we can understand engagement and improve future communications. Where consent is required for this technology, we will seek it.

8. Cookies, analytics and online advertising

Our website and digital services may use cookies, pixels, software development kits and similar technologies for essential operation, security, preferences, analytics and advertising.

These may include services provided by organisations such as:

  • Google, including analytics and advertising services;
  • Meta, including the Meta Pixel and advertising services;
  • our website, app, membership-management and communications providers.

Non-essential cookies should only be set in accordance with the choices presented through our cookie banner or preference tool. You can also control cookies through your browser, although blocking essential cookies may affect how the website functions.

Our website uses a cookie consent banner that allows you to manage your preferences for non-essential cookies. You can accept, reject or customise your cookie settings at any time. Essential cookies are used to ensure the website functions correctly and cannot be disabled through our cookie preference centre.

9. Who we share information with

We do not sell your personal information. We may share it, where necessary, with:

  • membership-management, app and access-control providers;
  • payment processors, direct-debit providers, banks and debt-recovery providers;
  • IT, hosting, cybersecurity, website, analytics, communications and marketing providers;
  • providers of member benefits, where required to activate or deliver a benefit you have chosen;
  • professional advisers, including accountants, auditors, insurers, solicitors and consultants;
  • the police, emergency services, courts, regulators and public authorities where required or permitted by law;
  • a prospective buyer, investor or professional adviser in connection with a proposed sale, investment, restructuring or transfer of the business, subject to appropriate confidentiality controls.

Our current service providers may include Membr (membership management), Stripe (payment processing), Meta (advertising and audience management), Google (analytics and advertising) and other providers who support the operation of our business. These providers may process personal information on our behalf or, in some circumstances, as independent controllers in accordance with their own privacy notices.

10. International transfers

Some service providers may store or access information outside the United Kingdom. Where personal information is transferred internationally, we take steps intended to ensure an appropriate level of protection, such as relying on UK adequacy regulations or approved contractual safeguards including the UK International Data Transfer Agreement or UK Addendum.

You may contact us for further information about the safeguards used for a particular transfer.

11. How long we keep information

We keep personal information only for as long as reasonably necessary for the purpose for which it was collected, including to meet legal, accounting, tax, insurance and reporting requirements and to establish, exercise or defend legal claims.

  • Core membership and transaction records: normally for up to six years after the membership or relevant transaction ends, unless a longer or shorter period is justified.
  • CCTV: normally for the period stated in section 6, unless footage is preserved for an incident, claim or lawful request.
  • Access logs: up to 36 months after a membership lapses.
  • Marketing records: for as long as you remain subscribed, together with a limited suppression record after you opt out so that we can respect your preference.
  • Cookie and analytics data: according to the duration stated in our cookie settings or relevant provider information.
  • Health, accident and incident information: for a period appropriate to the nature of the record, legal requirements and potential claims.

We may anonymise information so that it no longer identifies you and use the anonymised information for statistical or business purposes.

12. How we protect information

We use organisational and technical measures designed to protect personal information from loss, misuse, unauthorised access, alteration or disclosure. These may include access controls, authentication, staff permissions, secure systems, supplier due diligence and procedures for responding to suspected personal-data breaches.

No system is completely secure. You are responsible for keeping your account credentials confidential and should tell us promptly if you believe your account or access credentials have been compromised.

13. Your rights

Depending on the circumstances, you may have the right to:

  • request access to your personal information;
  • ask us to correct inaccurate or incomplete information;
  • ask us to erase information;
  • ask us to restrict how information is used;
  • object to processing based on legitimate interests or to direct marketing;
  • receive certain information in a portable format;
  • withdraw consent at any time where processing is based on consent;
  • ask for safeguards relating to certain international transfers;
  • complain to the Information Commissioner’s Office.

These rights are not absolute and may not apply in every case. We may ask for information to verify your identity before acting on a request. We will not usually charge a fee, although the law permits a reasonable fee or refusal in limited circumstances involving manifestly unfounded or excessive requests.

14. Children and young people

Where a person under 18 uses our services, we may require the involvement or consent of a parent or legal guardian, depending on the service, the person’s age and our membership rules. We take additional care when handling children’s information and only collect what is reasonably necessary.

15. Changes to this notice

We may update this notice to reflect changes in our services, suppliers, technology or legal obligations. The latest version will be published on our website and the “last updated” date will be amended. Where a change is material, we may also bring it to your attention by email, through the app or by another appropriate method.

16. Contact and complaints

For questions about this notice or to exercise a data-protection right, contact:

A1 Thornaby Limited (t/a allGym)

8 New Street, Thornaby, Stockton-on-Tees, TS17 6BU

Email: dataprotection@allgym.co.uk

Please contact us first if you have a concern so that we have an opportunity to resolve it. You also have the right to complain to the Information Commissioner’s Office:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Make a complaint to the ICO