Privacy Policy
Effective date: 20 June 2025
Last reviewed: 20 June 2025 (revised to reflect new technology, including wearable smart‑glasses, and updated UK data‑protection guidance)
Cheltenham Running & Walking Club ("CRWC", "we", "us", "our") is a trading name of STS Fitness Ltd, 40 Gotherington Lane, Bishops Cleeve, Cheltenham, Gloucestershire, England. We are the data controller for the personal information we collect from members, supporters and website visitors at https://www.cheltenhamrunningclub.co.uk and https://www.cheltenhamwalking.co.uk (together, the "Site").
If you have any questions about this notice or about how we handle your data, please email conor@cheltenhamrunning.co.uk or write to the address above.
1 Data‑protection framework & point of contact
We process personal data in accordance with:
the UK General Data Protection Regulation (UK GDPR);
the Data Protection Act 2018 (DPA 2018);
the Privacy and Electronic Communications Regulations 2003 (PECR);
any other UK laws that apply to our activities.
We are not required to appoint a statutory Data Protection Officer, but Conor Graham (Director) acts as our Data‑Protection Lead and first point of contact for all privacy‑related matters.
We review this policy at least annually and whenever we introduce new processing activities.
2 What data we collect
| Category | Examples | Why we need it |
|---|---|---|
| Identity & contact data | Name, postal address, email, phone | Membership administration, session bookings, safeguarding |
| Special‑category data | Relevant health conditions, next‑of‑kin / emergency contact | To protect your vital interests during club activities and to tailor sessions safely (UK GDPR Art. 9(2)(a) explicit consent and (2)(c) vital interests) |
| Transaction data | Membership start/renewal dates, purchase history, Stripe/WooCommerce payment IDs | Contract fulfilment, accounting and tax compliance |
| Session data | Session sign‑ups, attendance, performance notes | Service delivery, coaching, safeguarding |
| Media | Photographs and video captured at sessions or events, including footage recorded using handheld cameras, smartphones or wearable devices such as smart‑glasses | Club promotion, community engagement, training & coaching feedback, historical record |
| Technical & usage data | IP address, device type, cookie identifiers, Site browsing statistics | Site security, analytics, service improvement |
3 How & why we use your data – lawful bases
| Purpose | Lawful basis (UK GDPR, Art. 6) | Additional basis for special‑category data |
|---|---|---|
| Managing memberships, bookings and contracts | Contractual necessity (Art. 6(1)(b)) | Explicit consent / vital interests (Art. 9) for health details |
| Collecting membership fees, shop sales and donations | Contractual necessity and legal obligation (tax law) | |
| Communicating service messages (e.g. session changes, safety alerts) – we balance our interest in efficient administration against your privacy by limiting messages to essential information and providing easy opt‑out options | Legitimate interests (efficient club administration) | |
| Sending marketing newsletters, event promotions and offers | Consent (non‑members) or soft opt‑in / legitimate interests (existing members, PECR Reg. 22(3)) | |
| Publishing photos & videos to website, social platforms and printed materials, and using captured media internally to provide technique feedback and educational coaching resources to members – we minimise impact on individual privacy by offering clear opt‑out mechanisms and safeguarding minors | Legitimate interests (club promotion) – see Section 7 | n/a |
| Analysing Site traffic and improving the Site | Consent for non‑essential cookies (PECR) |
A documented Legitimate Interests Assessment (LIA) balances our interests against your rights. You may object to processing based on legitimate interests at any time (see Section 11).
4 Cookies & analytics
We use cookies to:
remember preferences (essential cookies);
measure Site traffic and engagement (analytics);
enable embedded social‑media content.
A cookie‑consent banner appears on your first visit, giving you the choice to accept or reject non‑essential cookies. You can also manage cookies through your browser settings. For a full cookie list, see our separate Cookie Notice (https://www.cheltenhamrunningclub.co.uk/cookies) linked in the banner.
5 Communications & marketing
You can subscribe to our newsletter via clear double‑opt‑in forms.
Every marketing email contains an Unsubscribe link; you may also email us to opt out.
We track open and click rates to understand the relevance of our content and improve future messages. Tracking is disabled if your email client blocks images or you choose "text‑only" emails.
6 Membership & session management systems
| Function | Provider | Data location & safeguards |
|---|---|---|
| Membership database | Paid Memberships Pro (WordPress plugin) | Hosted in UK/EU data centres |
| Payment processing | Stripe & WooCommerce | Data may be transferred to the USA under UK Addendum to EU SCCs; Stripe is PCI‑DSS compliant |
| Session bookings | Signup.com | USA; protected by SCCs + UK Addendum |
| CRM, email marketing & scheduling | GenieAI (white‑labelled HighLevel) | USA; SCCs + UK Addendum |
Each supplier signs a Data‑Processing Agreement (DPA) with us and implements industry‑standard security.
7 Photography & video recording
We routinely capture photos and videos at club sessions, races and social events using handheld cameras, smartphones or wearable devices such as smart‑glasses.
Purpose: celebrate achievements, showcase club life, provide technique feedback and educational coaching to members, and attract new members.
Who may appear: by attending an activity you acknowledge you may be filmed or photographed.
Opt‑out: tell the session leader in advance or email conor@cheltenhamrunning.co.uk; we will make reasonable efforts (e.g. positioning you outside frame, blurring faces) but cannot guarantee complete exclusion in group settings, and we will not deliberately focus footage or photography on you.
Minors: identifiable images of under‑18s are published only with prior written parental consent.
Legal basis: legitimate interests (Art. 6(1)(f)). Our balancing test found that the benefits of documenting and promoting club life, coaching members, and building community outweigh any limited impact on privacy because we provide clear opt‑out routes, avoid deliberately filming individuals who opt out, and protect minors. You can request the full LIA at any time.
Clear signage is displayed at larger events indicating that filming/photography is in progress.
8 External links
Our Site contains links to partner offers and third‑party websites. We are not responsible for their content or privacy practices. Please review their privacy notices before providing personal information.
9 Data security & retention
Security measures
Encrypted web hosting (HTTPS), firewalls and malware scanning
Role‑based access controls and strong password policies
End‑to‑end encryption for payments via Stripe / WooCommerce
Encrypted backups stored within the UK/EU
Retention schedule
| Data type | Typical retention period | Rationale |
|---|---|---|
| Membership records | 2 years after last active membership | Respond to queries, offer rejoin opportunities |
| Special‑category health data | Deleted 12 months after membership lapses | Minimise sensitive data exposure |
| Financial / transaction data | 6 years | HMRC statutory requirement |
| Video & photos | Up to 5 years (reviewed annually) | Promotional relevance, historical record |
| Website analytics logs | 26 months (Google Analytics default) | Trend reporting |
We may retain data longer where necessary to establish, exercise or defend legal claims.
10 International data transfers
Some suppliers (e.g. Stripe, GenieAI) store data in the United States. Where they do, we rely on:
the European Commission Standard Contractual Clauses (SCCs) plus the UK Addendum; and
supplier‑implemented technical and organisational measures (encryption, access controls).
11 Your rights
You have the following rights under UK GDPR:
Access – ask for a copy of the personal data we hold about you.
Rectification – have inaccurate or incomplete data corrected.
Erasure – request deletion of your data (“right to be forgotten”).
Restriction – ask us to pause processing while concerns are investigated.
Portability – receive certain data in a machine‑readable format or ask us to transfer it to another provider.
Objection – object to processing based on legitimate interests or to direct marketing.
Withdraw consent – at any time where processing is based on consent.
Complain – to the UK Information Commissioner’s Office (https://ico.org.uk) if you believe we have mishandled your data.
To exercise any of these rights, email conor@cheltenhamrunning.co.uk. We will respond within one month.
12 Changes to this policy
We may update this notice to reflect changes in law, best practice or club operations. The latest version is always available on the Site. Where changes are material we will notify members by email or via the Club WhatsApp group. By joining the Club WhatsApp group, you consent to receive such notifications via that third‑party service; messages are processed under WhatsApp LLC’s privacy policy and may be transferred outside the UK/EU.
STS Fitness Ltd / Cheltenham Running & Walking Club
40 Gotherington Lane, Bishops Cleeve, Cheltenham, Gloucestershire, England
Phone: 07580 481454
Email: conor@cheltenhamrunning.co.uk
Last updated: 20 June 2025
follow us: