Privacy Policy | GYMPODS

Privacy Policy

Effective from 13 May 2026 · Replaces version dated 1 June 2022

This privacy policy explains how GYMPODS collects, uses, shares and protects your personal data. It applies to anyone who visits our website, uses our apps, books a session with us, signs up as a member, or contacts us in any other way.

We have tried to keep this policy in plain English. If anything is unclear, get in touch using the contact details at the end.

1. Who we are

We are The FIT POD Company Limited, trading as GYMPODS. We are the data controller for the personal data described in this policy, which means we decide how and why it is used.

Detail | Value
Registered company name | The FIT POD Company Limited
Trading as | GYMPODS
Registered office | 3 Plaza Gardens, London SW15 2DT
Companies House number | 12486047
ICO registration number | ZB449799
Website | www.gympods.com
Contact for privacy queries | info@gympods.com
Locations we operate from | Dalston (London E8) and Putney (London SW15)

We do not have a designated Data Protection Officer because we are not legally required to appoint one. For any privacy question, please email us at info@gympods.com.

2. The personal data we collect

We collect different types of personal data depending on how you interact with us. We have grouped them below.

Identity and contact data

  • Your name, date of birth, email address and phone number
  • Your billing address and emergency contact details (if you become a member)

Account and profile data

  • Your username and password (stored as a one-way hash, never in plain text)
  • Your home location (Dalston or Putney)
  • Your training preferences, equipment preferences and any feedback you give us
  • Responses to our health and lifestyle questionnaire, which we use to confirm it is safe for you to train

Financial data

  • Payment card details: these are handled by Stripe and are never stored on our systems
  • Details of payments to and from you (transaction history)

Usage data

  • Bookings you make, sessions you attend, credits used and gym entry and exit times
  • How you use our website and apps, including pages visited and features used

Technical data

  • Your IP address, device type, operating system, browser type and version
  • Approximate location derived from your IP address (city level, not precise)
  • Cookies and similar tracking technologies: see section 10

Marketing data

  • Your preferences for receiving marketing from us and how you want us to contact you
  • Whether you have opened or clicked our marketing emails

CCTV footage

  • Images of you when you are inside one of our gyms: see section 13

We do not collect special category data such as health information beyond what you tell us in the safe-to-train questionnaire, religious or political beliefs, sexual orientation, or biometric data used to identify you. We do not collect information about criminal convictions.

3. Where we collect your personal data from

  • Directly from you when you register, book a session, sign up to our app, fill in a form on our website, email us, call us, or speak to us in one of our gyms
  • Automatically when you use our website or apps, through cookies and analytics tools
  • From third parties we work with: for example, when you book through ClassPass or Wellhub, those platforms send us your booking details
  • From Stripe when you make a payment (we receive a payment reference and the last four digits of your card, never the full card number)

4. How we use your personal data and our legal basis for doing so

Under UK data protection law we have to have a lawful basis for every use we make of your personal data. The table below shows what we do with your data, why, and which lawful basis applies.

What we do | Why we do it | Lawful basis
Set up and manage your membership account | To deliver the service you have signed up for | Performance of a contract
Process bookings, payments and refunds | To deliver the service and meet our financial record-keeping obligations | Performance of a contract and legal obligation
Keep you signed in and remember your booking selections | So the website and app work properly | Legitimate interests (running our service)
Send transactional emails (booking confirmations, payment receipts, password resets) | Because you have asked us to provide a service | Performance of a contract
Run a WhatsApp assistant that helps members with booking queries | To help members manage bookings and answer common questions outside of staff hours | Legitimate interests (member support)
Send marketing emails about new offers, classes or services | To promote our business to people who have shown interest | Consent (you can opt out at any time)
Show you GYMPODS ads on Google, Meta and other platforms | To find new members and re-engage past visitors | Consent (managed through our cookie banner)
Measure how our website and ads perform | To improve our service and decide where to spend marketing budget | Consent (managed through our cookie banner)
Operate CCTV in our gyms | To keep members and staff safe and to investigate incidents | Legitimate interests (security and safety)
Keep records of your training to support your goals | To help you progress and recommend the right sessions | Performance of a contract
Comply with tax, accounting and regulatory obligations | Because the law requires us to | Legal obligation
Respond to enquiries or complaints | To answer you and resolve any issues | Legitimate interests
Defend or pursue legal claims if necessary | To protect our legal position | Legitimate interests

5. Who we share your personal data with

We share your personal data with the third parties listed below, who all process it on our behalf or as their own controllers where we work jointly with them. We do not sell your personal data to anyone.

Recipient | What they do for us | Where they are based
Stripe Payments UK, Ltd | Processes card payments and sends payment receipts. We never see or store your full card number. | United Kingdom and United States
Sendinblue SAS (Brevo) | Sends our marketing emails and most transactional emails (booking confirmations). | France
RunBox Solutions AS | Hosts our inbound business email addresses (info@, dalston@, putney@, pt@, business@). | Norway
BookedSolid | Provides the WhatsApp AI assistant for member queries; passes booking metadata to Brevo for confirmations. | United Kingdom
Google LLC | Google Analytics 4 measures site usage. Google Ads serves our ads and measures performance. | United States
Meta Platforms, Inc. | Meta Pixel measures ad performance and helps us show ads on Facebook and Instagram. | United States and Ireland
Microsoft Ireland Operations Ltd | Microsoft Clarity records anonymised session replays to help us improve the website. | Ireland and United States
Render Services, Inc. | Hosts our website and app servers. | United States
ClassPass, Inc. and Wellhub (Gympass) | Booking partners who send members to us via their platforms. | United States and Brazil
Our professional advisers | Accountants, lawyers and insurers who advise us when needed. | United Kingdom
Regulators and law enforcement | Where we are legally required to disclose information (rare). | United Kingdom

In-gym equipment

Our gyms include equipment from third parties such as Peloton and Echelon (treadmills, Mirror, Body Balance). Members access these via a shared GYMPODS commercial account at the equipment itself. Members never enter their personal account details into this equipment, so no personal member data is shared with these manufacturers via our gyms.

6. International transfers of your data

Some of the third parties we use are based outside the UK, mainly in the United States. When your personal data is transferred outside the UK, we make sure one of the following safeguards is in place:

  • The receiving country is covered by UK adequacy regulations. In particular, the UK Extension to the EU-US Data Privacy Framework (sometimes called the UK-US Data Bridge), which the UK government recognised in October 2023, covers most of our US processors including Google, Meta, Microsoft and Stripe where they are self-certified under the Framework.
  • Where the Framework does not apply, we rely on the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs), with additional safeguards as required.

You can ask us for more detail about how your data is protected when it is transferred internationally by contacting us at info@gympods.com.

7. How long we keep your data

We only keep your personal data for as long as we need it. The table below sets out the typical retention periods we apply.

Type of data | How long we keep it
Active member account and booking data | For as long as you are a member, plus 6 years after your account closes (to meet tax and accounting record-keeping rules)
Payment records | 6 years from the date of the transaction (HMRC requirement)
Marketing preferences | Until you opt out, then up to 2 years to record the fact that you opted out
Health and lifestyle questionnaire responses | For as long as you are a member, plus 12 months after your account closes
Website and app usage data (Google Analytics) | 14 months (the maximum we set in GA4)
Microsoft Clarity session recordings | 30 days (the maximum Clarity allows)
CCTV footage | 30 days at both locations, unless retained longer to investigate a specific incident
WhatsApp conversations via our AI assistant | Up to 12 months from the date of the last message, then deleted
Email correspondence with you | 3 years from the date of the last message
Cookies set on your browser | Each cookie has its own expiry; see our Cookie Policy

8. Your rights

Under UK data protection law, you have the following rights over your personal data. You can exercise any of them by emailing info@gympods.com. We will respond within one month.

Right of access

You can ask for a copy of the personal data we hold about you. This is often called a “subject access request” or “SAR”.

Right to rectification

You can ask us to correct personal data that is wrong or incomplete.

Right to erasure

You can ask us to delete your personal data. This is sometimes called the “right to be forgotten”. We may not be able to delete everything if we have a legal reason to keep it (for example, tax records).

Right to restrict processing

You can ask us to stop using your data while we look into a complaint or correction request.

Right to data portability

You can ask for a copy of the personal data you have given us in a machine-readable format, so you can take it elsewhere.

Right to object

You can object to us using your data for marketing or for analytics. You can do this at any time using our cookie banner or by emailing us.

Right to withdraw consent

Where we rely on your consent to use your data (for example, for marketing emails or non-essential cookies), you can withdraw that consent at any time. Withdrawing consent does not affect anything we did before you withdrew it.

Right to complain

If you think we have not handled your personal data properly, please contact us first so we can put it right. You also have the right to complain to the Information Commissioner’s Office (ICO), the UK regulator for data protection. Their website is ico.org.uk and their helpline is 0303 123 1113.

9. Marketing and profiling

We use your data to show you marketing in two ways.

Our own marketing emails

If you opt in, we will send you occasional emails about new offers, classes and services at GYMPODS. We use Brevo to send these. You can unsubscribe at any time using the link at the bottom of any email, or by emailing us.

Targeted advertising

If you give consent through our cookie banner, Google and Meta may use your interaction with our website and ads to show you GYMPODS advertising on other websites and on social media. They may also build a “lookalike” or “similar audiences” segment based on the patterns of our existing members, so they can show our ads to people who behave like our members. We do not give them any of your contact details for this; they work from the technical identifiers in your browser.

You can opt out at any time by clicking “Manage cookies” in the footer of our website, or by adjusting your browser cookie settings.

10. Cookies

We use cookies and similar technologies on our website. Some are strictly necessary to make the site work; others help us measure usage or show ads. We do not use any non-essential cookies until you give us permission through our cookie banner.

Our full cookie policy is at gympods.com/cookies. It lists every cookie we use, who sets it, what it does and how long it lasts. You can change your choices at any time by clicking “Manage cookies” at the bottom of any page on our website.

11. Children

Our services are aimed at adults. We do not knowingly collect personal data from anyone under the age of 16 without the consent of a parent or guardian. If you believe a child has given us personal data without consent, please contact us and we will delete it.

12. Automated decision-making

We do not make any decisions that significantly affect you using only automated processing. A person at GYMPODS is always involved in decisions about your membership, refunds, or any complaints.

13. CCTV at our gyms

We operate CCTV cameras at both our Dalston and Putney locations for the safety of members and staff and to deter and investigate incidents. The cameras cover the public areas of the gym only, not changing rooms, showers or toilets. Footage is stored securely and only accessed by authorised staff when there is a legitimate reason to do so.

Footage is held for 30 days then automatically overwritten, unless it has been preserved for an active investigation.

Notices are displayed at the entrance to each gym to make you aware that CCTV is in operation, identifying us as the operator and giving contact details.

14. How we protect your data

We take the security of your personal data seriously. The measures we take include:

  • Encrypting data in transit between your device and our servers
  • Storing passwords as one-way hashes (we cannot see your password ourselves)
  • Restricting access to personal data to staff who need it to do their job
  • Keeping our software and servers up to date with security patches
  • Working only with reputable processors who maintain their own strong security standards

No system is completely secure. If we become aware of a breach that puts your rights or freedoms at risk, we will notify the ICO within 72 hours as required by law, and we will tell you if you are personally affected.

15. Changes to this policy

We may update this policy from time to time, for example if we change the way we use cookies, start using a new third-party processor, or if the law changes. The current version is always available at gympods.com/privacy and the effective date appears at the top.

For significant changes, we will let you know by email or through a notice on the website before the changes take effect.

16. How to contact us

If you have any questions about this policy or about how we use your personal data, please contact us:

How | Details
Email | info@gympods.com
Post | The FIT POD Company Limited, 3 Plaza Gardens, London SW15 2DT
Phone | +44 20 8058 2710

To complain to the regulator:

  • Information Commissioner’s Office (ICO)
  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Post: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF