GDPR Compliance
How we protect your data rights under UK data protection law
Our Commitment to Data Protection
Smooth-ripple is committed to protecting your personal data in accordance with the UK General Data Protection Regulation and Data Protection Act 2018. This page explains how we meet our obligations and uphold your rights as a data subject.
Data Controller Information
For the purposes of data protection legislation, smooth-ripple acts as the data controller for personal information collected through our website and services. We determine how and why your personal data is processed, and we are responsible for ensuring this processing complies with applicable law.
Data Controller: smooth-ripple
Address: 42 Wellington Street, Bristol BS1 6HJ, United Kingdom
Email: [email protected]
Principles of Data Processing
We adhere to the core principles established by UK data protection law in all our processing activities:
Lawfulness, Fairness, and Transparency
We process personal data only when we have a valid legal basis. We are transparent about our processing activities through clear privacy notices and honest communication about how we use your information.
Purpose Limitation
We collect personal data for specified, explicit purposes related to delivering our fitness training services. We do not subsequently process this data in ways incompatible with these original purposes without obtaining fresh consent.
Data Minimisation
We collect only personal data that is adequate, relevant, and necessary for the purposes we have identified. We avoid collecting excessive information that serves no clear purpose in delivering our services.
Accuracy
We take reasonable steps to ensure personal data is accurate and kept up to date. We encourage clients to inform us of any changes to their information and promptly correct inaccuracies when identified.
Storage Limitation
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by legal obligations. We have established retention periods for different categories of data and securely delete information once these periods expire.
Integrity and Confidentiality
We implement appropriate technical and organisational security measures to protect personal data against unauthorised processing, accidental loss, destruction, or damage. Access to client data is restricted to authorised personnel who require it for their work.
Accountability
We take responsibility for our data protection compliance and can demonstrate adherence to these principles through documented policies, procedures, and regular internal reviews of our processing activities.
Your Rights as a Data Subject
UK data protection law grants you specific rights regarding your personal information. We respect these rights and have procedures in place to facilitate their exercise:
Right of Access
You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data along with information about how we use it. Subject access requests are handled within one month and provided free of charge unless the request is manifestly unfounded, excessive, or repetitive.
Right to Rectification
You may request correction of inaccurate personal data or completion of incomplete information. We will rectify verified inaccuracies within one month and notify any third parties to whom we have disclosed the data, where appropriate.
Right to Erasure
Under certain circumstances, you can request deletion of your personal data. This right applies when data is no longer necessary for its original purpose, when you withdraw consent upon which processing is based, when you object to processing and no overriding legitimate grounds exist, or when data has been unlawfully processed. However, we may retain data where necessary for legal compliance or establishment, exercise, or defence of legal claims.
Right to Restriction of Processing
You may request that we limit how we use your data in specific situations: when you contest data accuracy during verification; when processing is unlawful but you prefer restriction over erasure; when we no longer need the data but you require it for legal claims; or when you have objected to processing pending verification of our legitimate grounds.
Right to Data Portability
Where processing is based on consent or contractual necessity and carried out by automated means, you may request to receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
Right to Object
You may object to processing based on legitimate interests or for direct marketing purposes. When you object, we must cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing relates to legal claims.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produces legal effects or similarly significant impacts. We do not currently engage in such automated decision-making, but should this change, we will ensure appropriate safeguards and notification.
Exercising Your Rights
To exercise any of these rights, please contact us via email at [email protected] or write to us at our postal address. When submitting a request, please provide sufficient information to enable us to identify you and understand the nature of your request.
We may need to verify your identity before fulfilling certain requests to prevent unauthorised disclosure of personal data. This verification typically involves requesting additional identifying information.
We aim to respond to all legitimate requests within one month. In complex cases or where we receive multiple requests from you, this period may be extended by two additional months; we will notify you of any such extension within the original one-month period.
We do not charge fees for exercising your rights unless requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee based on administrative costs or refuse to act on the request.
Legal Bases for Processing
We rely on several legal bases for processing personal data, depending on the nature of the information and context of processing:
Contractual Necessity
Processing is necessary to fulfil our contractual obligations to you as a client. This includes using your health and fitness information to design appropriate training programmes, scheduling sessions, and providing the services you have engaged us to deliver.
Legitimate Interests
We process certain data based on our legitimate business interests in operating efficiently, improving our services, and managing client relationships effectively. We balance these interests against your fundamental rights and only rely on this basis where your interests do not override ours.
Consent
For processing sensitive health data beyond what is strictly necessary for service delivery, and for optional marketing communications, we obtain your explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing conducted before withdrawal.
Legal Obligation
In limited circumstances, we process data to comply with legal requirements, such as maintaining financial records for tax purposes or responding to lawful requests from regulatory authorities.
Data Protection Measures
We implement comprehensive technical and organisational measures to ensure appropriate security for personal data:
Technical Safeguards
Our security measures include encrypted data transmission for sensitive information, secure storage systems with access controls, regular security updates and patches, firewall protection and network security, and secure backup procedures with encryption.
Organisational Measures
We maintain data protection through strict access controls limiting data access to authorised personnel, staff training on data protection responsibilities, confidentiality agreements with employees and contractors, documented data processing procedures and policies, regular review and testing of security measures, and incident response procedures for potential data breaches.
Data Breach Notification
In the unlikely event of a personal data breach that poses risks to your rights and freedoms, we will notify you without undue delay and within 72 hours of becoming aware of the breach where feasible. The notification will describe the nature of the breach, likely consequences, and measures taken or proposed to address it.
We will also notify the Information Commissioner's Office as required by law when a breach is likely to result in risks to individual rights and freedoms.
International Data Transfers
We primarily store and process data within the United Kingdom. Should we need to transfer data internationally, we will ensure appropriate safeguards are in place, such as adequacy decisions, standard contractual clauses, or other approved mechanisms under UK data protection law.
Data Retention Periods
We retain different categories of personal data for varying periods based on legal requirements and business needs:
Active client records are maintained throughout your engagement with our services. Health and training data is retained for seven years following your last session with us, aligning with professional practice guidelines. Financial records are kept for six years as required by UK tax law. Website analytics data is retained for two years before anonymisation or deletion. Marketing consent records are maintained until consent is withdrawn, plus a reasonable period to demonstrate compliance.
Children's Data
We do not knowingly process personal data of individuals under 16 years of age without appropriate parental or guardian consent. If we become aware of inadvertent collection of such data, we will delete it promptly.
Complaints and Further Information
If you have concerns about our data protection practices, please contact us first so we can address your concerns directly. You also have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
Updates to This Notice
We may update this GDPR compliance information to reflect changes in our processing activities, legal requirements, or best practices. Material changes will be communicated to existing clients via email, and the updated version will be posted on our website with a revised date.
Contact Us
For questions about our GDPR compliance, to exercise your data protection rights, or to raise concerns about our processing of your personal data, please contact us:
Email: [email protected]
Address: 42 Wellington Street, Bristol BS1 6HJ, United Kingdom