top of page

Customer privacy notice​

This privacy notice tells you what to expect us to do with your personal information.

​

  1. Contact details

  2. What information we collect, use, and why

  3. Lawful bases and data protection rights

  4. Where we get personal information from

  5. How long we keep information

  6. Who we share information with

  7. Sharing information outside the UK

  8. CCTV policy

  9. How to complain

​

​

1 - Contact details


Email: contact@tiny-gyms.com

 


2 - What information we collect, use, and why
 

We collect or use the following information for service updates or marketing purposes:

 

  • Names and contact details

  • Addresses

  • Marketing preferences

  • IP addresses

  • Website and app user journey information

  • Records of consent, where appropriate

​

​

We collect or use the following information for research or archiving purposes:

 

  • Names and contact details

​

​

We collect or use the following personal information for dealing with queries, complaints or claims:
 

  • Names and contact details
     

 

3 - Lawful bases and data protection rights


Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.


Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

 

  • Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. You can read more about this right here.

​

​

​

​

​

​

​
 

If you make a request, we must respond to you without undue delay and in any event within one month.
 

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

 


Our lawful bases for the collection and use of your data


Our lawful bases for collecting or using personal information for service updates or marketing purposes are:
 

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
     

    • We only collect email addresses from people who are asking to be updated about our business. We also give them an option to share their postcode to request we open a site near their location.

 

 

Our lawful bases for collecting or using personal information for research or archiving purposes are:

 

  • Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

 

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:​​​​​

    • ​We only collect contact details in our research surveys from people who have chosen to share their email as a way of contacting them to let them know if they've won our prize draw.

 

​

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

 

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

    • We need to capture an email address to be able to respond to queries.
       

 

4 - Where we get personal information from

 

  • Directly from you

 

​

5 - How long we keep information


This data processor does the following activities for us: They manage our CRM and marketing email system
 

 

6 - Who we share information with


Data processors


HubSpot
This data processor does the following activities for us: They manage our CRM and marketing email system.
 

We have a joint controller relationship with HubSpot. We process your personal information with that joint controller for the following reason: We use HubSpot as a CRM to manage our customer contact records, and to send emails.

​

GymMaster
This data processor does the following activities for us: They manage our gym management and booking system.
 

We have a joint controller relationship with GymMaster. We process your personal information with that joint controller for the following reason: We use GymMaster as a CRM to manage our customer contact records, manage bookings, and to send emails.

 


7 - Sharing information outside the UK


Where necessary, we may transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.


For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.


Organisation name: HubSpot


Category of recipient: Data processor / CRM system


Country the personal information is sent to: United States and Germany


How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs)

​

​

Organisation name: GymMaster


Category of recipient: Data processor / CRM system


Country the personal information is sent to: United States and New Zealand


How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs)


Where necessary, our data processors may share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place.


For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

​​

​

8 - CCTV policy

 

This section sets out the procedures we follow in respect to the use of CCTV systems at our premises.

​

All our sites have CCTV recording 24 hours a day. All cameras are located in prominent positions within public view and do not infringe on sensitive areas. Recorded CCTV footage will be stored securely and retained in compliance with applicable laws.

 

We reserve the right for our employees and contractors to review footage as required, and by entering our sites you consent to your image being recorded and reviewed.

​

The purpose of the CCTV system and the collection and processing of CCTV images is for the prevention or detection of crime or disorder, protection of public health and the protection of our property and assets.

​

We will ensure any personal data captured by our CCTV systems is only processed in accordance with the following requirements:

​

  • It will be processed fairly, lawfully and in a transparent manner;

  • It will only be collected for specified, explicit and legitimate purposes and not further processed in any manner incompatible with those purposes;

  • It will not be kept for longer than is necessary for the purposes for which the personal data are processed;

  • It will be processed in a manner that ensures appropriate security of the personal data.



All images are digitally recorded and stored securely. Images are stored for a minimum of 14 days and typical for no more than 31 days.

Where the images are required for any other purpose, for example system testing, evidential purposes or disciplinary proceedings, a copy file will be moved to an access controlled confidential location and held until completion of the investigation.

Access to, and disclosure of, the images recorded by our CCTV system is restricted and carefully controlled. 


Individuals have the right to request access to CCTV images which contain their personal data. To make this request contact us on contact@tiny-gyms.com.

 

Please send details of; who you are, the reason for request, your contact details, the location of CCTV, the time in question and any details that might be useful.

 

Upon receipt of the request, a member of staff will determine whether disclosure is appropriate and whether there is a duty of care to protect the images of any third parties. If the duty of care cannot be discharged, then the request can be refused.

A written response will be made to the individual, giving the decision (and if the request has been refused, giving reasons) within 31 days of receipt of the request.

​​

​

9 - How to complain


If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.


If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.


The ICO’s address:

        
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF


Helpline number: 0303 123 1113


Website: https://www.ico.org.uk/make-a-complaint

 


Last updated
22 July 2025
 

bottom of page