Policies

Privacy Policy

Last Updated: 18 Dec 2024

Your privacy will always be important to us at Sir Jason Kenny Centre and we want to make understanding our Privacy Policy as easy as possible for members of all ages and abilities.

Below you'll find our most up to date Privacy Policy, which we've tried to keep jargon-free, but full of useful information in an easy-to-read format. We have also created a Kid's Privacy Policy to help parents, carers and guardians to understand our Privacy Policy too.

Looking for our old policy? You'll find our historical Privacy Policy below.

Current Privacy Policy

1. Introduction

Please read this Privacy Policy carefully, along with any other privacy notices we may provide when we collect or process personal data about you. This will help you understand how and why we collect, store, use, and share your personal information. This Privacy Policy also explains your rights regarding your personal information and how to contact us or supervisory authorities if you have a complaint.

We handle your personal data in compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Privacy Policy supplements our Terms & Conditions and does not override them.

Our website may link to third-party websites. We are not responsible for the conduct of these third parties, and you should review their privacy notices to understand how they handle your personal information.

2. Who We Are

When we refer to “we” or “us” in this Privacy Policy, we mean the Trust and Serco. Our business details are as follows:

  • Sir Jason Kenny Centre (part of Bolton Community Leisure),

    Moor Lane, Bolton BL3 5BN. What3words: hers.escape.weedy

  • Serco Leisure Operating Limited (company number: 04687478), based at Serco Leisure, Lancer House, Floor 2, 38 Scudamore Road, Leicester, LE3 1UQ

As the Trust and Serco jointly determine the purposes and means of processing your personal data, we are considered “joint controllers” of your personal data.

Sir Jason Kenny Centre is managed on behalf of the Trust by Serco as its managing agent.

3. How Your Personal Data Is Collected

“Personal data” or “personal information” refers to information that relates to you and can identify you, either directly or in combination with other information we may hold. We may collect personal data about you in various ways, including:

  • Information you provide directly (e.g., when contacting us by email or phone, entering a competition, or filling in a survey).
  • Information collected in the normal course of our relationship (e.g., when you sign up for membership, book an event, make an online payment, or purchase products or services).
  • Information you make public (e.g., contacting the Trust via social media).
  • Information we receive from third parties (e.g., parents, guardians, law enforcement authorities, previous managing agents).
  • Information from trusted suppliers (e.g., payment providers, marketing agencies).
  • Information collected via our IT systems (e.g., website, CCTV surveillance, mobile applications).
  • Information created by us, such as records of your communications with us, including complaints.

4. Cookies

We use cookies on our website. Cookies are small text files downloaded onto your device when you visit a website. For more information about our use of cookies, please refer to our Cookie Policy.

5. Personal Data Collected

We may collect and use the following categories of personal information about you:

  • Personal Details: Title, full name, address (current and historic), phone numbers, email address, gender, date of birth, age, signature.
  • Family and Friends Information: Family and dependents, emergency contacts.
  • Public Identifiers: Photographs, CCTV and swimming pool camera images and recordings.
  • Internal Identifiers: Consent forms, membership identification number, loyalty/resident card number.
  • Financial, Welfare and Insurance Details: Purchase transaction history, financial credit card and bank information, welfare and benefits information, insurance details.
  • Correspondence: Details of referrals, quotes, and other contact and correspondence with you.
  • Service Usage: Service usage statistics.
  • Preferences: Permissions or preferences specified by you, such as subscribing to our mailing list, agreement with our terms and conditions.
  • Incident History: Health and safety incidents, security incidents, accident information, complaints communications, insurance claims history, health, treatment, and care reports, including details about hospital and doctor’s clinic visits
  • Special Category Personal Data: Health and medical information, ethnic origin, biometric identifiers.
  • Website Access Details: Your computer’s unique identifier (e.g., IP Address), date and time of website access.

Some information is optional, but in certain circumstances, we may not be able to provide the services or products you requested without all relevant personal data.

6. How and Why We Use Your Personal Data

We collect, use, and share your personal information only when we have a legal basis to do so. This may include:

  • Consent: For direct marketing or other purposes.
  • Contractual Necessity: To perform a contract with you or take steps before entering into a contract.
  • Legal Obligation: To comply with legal obligations, such as responding to law enforcement requests.
  • Legitimate Interests: For our legitimate interests or those of a third party, provided your rights and interests do not override these interests. We carry out balancing tests for all the data processing we do based of our legitimate interest and you can obtain information on our balancing tests by contacting us on the details below. 

Below is a summary of how we use and the legal basis we rely on to use your personal data (please refer to section 7 below for details about how we handle your special category personal data):  

What we use your personal information for 

Our reasons 

Provision of services: for the administration and delivery of the requested Leisure Centre services to you including processing your membership application or event booking, communicating with you and providing customer service. 

  • The use is necessary in connection with the performance of our contract with you or to take steps at your request prior to entering into a contract with us; or 
  • For our legitimate interests or those of a third party to provide the requested services and respond to any complaints or comments you may send us. 
  • For our our legitimate interests or those of a third party to support our administrative and business functions. 

Pre Exercise Assessments: details collected prior to starting membership and/or an exercise programme with us in order to assess activity requirements. 

  • For our legitimate interests or those of a third party to provide information to our insurers; 
  • For our legitimate interest or those of a third party to assist with providing safe and professional exercise guidance and programming. 

Fraud detection: to prevent and detect fraud against you or Serco such as providing proof of identity if you request a copy of your data. 

  • For our legitimate interests or those of a third party  to minimise fraud that could be damaging for us and for you; or 
  •   To comply with our legal and regulatory obligations. 

Safety: to ensure safe working practices and working environment.   

  • To comply with our legal and regulatory obligations; or 
  • For our legitimate interests or those of a third party by making sure we are following our own internal procedures and working efficiently and safely so we can deliver the best service to you. 

Security: for security purposes, such as preventing unauthorised access and modifications to systems and protecting our staff, premises and vehicles. 

  • For our legitimate interests or those of a third party to prevent and detect criminal activity. 
  • For our legitimate interests or those of a third party to protect the well-being of our staff and ensuring the physical and electronic security of our business, premises and assets; or 
  • To comply with our legal and regulatory obligations 

IT and website operations: for the operation and management of our websites and IT systems, providing content and communicating with you and ensuring the security and availability of our IT systems.   

  • For the performance of our contract with you or to take steps at your request before entering into a contract; or 
  • For our legitimate interests or those of a third party to operate our websites and IT systems including reporting faults. 

Marketing: to promote our services via by email, telephone, social media, post or in person or otherwise but ensuring that such communications are provided to you in compliance with applicable law. 

  • For our legitimate interests or those of a third party for the purpose of promotion; or 
  • We have obtained your prior consent 

Internal compliance: to ensure business policies are adhered to, such as policies covering security and internet use. 

  • For our legitimate interests or those of a third party for the purposes of ensuring we are following our own internal procedures to deliver the best service to you. 

Investigations and complaints management: to detect, investigate and/or prevent breaches of policy, complaints, claims, incidents and criminal offences.   

  • For our legitimate interests or those of a third party to detect and protect against breaches of our policies, applicable laws and for the establishment, exercise or defence of legal claims; or 
  • For our legitimate interests or those of a third party to establish the facts in the event of a complaint, claim or query from a caller; 
  • To comply with our legal and regulatory obligations. 

Compliance: compliance with our legal and regulatory obligations such as Health and Safety, including maintaining an internal record of compliance. 

  • To comply with our legal and regulatory obligations; or 
  • For our legitimate interests or those of a third party for the purpose of maintaining a record of compliance with our legal and regulatory obligations. 

Legal Proceedings: establishing, exercising and defending legal rights, including debt collection procedures. 

  • To comply with our legal and regulatory obligations; or 
  • For our legitimate interests or those of a third party for the purpose of establishing, exercising or defending our legal rights. 

Business Analysis: for business management and operational reasons. 

  • For our legitimate interests or those of a third party to provide an efficient and high quality service to you. 

Business Reorganisation: to share with third parties  the event of a change of management, sale, merger, reorganisation or similar event. 

  • For our legitimate interests or those of a third party to assist with the sale or potential sale, change of management or reorganisation of our business. 

Quality and Training: for quality assurance and staff and supplier training purposes. 

  • For our legitimate interests or those of a third party to monitor and assess the quality of our service delivery (including compliance with our customer service standards) and to provide training from time to time to those staff involved in the provision of our services as required; 

Record maintenance: to update and enhance customer records. 

  • For the performance of our contract with you or to take steps at your request before entering into a contract; 
  • To comply with our legal and regulatory obligations; or 
  • For our our legitimate interests or those of a third party to support our administrative and business functions. 

Research: to conduct market or customer satisfaction research, statistical analysis to help us manage our business such as analysing gym usage or engaging with you to obtain your views on our products and services. 

  • For our legitimate interests or those of a third party to provide an efficient and high quality service to you; or 
  • We have obtained your prior consent. 

Risk management: audit, compliance, controls and other risk management. 

  • For our legitimate interests or those of a third party to manage risks to which our business and staff are exposed. 

In some cases, your personal information may be aggregated and anonymised for business purposes, which could include statistical or demographic data (for example to calculate the percentage of users accessing a specific App/Website/system or to inform business strategy), where relevant to service usage, performance, and delivery. This may be extracted and used by us, or our ‘third party’ providers to help us or our provider understand, improve and manage the services such as analysing system usage/functionality, identifying improvements, interacting with our facilities, systems or services we provide.

7. Special Category Personal Data

Special category personal data is sensitive and requires higher protection. This includes health status, racial or ethnic origin, political views, religious beliefs, sex life or sexual orientation, genetic or biometric identifiers, and trade union membership.

We may collect and use this information in specific scenarios, such as:

  • Health concerns or disabilities when signing up for membership or purchasing other services.
  • Recording ethnicity for demographic comparisons.
  • Using biometric information for access control.
  • Information you voluntarily share in communications.

We will only handle this information in accordance with applicable laws and with your explicit consent, where necessary for legal claims, or for substantial public interest. Less commonly, we may process this type of information where it is needed to protect your vital interests (or someone else's vital interests) and you are not capable of giving your consent, or where you have already made the information public. 

8. Direct Marketing

We may use your personal information to send you updates about our services (by email, telephone, push notifications, post or text message), including exclusive offers and promotions, if you have consented to receive them. You can update your marketing preferences or opt out at any time by:

  • Logging into your online account.
  • Clicking the "unsubscribe" link in our communications.
  • Disabling push notifications in our app settings.
  • Emailing us by clicking here Contact Us.  Please ensure your correspondence contains ‘Unsubscribe: Marketing Contact List’ and include your full name, membership number, email and telephone number to ensure your details are fully deleted from our direct marketing system (please specify whether you would like us to stop all forms of marketing or just a particular type of marketing) 
  • Replying STOP to our text messages.
  • Calling us or speaking to a team member in person.

We will not sell your information or share it for marketing without your permission. We aim to keep our marketing communications relevant and proportionate.

9. CCTV and Assisted Lifeguard Technology

We use CCTV and Assisted Lifeguard Technology cameras at some premises for safety and security. This may include visual and sound recordings of staff, customers, and visitors. Signs are displayed to inform you of surveillance. Recordings are kept secure and retained for up to 31 days for CCTV footage, and seven days for Assisted Lifeguard Technology footage, longer if relevant to incidents, investigations, or legal proceedings.

10. Myzone

At some of our leisure centres we make use of Myzone wearable fitness technology to aid our members health and fitness progress. The green button below provides members with the Myzone privacy policy for those customers who use the Myzone product and have it registered to one of our leisure centres.

MYZONE PRIVACY POLICY

11. Children's Information

Our services are intended for individuals aged 16 and over. We do not knowingly collect personal information from children under 16 without parent or guardian consent. If we discover that we have collected such information without consent, we will delete it promptly.

If you are under 16, do not send any information about yourself to us, including your name, address, telephone numbers, or email address, unless you have your parent's or guardian's permission. 

If you have any concerns, please contact via the details in section 17. 
 
In the event that we do hold personal data about children, we will handle that data in accordance with the terms of this Privacy Policy. 
  

12. Sharing Your Personal Information with others

We disclose personal information to third parties only in limited circumstances or where we are permitted to do so by law, such as:

  • Within the Serco group for business management.
  • Third parties managing our business or delivering services e.g. Personal Trainers, payment service providers, marketing agencies, debt collectors, IT support service providers, analysis experts such as Experian, communication platform providers). These third parties have agreed to confidentiality restrictions and use any personal information we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us.
  • Third parties approved by you e.g. when you request your details to be transferred;
  • Professional advisors (e.g., law firms, auditors).
  • Government, regulatory, and law enforcement bodies to comply with legal obligations to exercise our legal rights (e.g. pursue or defend a claim),or for crime prevention and investigation.

The Trusts or Serco may share your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is an operational or management change of the business. 

We also impose data protection obligations on contracted third parties to ensure they can only use your data to provide services to the Trust for the purposes listed above.  These third parties cannot pass your details onto any other parties unless instructed to by the Trust.   

13. Transferring Your Personal Information Globally

The personal information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA") (for example, in the USA). It may also be processed by workers operating outside the EEA who work for us or for one of our service providers. 
 
We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed to protect your privacy rights and interests. To achieve this, transfers are limited to countries which are recognised as providing an adequate level of legal protection or where we are satisfied that alternative arrangements are in place to protect your privacy rights. To this end, we will: 

  • In the limited circumstances that information is transferred within Serco Group, ensure such transfers are covered by an intra-group data sharing agreement entered into be all relevant entities which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection.
  • When transferring personal data to third parties outside the EEA we will: 
  • Put in place binding corporate agreements, which will include the standard contractual clauses approved by the European Commission for transferring personal information outside the EEA, to ensure that your information is safeguarded; or
  • Ensure that the country in which your personal information will be handled has been deemed "adequate" by the European Commission or the company is registered and compliant with a European Commission approved privacy shield scheme. 
  • Carefully validate any requests for information from law enforcement or regulators before disclosing the information. 

For further information on global data handling, contact us at DPO@serco.com.

14. Security of Your Personal Information

We use administrative, technical, and physical measures to protect your personal information from loss, theft, misuse, unauthorised access, modification, disclosure, alteration and destruction. Security measures include:

  • Password access.
  • Data back-up.
  • Encryption.
  • Firewalls.
  • Employee and service providers confidentiality agreements and training our staff in protecting data.
  • Destroying or permanently anonymising personal information if it is no longer needed for the purposes it was collected.
  • Secure storage for hard copy files.

While we strive to protect your data, internet transmission is not completely secure, and any transmission is at your own risk. Once we have received your information, we have in place robust procedures and security features to try to prevent unauthorised access 

15. Retention of Your Personal Information

We retain your personal information for as long as necessary for the purposes it was collected, generally six years following the end of our business relationship. Longer retention may be required for legal, regulatory, tax, accounting, or to have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings. When no longer needed, we will delete or anonymise your information.

16. Your Legal Rights

You have rights regarding your personal information, including under certain circumstances:

  • Access: Request a copy of your personal information (commonly known as a “data subject access request”).
  • Correction: Request correction of inaccurate information.
  • Erasure: Request deletion of your information in certain circumstances, where: (i) it is no longer needed for the purposes for which it was collected; (ii) you have withdrawn your consent (where the data processing was based on consent); (iii) following a successful right to object (see Object to processing); (iv) it has been processed unlawfully; or (v) to comply with a legal obligation to which the Trust and/or Serco is subject.
  • We are not required to comply with your request to erase personal information if the processing of your personal information is necessary for a number of reasons, including: (i) for compliance with a legal obligation; or (ii) for the establishment, exercise or defence of legal claims.
  • Object to Processing: Object to processing based on legitimate interests.
  • Restriction: Request suspension of processing in specific situations. but only where: (i) its accuracy is contested, to allow us to verify its accuracy; (ii) the processing is unlawful, but you do not want it erased; (iii) it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or (iv) you have exercised the right to object, and verification of overriding grounds is pending. 

We can continue to use your personal information following a request for restriction, where: (i) we have your consent; (ii) to establish, exercise or defend legal claims; or (iii) to protect the rights of another natural or legal person. 

  • Transfer: Request transfer of your data in a structured format to yourself, or you can ask to have it transferred directly to another data controller, but in each case only where: (i) the processing is based on your consent or on the performance of a contract with you; and (ii) the processing is carried out by automated means.
  • Withdraw Consent: Withdraw consent for processing where consent is the basis.

To exercise these rights, contact us at DPO@serco.com or +44 (0)1256 745900. Verification of identity may be required. We will make every effort to honour your request promptly.

17. Children's Rights

Children have the same rights over their personal information as adults. Parents or guardians may exercise these rights on behalf of young children.

18. Data Protection Contacts

For questions about this Privacy Policy or how we handle your personal information, contact:

Data Protection Officer
Serco Limited
Enterprise House
18 Bartley Wood Business Park
Bartley Way
RG27 9XB

You can also email DPO@serco.com or call +44 (0)1256 745900.

19. Supervisory Authority

We ask that you please attempt to resolve any issues with us first by contacting the DPO, however you have a right to contact the Information Commissioner's Office at any time. The supervisory authority will then investigate your complaint accordingly. 

20. Changes to This Privacy Policy

This Privacy Policy was last updated on 26th July 2024. We may amend it from time to time. Please check this page regularly for the latest version.

Kids' Privacy Policy

Our Privacy Policy tells you how we use your personal data, so you know what happens with it when you give it to us. All the personal information you provide to us must be kept safe by law.

Who are we?

"We" or "us" refers to the Trust and Serco. Here are our details:

Sir Jason Kenny Centre (part of Bolton Community Leisure),

Moor Lane, Bolton BL3 5BN. What3words: hers.escape.weedy

Serco Leisure Operating Limited, company number: 04687478, based at Serco Leisure, Lancer House, Floor 2, 38 Scudamore Road, Leicester, LE3 1UQ.

We work together and decide how to use your personal data, so we are "joint controllers" of your data.

What information do we collect and why?

Personal data

Any information that can identify you is your personal data, e.g., your name, a photo of you or your email address. There are some types of data we must be very careful with, and this is Special Category data, which could be something like details of a disability or medical condition you have.

Medical information   

We need to know if you have any medical conditions/injuries, so our staff can help keep you safe.

What you do at our centres

We will record what activities you take part in, and your performance in them, for example swimming lessons.

Parents’ / Carers/ information   

We need information about parents/ carers just in case we need to contact them in an emergency or tell them important information about your membership. 

Photographs of you    

We will ask to take your photograph for our membership system so that we can check that your membership is being used by the right person. If you are under 16, we will ask your parent/carers permission for this.

Our team may ask you take your photo for marketing purposes, but this will only be with your signed consent, or that of your parents if you are under 16.

Some of our leisure centres have CCTV and assistant lifeguard technology to help keep you safe when you are there. 

Why do we collect and use your information?

We will only collect information that will help us to deliver our services to you. When we have collected your information, this is how we use it:

  • To get in touch with you, your parent/carer if we need to
  • So we can track your progress and achievements
  • To make sure that you are safe on our site
  • To comply with the law

How long will you keep my personal data for?

We will only keep your personal data for as long as we need to, and we have to follow rules about how long we can keep your personal data, and we dispose of it safely once we don’t need it anymore.

Does anyone else see my personal data?

We might have to share your personal data to provide a service to you, or other people might share it with us, and we are very careful about how we do this.

Sometimes we might need to ask for help doing our work, and someone else will use your data for us. This could mean your personal data might go out of the UK, but don’t worry – we will make sure it’s safe.

What are your rights?

You, your parent/ carers have the right to: 

  • Know what we do with your personal data, and this is what this privacy policy is for.
  • You can ask us what personal data we have of yours, and you can ask us stop using it or delete it. If your personal data is wrong, you can tell us and we will make sure it is corrected.
  • The rights you have depend on what we use your data for, and there is more information on our main Privacy Policy.

Who makes sure we follow the rules?

Our Data Protection Officer’s, job is to protect your data and make sure make sure we are following all the rules, and that your data is safe. If they see something wrong, they tell us how we can fix it.

You can contact our Data Protection Officer if you have any questions on how we look after your data:

  • Data Protection Officer - Julie Varcoe-Cocks
  • Email: DPO@serco.com
  • Call: +44 (0)1256 745900
  • Address: Data Protection Officer, Serco Limited, Enterprise House, 18 Bartley Wood Business Park, Bartley Way, RG27 9XB

If you’re not satisfied, you can contact the UK Information Commissioner’s Office.

For further information please see our main Privacy Policy.

Historical Privacy Policies

June 2024

Please read this Privacy Policy carefully, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you, so you are informed about how and why we collect, store, use and share your personal information. This Privacy Policy also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint. 
 
When we handle certain personal data about you, we do so subject to applicable data protection laws, including the UK General Data Protection Regulation and the Data Protection Act 2018. This Privacy Policy supplements our terms and conditions and is not intended to override them. 
 
Our website may provide links to third party websites. We are not responsible for the conduct of third party companies linked to the website and you should refer to the privacy notices of these third parties about how they may handle your personal information. 
  

2. Who we are 

When we say “we” or “us” in this Privacy Policy, we mean the Trust and Serco. Our business details are as follows: 

  • Sir Jason Kenny Centre (part of Bolton Community Leisure),

    Moor Lane, Bolton BL3 5BN. What3words: hers.escape.weedy

  • Serco Leisure Operating Limited (company number: 04687478) Based at Serco Leisure, Lancer House, Floor 2, 38 Scudamore Road, Leicester, LE3 1UQ
    ​ 

As the Trust and Serco work together and jointly determine the purposes and means of gathering and using your personal data, we are considered “joint controllers” of your personal data. 
 
Sir Jason Kenny Centre is managed on behalf of the Trust by Serco as its managing agent.       
  

3. How your personal data is collected 

 When using the term “personal data” or “personal information” in this Privacy Policy, we mean information (including opinions) that relates to you and from which you could be identified, either directly or in combination with other information which we may have in our possession. 
We may collect personal data about you when: 

  • The personal data is provided to us by you (e.g. when you contact us by email or telephone, when you enter a competition, fill in a survey)
  • The personal data is collected in the normal course of our relationship with you (e.g. when you sign up to become a member, make an event booking, make a payment online or purchase products or services); 
  • The personal data has been made public by you (e.g. contacting the Trust via a social media platform);
  • The personal data is received by us from third parties (e.g. parents and guardians, law enforcement authorities, previous managing agents acting on behalf of the Trust);
  • The personal data is received from trusted suppliers (e.g. payment providers, marketing agencies);
  • The personal data is collected via our IT systems (e.g. our website, CCTV surveillance, mobile applications); and
  • The personal data is created by us, such as records of your communications with us including complaints.

4. Cookies 

We use cookies on our website. Cookies are small text files that are downloaded onto your device when you visit a website. Please refer to our Cookie Policy for further information about our use of cookies. 
  

5. Personal data collected 

 The categories of personal information about you which we may collect and use includes: 

  • Personal details: title, full name, business or home address (current and historic), telephone and mobile numbers, email address, gender, date of birth, age, signature.
  • Family and Friends Information: family and dependents, emergency contacts.
  • Public identifiers: photographs, CCTV and swimming pool camera images and recordings.
  • Internal Identifiers: consent forms, membership identification number, loyalty/resident card number.
  • Financial, Welfare and Insurance Details: purchase transaction history, financial, bank or credit card information, welfare and benefits information, insurance details including for special event bookings.
  • Correspondence: details of referrals, quotes and other contact and correspondence with you.
  • Services Usage: service usage statistics.
  • Preferences: permissions, or preferences that you have specified, such as whether you wish to subscribe to our mailing list or agree to our terms and conditions.
  • Incident History: health and safety accidents, security incidents, accident information, complaints communications, insurance claims history, reports and notes about health, treatment and care including details about hospital and doctor’s clinic visits.
  • Special Category Personal Data: health and medical information, ethnic origin and biometric identifiers.
  • Website Access Details: your computers unique identifier (e.g. IP Address), the date and time you accessed the Website. 

The provision of some information is optional, but, in certain circumstances we will not be able to deliver the services and/or products you have requested if we are not provided with all relevant personal data.  

6. How and why we use your personal data 

Data protection and privacy laws requires companies to have a “legal basis” or “lawful ground” to collect and use your personal information. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information. 
 
We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis to do this. This may be because: 

  • we have obtained your prior consent, including for direct marketing; 
  • we need to use your personal information in connection with the performance of a contract with you or to take steps at your request prior to entering into a contract with us; for example, we need your financial details when you sign up to a Direct Debit product; 
  • our use is necessary for the complying with our legal obligations; for example, in response to requests from government law enforcement authorities conducting an investigation. 
  • we need to use your personal information for our legitimate interest or those of a third party (and our interests are not overridden by your data protection rights), such as for monitoring service quality and business procedure compliance. 

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We carry out balancing tests for all the data processing we do based of our legitimate interest and you can obtain information on our balancing tests by contacting us on the details below. 
 
Below is a summary of how we use and the legal basis we rely on to use your personal data (please refer to section 7 below for details about how we handle your special category personal data):  
  

What we use your personal information for 

Our reasons 

Provision of services: for the administration and delivery of the requested Leisure Centre services to you including processing your membership application or event booking, communicating with you and providing customer service. 

  • The use is necessary in connection with the performance of our contract with you or to take steps at your request prior to entering into a contract with us; or 
  • For our legitimate interests or those of a third party to provide the requested services and respond to any complaints or comments you may send us. 
  • For our our legitimate interests or those of a third party to support our administrative and business functions. 

Pre Exercise Assessments: details collected prior to starting membership and/or an exercise programme with us in order to assess activity requirements. 

  • For our legitimate interests or those of a third party to provide information to our insurers; 
  • For our legitimate interest or those of a third party to assist with providing safe and professional exercise guidance and programming. 

Fraud detection: to prevent and detect fraud against you or Serco such as providing proof of identity if you request a copy of your data. 

  • For our legitimate interests or those of a third party  to minimise fraud that could be damaging for us and for you; or 
  •   To comply with our legal and regulatory obligations. 

Safety: to ensure safe working practices and working environment.   

  • To comply with our legal and regulatory obligations; or 
  • For our legitimate interests or those of a third party by making sure we are following our own internal procedures and working efficiently and safely so we can deliver the best service to you. 

Security: for security purposes, such as preventing unauthorised access and modifications to systems and protecting our staff, premises and vehicles. 

  • For our legitimate interests or those of a third party to prevent and detect criminal activity. 
  • For our legitimate interests or those of a third party to protect the well-being of our staff and ensuring the physical and electronic security of our business, premises and assets; or 
  • To comply with our legal and regulatory obligations 

IT and website operations: for the operation and management of our websites and IT systems, providing content and communicating with you and ensuring the security and availability of our IT systems.   

  • For the performance of our contract with you or to take steps at your request before entering into a contract; or 
  • For our legitimate interests or those of a third party to operate our websites and IT systems including reporting faults. 

Marketing: to promote our services via by email, telephone, social media, post or in person or otherwise but ensuring that such communications are provided to you in compliance with applicable law. 

  • For our legitimate interests or those of a third party for the purpose of promotion; or 
  • We have obtained your prior consent 

Internal compliance: to ensure business policies are adhered to, such as policies covering security and internet use. 

  • For our legitimate interests or those of a third party for the purposes of ensuring we are following our own internal procedures to deliver the best service to you. 

Investigations and complaints management: to detect, investigate and/or prevent breaches of policy, complaints, claims, incidents and criminal offences.   

  • For our legitimate interests or those of a third party to detect and protect against breaches of our policies, applicable laws and for the establishment, exercise or defence of legal claims; or 
  • For our legitimate interests or those of a third party to establish the facts in the event of a complaint, claim or query from a caller; 
  • To comply with our legal and regulatory obligations. 

Compliance: compliance with our legal and regulatory obligations such as Health and Safety, including maintaining an internal record of compliance. 

  • To comply with our legal and regulatory obligations; or 
  • For our legitimate interests or those of a third party for the purpose of maintaining a record of compliance with our legal and regulatory obligations. 

Legal Proceedings: establishing, exercising and defending legal rights, including debt collection procedures. 

  • To comply with our legal and regulatory obligations; or 
  • For our legitimate interests or those of a third party for the purpose of establishing, exercising or defending our legal rights. 

Business Analysis: for business management and operational reasons. 

  • For our legitimate interests or those of a third party to provide an efficient and high quality service to you. 

Business Reorganisation: to share with third parties  the event of a change of management, sale, merger, reorganisation or similar event. 

  • For our legitimate interests or those of a third party to assist with the sale or potential sale, change of management or reorganisation of our business. 

Quality and Training: for quality assurance and staff and supplier training purposes. 

  • For our legitimate interests or those of a third party to monitor and assess the quality of our service delivery (including compliance with our customer service standards) and to provide training from time to time to those staff involved in the provision of our services as required; 

Record maintenance: to update and enhance customer records. 

  • For the performance of our contract with you or to take steps at your request before entering into a contract; 
  • To comply with our legal and regulatory obligations; or 
  • For our our legitimate interests or those of a third party to support our administrative and business functions. 

Research: to conduct market or customer satisfaction research, statistical analysis to help us manage our business such as analysing gym usage or engaging with you to obtain your views on our products and services. 

  • For our legitimate interests or those of a third party to provide an efficient and high quality service to you; or 
  • We have obtained your prior consent. 

Risk management: audit, compliance, controls and other risk management. 

  • For our legitimate interests or those of a third party to manage risks to which our business and staff are exposed. 

In some cases, your personal information may be aggregated and anonymised for business purposes, which could include statistical or demographic data (for example to calculate the percentage of users accessing a specific App/Website/system or to inform business strategy), where relevant to service usage, performance, and delivery. This may be extracted and used by us, or our ‘third party’ providers to help us or our provider understand, improve and manage the services such as analysing system usage/functionality, identifying improvements, interacting with our facilities, systems or services we provide.  

7. When is special category personal data collected and used? 

Special categories of information is given to certain kinds of personal data that is particularly sensitive and requires higher levels of protection. This is information about your health status, racial or ethnic origin, political views, religious or similar beliefs, sex life or sexual orientation, genetic or biometric identifiers, trade union membership. 
 
We may from time to time request that you provide special category personal information. We will primarily collect and use this information in the following scenarios: 

  • Ask you about health concerns or disabilities when signing up for membership or purchasing other services so that we can ensure that what we deliver is both suitable and tailored to you. 
  • Request to record your ethnicity so that we can compare in aggregate our membership base with the local population to ensure we’re representing our local communities.
  • Some facilities may use biometric information (e.g. facial recognition) as part of an access control system.
  • You may choose to share special category information in your communications with us. 

We need to have further justification for collecting, storing and using this type of personal information, in addition to having one of the general bases set out in section 6 above. Where required by applicable laws, we will take steps to have in place an appropriate policy document and safeguards relating to the processing of such personal information. 
 
Where we do collect and handle special category personal information, we will only handle that information in accordance with applicable law, including where: 

  • We have your explicit consent – including where you voluntarily provide us with that information 
  • Processing is necessary for the establishment, exercise or defence of legal claims; or
  • Processing is necessary for reasons of substantial public interest such as preventing and detecting unlawful acts of fraud. 

Less commonly, we may process this type of information where it is needed to protect your vital interests (or someone else's vital interests) and you are not capable of giving your consent, or where you have already made the information public. 
  

8. Direct marketing 

We may use your personal information to send you updates (by email, telephone, push notifications, post or text message) about our services including exclusive offers, promotions or products where you as a consumer have consented for us to do so. 
 
To protect your privacy rights and to ensure you have control over how we market to you: 

  • At any time you can update or correct your personal profile, or change your preferences for the way in which you would like us to communicate with you, including how you receive details of latest offers or news from us; 
  • If you have an online account with us, the easiest way to make updates to your marketing preferences and/or change your personal details is to log onto your account.  

You can opt out of receiving marketing communications from us at any time by: 

  • You can also click the "unsubscribe" link that you find on any online newsletters or marketing communication you receive; 
  • disabling push notifications within the setting screen of our mobile app. 
  • sending us an email to Membership.SM@serco.com.  Please ensure your correspondence is marked ‘Unsubscribe: Marketing Contact List’ and include your full name, membership number, email and telephone number to ensure your details are fully deleted from our direct marketing system (please specify whether you would like us to stop all forms of marketing or just a particular type of marketing) 
  • by replying STOP to any of our text messages 
  • call us directly and speaking to a member of our team on 01296 484 848 or in person at the front desk on your next visit. 

We will not sell your information, or share with other organisations without your prior permission for marketing purposes. We will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you. 
  

9. CCTV 

 We currently have closed circuit television (CCTV) and swimming pool camera systems operating on some of our premises. The information processed may include visual images of personal appearance and behaviours and in certain circumstances various sound recordings of staff, customers and members of the general public who were in the immediate vicinity of the area under surveillance.  
We display signs to inform visitors and staff that they are under surveillance and may be video and sound recorded. This information is kept in secure environments and access is restricted to designated staff and any use shall be in compliance with the Bolton Community Leisure security and privacy policies. 
 
We retain CCTV recordings centrally for up to 31 days, and for a longer period if they are relevant to an incident, complaint, investigation, legal proceedings or for as long as legally required by regulatory bodies and law enforcement agencies. 

10. Myzone 

 At some of our leisure centres we make use of Myzone wearable fitness technology to aid our members health and fitness progress. The green button below provides members with the Myzone privacy policy for those customers who use the Myzone product and have it registered to one of our leisure centres.

Myzone privacy policy

11. Children’s information 

Our services may be booked directly and used by individuals aged 16 years or over. We do not knowingly collect or solicit personal information directly from anyone under the age of 16 or knowingly allow such persons to provide us with their personal information without parent or guardian consent. 
 
If you are under 16, do not send any information about yourself to us, including your name, address, telephone numbers, or email address, unless you have your parent's or guardian's permission. 
 
In the event we learn that we have collected personal information from anyone under the age of 18, and do not have a parent or guardian's consent, we will delete that information as quickly as possible. 
 
If you have any concerns, please contact via the details in section 17. 
 
In the event that we do hold personal data about children, we will handle that data in accordance with the terms of this Privacy Policy. 
  

12. Sharing your personal information with others 

We will only disclose personal information to a third party in very limited circumstances, or where we are permitted to do so by law. The third parties to whom we provide your personal data include: 
  

  • Other organisations within the Serco group of companies, where such disclosure is necessary to provide you with our services or to manage our business; 
  • with third parties who help manage our business and deliver services (e.g. Personal Trainers, payment service providers, marketing agencies, debt collectors, IT support service providers, analysis experts such as Experian, communication platform providers). These third parties have agreed to confidentiality restrictions and use any personal information we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us. 
  • third parties approved by you e.g. when you request your details to be transferred; 
  • our professional advisors (e.g. law firms, insurers, auditors, brokers); and 
  • Government, regulatory and law enforcement bodies where we are required in order: 
  1. to comply with our legal obligations; 
  2. to exercise our legal rights (e.g. pursue or defend a claim); and 
  3. for the prevention, detection and investigation of crime. 

The Trusts or Serco may share your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is an operational or management change of the business. 

We also impose data protection obligations on contracted third parties to ensure they can only use your data to provide services to the Trust for the purposes listed above.  These third parties cannot pass your details onto any other parties unless instructed to by the Trust.   
  

13. Transferring your personal information globally 

The personal information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA") (for example, in the USA). It may also be processed by workers operating outside the EEA who work for us or for one of our service providers. 
 
We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed to protect your privacy rights and interests. To achieve this, transfers are limited to countries which are recognised as providing an adequate level of legal protection or where we are satisfied that alternative arrangements are in place to protect your privacy rights. To this end, we will: 

  • in the limited circumstances that information is transferred within Serco Group, ensure such transfers are covered by an intra-group data sharing agreement entered into be all relevant entities within Serco Group, which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection. 
  • when transferring personal data to third parties outside the EEA: 
  • put in place binding corporate agreements, which will include the standard contractual clauses approved by the European Commission for transferring personal information outside the EEA, to ensure that your information is safeguarded; or 
  • ensure that the country in which your personal information will be handled has been deemed "adequate" by the European Commission or the company is registered and compliant with a European Commission approved privacy shield scheme. 
  • carefully validate any requests for information from law enforcement or regulators before disclosing the information. 

We will co-operate with any regulators as required by law to ensure that we remain transparent about the way we handle your personal information. 
In any case, our transfer, storage and handling of your personal information will continue to be governed by this Privacy Policy. If you would like further information about the global handling of your personal information, please contact us by emailing DPOLeisure@serco.com
  

14. Security of your personal information 

We take precautions including administrative, technical and physical measures to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, modification, disclosure, alteration and destruction.  We protect your personal information using a variety of security measures including: 

  • Password access; 
  • Data back-up; 
  • Encryption; 
  • Firewalls; 
  • Placing confidentiality requirements on employees and service providers;
  • Providing training to our employees to ensure that your personal data in handled correctly;
  • Destroying or permanently anonymising personal information if it is no longer needed for the purposes it was collected; and 
  • Secure physical storage units for hard copy files with appropriate security restrictions, preventing damage, and unauthorised access to your personal information. 

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we have in place robust procedures and security features to try to prevent unauthorised access 
  

15. How long do we keep your personal information? 

We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this Privacy Policy, including where we maintain an ongoing business relationship you. 
 
Generally, we will retain your personal data in accordance with any applicable limitation period (as set out in any applicable law), which will usually be six (6) years following the expiry of our business relationship with you.  
  
In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting requirements or to have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.  When no longer necessary to retain your personal information, we will delete or anonymise it. 
  

16. Your legal rights in respect of your personal information 

You have legal rights in connection with personal information. Under certain circumstances, by law you have the right to: 

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. 
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. 
  • Request erasure of your personal information (commonly known as the "right to be forgotten"). This enables you to ask us to delete or remove personal information in limited circumstances, where: (i) it is no longer needed for the purposes for which it was collected; (ii) you have withdrawn your consent (where the data processing was based on consent); (iii) following a successful right to object (see Object to processing); (iv) it has been processed unlawfully; or (v) to comply with a legal obligation to which the Trust and/or Serco is subject. 

We are not required to comply with your request to erase personal information if the processing of your personal information is necessary for a number of reasons, including: (i) for compliance with a legal obligation; or (ii) for the establishment, exercise or defence of legal claims. 

  • Object to processing of your personal information by us or on our behalf which has our legitimate interests as its legal basis for that processing, if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection,  we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. You can object at any time to your personal information being processed for direct marketing (including profiling). 
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, but only where: (i) its accuracy is contested, to allow us to verify its accuracy; (ii) the processing is unlawful, but you do not want it erased; (iii) it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or (iv) you have exercised the right to object, and verification of overriding grounds is pending. 

We can continue to use your personal information following a request for restriction, where: (i) we have your consent; (ii) to establish, exercise or defend legal claims; or (iii) to protect the rights of another natural or legal person. 
  

  • Request the transfer of your personal information. You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where: (i) the processing is based on your consent or on the performance of a contract with you; and (ii) the processing is carried out by automated means. 
  • Obtain a copy, or reference to, the personal data safeguards used for transfers outside the European Union. We may redact data transfer agreements to protect commercial terms. 
  • Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent (please refer to section 8 for details about withdrawing consent to direct marketing). 

Please note, to ensure security of personal information, we may ask you to verify your identity before proceeding with any such request. 
 
We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive. 
 
If you would like to exercise any of these rights, please submit your requests to: DPOLeisure@serco.com or call +44 (0)1256 745900. 
 
Subject to legal and other permissible considerations, we will make every effort to honour your request promptly to inform you if we require further information in order to fulfil your request.   
 
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way. 
  

17. Requests about your child’s information 

Children have the same rights over their own personal information as an adult. However, as young children may not understand these rights or are not capable of exercising these right, in some cases their parents / guardians may do so on their behalf. 
  

18. Data protection contacts 

Serco has a Data Protection Officer (DPO) that oversees compliance with this Privacy Policy. 

If you have any questions about this Privacy Policy, how we handle your personal information or would like a version of this Privacy Policy in another format, please email DPOLeisure@serco.com or call +44 (0)1256 745900 or alternatively contact us by post at:
 
Data Protection Officer 
Serco Limited   
Enterprise House                                                                                                                   
18 Bartley Wood Business Park                                                                                   
Bartley Way                                                                                                                     
RG27 9XB

Supervisory authority 
We ask that you please attempt to resolve any issues with us first by contacting the DPO, however you have a right to contact your local supervisory authority at any time and lodge a complaint (which in the UK is the Information Commissioner's Office). The supervisory authority will then investigate your complaint accordingly. 
  

19. Changes to this privacy policy 

his Privacy Policy was last reviewed and updated on 5th June 2024. We may amend this Privacy Policy from time to time to keep it up to date with legal requirements and the way we operate our business. Please regularly check this page for the latest version of this Privacy Policy.