Further than you Thought Privacy Policy
Issue 4 – 5th August 2020
OVERVIEW
This Privacy Policy describes how your Personal Information is collected, used, and shared when you visit or make a purchase from the Further than you Thought website (the “Website”); contact Further than you Thought ("We", "Us", "Our"); or make a purchase/use a service provided by Us in person. It also outlines your rights in connection with this Personal Information.
IMPORTANT INFORMATION
This Privacy Policy is designed to be used in connection with other applicable Terms and Conditions in place between you and Us and is not intended to replace them.
Our Website and services are not intended for individuals under the age of 18.
Our Website may include links to other third party websites and services. We do not have any control over these and they will be subject to separate privacy notices for which We accept no responsibility.
We act as Data Controller for the information We collect, but We also sometimes use third party data processors for processing certain information on Our behalf (such as providing functionality to Our Website). Details of these organisations are included in this document.
If you have any questions or complaints regarding privacy, or if you wish to make a request to exercise your legal rights relating to privacy, please contact Us using the below email address:
Privacy@furtherthanyouthought.com
We would appreciate the chance to deal with your request directly; however you have the right to make a complaint at any time to the ICO (www.ico.org.uk).
We reserve the right to update this Privacy Policy at any time. We may need to do this to reflect changes to Our business. The latest version of this document will be available at www.furtherthanyouthought.com/privacy.
YOUR RIGHTS
You have a number of specific rights concerning your Personal Information in accordance with the General Data Protection Regulation (GDPR). These are given in Table 1, as well as any exceptions. Further information on these rights is available on the ICO website (www.ico.org.uk).
| Exceptions | ||
| The right to be informed | Individuals have the right to be informed about the collection and use of their personal data. This document forms part of your right to be informed. | N/A |
| The right of access | Individuals have the right to access their personal data. | We have the right to refuse access if your request is manifestly unfounded or excessive. |
| The right to rectification | Individuals have the right to rectify inaccurate or incomplete personal data. | We have the right to refuse access if your request is manifestly unfounded or excessive. |
| The right to erasure | Under certain circumstances, individuals have the right to have their personal data removed. | There are a number of circumstances where this right does not apply. Information on these is available on the ICO website (www.ico.org.uk) or by emailing Us using the contact information in this document. We have the right to refuse access if your request is manifestly unfounded or excessive. |
| The right to restrict processing | Under some circumstances, individuals have the right to restrict processing of their personal data. | There are a number of circumstances where this right does not apply. Information on these is available on the ICO website (www.ico.org.uk) or by emailing Us using the contact information in this document. We have the right to refuse access if your request is manifestly unfounded or excessive. |
| The right to data portability | Individuals have the right to receive (or have passed onto another data controller) the information they have provided to a data controller in a structured, commonly used and machine readable format. | This right is only applicable when the lawful basis for processing is Consent or for the purposes of fulfilling a Contract; and when the data is processed by automated means. This therefore excludes data in paper form. We have the right to refuse access if your request is manifestly unfounded or excessive. |
| The right to object | Under some circumstances, individuals have the right to object to the processing of their personal data. Individuals have the absolute right to object to processing of their personal data for direct marketing purposes. Individuals also have the right to object if processing is for a task carried out in the public interest; the exercise of an official authority vested in the individual; or legitimate interests. However in these cases, the right is not absolute. |
The right to object if processing is for a task carried out in the public interest; the exercise of an official authority vested in the individual; or legitimate interests; is not absolute. We have the right to refuse access if your request is manifestly unfounded or excessive. |
| Your rights in relation to automated decision making and profiling | Individuals have specific rights in relation to automated decision making and profiling. Specifically, an individual has the right not to be subject to a decision based solely on automated processing, including profiling, which affects them legally or causes other similar significant impacts. | N/A |
If you wish to exercise any of your rights, please contact Us by emailing privacy@furtherthanyouthought.com. We may require you to provide further information to confirm your identity.
PERSONAL INFORMATION WE COLLECT
We collect the information as shown in Table 2. We refer to this as your "Personal Information". Some of this information (specifically information relating to your health) is known as "Special Category Data". We collect this information via a PAR-Q form to determine your readiness for physical exercise in the interests of your safety.
The information given in Table 2 details what information We collect; the purpose for which We collect it; the means in which the information is obtained; the Lawful Basis (or bases) for collecting the information; and the standard retention period for that information.
Information will be subject to review at the end of the standard retention period and either destroyed where it is no longer required, or maintained so long as there remains a requirement and valid lawful basis to do so.
| How Information is Collected | Lawful Basis | Standard Retention Period | ||
| Name | To determine your readiness for physical exercise. Satisfactorily completed PAR-Q forms are required before taking part in fitness sessions with Us in the interests of your safety. Contact information provided on this form will not be used for marketing purposes. | PAR-Q Form | To fulfil Our Legal Obligations; To perform Our Contract with you; As necessary for Our Legitimate Interests in determining your readiness for physical exercise. Health information constitutes Special Category Data and is processed subject to the additional condition of explicit Consent for the purposes of determining your readiness for physical exercise. |
7 years |
| Address | ||||
| Date of birth | ||||
| Contact information (postal address, email address and telephone number) | ||||
| Health data (questionnaire responses) | ||||
| Name | To book you onto and confirm attendance at fitness sessions, as well as recording associated payments. | Booking and attendance forms; invoices and receipts | To fulfil Our Legal Obligations; To perform Our Contract with you; As necessary for Our Legitimate Interests in managing fitness classes and payments. |
6 years |
| Payment and order information (including amount paid/payable; transaction date and payment method, credit/debit card information if applicable and any other specific information relevant to an order) | ||||
| Contact Information | ||||
| Name | To confirm that you have read, understood and agreed to the terms and conditions of business. To confirm who to contact in case of an emergency. To provide you information about products and services (you can opt out of this). |
Client Information Form | To perform Our Contract with you; As necessary for Our Legitimate Interests in managing clients and administering fitness classes; In relation to receiving marketing information, Consent is the lawful basis. You can withdraw this at any time by emailing Us using the email address given in this document. |
7 years after last booking/ use of service |
| Contact information (postal address, email address and telephone number) | ||||
| Emergency contact name | ||||
| Emergency contact telephone number | ||||
| Name | To respond to your query and provide information about Our products and services. | When you contact Us via email, online contact form or social media. | To fulfil Our Contract with you; As necessary for Our Legitimate Interests in responding to enquiries relating to Our business. |
1 year or in line with the social media platform information retention policy if you have contacted Us through social media. |
| Contact information (email address and/or telephone number). | ||||
| Online identifiers (IP address, cookie information and user activity information). | To provide functionality to Our Website. | Cookies (see Table 3 for a list of cookies used). | As necessary for Our Legitimate Interests in managing Our Website. | See Table 3. |
| Video recording | For when training is delivered via video. To ensure that standards are maintained and to ensure that We comply with relevant obligations. | Electronic recording of video training sessions. | To fulfil Our Legal Obligations; As necessary for Our Legitimate Interests in ensuring standards are maintained via video sessions as with face to face sessions. |
7 years |
| Email Address | ||||
| Name | ||||
| Date/Time of Session | ||||
| Name | To maintain records for COVID-19 track and trace purposes. | Track and Trace Form. | To fulfil Our Legal Obligations. | 1 month |
| Contact Number | ||||
| Fitness Session Details (date, time, location) | ||||
We also use Web Cookies “Cookies” to provide functionality to Our Website. A Cookie is a small file sent to and stored on your computer or device that can identify you and track your user activity. We use Cookies as necessary to allow Our Website to operate correctly. Table 3 details the Cookies We use; why We use them; and their duration.
| Purpose | ||
| Crumb | Session | Prevents cross-site request forgery (CSRF). |
| Recent Redirect | 30 minutes | Prevents redirect loops if a site has custom URL redirects. |
| CART | 2 weeks | Shows when a visitor adds a product to their cart. |
| hasCart | 2 weeks | Tells Squarespace that the visitor has a cart. |
| Locked | Session | Prevents the password-protected screen from displaying if a visitor enters the correct site-wide password. |
| SiteUserInfo | 3 years | Identifies a visitor who logs into a customer account. |
| SiteUserSecureAuthToken | 3 years | Authenticates a visitor who logs into a customer account. |
| Commerce-checkout-state | Session | Stores state of checkout while the visitor is completing their order in PayPal. |
| Squarespace-popup-overlay | Persistent | Prevents the Promotional Pop-Up from displaying if a visitor dismisses it. |
| Squarespace-announcement-bar | Persistent | Prevents the Announcement Bar from displaying if a visitor dismisses it. |
| Test | Session | Investigates if the browser supports cookies and prevents errors. |
THIRD PARTIES
In some circumstances, We may pass on your information to third parties to enable Us to provide Our service to you. Data sent to these third party organisations may be subject to additional privacy notices. Details of where to find these are outlined in Table 4.
| Purpose for Processing | Link to Privacy Policy | ||
| Squarespace | Online identifiers | To host and maintain Our Website | https://www.squarespace.com/privacy |
| Name; Contact information; Message content | To host and maintain Our email system | https://policies.google.com/privacy | |
| Social media information; Message content | For communication where you have chosen to contact Us through Our Facebook page. | https://en-gb.facebook.com/policy | |
| Stripe | Payment information for online payments | To process online card payments | https://stripe.com/gb/privacy |
We may also need to pass on your information to third parties to comply with Our legal and statutory obligations.
INTERNATIONAL TRANSFERS
Where We need to send Personal Information to a third party outside the European Economic Area (EEA), We will ensure that a similar level of protection is provided. We do this by ensuring that the relevant transfer is covered by a valid adequacy decision by the European Commission (including transfers covered by the EU-US Privacy Shield framework); or by ensuring appropriate safeguards are in place for the given transfer.
DATA STORAGE AND SECURITY
Your data can be stored either electronically or in physical form (paper records). In either case, We are legally obliged to ensure it is appropriately secured in accordance with the GDPR. This regulation also sets out the protocols in the event of a data breach and where legally obliged to do so, We will notify you and the appropriate statutory body.