Data Protection Policy

Last updated: 19/08/2025

1. Purpose

This policy sets out how Simon Kerr Fitness (SKF) collects, stores, processes, and protects personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The purpose of this policy is to ensure all personal data handled by SKF is managed responsibly, securely, and lawfully.

2. Scope

This policy applies to all personal data processed by SKF, including data relating to clients, prospective clients, contractors, and suppliers.

It covers:

• Data collected via forms, contracts, websites, apps, and communications

• Data stored digitally or in paper format

• Special category data (e.g. health and fitness information)

3. Data Protection Principles

SKF complies with the principles of GDPR. Personal data shall be:

• Processed lawfully, fairly, and transparently

• Collected for specified, explicit, and legitimate purposes

• Adequate, relevant, and limited to what is necessary

• Accurate and kept up to date

• Stored only as long as necessary

• Processed securely

4. Legal Bases for Processing

SKF processes personal data under the following lawful bases:

• Contractual necessity – delivering fitness and coaching services

• Consent – where explicit permission is given (e.g. marketing communications, health disclosures)

• Legal obligation – compliance with health, safety, or tax requirements

• Legitimate interest – providing a safe, effective, and personalised service

5. Types of Data Collected

• Contact details: name, email, phone number, address

• Health and fitness data: medical history, injuries, training goals

• Financial information: payment records, invoices (processed via secure third-party providers)

• Progress data: fitness testing, performance tracking, training history

6. Data Storage & Security

• Electronic data is stored securely on password-protected systems (Google Drive, MyPTHub, Stripe, Squarespace, Jotform).

• Paper records (if used) are stored in locked storage.

• Only authorised personnel (Simon Kerr) have access to client records.

• Data is regularly backed up securely.

• Data breaches will be reported to the ICO within 72 hours, in line with GDPR requirements.

7. Data Retention

• Client records are retained for up to 6 years after the end of the coaching relationship to comply with insurance and tax obligations.

• Health questionnaires and PAR-Qs are retained for 7 years (as required by many insurers).

• Marketing data is retained until the individual withdraws consent.

8. Data Sharing

• Personal data is not sold or shared for marketing purposes.

• Data may be shared with third-party service providers (e.g. payment processors, scheduling systems, cloud storage) only where necessary to provide services.

• All third parties must comply with GDPR standards.

9. Data Subject Rights

Clients have the right to:

• Access their data

• Request correction or deletion

• Restrict or object to processing

• Withdraw consent at any time

• Lodge a complaint with the Information Commissioner’s Office (ICO)

10. Roles & Responsibilities

Data Controller: Simon Kerr of Simon Kerr Fitness is the data controller responsible for determining how data is processed.

Data Processor(s): Third parties (Google Drive, MyPTHub, Stripe, Squarespace, Jotform) may process data on behalf of SKF under strict GDPR compliance.

11. Policy Review

This policy will be reviewed annually or sooner if required by changes in legislation, business practices, or guidance from the ICO.