The Elmhurst Foundation and its trading entity Combe Grove are committed to protecting privacy and compliance with data protection law. Our full GDPR policy may be requested by emailing GDPR@combegrove.com It is something we and all those who work for us follow throughout our interactions with you, be they face to face, by phone, by writing or online.
We periodically review all our policies, practices and procedures and publish the latest edition of our Privacy Notice on our website. For further clarification on this please email GDPR@combegrove.com
This Privacy Notice was written in October 2022.
Information collected by Combe Grove
Data may be manually or automatically collected. Manual collection may be by asking you to fill in forms whilst at the estate or by post. It may be by our employees and sub-contractors recording data in conversation or consultation with you. Automatic collection includes through our website, CCTV security system and other marketing activity. We may collect information about you from others for example credit reference agencies, market research or publicly available sources like the electoral register and social media.
Information collected includes standard personal data and special categories of personal data. Standard personal data includes contact information; financial details such as payment history and bank details; credit and anti-fraud checks and information on our interactions with you such as the services used and your use of our website and our online interactions. Special category data includes health records and medical information. We will only process special category data where we have your explicit consent to do so.
An outline is given below of our usage and reasons. Please contact us should you require more detail as this is just a basic outline and is subject to variation and change in the course of day-to-day business. The contact email is GDPR@combegrove.com
We use information across our marketing activities, including digital, to enable us to reach as many as possible with our services and to provide services of greatest appeal to our target audiences where it is in our legitimate interests to do so. This includes using personal information to tailor our offering and to manage our relationship with you.
You will only receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.
You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you.
We may use profiling and or automated decision making in the course of marketing. You have the right to object to this. Please see below for further information on your rights.
We need to collect, process and retain information in order to provide services to members of our health club. We do this to enable us to perform our contract with you or to take steps at your request before we enter into a contract with you. For example:-
- We require personal details for all members for contact purposes and to issue them with the band used to operate entry gates and lockers;
- We also require customer details to process class bookings.
- We have CCTV in place at the Coach House for safety and security;
- We may record additional information should members request programs from our instructors;
- We use bank details to process membership fees.
We may use profiling to recommend certain products or services to you for example a set of exercises, treatments or therapies or nutritional choices. Please see below for information on your rights.
Should you arrange a treatment, therapy or consultation through your membership, we may need to collect special category data. An example of this is if you receive an Accuniq consultation, which will require us to process health data relating to your body composition. We use a consent form in these circumstances to make sure you are aware of the privacy aspects of individual treatments, therapies and consultations.
We need to collect, process and retain information in order to provide services to clients of our retreats. We do this to enable us to perform our contract with you or to take steps at your request before we enter into a contract with you. We require personal details to manage the logistical side of the booking. This includes to arrange accommodation, payments and to communicate with you before and during the retreat.
The programmes include collection of health data through consultation and testing. This information is classified as special category data in line with data protection law. We process it in order to deliver a personalised programme to you and to safeguard potential and actual participants. We may use profiling and automated decision making to recommend certain products or services to you for example a set of exercises, treatments or therapies or nutritional choices.
Our programme delivery relies on partnership with practitioners sub-contracted by us. In the course of delivery, they have the same access to information as our employees. They conduct our programme delivery under our GDPR policy, but also trade independently and as such have their own Privacy Notices. You may request their contact details from us should you wish to access a practitioner’s privacy notice. Email: GDPR@combegrove.com.
In the course of recruitment and employment we collect personal and special category data. Special category data is used in line with our Equality, Diversity and Inclusion policies and is only accessible to members of our Personnel Team.
We may occasionally share a link to an external website – please note their owners have their own privacy notices and practices, for which we are not responsible.
We may also use the personal data we collect from you in the following ways for the reasons detailed:
- To enforce legal rights or defend or undertake legal proceedings: we do this to comply with our legal and regulatory obligations and for our legitimate interests in protecting ourselves and our rights;
- For operational reasons, such as ensuring our internal policies are adhered to, improving efficiency, training, statistical analysis: we do this for our legitimate interests to ensure we are operating efficiently and delivering the best service we can to you;
- Protecting the security of our systems and data including preventing unauthorised access and modifications: we do this to comply with our legal and regulatory obligations and for our legitimate interests in keeping our systems and data safe and secure.
Disclosure of data
Where possible we do not share data to third parties; however, there are times when it may be necessary to share data for legitimate legal, regulatory or business purposes. Examples include:-
- Sub-contractors involved in the provision of our services to you;
- Granting access to external advisors and support services such as our lawyers; auditors and IT providers;
- Responding to queries from public bodies such as HMRC, the Police or professional regulatory body;
- In the event of sale of some or all of our business;
- For managing financial arrangements, where we may share data with credit reference agencies; debt collection agencies or other financial service provider;
- We may disclose data to our nominated marketing agencies who provide marketing services on our behalf.
How long we keep your personal information
We keep your personal information only for as long as is necessary for the purposes set out in this Notice and in line with the criteria below:-
- How long you have been a customer with us, the types of products or services you have with us, and when you will stop being our customer;
- How long it is reasonable to keep records to show we have met the obligations we have to you and by law;
- Any time limits for making a claim or any relevant proceedings that apply;
- Any periods for keeping information which are set by law or recommended by regulators, professional bodies or associations.
Where we store your personal data
Information you provide to us is stored at our premises or on cloud servers.
Security measures / data security
We take appropriate physical and technical measures to ensure the robust security of your data and we monitor these measures periodically.
We have appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
You have the right to access your information and to ask us to correct any mistakes and delete and restrict the use of your information. You also have the right to object to us using your information, to ask us to transfer information you have provided, to withdraw permission you have given us to use your information and to ask us not to use automated decision-making which will affect you.
You have the following rights (certain exceptions apply):-
- Right of access: you have the right to make a request for details of your personal information and a copy of that personal information.
- Right to rectification: you have the right to have inaccurate information about you corrected or removed.
- Right to erasure (‘right to be forgotten’): you have the right to have certain personal information about you deleted from our records.
- Right to restriction of processing: you have the right to ask us to use your personal information for restricted purposes only.
- Right to object: you have the right to object to us processing (including profiling) your personal information in cases where our processing is based on a task carried out in the public interest or where we have let you know it is necessary to process your information for our or a third party’s legitimate interests. You can object to us using your information for direct marketing and profiling purposes in relation to direct marketing.
- Right to data portability: you have the right to ask us to transfer the personal information you have given us to you or to someone else in a format that can be read by computer.
- Right to withdraw consent: you have the right to withdraw any permission you have given us to handle your personal information. If you withdraw your permission, this will not affect the lawfulness of how we used your personal information before you withdrew permission, and we will let you know if we will no longer be able to provide you with your chosen product or service.
- Right in relation to automated decisions: you have the right not to have a decision which produces legal effects which concern you or which have a significant effect on you based only on automated processing, unless this is necessary for entering into a contract with you, it is authorised by law or you have given your permission for this. We will let you know if we make automated decisions, our legal reasons for doing this and the rights you have.
Please note: other than your right to object to us using your information for direct marketing (and profiling for the purposes of direct marketing), your rights are not absolute. This means they do not always apply in all cases, and we will let you know in our correspondence with you how we will be able to meet your request relating to your rights.
If you make a request, we will ask you to confirm your identity if we need to, and to provide information that helps us to understand your request better. We have one month from receiving your request to tell you what action we have taken.
In order to exercise your rights, please email GDPR@combegrove.com. We reserve the right to charge a reasonable fee to cover our costs associated with your requested where it is deemed unfounded or excessive.