The Elmhurst Foundation and its trading entity Combe Grove are committed to protecting privacy and compliance with General Data Protection Regulations (GDPR). Our full GDPR policy is available here. It is something we and all those who work for us follow throughout our interactions with you, be they face to face, by phone, by writing or online.
This Notice provides a basic summary of our approach. Should you require more detail, please email firstname.lastname@example.org. Please note we periodically review our policies, so we recommend you check back regularly for the latest versions.
Information collected by Combe Grove
Data may be manually or automatically collected. Manual collection may be by asking you to fill in forms whilst at the Estate or by post. It may be by our employees and sub-contractors recording data in conversation or consultation with you. Automatic collection includes collection through our website, CCTV security system and other marketing activity.
GDPR includes categories of data which merit additional protection, namely data which enables personal identification of an individual (such as their contact details) and sensitive data, which carries a heightened risk should it be leaked (for example, medical data). These categories inform our procedures for data protection as seen in our GDPR policy.
A basic outline of data use across our main activities is given below.
We take advantage of the latest digital marketing techniques wherever possible. We may:-
- Collect browser information – which may include browser type; host operating system; browser language and IP address.
- Collect URL clickstream data which shows your journey from and to our site; items viewed and searched; page response times; page interactions such as scrolling and mouse clicking and methods used to leave the page.
- Use web beacons, tags and pixels – these are electronic files enabling us to generate statistics on how our site is used and better adjust our content to visitors’ interests. Facebook allows us to use pixels to monitor the success rates of our advertisements and create custom audiences based on site traffic.
We need to collect, process and retain information in order to provide services to members of our health club. We do this to enable us to perform our contract with you or to take steps at your request before we enter into a contract with you. For example:-
- We require personal details for all members for contact purposes and to issue them with the band used to operate entry gates and lockers;
- We also require customer details to process class bookings;
- We have CCTV in place at the Coach House for safety and security;
- We may record additional information should members request programs from our instructors;
- We use bank details to process membership fees.
We may use profiling to recommend certain products or services to you, for example a set of exercises, treatments or therapies, or nutritional choices. Please see below for information on your rights.
Should you arrange a treatment, therapy or consultation through your membership, we may need to collect special category data. An example of this is if you receive an Accuniq consultation, which will require us to process health data relating to your body composition. We use a consent form in these circumstances to make sure you are aware of the privacy aspects of individual treatments, therapies and consultations.
We need to collect, process and retain information in order to provide services to clients of our retreats. We do this to enable us to perform our contract with you or to take steps at your request before we enter into a contract with you. We require personal details to manage the logistical side of the booking. This includes arranging accommodation and payments and communicating with you before and during the retreat.
The programmes include collection of health data through consultation and testing. This information is classified as special category data in line with data protection law. We process it in order to deliver a personalised programme to you and to safeguard potential and actual participants. We may use profiling and automated decision making to recommend certain products or services to you, for example a set of exercises, treatments or therapies, or nutritional choices.
Our programme delivery relies on partnership with practitioners sub-contracted by us. In the course of delivery, they have the same access to information as our employees. They conduct our programme delivery under our GDPR policy, but also trade independently and as such have their own Privacy Notices. You may request their contact details from us should you wish to access a practitioner’s privacy notice. Email: GDPR@combegrove.com.
We need to collect, process and retain information in order to provide services to clients of our healthcare programmes. We recognise the need to collect sensitive medical data in the course of delivery and, in addition to GDPR for sensitive data, we follow NHS practitioner guidance on best practice.
- We require personal details to take bookings and to arrange clients’ booking and full programme.
- The programmes include collection of medical data through consultation and testing.
- We will collect information from you so you can see your markers of metabolic health and current diet and lifestyle habits at the beginning of the metabolic health programme. You will then be able to see the impact of any changes you choose to make.
- An anonymous code will be used to replace your personal details (name, email, phone number, full address) when we enter your data into our audit database.
- We will collate your results to share with you the changes in your measurements over your 1 year journey. Only authorised staff will be able to send you these results as they will need to access your contact details which will not be saved with your data.
- We will use your data to help us evaluate the metabolic health programme and allow us to continue to make improvements to the programme. Your data may also be used to share the results of the programme (this would only be done in an anonymised manner) for marketing purposes and to advance learning of metabolic health, for example in scientific journals.
- We will only collect and process your data if you consent. You may withdraw your consent at any time in the future. By clicking consent you confirm your consent to Combe Grove processing your personal data as described above.
- We use bank details to process fees.
In the course of recruitment and employment we collect personal and sensitive data. Sensitive data is used in line with our Equality, Diversity and Inclusion policies and is only accessible to members of our Personnel Team.
- We may occasionally share a link to an external website – please note their owners have their own privacy notices and practices, for which we are not responsible.
- We may need to grant access to our data to our lawyers, auditors, IT service providers and advisors. We may also need to grant access to public bodies in the course of discharging their regulated activities.
- If fees are not paid on time, we may share relevant information with debt collection agencies.
- You may opt to provide us with emergency contact details, which we would share as required in an emergency.
- Suppliers’ GDPR provision is considered in all our procurement activity. You may contact us for a list of current software providers should you wish to review their Privacy and GDPR arrangements.
- In the course of trade we may collect financial data and data to contact our suppliers. We comply with card processing and direct debit processing requirements, including for security of online payments.
Disclosure of data
We do not routinely share data with third parties other than sub-contractors required to deliver our services and who operate under our GDPR policy.
We do not share medical data with any third party at a personally identifiable level. This includes sharing data with a health care provider or health care insurer. Should a client wish to access and then share this data with a third party, they do so at their own risk and we take no responsibility for any actions or consequences resulting from sharing or using the data outside the programme.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
In the event of a sale of the whole or a part of the Combe Grove business, we may disclose certain data as required to honour continuance of service.
We may from time to time exchange information with other companies and organisations for the purposes of crime prevention, fraud protection and credit risk reduction.
We may disclose data to our nominated marketing agencies who provide marketing services on our behalf.
Your full rights are explained by the GDPR. In summary, you have the right to access any personal information that Combe Grove processes about you and to request information about:
- What personal data we hold about you
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- How long we intend to store your personal data for
- If we did not collect the data directly from you, information about the source will be provided in the response.
If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to do so as quickly as possible, unless there is a valid reason for not doing so, at which point you will be notified.
You also have the right to request erasure of your personal data or to restrict processing (where applicable) in accordance with the data protection laws, as well as to object to any direct marketing from us.
If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure.
If you have any questions about our processing of your personal data, you are welcome to contact us. You will find our contact details at the bottom of this page. If you notice any errors in your personal data, you have the right to have them corrected.
Our standard fee to cover our administrative costs of processing a basic data access request is £25. More detailed requests will be subject to a higher fee which we will notify you of before undertaking the more detailed processing.
For more information on any aspect of GDPR including your rights, please refer to the Information Commissioner’s Office, who are the UK’s independent authority overseeing information rights.