This privacy promise is our commitment to put our customers in control of what happens to their data. There are separate policies for:
We will always explain clearly what data we’re collecting and why. We will only collect the data we need to:
Your trust is very important to us. So we’re committed to keeping your data safe and secure.
We promise we will never sell your personal details to anyone.
This document tells you what to expect when we collect personal information. It applies to information we collect about:
Halo Leisure Services Ltd is the data controller for the information you provide unless otherwise stated.
Halo operates CCTV at it centres for the purposes of crime prevention and security. We keep these images for for no more than four weeks. CCTV footage will be shared with the relevant body, eg the police, insurance company as necessary to recover losses.
Any visitors who have or witness an accident or dangerous incident are required to report the details to a member of staff. Details of the accident/incident including your name, age, contact number and details of any injuries will be collected. These will be shared with our insurers and legal representatives as necessary. Unless required for an ongoing legal case, accident forms and witness statements are kept for three years and then securely destroyed.
We collect the name and contact details of people who pre-book activities in Halo centres or are registered Halo card holders.
We’ll also take your photo for identification purposes.
We use this data to ensure that activities and entitlements are allocated correctly on arrival.
This information is stored in our membership management system. You will occasionally be asked to re-consent to us holding your information.
We need to collect additional information from people who have a Halo membership agreement. We use this to manage the contract between us. Additional information collected is:
This information is stored in our membership management system.
For children aged under 13 years of age, we will only collect and process data with the consent of the child’s parent or guardian. After children reach their 13th birthday, they will be informed of what information we hold on them and the purposes for holding this.
Parents or guardians registering for online progress updates about their children on coaching courses must provide the Halo membership number, date of birth and postcode of the child to ensure they only have access to course information about children they have permission to view. Users are responsible for the safety and security of their own log in details including username and password.
We collect additional details for people who apply for or receive discounts in Halo centres. We use these to ensure the discount is allocated correctly. Depending on the discount requested, additional information collected will be one or more of the following:
This information is stored in our membership management system.
The National Exercise Referral scheme is an evaluated project examining the impact of physical activity on your health. It is run in our Bridgend County Borough centres by Halo on behalf of the Welsh Local Government Association and Public Health Wales.
If you are recommended to take part in the programme, you will be asked to give your GP, practice nurse or other health care practitioner consent to provide us with your name and address information.
Your contact details will be added to a national database, hosted by the Welsh Government Data Unit.
We will write to you to invite you to participate. If you do not respond to us within 3 weeks we will destroy the information we have been provided, by shredding, and mark in the national database that you have not taken part in the scheme.
In addition to the standard membership data listed above, if you participate in the scheme we will collect the following personal and health details and record these in the national database, hosted by the Welsh Government Data Unit, for evaluation purposes.
In addition to these, we use a range of appropriate questionnaires for evaluation purposes. These include:
When used for evaluation and reporting your individual information will be anonymised.
Your details will be securely stored on paper for a maximum of 16 weeks and thereafter any paper copies of your records are destroyed. Your digital information will remain in the national database. Your information will not be shared with any other parties unless listed above.
You will have the right to withdraw from this process at any point during your 16 week membership and can do so by contacting a member of the referral team.
We request gender, date-of-birth and postcode information from all customers.
We use this information and other information collected and stored in our membership management system in reports. It is always fully anonymised or pseudonymised.
We will always ask you to consent before using any information you have given to us for direct marketing activity. You can state your communication preferences - email, text, letter or phone call.
Customers have the option to withdraw consent for marketing communication at any time - instructions on how to do this will be included in any communications we send you.
If you have consented to receive marketing from us, we use a third party provider, Legend Leisure Services, to deliver our monthly e-newsletters and other e-customer communications. We gather statistics around email opening and click rates using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter.
We store customer data in a membership management system provided by Legend Leisure Services Ltd. All data is encrypted in transit and at rest. In addition to the information that you have provided us with, we collect information about your past and future bookings, attendance, purchases and member account history. Legend Leisure Services Ltd will not use your data for any purpose not outlined in this policy.
We use two external companies to print and post letters directly to your home - Legend Leisure Services and Brief Your Market. Both third parties have been awarded the Certificate of Registration - Information Security Management System ISO/IEC 27001 for their good practice in data handling and security.
We use information we have collected about you in our membership management system to profile your account into one of four categories: very high risk, high risk, medium risk and low risk. The risk relates to your likelihood of upgrading or cancelling your account. If you have consented to receive marketing information from us the category we have assigned may affect the content of the messages we send you.
If you have a Halo card but do not have a membership agreement, six months after your last visit your account, which contains your personal information, will enter a cancellation process, which will take up to 30 days to conclude.
If you have a membership agreement, your account will be cancelled on the day your agreement ends.
After six months we will archive your personal information from our membership management system. This means we will redact all information which would allow us to personally identify you. We will retain anonymised activity profiling information.
If you would like us to remove your personal information from our membership management system sooner than the automated schedule, please contact us by writing to the address below. We will aim to remove your data within 30 days.
Please note that we reserve the right to retain data where we have a legitimate interest in doing so. Examples include but are not limited to situations where there is a contract between us, there is an outstanding payment on your account or there is an important operational or security reason for retaining your information in our live systems. We will advise you in writing should you request to be forgotten and we are not able to fulfill your request.
People making enquiries through email, phone, social media, letter or face to face may be asked to provide contact details which are recorded in Halo’s membership management system to allow the enquiry to be answered by the relevant member of staff. We will ask if you are happy for your details to be used for future marketing purposes.
We operate three public websites:
When someone visits our websites we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website unless express consent has been given by the individual to do so by allowing the relevant cookies to be stored on your device for the purpose of our remarketing programs. If we want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Online access to our bookings and memberships is via https://halo.legendonlineservices.co.uk. This is an encrypted connection to our membership management system. In order to manage and control access, we will collect your email address. You are responsible for the safety and security of your own log in details including username and password.
From time to time, Listen360 will email you to request feedback about a recent visit to a Halo Centre. You have the option to opt out of this service
We also collect information volunteered by members of the public about their experience of Halo in Listen360. Where necessary this feedback is shared with relevant members of staff.
If you consent, your comments will be anonymously displayed on one of Halo’s Facebook pages.
Halo uses third party services (Wye Host Ltd and Big Wave Media Services Ltd) to help maintain the security and performance of the Halo website. To deliver this service it processes the IP addresses of visitors to the Halo website.
We use a third party provider, Oktopost to manage our social media interactions.
If you send us a private or direct message via social media it will not be shared with any other organisations.
When you call us, we collect Calling Line Identification (CLI) information. We use this information to help improve the efficiency and effectiveness of our services. Your phone number will be stored in our database for reporting and customer service purposes.
We use Transport Layer Security (TLS) to encrypt and protect email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
We also monitor emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
We discourage our in-house users from using other people's personal information in emails. For example when we are communicating about a customer we will use a pseudonymised key rather than the customer's name. This key requires access to the membership management system to access personal information.
Emails that we send or receive automatically enter a 30 day deletion process 180 days after their send date. Due to the way email applications attach previous replies to new messages, this may mean that some personal information is retained longer than our email retention period.
Attachments or contents of emails may be stored outside of the email application where they are covered by another party of our data retention policy. For example, personnel files received by email will be stored in the relevant personnel file and are subject to the relevant data retention policy.
All of our day to day business documentation is prepared and stored using G-Suite, which is a brand of cloud computing, productivity and collaboration tools, software and products developed by Google.
General documents are stored for up to 275 days. At the beginning of the month after documents reach 180 days old, they enter a 60 day automatic deletion process. Internal document owners can flag individual documents or folders for longer retention subject to the guidelines laid out elsewhere in this document.
In our gyms and group exercise studios we use some external companies to provide additional services such as personalised profiles and programmes. Halo undertake a thorough assessment of these providers and we believe them to be safe for our customers to use. You are not required to sign up to any of these tools as part of your agreement/usage with Halo. Any information you provide to these third parties is outside the control of Halo. The following third parties are used:
If you would like more information regarding these companies and your data please write to the contact referred to later in this document.
You have rights as an individual which you can exercise in relation to the information we hold about you.
You can read more about your rights here
Halo aspires to the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Halo’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
Halo tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’. If we do hold information about you we will:
To make a request to Halo for any personal information we may hold you need to put the request in writing addressing it to our Systems and Membership Manager, at the address provided below.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Systems and Membership Manager.
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
We keep our privacy notice under regular review. This privacy notice was last updated on 1st April 2018.
Systems and Membership Manager
Halo Support Centre