Published using Google Docs
Privacy Policy - Customers
Updated automatically every 5 minutes

Mae'r ddogfen hon ar gael yn Gymraeg hefyd.

Halo’s Privacy Promise to Our Customers

This privacy promise is our commitment to put our customers in control of what happens to their data. There are separate policies for:

Our privacy promise is all about transparency and trust.


We will always explain clearly what data we’re collecting and why. We will only collect the data we need to:

  1. give you a better experience
  2. improve our services
  3. fulfil our responsibilities as a registered charity


Your trust is very important to us. So we’re committed to keeping your data safe and secure.

We promise we will never sell your personal details to anyone.

How we use your information

This document tells you what to expect when we collect personal information. It applies to information we collect about:

Halo Leisure Services Ltd is the data controller for the information you provide unless otherwise stated.

Visitors to Halo centres

Safety and Security

Halo operates CCTV at it centres for the purposes of crime prevention and security. We keep these images  for no more than four weeks. CCTV footage will be shared with the relevant body, eg the police, insurance company as necessary to recover losses.

Any visitors who have or witness an accident or dangerous incident are required to report the details to a member of staff. Details of the accident/incident including your name, age, contact number and details of any injuries will be collected. These will be shared with our insurers and legal representatives as necessary. Unless required for an ongoing legal case, accident forms and witness statements are kept for three years and then securely destroyed.  

Car Parking at Hereford Leisure Centre and Leominster Leisure Centre

We’ve partnered with Corporate Parking Management to manage the pay and display parking at Hereford Leisure Centre and Leominster Leisure Centre. Halo Leisure along with CPM are the joint controllers of all car parking data:

People who book activities or are registered users in Halo centres

We collect the name and contact details of people who pre-book activities in Halo centres or are registered Halo card holders.

We’ll also take your photo for identification purposes.

We use this data to ensure that activities and entitlements are allocated correctly on arrival.

This information is stored in our membership management system. You will occasionally be asked to re-consent to us holding your information.

People who have a Halo membership agreement

We need to collect additional information from people who have a Halo membership agreement. We use this to manage the contract between us. Additional information collected is:

This information is stored in our membership management system.

Face Recognition Software

We use face recognition software provided by CCTech Ltd.

Your digital image is processed by and on behalf of Halo for the sole purpose of controlling access to the centre under your membership contract. Halo is in control of your personal data within the CCTech Ltd software.

Additional controls relating to children who use Halo centres

For children aged under 13 years of age, we will only collect and process data with the consent of the child’s parent or guardian. After children reach their 13th birthday, they will be informed of what information we hold on them and the purposes for holding this.

Parents or guardians registering for online progress updates about their children on coaching courses must provide the Halo membership number, date of birth and postcode of the child to ensure they only have access to course information about children they have permission to view. Users are responsible for the safety and security of their own log in details including username and password.

People who receive discounts

We collect additional details for people who apply for or receive discounts in Halo centres. We use these to ensure the discount is allocated correctly. Depending on the discount requested, additional information collected will be one or more of the following:

This information is stored in our membership management system.

Customers who take part in activities funded by Herefordshire Council

Customers who take part in schemes or activities funded by Herefordshire Council may have their usage tracked in order to assess the effectiveness of the scheme.

If you have given consent you may receive questionnaires asking for feedback on the free sessions or on how the schemes have impacted your health, wellbeing and activity levels. The results of these questionnaires will be collected by Herefordshire Council.

People who are enrolled in the National Exercise Referral Scheme

The National Exercise Referral scheme is an evaluated project examining the impact of physical activity on your health. It is run in our Bridgend County Borough centres by Halo on behalf of the Welsh Local Government Association and Public Health Wales.

If you are recommended to take part in the programme, you will be asked to give your GP, practice nurse or other health care practitioner consent to provide us with your name and address information.

Your contact details will be added to a national database, hosted by the Welsh Government Data Unit.

We will write to you to invite you to participate. If you do not respond to us within 3 weeks we will destroy the information we have been provided, by shredding, and mark in the national database that  you have not taken part in the scheme.

In addition to the standard membership data listed above, if you participate in the scheme we will collect the following personal and health details and record these in the national database, hosted by the Welsh Government Data Unit, for evaluation purposes.

In addition to these, we use a range of appropriate questionnaires for evaluation purposes. These include:

When used for evaluation and reporting your individual information will be anonymised.

Your details will be securely stored on paper for a maximum of 16 weeks and thereafter any paper copies of your records are destroyed. Your digital information will remain in the national database. Your information will not be shared with any other parties unless listed above.

You will have the right to withdraw from this process at any point during your 16 week membership and can do so by contacting a member of the referral team.

Activity profiling

We request gender, date-of-birth and postcode information from all customers.

We use this information and other information collected and stored in our membership management system in reports. It is always fully anonymised or pseudonymised.

Use of customer data for marketing purposes

We will always ask you to consent before using any information you have given to us for direct marketing activity. You can state your communication preferences - email, text, letter or phone call.

Customers have the option to withdraw consent for marketing communication at any time - instructions on how to do this will be included in any communications we send you.

E-newsletter and other electronic customer communications

If you have consented to receive marketing from us, we use a third party provider, Legend Leisure Services, to deliver our monthly e-newsletters and other e-customer communications. We gather statistics around email opening and click rates using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter.

Membership management system

We store customer data in a membership management system provided by Legend Leisure Services Ltd. All data is encrypted in transit and at rest. In addition to the information that you have provided us with, we collect information about your past and future bookings, attendance, purchases and member account history. Legend Leisure Services Ltd will not use your data for any purpose not outlined in this policy.

Printed letters and communications sent to your home

We use two external companies to print and post letters directly to your home - Legend Leisure Services and Brief Your Market. Both third parties have been awarded the Certificate of Registration - Information Security Management System ISO/IEC 27001 for their good practice in data handling and security.

Customer scoring

We use information we have collected about you in our membership management system to profile your account into one of four categories: very high risk, high risk, medium risk and low risk. The risk relates to your likelihood of upgrading or cancelling your account. If you have consented to receive marketing information from us the category we have assigned may affect the content of the messages we send you.

Membership management system data retention policy

If you have a Halo card but do not have a membership agreement, nine months after your last visit your account, which contains your personal information, will enter a cancellation process, which will take up to 30 days to conclude.

If you have a membership agreement, your account will be cancelled on the day your agreement ends.

After six months we will archive your personal information from our membership management system. This means we will redact all information which would allow us to personally identify you. We will retain anonymised activity profiling information.

If you would like us to remove your personal information from our membership management system sooner than the automated schedule, please contact us by writing to the address below. We will aim to remove your data within 30 days.

Please note that we reserve the right to retain data where we have a legitimate interest in doing so. Examples include but are not limited to situations where there is a contract between us, there is an outstanding payment on your account or there is an important operational or security reason for retaining your information in our live systems. We will advise you in writing should you request to be forgotten and we are not able to fulfill your request. 


People making enquiries through email, phone, social media, letter or face to face may be asked to provide contact details which are recorded in Halo’s membership management system to allow the enquiry to be answered by the relevant member of staff. We will ask if you are happy for your details to be used for future marketing purposes.

Visitors to our websites and other electronic activity

We operate three public websites:

When someone visits our websites we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website unless express consent has been given by the individual to do so by allowing the relevant cookies to be stored on your device for the purpose of our remarketing programs. If we want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Online access to our bookings and memberships is via This is an encrypted connection to our membership management system. In order to manage and control access, we will collect your email address. You are responsible for the safety and security of your own log in details including username and password.

Use of cookies on online tools and transactions

When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, your computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally. You can read more about how we use cookies in our cookies policy

Customer satisfaction reporting

From time to time, we will email you to request feedback about the service you have received in a Halo Centre. The email will contain a link to where you will be invited to leave your review. You may opt out of this service.

If you choose to respond to this request, you will be directed to who will automatically generate a personal account and collect the following personal data about you: becomes the Data Controller once you have written a review. Halo has access to this data as a Data Processor. stores data relating to Halo’s customers in the UK only.

Security and performance

Halo uses third party services (Wye Host Ltd and Big Wave Media Services Ltd)  to help maintain the security and performance of the Halo website. To deliver this service it processes the IP addresses of visitors to the Halo website.

People who contact us via social media

We use a third party provider, Oktopost to manage our social media interactions.

If you send us a private or direct message via social media it will not be shared with any other organisations.

People who contact us by phone

When you call us, we collect Calling Line Identification (CLI) information. We use this information to help improve the efficiency and effectiveness of our services. Your phone number will be stored in our database for reporting and customer service purposes.

People who email us

We use Transport Layer Security (TLS) to encrypt and protect email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.

We also monitor emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

We discourage our in-house users from using other people's personal information in emails. For example when we are communicating about a customer we will use a pseudonymised key rather than the customer's name. This key requires access to the membership management system to access personal information.

Emails that we send or receive automatically enter a 30 day deletion process 180 days after their send date. Due to the way email applications attach previous replies to new messages, this may mean that some personal information is retained longer than our email retention period.

Attachments or contents of emails may be stored outside of the email application where they are covered by another party of our data retention policy. For example, personnel files received by email will be stored in the relevant personnel file and are subject to the relevant data retention policy.

General electronic document storage

All of our day to day business documentation is prepared and stored using G-Suite, which is a brand of cloud computing, productivity and collaboration tools, software and products developed by Google.

You can read about Google’s Security and Compliance approach here.

General documents are stored for up to 275 days.  At the beginning of the month after documents reach 180 days old, they enter a 60 day automatic deletion process. Internal document owners can flag individual documents or folders for longer retention subject to the guidelines laid out elsewhere in this document.

Visitors who use our fitness equipment and use technology inside or outside our centres to track and support health, lifestyle and activity 

In our gyms and group exercise studios we use some external companies to provide additional services such as personalised profiles and programmes. Halo undertake a thorough assessment of these providers and we believe them to be safe for our customers to use. You are not required to sign up to any of these tools as part of your agreement/usage with Halo. Any information you provide to these third parties is outside the control of Halo.  The following third parties are used:

If you would like more information regarding these companies and your data please write to the contact referred to later in this document.

Your rights

You have rights as an individual which you can exercise in relation to the information we hold about you.

You can read more about your rights here

Complaints or queries

Halo aspires to the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Halo’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

Access to personal information

Halo tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’. If we do hold information about you we will:

To make a request to Halo for any personal information we may hold you need to put the request in writing addressing it to our Systems and Membership Manager, at the address provided below.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Systems and Membership Manager.

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 28th April 2020.

How to contact us

If you want to request information about our customer privacy policy you can email us  at or write to:

Systems and Membership Manager
Halo Support Centre

Lion Yard

Broad Street