Privacy Policy

Last updated: 26 March 2026

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our leisure management system, including our website, mobile app, and related services (together, the Service).

1) Who we are

In this policy, “we”, “us”, and “our” refer to the provider of the Service.

Controller/Processor roles (B2B2C)

The Service is provided to organisations such as leisure venues, gyms, clubs, and personal trainers (each a Business Customer).

Where a Business Customer uses the Service to collect and manage information about its own customers, members, or participants (End Users), the Business Customer is the Controller of that personal data and is responsible for deciding how and why it is processed.

In those circumstances, we act as a Processor and process End User personal data on the Business Customer’s instructions to provide the Service.

We act as a Controller of personal data only in limited situations, such as when we process information about:

  • Business Customer account administrators and billing contacts
  • our own sales enquiries and business communications
  • visitors to our own website
  • our invoicing, payments, and compliance obligations

2) What data we collect

Depending on how the Service is used, we may collect the following categories of personal data:

  • Account and profile data: name, email address, phone number, username, password (hashed), profile photo.
  • Customer and member data (provided by our Business Customers): names, contact details, membership details, booking history, attendance, notes, and preferences.
  • Booking and event data: class/session bookings, event registrations, competition entries, waitlists, cancellations.
  • Commerce and payment data: purchase history, invoices/receipts, partial payment details. Payment card details are typically processed by our payment providers, not stored by us.
  • Personal training data (where enabled): session history, goals, programme notes, and communications.
  • Communications: messages sent through the Service (including email and WhatsApp messaging where enabled), support requests, and feedback.
  • Device and usage data: IP address, device identifiers, browser type, app version, pages/screens viewed, and interactions.
  • Cookies and similar technologies: as described in the Cookies section below.

3) How we use personal data

We use personal data to:

  • Provide, operate, and maintain the Service (including bookings, memberships, events, competitions, commerce, and personal training features).
  • Create and manage accounts, authenticate users, and enable access to the Service.
  • Process transactions and send transactional messages (e.g., booking confirmations, receipts).
  • Enable Business Customers to communicate with End Users via the Service (for example, by sending messages by email or WhatsApp), in accordance with the Business Customer’s instructions.
  • Communicate with you about service updates, security notices, and support.
  • Monitor, troubleshoot, and improve performance, reliability, and user experience.
  • Prevent fraud, abuse, and security incidents.
  • Comply with legal obligations and enforce our terms.

4) Legal bases (UK/EU GDPR)

Where UK/EU GDPR applies, we rely on one or more of the following legal bases:

  • Contract: to provide the Service and fulfil our obligations to our Business Customers.
  • Legitimate interests: to secure and improve the Service, prevent fraud, and support our business operations.
  • Consent: for certain marketing communications and non-essential cookies (where required).
  • Legal obligation: to comply with applicable laws.

Where we process End User personal data on behalf of a Business Customer, the Business Customer determines the legal basis for that processing.

5) How we share personal data

We may share personal data with:

  • Business Customers (Controllers): if you are an End User of a Business Customer using the Service, your data is shared with that Business Customer.
  • Service providers (sub-processors): hosting, analytics, email delivery, WhatsApp messaging providers, customer support tools, and payment providers.
  • Professional advisers: legal, accounting, and insurance advisers.
  • Authorities: where required by law or to protect rights, safety, and security.

We do not sell personal data.

6) International transfers

If personal data is transferred outside the UK or EEA, we use appropriate safeguards (such as standard contractual clauses) and take steps to ensure an adequate level of protection.

7) Data retention

We keep personal data only as long as necessary for the purposes described in this policy, including to:

  • Provide the Service.
  • Meet legal, accounting, or reporting requirements.
  • Resolve disputes and enforce agreements.

Retention periods may vary depending on the type of data and whether we act as Controller or Processor.

8) Security

We use appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. No method of transmission or storage is 100% secure, but we work to maintain safeguards appropriate to the risk.

9) Your rights

Depending on your location, you may have rights including:

  • Access to your personal data.
  • Correction of inaccurate or incomplete data.
  • Deletion of your personal data.
  • Restriction or objection to certain processing.
  • Data portability.
  • Withdrawal of consent (where processing is based on consent).

End User requests

If you are an End User, the relevant Business Customer controls your personal data. Please direct requests to exercise your rights (such as access or deletion requests) to that Business Customer first. We will support the Business Customer as needed where we act as a Processor.

10) Business Customer responsibilities

Business Customers are responsible for ensuring that they:

  • provide appropriate privacy information to End Users about how End User data is used in connection with the Service
  • have a valid legal basis to collect and share End User data with us
  • obtain and manage any required consents and preferences (for example, for marketing communications)
  • ensure that End Users’ contact details are used in compliance with applicable marketing and communications laws (including rules that may apply to email, SMS, and messaging services such as WhatsApp)
  • respond to End User requests to exercise data protection rights
  • ensure that any personal data they upload to the Service is accurate and kept up to date

11) Cookies

We use cookies and similar technologies to:

  • Keep you signed in and enable core functionality.
  • Remember preferences.
  • Understand usage and improve the Service.

Where required, we will request consent for non-essential cookies. You can control cookies through your browser or device settings.

12) Children’s privacy

The Service is not intended for children under 13. If you believe a child has provided personal data without appropriate consent, contact us so we can take steps to delete it.

13) Third-party links and services

The Service may include links to third-party websites or services. Their privacy practices are governed by their own policies.

14) Changes to this policy

We may update this policy from time to time. We will post the updated version and revise the “Last updated” date. If changes are material, we may provide additional notice.

15) Contact us

If you have questions about this Privacy Policy or privacy practices, contact us:

  • Email: rhys@leisuredeck.co.uk
  • Address: C/O Accrue Accounting, Unit E4 Arena Business Centre, Holyrood Close, Poole, Dorset, United Kingdom, BH17 7FP

If you are in the UK/EU and have concerns, you may also have the right to lodge a complaint with your local data protection authority (for example, the UK Information Commissioner’s Office (ICO)).