Atlas Training Club — Privacy Policy 1. Who we are Atlas Training Club is a Hyrox-focused training gym based in Cheshire. This Privacy Policy explains how we collect, use, store and share your personal data when you visit our website, join our waitlist, become a member, or interact with us in person or online. Trading name: Atlas Training Club Legal entity: Atlas Training Club Ltd (to be confirmed against Companies House registration) Trading address: Unit 11, Block A, Vulcan One, Adlington Business Park, SK10 4NL Website: https://www.atlastrainingclub.co.uk Email: info@atlastrainingclub.co.uk Phone: 07568 585861 For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, the joint data controllers of your personal data are the three founders of Atlas Training Club: Emma Walmsley — co-founder and coach Deborah Norbury — co-founder and coach Edward Walmsley — co-founder You can contact any of us using the trading details above. We have agreed between ourselves who takes the lead on data protection queries — if you contact us via info@atlastrainingclub.co.uk your message will reach the right person. 2. What personal data we collect The data we hold about you depends on how you interact with us. We’ve grouped it by the three main relationships people have with Atlas. 2.1 If you visit our website Technical data: IP address (truncated by Google Analytics 4 before storage), device type, browser, operating system, screen resolution, referring URL, pages visited, time on page, and approximate location (city/region level only, derived from IP). Cookie and tracking identifiers: Google Analytics client ID, Google Ads click ID (GCLID), Meta Pixel browser ID (_fbp) and click ID (_fbc), and any first-party session cookies set by our website host. Form interaction data: if you start filling in a form, the fields you’ve completed and (in some cases) submission status, so we can re-engage you if you drop off. 2.2 If you join our waitlist or enquire Name (first name, last name) Email address Phone number (if you choose to provide it) Any free-text message you send us The source of your enquiry (e.g. Meta ad, Google search, referral) 2.3 If you become a member In addition to the waitlist data above, we collect: Postal address Date of birth (to confirm you are 16 or over and for emergency contact purposes) Emergency contact name and phone number Payment information — processed by PushPress’s payment partner (we do not store full card numbers on our own systems; we receive a masked reference and the last 4 digits only) Health declarations and PAR-Q answers — limited “special category” data about pre-existing conditions, injuries, or pregnancy that affects safe training. This is collected so our coaches can deliver sessions safely. Attendance and booking history — which classes you’ve booked, attended, or cancelled Performance data (optional) — workout scores, benchmark times, body composition if you choose to log them Photographs and video of you training — only if you have given separate, specific consent (e.g. for social media content). You can withdraw this consent at any time. We collect the minimum data we need for each interaction. If a field is optional we’ll tell you so. 3. How we collect your data We collect data in three ways: Directly from you — when you fill in a form on our website, sign up at the gym, message us on WhatsApp or Instagram, or speak to a coach. Automatically — when you browse our website, cookies and similar technologies record technical and behavioural data (see Section 7 for the full list). From third parties — when you click a Meta or Google ad, the platform tells us which campaign brought you. If you sign up through a referral we may receive your name from the referring member (with their assurance that you’re happy for them to introduce you). 4. Why we collect it and our lawful basis UK GDPR requires us to have a “lawful basis” for processing your data. Here’s exactly which basis applies to which activity. Activity Data used Lawful basis Replying to a waitlist enquiry Name, email, phone Legitimate interests — answering enquiries from prospective customers Sending marketing emails before you join Name, email, engagement history Consent (you tick the opt-in box on the waitlist form). PECR-compliant. Delivering your membership and classes Name, contact, DOB, attendance, payment, health declaration Contract — we need this to provide the service you’ve signed up for Health and PAR-Q data Pre-existing conditions, injuries, pregnancy Explicit consent under Article 9 (special category data) Taking payment and complying with HMRC Payment data, invoices Legal obligation (tax and accounting law) Sending member newsletters, event invites, retention offers Name, email, attendance Legitimate interests with a soft opt-in (PECR regulation 22(3)), plus an unsubscribe link on every email Website analytics (GA4, conversion measurement) Cookies, IP, page views Consent via cookie banner Retargeting and lookalike audiences (Meta, Google) Cookies, hashed email/phone via Advanced Matching and CAPI Consent via cookie banner Defending legal claims or responding to safeguarding issues Whatever is relevant Legitimate interests and/or legal obligation You can withdraw consent at any time (Section 9). Withdrawing consent does not affect processing already carried out lawfully before withdrawal. 5. Who we share your data with We don’t sell your data. We share it only with the suppliers (“processors”) who help us run the business, and only for the specific purposes listed below. Each processor is bound by a written data processing agreement. 5.1 Our core processors Processor Role What they receive Location PushPress Gym CRM — manages waitlist, memberships, bookings, attendance, payments, member communications Name, email, phone, address, DOB, attendance, payment metadata, health declarations United States (with UK/EU data processing addendum) PushPress Grow Marketing automation layer that mirrors PushPress events server-side to advertising platforms Hashed email, hashed phone, event metadata (e.g. “lead”, “trial booked”, “membership started”) United States Webflow Website hosting and content management system Anything you submit through forms on the site, plus standard server logs United States (Webflow uses AWS regions including UK/EU) Google (Google Analytics 4) Website analytics — measurement ID G-4KK2LBQX0P Pseudonymous identifiers, page views, events, truncated IP United States (with EU/UK data processing terms and IP truncation enabled) Google (Google Tag Manager) Tag management container GTM-5F2WWCPX — used to deploy our other tags consistently No personal data is stored by GTM itself; it loads other tags United States Google (Google Ads conversion tracking) Measures whether our ads led to enquiries or memberships. Customer ID 213-579-9823 Click ID (GCLID), conversion event, optionally hashed email/phone for Enhanced Conversions United States Meta (Facebook/Instagram Pixel) Tracks visits and conversions from our Meta ads. Pixel ID 875584235022606 Cookies, browser ID, page views, conversion events, hashed email/phone via Automatic Advanced Matching United States Meta Conversions API (CAPI) Server-side mirror of Pixel events — improves measurement accuracy when browsers block Pixel Same event data as the Pixel, sent from our server United States Our accountant Bookkeeping, payroll, year-end accounts Invoice and payment records United Kingdom HMRC Tax compliance Whatever is legally required United Kingdom Our email provider Day-to-day business email (info@atlastrainingclub.co.uk) Any email correspondence with us United Kingdom / European Economic Area 5.2 When we might share data outside the list above If you ask us to — for example, asking us to confirm your attendance to your employer’s wellness scheme. If we’re legally required to — court orders, lawful police requests, safeguarding referrals, HMRC investigations. If we sell or merge the business — your data may transfer to the buyer, who would be bound by the same protections. We’d tell you in advance. To protect health and safety — e.g. if you collapse during a session, we’ll share your emergency contact and relevant health information with paramedics. We do not, and will never, sell your personal data to data brokers or unrelated third parties for their own marketing. 6. International transfers Several of our processors are based in the United States, including Meta, Google, PushPress, PushPress Grow, and Webflow. This means your personal data is transferred outside the United Kingdom. We rely on the following legal safeguards for these transfers: Standard Contractual Clauses (SCCs) approved by the European Commission, combined with the UK International Data Transfer Addendum (IDTA) issued by the ICO, which extends those SCCs to cover UK-to-US transfers, and Supplementary technical and contractual measures including encryption in transit (TLS 1.2+), encryption at rest, and contractual restrictions on access by sub-processors. For Google and Meta we also rely on their certification under the UK Extension to the EU-US Data Privacy Framework, which the UK government recognises as providing an adequate level of data protection for participating US organisations. If you’d like a copy of the relevant transfer mechanism for a specific processor, email info@atlastrainingclub.co.uk and we’ll point you to the right document. 7. Cookies and tracking technologies A cookie is a small text file placed on your device when you visit a website. We also use similar technologies including local storage, pixels, and server-side event tracking. When you first visit our website you’ll see a cookie banner that lets you accept, reject, or choose which categories of cookies to allow. Strictly necessary cookies are always set; everything else is off by default until you opt in. You can change your choices at any time via the “Cookie settings” link in our footer. 7.1 Strictly necessary Always active. Required for the site to function. Cookie / technology Purpose Retention Webflow session cookie Maintains your session on the site Session Cookie consent record Remembers your cookie preferences 12 months 7.2 Analytics Set only with your consent. Cookie / technology Purpose Retention _ga (Google Analytics 4) Distinguishes unique users 24 months _ga_4KK2LBQX0P GA4 session state for our property 24 months GA4 event collection Page views, scroll depth, form interactions Server-side, 14 months default (see Section 8) 7.3 Advertising and conversion measurement Set only with your consent. Cookie / technology Purpose Retention _fbp (Meta Pixel) Identifies your browser to Meta for ad measurement and retargeting 90 days _fbc (Meta Pixel) Stores the Meta ad click ID if you arrived from a Meta ad 90 days Meta Pixel events PageView, ViewContent, Lead, CompleteRegistration, Purchase Server-side at Meta Automatic Advanced Matching Hashes your email/phone (SHA-256) if you submit a form, and sends the hash to Meta to improve attribution accuracy. We never send raw email or phone numbers to Meta. Sent with each event Meta Conversions API (CAPI) Server-side mirror of the above events, so we can measure conversions even if your browser blocks the Pixel Sent with each event Google Ads conversion linker (_gcl_au) Stores the Google Ads click ID for attribution 90 days Google Ads remarketing Allows us to show ads to past visitors on Google’s network 30–540 days depending on the audience 7.4 Third-party cookies via Google Tag Manager GTM itself doesn’t set tracking cookies, but it loads the GA4, Google Ads, and Meta tags listed above. Blocking those categories in the cookie banner blocks the underlying tags. 8. How long we keep your data We only keep your data for as long as we need it for the purpose we collected it for, or for as long as the law requires. Data Retention period Reason Waitlist enquiry (no membership taken out) 24 months from last interaction, then deleted Reasonable window for you to come back and join Marketing email list (subscribers) Until you unsubscribe or we close the list Consent-based Member contact and account data Duration of membership + 7 years after you leave UK accounting and tax law (HMRC) Payment and invoice records 7 years UK accounting and tax law (HMRC) Health declarations and PAR-Q Duration of membership + 3 years after you leave Defending potential personal injury claims (within limitation period) Attendance and booking history Duration of membership + 7 years Linked to financial records CCTV (if installed at the gym) 30 days, then overwritten Security and incident investigation Website analytics (GA4) 14 months from event Google’s default, suitable for trend analysis without long-term storage Meta Pixel / Google Ads conversion data Held by Meta and Google under their retention policies (typically 24 months for conversion windows) Ad measurement Customer service emails 3 years from last correspondence Reasonable record-keeping When a retention period ends we either delete the data or anonymise it so it can no longer identify you. 9. Your rights under UK GDPR You have the following rights over your personal data. They’re free to exercise (unless your request is “manifestly unfounded or excessive”, in which case we can charge a reasonable fee or refuse). Right of access — request a copy of the personal data we hold about you (a “subject access request”). We’ll respond within one month. Right to rectification — ask us to correct data that’s wrong or incomplete. Right to erasure (“right to be forgotten”) — ask us to delete your data. This isn’t absolute — we may need to keep some records to comply with tax law or defend legal claims, but we’ll explain what and why. Right to restrict processing — ask us to pause processing while we investigate a dispute about your data. Right to data portability — get a copy of the data you’ve given us in a structured, machine-readable format, or have us send it directly to another controller. Right to object — object to processing based on legitimate interests, including direct marketing. If you object to direct marketing we’ll stop, full stop. Rights relating to automated decision-making and profiling — you can object to decisions made about you solely by automated means that have legal or similarly significant effects. We don’t currently use any such fully-automated decision-making. Our advertising audiences (e.g. lookalike audiences on Meta) involve profiling but no automated decisions about you as an individual. Right to withdraw consent — where we rely on consent (marketing, non-essential cookies, photos/video), you can withdraw it at any time without giving a reason. 10. How to exercise your rights The easiest way is to email info@atlastrainingclub.co.uk with the subject line “Data request — [your name]”. Please tell us: Which right you’re exercising Enough information for us to identify you in our records (full name, email used to sign up, and date of birth if you’re a member) What outcome you’d like We may need to verify your identity before we act on the request (usually a confirmation email or a quick check at reception). We aim to respond within one calendar month of receiving a verified request. In complex cases we can extend by a further two months and will tell you why. To unsubscribe from marketing emails, use the “Unsubscribe” link at the bottom of any email — you don’t need to email us. To change your cookie preferences, click “Cookie settings” in the website footer. 11. Complaints If you’re unhappy with how we’ve handled your data, please tell us first — email info@atlastrainingclub.co.uk and we’ll do our best to fix it. You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection. Website: https://ico.org.uk Helpline: 0303 123 1113 Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF You don’t have to come to us first, but we’d appreciate the chance to put things right. 12. Changes to this policy We may update this Privacy Policy from time to time — for example, if we add a new processor, change a retention period, or there’s a change in the law. Minor changes (typos, clarifications, contact details): we’ll update the policy and bump the version number. The “last updated” date at the bottom will change. Material changes (new processors, new categories of data, changes to your rights, changes to lawful basis): we’ll notify you in advance — by email if you’re a member or subscriber, and via a banner on the website for at least 30 days before the change takes effect. Every previous version of this policy is kept on file. If you’d like to see an older version, email info@atlastrainingclub.co.uk. 13. Last updated Version: 1.0 (draft for review) Date drafted: 16 June 2026 Commencement date: 1 August 2026 (subject to legal review) Next scheduled review: 1 August 2027 This policy is governed by the laws of England and Wales. Any dispute arising under it is subject to the exclusive jurisdiction of the courts of England and Wales.