Data Protection Policy

Heston Wellness Centre Ltd

Company Number: 12313368

Registered Office: 31 Cranford Lane, Hounslow, Middlesex, TW5 9EP

Date Adopted: 14th December 2024

Last Reviewed: 14th December 2025

Next Review: Annually or following significant changes to activities

1. Introduction

Heston Wellness Centre Ltd ("the Centre", "we", "us", or "our") is a non-profit organisation committed to promoting health and wellbeing in the Heston community through affordable fitness classes, social networking opportunities, free educational talks, and fundraising activities.

We process personal data in the course of our activities, including information about participants in classes, volunteers, donors, supporters, and enquirers. We are committed to protecting the privacy and security of personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

This Data Protection Policy sets out how we collect, use, store, and protect personal data. It applies to all directors, volunteers, and anyone working on behalf of the Centre.

All individuals handling personal data on behalf of the Centre must familiarise themselves with this policy and adhere to it.

2. Data Protection Principles

We adhere to the seven data protection principles under the UK GDPR:

  • Lawfulness, fairness, and transparency: Personal data is processed lawfully, fairly, and in a transparent manner.

  • Purpose limitation: Personal data is collected for specified, explicit, and legitimate purposes and not processed further in a manner incompatible with those purposes.

  • Data minimisation: Personal data is adequate, relevant, and limited to what is necessary.

  • Accuracy: Personal data is accurate and, where necessary, kept up to date.

  • Storage limitation: Personal data is kept no longer than necessary.

  • Integrity and confidentiality: Personal data is processed securely, protecting against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

  • Accountability: We are responsible for, and able to demonstrate, compliance with the above principles.

3. Types of Personal Data We Process

We may collect and process the following types of personal data:

  • Contact details → Name, address, email address, telephone number.

  • Participation details → Attendance records for classes or events.

  • Health information → Limited details provided voluntarily (e.g., accessibility needs or medical conditions relevant to safe participation in activities such as yoga or tai chi). This may include special category data.

  • Donation and financial details → Records of donations (e.g., name and amount, but not bank details if processed via third-party platforms).

  • Volunteer information → Details provided by volunteers, including contact information and availability.

We do not routinely collect sensitive financial data (e.g., payment card details) directly; any donations are handled via secure third-party services where applicable.

4. Lawful Bases for Processing

We process personal data on the following lawful bases under the UK GDPR:

  • Legitimate interests — For managing class bookings, sending updates about activities, fundraising, and administrative purposes (e.g., contacting participants or donors).

  • Consent — Where individuals have given clear consent (e.g., for marketing communications or sharing health information for class participation).

  • Contract — Where necessary to fulfil an agreement (e.g., providing a booked class).

  • Legal obligation — Where required by law (e.g., safeguarding or financial reporting).

For special category data (e.g., health information), we rely on explicit consent or processing necessary for reasons of substantial public interest (e.g., equality of opportunity or treatment).

5. How We Collect and Use Personal Data

Personal data is collected:

  • Directly from individuals (e.g., via email, phone, or in-person sign-up for classes).

  • Through our website or third-party platforms (if implemented for registrations or donations).

  • From volunteers or community partners.

We use personal data to:

  • Deliver services (e.g., organise classes and events).

  • Communicate about activities, updates, and opportunities.

  • Manage donations and fundraising.

  • Support volunteers.

  • Comply with legal requirements.

We do not share personal data with third parties except where necessary (e.g., venue providers for class lists) or required by law, and only with appropriate safeguards.

6. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Storing paper records securely (locked cabinets).

  • Using password-protected devices and files for electronic data.

  • Limiting access to those who need it.

  • Using secure email or encrypted storage where possible.

  • Training volunteers on data protection.

Any third-party processors (e.g., email providers) must comply with the UK GDPR.

7. Data Retention

We retain personal data only as long as necessary:

  • Class attendance records: Up to 2 years for administrative purposes.

  • Donation records: Up to 7 years for financial and Gift Aid compliance.

  • Volunteer details: During active involvement plus 1 year.

  • Health data: Deleted after the relevant activity unless consent has been given for longer retention.

Data is securely deleted or anonymised when no longer needed.

8. Individual Rights

Under the UK GDPR, individuals have rights including:

  • Access to their personal data (subject access request).

  • Rectification of inaccurate data.

  • Erasure ("right to be forgotten") in certain circumstances.

  • Restriction of processing.

  • Data portability.

  • Objection to processing.

  • Rights related to automated decision-making.

To exercise these rights, contact us using the details below. We will respond within one month.

9. Data Breaches

We will report any personal data breach to the Information Commissioner's Office (ICO) where required (within 72 hours) and to affected individuals where there is high risk.

10. Complaints

If you have concerns about our handling of personal data, please contact us first. You also have the right to complain to the ICO at www.ico.org.uk/concerns or by telephone: 0303 123 1113.

11. Contact Details

For data protection queries, including rights requests:

Data Protection Contact: Sefali Dhani

Email: Sefali.dhani@hotmail.co.uk

Phone: 0788 307 8625

Postal Address: 31 Cranford Lane, Hounslow, TW5 9EP

This policy will be reviewed annually or following significant changes.

Updates will be communicated as appropriate.