Privacy Policy
Last updated: 18 June 2026
Data controller: Peter Gawtry, trading as Pete Gawtry Fitness (sole trader)
Address: Unit 1, Tarn Lane, Leeds, LS17 9BF
Contact: pete@pg-fitness.co.uk
ICO registration: ZC177088
1. What this policy covers
This policy applies to:
- The website pg-fitness.co.uk and its subdomains (including online.pg-fitness.co.uk)
- The Pete Gawtry Fitness App (a white-labelled version of My PT Hub)
- Any in-person services Pete provides at his studio in Leeds
- Newsletter, social-media interactions, and direct email/messaging
It does not apply to third-party sites we link to.
2. The data we collect
When you browse the site
- We don't currently use analytics or advertising cookies — only strictly-necessary cookies (for security and to make the site work) are set.
- If we add analytics in future, it will run only with your consent, via a cookie banner using Consent Mode v2.
When you sign up for Online PT
- Identity: name, email, phone (optional).
- Service data: goal, training history, equipment access, weigh-in day preference, dietary preferences.
- Special category — health data (Article 9 UK GDPR): height, weight, body measurements; injuries, medical conditions and medications relevant to exercise; progress photos (only if you opt in — separate consent); and your PAR-Q (Physical Activity Readiness Questionnaire) responses.
- Payment data: card details are processed by Stripe and never stored on our servers. We retain only the last 4 digits and the Stripe subscription/customer ID.
- Behavioural data inside the app: workout logs, check-in responses, messages to Pete.
When you book in-person sessions: studio attendance records and session notes.
When you join the newsletter: email address, name, opt-in status, and basic engagement (opens, clicks).
3. Why we collect it (legal basis)
| Data | Legal basis (UK GDPR) |
|---|---|
| Browsing analytics | Consent (you can refuse cookies) — Art. 6(1)(a) |
| Account + service data | Contract — Art. 6(1)(b) |
| Health data | Explicit consent — Art. 9(2)(a) — collected via a separate checkbox at sign-up |
| Progress photos | Explicit consent — Art. 9(2)(a) — separate optional checkbox |
| Payment data | Contract + legal obligation — Art. 6(1)(b) & (c) |
| Newsletter | Consent — Art. 6(1)(a) — separate opt-in |
| Anonymised aggregate stats (e.g. corporate HR reports) | Legitimate interest — Art. 6(1)(f) |
You can withdraw any consent at any time by emailing pete@pg-fitness.co.uk. Withdrawing health-data consent means we can't continue providing the online PT service.
4. Who we share it with (processors)
We use the following processors, each with a Data Processing Agreement (DPA) in place:
| Processor | Purpose | UK/EEA? |
|---|---|---|
| My PT Hub Ltd | App + workout/meal-plan delivery | UK |
| Stripe Payments UK Ltd | Card processing + subscriptions | UK & EEA |
| Krystal Hosting Ltd | Website hosting and email delivery (our online-PT transactional and nurture emails are sent from our own UK server, not a third-party email platform) | UK |
| The Rocket Science Group LLC (Mailchimp) | Newsletter only (general marketing list via MC4WP) | US — UK-DPF + SCCs |
| Zapier Inc. | Workflow automation (sign-up → app onboarding) | US — UK-DPF + SCCs |
| Metricool | Social-media scheduling (no client data) | Spain (EU) |
We don't sell your data. We don't share it with advertisers. We don't share it with insurers. Online PT welcome/nurture emails are sent directly from our own UK-hosted server, so your name and email for that service are not transferred to a third-party email platform.
5. International transfers
Where data leaves the UK (e.g. the Mailchimp newsletter in the US), we rely on the UK-US Data Privacy Framework (where the recipient is certified) or Standard Contractual Clauses (SCCs) with appropriate technical and organisational measures. A list of transfer mechanisms used per processor is available on request.
6. How long we keep it (retention)
| Data | Retention |
|---|---|
| Browsing analytics | 14 months |
| Account data (after cancellation) | 7 years (tax records, HMRC obligation) |
| PAR-Q answers, injuries & medical conditions (after cancellation) | 7 years — kept as a safety/medical record so we can respond to any later personal-injury claim |
| Other health data — weight, body measurements, training history (after cancellation) | 12 months in active form, then anonymised aggregates only |
| Progress photos (after cancellation) | Deleted within 30 days of cancellation, unless you ask us to keep them |
| Payment records | 7 years (HMRC) |
| Newsletter subscription | Until you unsubscribe + 30 days |
| Corporate aggregated reports | 3 years after the contract ends |
7. Your rights
Under UK GDPR you have the right to: access the data we hold on you; have it corrected; have it erased (where retention obligations allow); restrict processing; receive your data in a portable format; object to direct marketing and legitimate-interest processing; and withdraw consent at any time. All training and meal plans are built by Pete personally — no fully-automated decisions are made about you.
Submit any request to pete@pg-fitness.co.uk. We respond within one month, free of charge for the first request. You can also complain to the ICO at ico.org.uk/make-a-complaint or on 0303 123 1113.
8. Security
- All sites are HTTPS only (TLS 1.3).
- Stripe is PCI-DSS Level 1 — card data never touches our servers.
- The app platform (My PT Hub) is ISO 27001 certified.
- Health data submitted via our online questionnaire is encrypted at rest (AES-256-GCM) on our UK server; database backups are useless without the separate encryption key.
- Server hosting is in the UK (Krystal, London datacentre).
- Access to client data is limited to Pete and any nominated assistants under NDA.
- We log access and will notify you within 72 hours of any breach affecting your data.
9. Children
We do not knowingly collect data from anyone under 18. If a parent or guardian wants to enrol a 16–17-year-old, please contact us directly.
10. Cookies
Categories:
- Strictly necessary (session, security) — always on. These are the only cookies we currently set.
- Analytics (e.g. Google Analytics 4) — not currently used; if added, only with your consent.
- Marketing (ad pixels) — not currently used; if added, only with your consent.
See our Cookie Policy for full detail. If we introduce non-essential cookies, you'll be able to manage them via a cookie banner.
11. Corporate clients
If you're an employee accessing Pete Gawtry Fitness via your employer's Corporate package:
- Your individual training, check-ins and messages with Pete are never shared with your employer.
- Your employer receives anonymised aggregate stats only (e.g. % participation, average engagement).
- Your employer is the data controller for sharing your name/email with us in the first place; we become the controller for your individual fitness data from the moment you log in.
- A DPA between us and your employer governs this relationship. Your employer can provide a copy.
12. Changes to this policy
We'll update this page when the law or our processing changes. The "Last updated" date at the top tells you when. We'll email registered clients about any material change.
13. Questions
Email pete@pg-fitness.co.uk for anything privacy-related.