SPORT AND PHYSICAL ACTIVITY PRIVACY NOTICE
Last updated: 24 April 2024
See our Social Sport Privacy Notice.
See our Gryphons Go Privacy Notice.
This privacy notice explains how we will collect and use your personal data.
If you have any questions or if anything is unclear you can contact us at sport@leeds.ac.uk
Our data protection officer is Rebecca Messenger Clark. You can contact her on:
Email: dpo@leeds.ac.uk
Telephone: 0113 2431751
The university’s data controller registration number provided by the Information Commissioner’s Office is: Z553814X
Throughout this Notice, “University”, “we”, “our” and “us” refers to the University of Leeds. “You” and “your” refers to those data subjects using the University’s Sport and Physical Activities facilities (SPA).
1.0 How we collect your information
1.1. From you
You will be asked to provide personal data when you register as a user. You may also be invited to subscribe to newsletters or other activities throughout the duration of your membership. When you are required to provide personal data the uses of this data will be explained at the point of collection.
1.2. From the University’s SAP(staff) and BANNER (student) CRM systems
Your name, address, date of birth, gender, department, phone number, student status, completion date and year of study are regularly updated from the University’s CRM systems. This allows us to correctly identify you and supports your use of SPA facilities and services throughout your time with us.
1.3. From external sources
Our marketing team will have access to your UCAS form to provide you with information about sports or physical activities which you have expressed an interest in. If you are a member of a Leeds University Union club they will share details of your membership, year and semester of study and your university email address with us so that we can provide you with relevant information about access to training facilities and to allow access to your training sessions by adding a Gryphons Pass to your XN profile.
1.4. Cookies
Our website uses first-party cookies; which are small text files placed on your device by the websites that you visit.
Find out more about the cookies we use and why in our cookie policy.
2.0. The purposes for which we process your personal data and the lawful basis for that processing
The processing of your personal data is necessary for the performance of the contract that you have entered into with the University to access the Sports and Physical Activity provisions.
From time-to-time, we may need to contact you to let you know about facility or service closures within Sports & Physical Activity. We will only contact you via the preferred method which you expressed at the time of registration.
If you do not want your personal data to be used in the manner described, then you will need to terminate your contract with SPA.
Where there is a legitimate interest to do so, the University will collect data about you from third parties to tailor the service that SPA provides.
By engaging with Sport & Physical Activity you will be added to our mailing list under the basis of legitimate interests for the duration of your membership. You have the option to opt out of such communications at any time.
3.0. How do we keep this information secure?
The information we hold about you will be stored on University of Leeds secure systems and accessible to university staff administrating the Sport & Physical Activity offering including GOGA, The Edge and those managing University Sport through the Leeds Sport Partnership.
This data will be stored within our CRM systems (see 4.1), our email marketing system (see 4.2) or in secured protected drives.
The marketing team will store email addresses, names and joining dates on an email marketing system (see 4.2). Only the marketing team will have access to this information for the purposes of sending email communications.
Your data will not be transferred outside the EEA.
4.0. Who might we share your data with?
The information that you provide to the University will be stored securely and access will be restricted to those members of staff who need it. The University will not share your personal data with third parties other than those listed below. Data processing is regulated by a data processing agreement.
Where credit/debit card details have been requested as part of a transaction between you and us, the details will be encrypted and handled by a secure web server using SSL, the standard security technology for establishing an encrypted link between a web server and a browser.
4.1. XN Leisure
XN Leisure facilitates the membership application process for Sport & Physical Activity. All data is held on University servers and not by XN Leisure. However, XN Leisure will occasionally require access to this data to provide support services.
4.2. Campaign Monitor
Sport & Physical Activity use Campaign Monitor as the email marketing system to communicate with our customers. Campaign Monitor’s use and storage of your email address is strictly for use by the marketing team and will only be used for the purposes of communicating with customers.
4.3. Technogym
Sport and Physical Activity’s fitness equipment is supplied by one of the world’s leading manufacturers, Technogym. Data is shared from SPA’s membership software (XN) to the Technogym Cloud to verify membership status when creating a new (Mywellness) account. That account provides enhanced access to equipment functionality and enables workout tracking. The Cloud is hosted on a Technogym server that they will access occasionally to provide support.
4.4.1. Data collection for MyWellness App
Technogym manage The Edge app. By registering your information will be shared with Technogym and they are given access to:
Your full name
Your email address
Date of birth (optional)
Whether you are a student or non-student
.
4.4.2. Purposes of processing
This personal information will enable us:
To conduct analytics activities to help drive relevant offers personalised to your individual purchase history.
To conduct promotional and marketing activities, such as communicating personalised offers.
Any health data that you enter is of your own volition. We will not prompt you or use the data for anything.
4.4.3. Push notifications
You are able to opt out of receiving our push notifications at any point, this can be amended within the app settings.
4.5. GymSales Ltd
Sport & Physical Activity use the club management software, GymSales Ltd, in order to communicate with customers via email or phone. GymSales is given access to/holds the email address and phone number which you supply. The ways in which GymSales can use and store your email address is strictly regulated by a data processing agreement.
4.6. Calendly
Sport & Physical Activity uses the appointment scheduling tool Calendly to communicate with potential customers via email address or phone number (Phone number not mandatory). Calendly is given access to/holds the name, email and phone number which you supply when booking a tour. The way in which Calendly can use and store your email address is strictly regulated by a Data Processing Agreement.
5.0 How long we keep this information
Sport & Physical Activity will hold your personal information on our systems for as long as you remain a member of Sport & Physical Activity. Once you are no longer a member we will securely delete your data after 4 years.
6.0. Your data protection rights
You have the right to:
- access your personal data;
- request the rectification or deletion of your personal data;
- request the restriction of the processing of your personal data;
- object to the processing of your personal data;
- receive your personal data in a structured, commonly used format and to;
- complain to the regulator (the Information Commissioner’s Office)
Please see the ICO website for further information on the above rights.
You may also contact the Sport & Physical Activity team at sport@leeds.ac.uk for further information about how we treat your data.
You have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. Please see the ICO website
Information Commissioner’s Office
Wycliffe House
Water Ln
Wilmslow
SK9 5AF
Telephone: 0303 123 1113
See a full list of the cookies and help on managing cookies
Essential Cookies
These cookies are required for our website to function.
| Cookie | Information |
|---|---|
| NSC* | NetScaler Appliance session cookie
Purpose Information |
| PHPSESSID | PHP Session Cookie
Purpose This cookie stores a unique ID assigned by the web server. It is used to enable some site functionality to work properly. It is native to PHP and enables websites to store serialised state data. It is used to establish a user session and to pass state data via a temporary cookie, which is commonly referred to as a session cookie. Information Duration It is deleted when you close your browser. |
Analytics Cookies
These cookies are used to track website visitors and their user behaviour. This data is then used to improve how the website works which can result to more effective user experience.
| Cookie | Information |
|---|---|
| _ga
_ga_{container_id} |
Purpose
These cookies are installed by Google Analytics. They are used to calculate visitor, session, campaign data and keep track of site usage for site’s analytics report. The cookie store information anonymously and assign a randomly generated number to identify unique visitors. More information Google privacy policy Duration 2 years |
| NID | Purpose
Registers a unique ID that identifies a returning user’s device. The ID is used for targeted ads. |
| _gcl_au | Purpose
This cookie is used by Google Analytics to understand user interaction with the website. It is used by Google Tag Manager to track and store conversions. Duration 3 months |
| _fbp | Purpose
This cookie is set by Facebook to deliver advertisement when the are on Facebook or a digital platform powered by Facebook advertising after visiting the website. Duration 3 months |
| _hjSession_{site_id}
_hjSessionUser_{site_id} |
Purpose
A cookie that holds the current session data. This cookie makes sure that subsequent requests within the session window will be attributed to the same Hotjar session. Duration 30 minutes |
Third party cookies and tracking
If you share content from our website through other websites, for example Facebook or Twitter, cookies or a form of tracking may be used by these services and you need to manage your privacy via your account (and not through our site).
| Cookie | Information |
|---|---|
| __cf_bm | Cloudflare Bot Management
Type Analytical Cookie Purpose Cloudflare’s bot products identify and mitigate automated traffic to protect your site from bad bots. Cloudflare places this cookie on end-user devices that access customer sites protected by Bot Management or Bot Fight Mode. This cookie is necessary for these bot solutions to function properly. Information Duration 1 day |
Manage your cookies and privacy
You can also manage your privacy settings, including cookies, through your browser settings.
Further information about cookies can be found on the Information Commissioner’s Office website.
