See our Social Sport Privacy Notice.

See our Gryphons Go Privacy Notice.

This Notice explains how we will collect and use your personal data.

We are the Data Controller for the personal data that we process about you.

Throughout this Notice, “University”, “we”, “our” and “us” refer to the University of Leeds. “You” and “your” refer to those data subjects using the University’s Sport and Physical Activities facilities (SPA).

Change in the law

We shall process your personal data in accordance with the Data Protection Act 2018 (DPA for short) and the General Data Protection Regulations, as incorporated into UK law (GDPR for short).

This Notice complies with the requirements under the DPA and the GDPR.

Changes to this Notice

We shall inform you of any changes to this Notice by means of this website.

Where we get your personal data from

From you

You will be asked to provide personal data when you register as a user.  You may also be invited to subscribe to newsletters or other activities throughout the duration of your membership. When you are required to provide personal data the uses of this data will be explained at the point of collection.

From the University’s SAP (staff) and BANNER (student) CRM systems

In order to allow staff and students to join SPA online, the personal data of members will be retrieved from the University’s CRM systems every 24 hours.  This data includes name, address, date of birth, gender, department, phone number, student status, completion date, year of study.  The data is used to verify your status as a member of staff/student and is held securely on the SPA’s database.

From external sources

Where there is a legitimate interest to do so, the University will collect data about you from third parties in order to tailor the service that SPA provides. Our marketing team will have access to your UCAS form in order to provide you with information about sports or physical activities which you have expressed an interest in.  If you are a member of a Leeds University Union club they will share details of your membership, year and semester of study and your university email address with us so that we can provide you with relevant information about access to training facilities etc.

In order to notify you of news and information from Sports and Physical Activity at the University of Leeds, we retrieve data from external sources deemed to have a legitimate interest in our activities. External sources include Leeds University Union (LUU) and Universities and Colleges Admissions Service (UCAS). This data includes email addresses, year and semester of study and sports interests.

Automated collection of personal data

As with most other web servers, when you access the Sport and Physical Activity web pages certain information you provide will automatically be recorded by the University. This will include your IP address, browser type, and information relating to the page you last visited.  This information is processed to estimate how much usage of the server is made by different categories of users and, in the event of a breach of security, may be used to aid detection.


Our website uses first-party cookies, which are small text files placed on your device by the websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. We do not use cookies to collect personal information about you; by using our website you agree that we can place these types of cookies on your device.

Essential Cookies

These cookies are required for our website to function.

Cookie Information
NSC* NetScaler Appliance session cookie

These cookies are set by our Citrix NetScaler appliance and are used to ensure your browsing session remains on the same web server. They are deleted when you close your browser.


PHPSESSID PHP Session Cookie


This cookie stores a unique ID assigned by the web server. It is used to enable some site functionality to work properly. It is native to PHP and enables websites to store serialised state data. It is used to establish a user session and to pass state data via a temporary cookie, which is commonly referred to as a session cookie. It is deleted when you close your browser.

Analytics Cookies

These cookies are used to track website visitors and their user behaviour. This data is then used to improve how the website works, which can result in a more effective user experience.

Cookie Information



These cookies are installed by Google Analytics. They are used to calculate visitor, session and campaign data and to keep track of site usage for the site’s analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.

More information

Google privacy policy
Google analytics
Google analytics terms of service
Google tag manager terms of service
Universal Analytics opt-out browser add-on


2 years

NID Purpose

Registers a unique ID that identifies a returning user’s device. The ID is used for targeted ads.

_gcl_au Purpose

This cookie is used by Google Analytics to understand user interaction with the website. It is used by Google Tag Manager to track and store conversions.


3 months

_fbp Purpose

This cookie is set by Facebook to deliver advertisements when they are on Facebook or a digital platform powered by Facebook advertising after visiting the website.


3 months




A cookie that holds the current session data. This cookie makes sure that subsequent requests within the session window will be attributed to the same Hotjar session.


30 minutes

Third party cookies and tracking

If you share content from our website through other websites, for example Facebook or Twitter, cookies or a form of tracking may be used by these services and you need to manage your privacy via your account (and not through our site).

Cookie Information
__cf_bm Cloudflare Bot Management


Analytical Cookie


Cloudflare’s bot products identify and mitigate automated traffic to protect your site from bad bots. Cloudflare places this cookie on end-user devices that access customer sites protected by Bot Management or Bot Fight Mode. This cookie is necessary for these bot solutions to function properly.

Cloudflare Cookies


1 day

Manage your cookies and privacy

You can also manage your privacy settings, including cookies, through your browser settings.

Further information about cookies can be found on the Information Commissioner’s Office website.

For more information see our cookie policy.

The purposes for which we process your personal data and the legal basis for that processing

The processing of your personal data is necessary for the performance of the contract that you have entered into with the University to access the Sports and Physical Activity provisions.

If you do not want your personal data to be used in the manner described then you will need to terminate your contract with SPA.

From time to time, we may need to contact you in order to let you know about facility or service closures within Sports & Physical Activity. We will only contact you via the preferred method which you expressed at the time of registration.


You may be invited to subscribe to newsletters or other activities throughout the duration of your membership. When you are required to provide personal data the uses of this data will be explained at the point of collection. Where personal data is requested for marketing purposes you will be given the opportunity to opt-out.


Who might we share your data with?

The information that you provide to the University will be stored securely and access will be restricted to those members of staff who need it. The University will not share your personal data with third parties other than those listed below.

Where credit/debit card details have been requested as part of a transaction between you and us, the details will be encrypted and handled by a secure web server using SSL, the standard security technology for establishing an encrypted link between a web server and a browser.

XN Leisure

XN Leisure facilitates the membership application process for Sport & Physical Activity. All data is held on University servers and not by XN Leisure; however, XN Leisure will, from time to time, need access to this data in order to provide support.

Pure Promoter Ltd

Sport & Physical Activity use an email service provider, Pure Promoter Ltd, in order to communicate with our customers via email. Pure Promoter is given access to/holds the email address which you supply; the ways in which Pure Promoter can use and store your email address are strictly regulated by a data processing agreement.

Campaign Monitor

Sport & Physical Activity use an email service provider, Campaign Monitor, in order to communicate with our customers via email. Campaign Monitor is given access to/holds the email address which you supply; the ways in which Campaign Monitor can use and store your email address are strictly regulated by a data processing agreement.


Sport and Physical Activity’s fitness equipment is supplied by one of the world’s leading manufacturers, Technogym. Data is shared from SPA’s membership software (XN) to the Technogym Cloud in order to verify membership status when creating a new (Mywellness) account. That account provides enhanced access to equipment functionality and enables workout tracking. The Cloud is hosted on a Technogym server that they will access occasionally to provide support.

GymSales Ltd

Sport & Physical Activity use the club management software, GymSales Ltd, in order to communicate with customers via email or phone. GymSales is given access to/holds the email address and phone number which you supply. The ways in which GymSales can use and store your email address are strictly regulated by a data processing agreement.


Sport & Physical Activity uses the appointment scheduling tool Calendly to communicate with potential customers via email address or phone number (phone number not mandatory). Calendly is given access to/holds the name, email and phone number which you supply when booking a tour. The way in which Calendly can use and store your email address is strictly regulated by a Data Processing Agreement.

Retention periods

We will hold your personal information on our systems for as long as you remain a member of Sport & Physical Activity. Once you are no longer a member we will securely delete your data after 6 years.

Your rights as a data subject

You have the right to:

  • access your personal data;
  • request the rectification or deletion of your personal data;
  • request the restriction of the processing of your personal data;
  • object to the processing of your personal data;
  • receive your personal data in a structured, commonly used format; and
  • complain to the regulator (the Information Commissioner’s Office).

Concerns and contact details

If you have any concerns with regard to the way your personal data is being processed or have a query with regard to this Notice please contact, in the first instance, the SPA Administration team at or the University’s Data Protection Officer, Rebecca Messenger-Clark at

Our general postal address is University of Leeds, Leeds LS2 9JT, UK.

Our postal address for data protection issues is University of Leeds, Room 11.72 EC Stoner Building, Leeds, LS2 9JT.

Our telephone number is +44 (0)113 343 7641.

Our data controller registration number provided by the Information Commissioner’s Office is Z553814X.