Last updated: 24 April 2024 

See our Social Sport Privacy Notice.

See our Gryphons Go Privacy Notice.

This privacy notice explains how we will collect and use your personal data.

If you have any questions or if anything is unclear you can contact us at

Our data protection officer is Rebecca Messenger Clark. You can contact her on:


Telephone: 0113 2431751

The university’s data controller registration number provided by the Information Commissioner’s Office is: Z553814X

Throughout this Notice, “University”, “we”, “our” and “us” refers to the University of Leeds. “You” and “your” refers to those data subjects using the University’s Sport and Physical Activities facilities (SPA).

1.0 How we collect your information

1.1. From you

You will be asked to provide personal data when you register as a user. You may also be invited to subscribe to newsletters or other activities throughout the duration of your membership. When you are required to provide personal data the uses of this data will be explained at the point of collection.

1.2. From the University’s SAP(staff) and BANNER (student) CRM systems

Your name, address, date of birth, gender, department, phone number, student status, completion date and year of study are regularly updated from the University’s CRM systems. This allows us to correctly identify you and supports your use of SPA facilities and services throughout your time with us.

1.3. From external sources

Our marketing team will have access to your UCAS form to provide you with information about sports or physical activities which you have expressed an interest in. If you are a member of a Leeds University Union club they will share details of your membership, year and semester of study and your university email address with us so that we can provide you with relevant information about access to training facilities and to allow access to your training sessions by adding a Gryphons Pass to your XN profile.

1.4. Cookies

Our website uses first-party cookies; which are small text files placed on your device by the websites that you visit.

Find out more about the cookies we use and why in our cookie policy.

2.0. The purposes for which we process your personal data and the lawful basis for that processing

The processing of your personal data is necessary for the performance of the contract that you have entered into with the University to access the Sports and Physical Activity provisions.

From time-to-time, we may need to contact you to let you know about facility or service closures within Sports & Physical Activity. We will only contact you via the preferred method which you expressed at the time of registration.

If you do not want your personal data to be used in the manner described, then you will need to terminate your contract with SPA.

Where there is a legitimate interest to do so, the University will collect data about you from third parties to tailor the service that SPA provides.

By engaging with Sport & Physical Activity you will be added to our mailing list under the basis of legitimate interests for the duration of your membership. You have the option to opt out of such communications at any time.

3.0. How do we keep this information secure?

The information we hold about you will be stored on University of Leeds secure systems and accessible to university staff administrating the Sport & Physical Activity offering including GOGA, The Edge and those managing University Sport through the Leeds Sport Partnership.

This data will be stored within our CRM systems (see 4.1), our email marketing system (see 4.2) or in secured protected drives.

The marketing team will store email addresses, names and joining dates on an email marketing system (see 4.2). Only the marketing team will have access to this information for the purposes of sending email communications.

Your data will not be transferred outside the EEA.

4.0. Who might we share your data with?

The information that you provide to the University will be stored securely and access will be restricted to those members of staff who need it. The University will not share your personal data with third parties other than those listed below. Data processing is regulated by a data processing agreement.

Where credit/debit card details have been requested as part of a transaction between you and us, the details will be encrypted and handled by a secure web server using SSL, the standard security technology for establishing an encrypted link between a web server and a browser.

4.1. XN Leisure

XN Leisure facilitates the membership application process for Sport & Physical Activity. All data is held on University servers and not by XN Leisure. However, XN Leisure will occasionally require access to this data to provide support services.

4.2. Campaign Monitor

Sport & Physical Activity use Campaign Monitor as the email marketing system to communicate with our customers. Campaign Monitor’s use and storage of your email address is strictly for use by the marketing team and will only be used for the purposes of communicating with customers.

4.3. Technogym

Sport and Physical Activity’s fitness equipment is supplied by one of the world’s leading manufacturers, Technogym. Data is shared from SPA’s membership software (XN) to the Technogym Cloud to verify membership status when creating a new (Mywellness) account. That account provides enhanced access to equipment functionality and enables workout tracking. The Cloud is hosted on a Technogym server that they will access occasionally to provide support.

4.4.1. Data collection for MyWellness App

Technogym manage The Edge app. By registering your information will be shared with Technogym and they are given access to:

Your full name

Your email address

Date of birth (optional)

Whether you are a student or non-student


4.4.2. Purposes of processing

This personal information will enable us:

To conduct analytics activities to help drive relevant offers personalised to your individual purchase history.

To conduct promotional and marketing activities, such as communicating personalised offers.

Any health data that you enter is of your own volition. We will not prompt you or use the data for anything.

4.4.3. Push notifications

You are able to opt out of receiving our push notifications at any point, this can be amended within the app settings.

4.5. GymSales Ltd

Sport & Physical Activity use the club management software, GymSales Ltd, in order to communicate with customers via email or phone. GymSales is given access to/holds the email address and phone number which you supply. The ways in which GymSales can use and store your email address is strictly regulated by a data processing agreement.

4.6. Calendly

Sport & Physical Activity uses the appointment scheduling tool Calendly to communicate with potential customers via email address or phone number (Phone number not mandatory). Calendly is given access to/holds the name, email and phone number which you supply when booking a tour. The way in which Calendly can use and store your email address is strictly regulated by a Data Processing Agreement.

5.0 How long we keep this information

Sport & Physical Activity will hold your personal information on our systems for as long as you remain a member of Sport & Physical Activity. Once you are no longer a member we will securely delete your data after 4 years.

6.0. Your data protection rights

You have the right to:

  • access your personal data;
  • request the rectification or deletion of your personal data;
  • request the restriction of the processing of your personal data;
  • object to the processing of your personal data;
  • receive your personal data in a structured, commonly used format and to;
  • complain to the regulator (the Information Commissioner’s Office)

Please see the ICO website for further information on the above rights.

You may also contact the Sport & Physical Activity team at for further information about how we treat your data.

You have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. Please see the ICO website

Information Commissioner’s Office

Wycliffe House

Water Ln



Telephone: 0303 123 1113

Essential Cookies

These cookies are required for our website to function.

Cookie Information
NSC* NetScaler Appliance session cookie

These cookies are set by our Citrix NetScaler appliance and are used to ensure your browsing session remains on the same web server. It is deleted when you close your browser.


PHPSESSID PHP Session Cookie


This cookie stores a unique ID assigned by the web server. It is used to enable some site functionality to work properly. It is native to PHP and enables websites to store serialised state data. It is used to establish a user session and to pass state data via a temporary cookie, which is commonly referred to as a session cookie.



It is deleted when you close your browser.

Analytics Cookies

These cookies are used to track website visitors and their user behaviour. This data is then used to improve how the website works which can result to more effective user experience.

Cookie Information



These cookies are installed by Google Analytics. They are used to calculate visitor, session, campaign data and keep track of site usage for site’s analytics report. The cookie store information anonymously and assign a randomly generated number to identify unique visitors.

More information

Google privacy policy
Google analytics
Google analytics terms of service
Google tag manager terms of service
Universal Analytics opt-out browser add-on


2 years

NID Purpose

Registers a unique ID that identifies a returning user’s device. The ID is used for targeted ads.

_gcl_au Purpose

This cookie is used by Google Analytics to understand user interaction with the website. It is used by Google Tag Manager to track and store conversions.


3 months

_fbp Purpose

This cookie is set by Facebook to deliver advertisement when the are on Facebook or a digital platform powered by Facebook advertising after visiting the website.


3 months




A cookie that holds the current session data. This cookie makes sure that subsequent requests within the session window will be attributed to the same Hotjar session.


30 minutes

Third party cookies and tracking

If you share content from our website through other websites, for example Facebook or Twitter, cookies or a form of tracking may be used by these services and you need to manage your privacy via your account (and not through our site).

Cookie Information
__cf_bm Cloudflare Bot Management


Analytical Cookie


Cloudflare’s bot products identify and mitigate automated traffic to protect your site from bad bots. Cloudflare places this cookie on end-user devices that access customer sites protected by Bot Management or Bot Fight Mode. This cookie is necessary for these bot solutions to function properly.

Cloudflare Cookies


1 day

Manage your cookies and privacy

You can also manage your privacy settings, including cookies, through your browser settings.

Further information about cookies can be found on the Information Commissioner’s Office website.