See our Social Sport Privacy Notice.

See our Gryphons Go Privacy Notice.

This Notice explains how we will collect and use your personal data.

We are the Data Controller for the personal data that we process about you.

Throughout this Notice, “University”, “we”, “our” and “us” refers to the University of Leeds.  “You” and “your” refers to those data subjects using the University’s Sport and Physical Activities facilities (SPA).

Change in the law

We shall process your personal data in accordance with the Data Protection Act 2018 (DPA for short) and the General Data Protection Regulations, as incorporated into UK law (GDPR for short).

This Notice complies with the requirements under the DPA and the GDPR.

Changes to this Notice

We shall inform you of any changes to this Notice by means of this website.

Where we get your personal data from

From you

You will be asked to provide personal data when you register as a user.  You may also be invited to subscribe to newsletters or other activities throughout the duration of your membership. When you are required to provide personal data the uses of this data will be explained at the point of collection.

From the University’s SAP(staff) and BANNER (student) CRM systems

In order to allow staff and students to join SPA online, the personal data of members will be retrieved from the University’s CRM systems every 24 hours.  This data includes name, address, date of birth, gender, department, phone number, student status, completion date, year of study.  The data is used to verify your status as a member of staff/student and is held securely on the SPA’s database.

From external sources

Where there is a legitimate interest to do so, the University will collect data about you from third parties in order to tailor the service that SPA provides. Our marketing team will have access to your UCAS form in order to provide you with information about sports or physical activities which you have expressed an interest in.  If you are a member of a Leeds University Union club they will share details of your membership, year and semester of study and your university email address with us so that we can provide you with relevant information about access to training facilities etc.

In order to notify you of news and information from Sports and Physical Activity at the University of Leeds, we retrieve data from external sources deemed to have a legitimate interest in our activities. External sources include Leeds University Union (LUU) and Universities and Colleges Admissions Service (UCAS). This data includes email addresses, year and semester of study and sports interests.

Automated collection of personal data

As with most other web servers, when you access the Sport and Physical Activity web pages certain information you provide will automatically be recorded by the University. This will include your IP address, browser type, and information relating to the page you last visited.  This information is processed to estimate how much usage of the server is made by different categories of users and, in the event of a breach of security, may be used to aid detection.


Our website uses first-party cookies; which are small text files placed on your device by the websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. We do not use cookies to collect personal information about you; by using our website you agree that we can place these types of cookies on your device.

Essential cookies

These cookies help our website function

Cookie NetScaler Appliance session cookie
NSC* Purpose
These cookies are set by our Citrix NetScaler appliance and are used to ensure your browsing session remains on the same web server. It is deleted when you close your browser.


This cookie stores a unique ID assigned by the web server. It is used to enable some site functionality to work properly. It is deleted when you close your browser


Performance and advertising cookies

Cookie Google Analytics, Google Tag Manager, AdWords and Facebook re-marketing

These cookies are used to collect information about how visitors use our website. We use the information to compile reports and to help us improve the site.

These cookies are also used to track users’ interests and then provide targeted advertising on other websites. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.

More information

Google privacy policy
Google analytics
Google analytics terms of service
Google tag manager terms of service
Universal Analytics opt-out browser add-on

NID Purpose

Registers a unique ID that identifies a returning user’s device. The ID is used for targeted ads.

collect Purpose

Used to send data to Google Analytics about the visitor’s device and behaviour. Tracks the visitor across devices and marketing channels.


Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.

Cookie YouTube
GPS Purpose

Registers a unique ID on mobile devices to enable tracking based on geographical GPS location.


Tries to estimate the users’ bandwidth on pages with integrated YouTube videos.

YSC Purpose

Registers a unique ID to keep statistics of what videos from YouTube the user has seen.

Third party cookies and tracking

If you share content from our website through other websites, for example Facebook or Twitter, cookies or a form of tracking may be used by these services and you need to manage your privacy via your account (and not through our site).

Manage your cookies and privacy

You can also manage your privacy settings, including cookies, through your browser settings.

Further information about cookies can be found on the Information Commissioner’s Office website.

For more information see our cookie policy.

The purposes for which we process your personal data and the legal basis for that processing

The processing of your personal data is necessary for the performance of the contract that you have entered into with the University to access the Sports and Physical Activity provisions.

If you do not want your personal data to be used in the manner described then you will need to terminate your contract with SPA.

From time-to-time, we may need to contact you in order to let you know about facility or service closures within Sports & Physical Activity.  We will only contact you via the preferred method which you expressed at the time of registration.


You may be invited to subscribe to newsletters or other activities throughout the duration of your membership. When you are required to provide personal data the uses of this data will be explained at the point of collection. Where personal data is requested for marketing purposes you will be given the opportunity to opt-out.


Who might we share your data with?

The information that you provide to the University will be stored securely and access will be restricted to those members of staff who need it. The University will not share your personal data with third parties other than those listed below.

Where credit/debit card details have been requested as part of a transaction between you and us, the details will be encrypted and handled by a secure web server using SSL, the standard security technology for establishing an encrypted link between a web server and a browser.

XN Leisure

XN Leisure facilitates the membership application process for Sport & Physical Activity. All data is held on University servers and not by XN Leisure, however, XN Leisure will, from time to time, need access to this data in order to provide support.

Pure Promoter Ltd

Sport & Physical Activity use an email service provider, Pure Promoter Ltd, in order to communicate with our customers via email. Pure Promoter is given access to/holds the email address which you supply; the ways in which Pure Promoter can use and store your email address is strictly regulated by a data processing agreement.


Sport and Physical Activity’s fitness equipment is supplied by one of the world’s leading manufacturers, Technogym. Data is shared from SPA’s membership software (XN) to the Technogym Cloud in order to verify membership status when creating a new (Mywellness) account. That account provides enhanced access to equipment functionality and enables workout tracking. The Cloud is hosted on a Technogym server that they will access occasionally to provide support.

GymSales Ltd

Sport & Physical Activity use the club management software, GymSales Ltd, in order to communicate with customers via email or phone. GymSales is given access to/holds the email address and phone number which you supply. The ways in which GymSales can use and store your email address is strictly regulated by a data processing agreement.


Sport & Physical Activity uses the appointment scheduling tool Calendly to communicate with potential customers via email address or phone number (Phone number not mandatory). Calendly is given access to/holds the name, email and phone number which you supply when booking a tour. The way in which Calendly can use and store your email address is strictly regulated by a Data Processing Agreement.

Retention periods

We will hold your personal information on our systems for as long as you remain a member of Sport & Physical Activity. Once you are no longer a member we will securely delete your data after 6 years.

Your rights as a data subject

You have the right to:

  • access your personal data;
  • request the rectification or deletion of your personal data;
  • request the restriction of the processing of your personal data;
  • object to the processing of your personal data;
  • receive your personal data in a structured, commonly used format and to;
  • complain to the regulator (the Information Commissioner’s Office)

Concerns and contact details

If you have any concerns with regard to the way your personal data is being processed or have a query with regard to this Notice please contact, in the first instance, the SPA Administration team at or the University’s Data Protection Officer, Rebecca Messenger-Clark at

Our general postal address is University of Leeds, Leeds LS2 9JT, UK.

Our postal address for data protection issues is University of Leeds, Room 11.72 EC Stoner Building, Leeds, LS2 9JT.

Our telephone number is +44 (0)113 343 7641.

Our data controller registration number provided by the Information Commissioner’s Office is Z553814X.