Privacy Policy

Current Privacy Policy

1. Introduction

Please read this Privacy Policy carefully, along with any other privacy notices we may provide when we collect or process personal data about you. This will help you understand how and why we collect, store, use, and share your personal information. This Privacy Policy also explains your rights regarding your personal information and how to contact us or supervisory authorities if you have a complaint.

We handle your personal data in compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Privacy Policy supplements our Terms & Conditions and does not override them.

Our website may link to third-party websites. We are not responsible for the conduct of these third parties, and you should review their privacy notices to understand how they handle your personal information.

2. Who We Are

When we refer to “we” or “us” in this Privacy Policy, we mean the Trust and Serco. Our business details are as follows:

• Sir Jason Kenny Centre (part of Bolton Community Leisure),

  Moor Lane, Bolton BL3 5BN. What3words: hers.escape.weedy

• Serco Leisure Operating Limited (company number: 04687478), based at Serco Leisure, Lancer House, Floor 2, 38 Scudamore Road, Leicester, LE3 1UQ

As the Trust and Serco jointly determine the purposes and means of processing your personal data, we are considered “joint controllers” of your personal data.

Sir Jason Kenny Centre is managed on behalf of the Trust by Serco as its managing agent.

3. How Your Personal Data Is Collected

“Personal data” or “personal information” refers to information that relates to you and can identify you, either directly or in combination with other information we may hold. We may collect personal data about you in various ways, including:

• Information you provide directly (e.g., when contacting us by email or phone, entering a competition, or filling in a survey).
• Information collected in the normal course of our relationship (e.g., when you sign up for membership, book an event, make an online payment, or purchase products or services).
• Information you make public (e.g., contacting the Trust via social media).
• Information we receive from third parties (e.g., parents, guardians, law enforcement authorities, previous managing agents).
• Information from trusted suppliers (e.g., payment providers, marketing agencies).
• Information collected via our IT systems (e.g., website, CCTV surveillance, mobile applications).
• Information created by us, such as records of your communications with us, including complaints.

4. Cookies

We use cookies on our website. Cookies are small text files downloaded onto your device when you visit a website. For more information about our use of cookies, please refer to our Cookie Policy.

5. Personal Data Collected

We may collect and use the following categories of personal information about you:

• Personal Details: Title, full name, address (current and historic), phone numbers, email address, gender, date of birth, age, signature.
• Family and Friends Information: Family and dependents, emergency contacts.
• Public Identifiers: Photographs, CCTV and swimming pool camera images and recordings.
• Internal Identifiers: Consent forms, membership identification number, loyalty/resident card number.
• Financial, Welfare and Insurance Details: Purchase transaction history, financial credit card and bank information, welfare and benefits information, insurance details.
• Correspondence: Details of referrals, quotes, and other contact and correspondence with you.
• Service Usage: Service usage statistics.
• Preferences: Permissions or preferences specified by you, such as subscribing to our mailing list, agreement with our terms and conditions.
• Incident History: Health and safety incidents, security incidents, accident information, complaints communications, insurance claims history, health, treatment, and care reports, including details about hospital and doctor’s clinic visits
• Special Category Personal Data: Health and medical information, ethnic origin, biometric identifiers.
• Website Access Details: Your computer’s unique identifier (e.g., IP Address), date and time of website access.

Some information is optional, but in certain circumstances, we may not be able to provide the services or products you requested without all relevant personal data.

6. How and Why We Use Your Personal Data

We collect, use, and share your personal information only when we have a legal basis to do so. This may include:

• Consent: For direct marketing or other purposes.
• Contractual Necessity: To perform a contract with you or take steps before entering into a contract.
• Legal Obligation: To comply with legal obligations, such as responding to law enforcement requests.
• Legitimate Interests: For our legitimate interests or those of a third party, provided your rights and interests do not override these interests. We carry out balancing tests for all the data processing we do based of our legitimate interest and you can obtain information on our balancing tests by contacting us on the details below. 
  

Below is a summary of how we use and the legal basis we rely on to use your personal data (please refer to section 7 below for details about how we handle your special category personal data):  

What we use your personal information for	Our reasons
Provision of services: for the administration and delivery of the requested Leisure Centre services to you including processing your membership application or event booking, communicating with you and providing customer service.	The use is necessary in connection with the performance of our contract with you or to take steps at your request prior to entering into a contract with us; or  For our legitimate interests or those of a third party to provide the requested services and respond to any complaints or comments you may send us.  For our our legitimate interests or those of a third party to support our administrative and business functions.
Pre Exercise Assessments: details collected prior to starting membership and/or an exercise programme with us in order to assess activity requirements.	For our legitimate interests or those of a third party to provide information to our insurers;  For our legitimate interest or those of a third party to assist with providing safe and professional exercise guidance and programming.
Fraud detection: to prevent and detect fraud against you or Serco such as providing proof of identity if you request a copy of your data.	For our legitimate interests or those of a third party  to minimise fraud that could be damaging for us and for you; or    To comply with our legal and regulatory obligations.
Safety: to ensure safe working practices and working environment.	To comply with our legal and regulatory obligations; or  For our legitimate interests or those of a third party by making sure we are following our own internal procedures and working efficiently and safely so we can deliver the best service to you.
Security: for security purposes, such as preventing unauthorised access and modifications to systems and protecting our staff, premises and vehicles.	For our legitimate interests or those of a third party to prevent and detect criminal activity.  For our legitimate interests or those of a third party to protect the well-being of our staff and ensuring the physical and electronic security of our business, premises and assets; or  To comply with our legal and regulatory obligations
IT and website operations: for the operation and management of our websites and IT systems, providing content and communicating with you and ensuring the security and availability of our IT systems.	For the performance of our contract with you or to take steps at your request before entering into a contract; or  For our legitimate interests or those of a third party to operate our websites and IT systems including reporting faults.
Marketing: to promote our services via by email, telephone, social media, post or in person or otherwise but ensuring that such communications are provided to you in compliance with applicable law.	For our legitimate interests or those of a third party for the purpose of promotion; or  We have obtained your prior consent
Internal compliance: to ensure business policies are adhered to, such as policies covering security and internet use.	For our legitimate interests or those of a third party for the purposes of ensuring we are following our own internal procedures to deliver the best service to you.
Investigations and complaints management: to detect, investigate and/or prevent breaches of policy, complaints, claims, incidents and criminal offences.	For our legitimate interests or those of a third party to detect and protect against breaches of our policies, applicable laws and for the establishment, exercise or defence of legal claims; or  For our legitimate interests or those of a third party to establish the facts in the event of a complaint, claim or query from a caller;  To comply with our legal and regulatory obligations.
Compliance: compliance with our legal and regulatory obligations such as Health and Safety, including maintaining an internal record of compliance.	To comply with our legal and regulatory obligations; or  For our legitimate interests or those of a third party for the purpose of maintaining a record of compliance with our legal and regulatory obligations.
Legal Proceedings: establishing, exercising and defending legal rights, including debt collection procedures.	To comply with our legal and regulatory obligations; or  For our legitimate interests or those of a third party for the purpose of establishing, exercising or defending our legal rights.
Business Analysis: for business management and operational reasons.	For our legitimate interests or those of a third party to provide an efficient and high quality service to you.
Business Reorganisation: to share with third parties  the event of a change of management, sale, merger, reorganisation or similar event.	For our legitimate interests or those of a third party to assist with the sale or potential sale, change of management or reorganisation of our business.
Quality and Training: for quality assurance and staff and supplier training purposes.	For our legitimate interests or those of a third party to monitor and assess the quality of our service delivery (including compliance with our customer service standards) and to provide training from time to time to those staff involved in the provision of our services as required;
Record maintenance: to update and enhance customer records.	For the performance of our contract with you or to take steps at your request before entering into a contract;  To comply with our legal and regulatory obligations; or  For our our legitimate interests or those of a third party to support our administrative and business functions.
Research: to conduct market or customer satisfaction research, statistical analysis to help us manage our business such as analysing gym usage or engaging with you to obtain your views on our products and services.	For our legitimate interests or those of a third party to provide an efficient and high quality service to you; or  We have obtained your prior consent.
Risk management: audit, compliance, controls and other risk management.	For our legitimate interests or those of a third party to manage risks to which our business and staff are exposed.

In some cases, your personal information may be aggregated and anonymised for business purposes, which could include statistical or demographic data (for example to calculate the percentage of users accessing a specific App/Website/system or to inform business strategy), where relevant to service usage, performance, and delivery. This may be extracted and used by us, or our ‘third party’ providers to help us or our provider understand, improve and manage the services such as analysing system usage/functionality, identifying improvements, interacting with our facilities, systems or services we provide.

7. Special Category Personal Data

Special category personal data is sensitive and requires higher protection. This includes health status, racial or ethnic origin, political views, religious beliefs, sex life or sexual orientation, genetic or biometric identifiers, and trade union membership.

We may collect and use this information in specific scenarios, such as:

• Health concerns or disabilities when signing up for membership or purchasing other services.
• Recording ethnicity for demographic comparisons.
• Using biometric information for access control.
• Information you voluntarily share in communications.

We will only handle this information in accordance with applicable laws and with your explicit consent, where necessary for legal claims, or for substantial public interest. Less commonly, we may process this type of information where it is needed to protect your vital interests (or someone else's vital interests) and you are not capable of giving your consent, or where you have already made the information public. 

8. Direct Marketing

We may use your personal information to send you updates about our services (by email, telephone, push notifications, post or text message), including exclusive offers and promotions, if you have consented to receive them. You can update your marketing preferences or opt out at any time by:

• Logging into your online account.
• Clicking the "unsubscribe" link in our communications.
• Disabling push notifications in our app settings.
• Emailing us by clicking here Contact Us.  Please ensure your correspondence contains ‘Unsubscribe: Marketing Contact List’ and include your full name, membership number, email and telephone number to ensure your details are fully deleted from our direct marketing system (please specify whether you would like us to stop all forms of marketing or just a particular type of marketing) 
• Replying STOP to our text messages.
• Calling us or speaking to a team member in person.

We will not sell your information or share it for marketing without your permission. We aim to keep our marketing communications relevant and proportionate.

9. CCTV and Assisted Lifeguard Technology

We use CCTV and Assisted Lifeguard Technology cameras at some premises for safety and security. This may include visual and sound recordings of staff, customers, and visitors. Signs are displayed to inform you of surveillance. Recordings are kept secure and retained for up to 31 days for CCTV footage, and seven days for Assisted Lifeguard Technology footage, longer if relevant to incidents, investigations, or legal proceedings.

10. Myzone

At some of our leisure centres we make use of Myzone wearable fitness technology to aid our members health and fitness progress. The green button below provides members with the Myzone privacy policy for those customers who use the Myzone product and have it registered to one of our leisure centres.

MYZONE PRIVACY POLICY

11. Children's Information

Our services are intended for individuals aged 16 and over. We do not knowingly collect personal information from children under 16 without parent or guardian consent. If we discover that we have collected such information without consent, we will delete it promptly.

If you are under 16, do not send any information about yourself to us, including your name, address, telephone numbers, or email address, unless you have your parent's or guardian's permission. 

If you have any concerns, please contact via the details in section 17. 
 
In the event that we do hold personal data about children, we will handle that data in accordance with the terms of this Privacy Policy. 
  

12. Sharing Your Personal Information with others

We disclose personal information to third parties only in limited circumstances or where we are permitted to do so by law, such as:

• Within the Serco group for business management.
• Third parties managing our business or delivering services e.g. Personal Trainers, payment service providers, marketing agencies, debt collectors, IT support service providers, analysis experts such as Experian, communication platform providers). These third parties have agreed to confidentiality restrictions and use any personal information we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us.
• Third parties approved by you e.g. when you request your details to be transferred;
• Professional advisors (e.g., law firms, auditors).
• Government, regulatory, and law enforcement bodies to comply with legal obligations to exercise our legal rights (e.g. pursue or defend a claim),or for crime prevention and investigation.

The Trusts or Serco may share your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is an operational or management change of the business. 

We also impose data protection obligations on contracted third parties to ensure they can only use your data to provide services to the Trust for the purposes listed above.  These third parties cannot pass your details onto any other parties unless instructed to by the Trust.   

13. Transferring Your Personal Information Globally

The personal information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA") (for example, in the USA). It may also be processed by workers operating outside the EEA who work for us or for one of our service providers. 
 
We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed to protect your privacy rights and interests. To achieve this, transfers are limited to countries which are recognised as providing an adequate level of legal protection or where we are satisfied that alternative arrangements are in place to protect your privacy rights. To this end, we will: 

• In the limited circumstances that information is transferred within Serco Group, ensure such transfers are covered by an intra-group data sharing agreement entered into be all relevant entities which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection.
• When transferring personal data to third parties outside the EEA we will: 
• Put in place binding corporate agreements, which will include the standard contractual clauses approved by the European Commission for transferring personal information outside the EEA, to ensure that your information is safeguarded; or

• Ensure that the country in which your personal information will be handled has been deemed "adequate" by the European Commission or the company is registered and compliant with a European Commission approved privacy shield scheme. 

• Carefully validate any requests for information from law enforcement or regulators before disclosing the information. 

For further information on global data handling, contact us at DPO@serco.com.

14. Security of Your Personal Information

We use administrative, technical, and physical measures to protect your personal information from loss, theft, misuse, unauthorised access, modification, disclosure, alteration and destruction. Security measures include:

• Password access.
• Data back-up.
• Encryption.
• Firewalls.
• Employee and service providers confidentiality agreements and training our staff in protecting data.
• Destroying or permanently anonymising personal information if it is no longer needed for the purposes it was collected.
• Secure storage for hard copy files.

While we strive to protect your data, internet transmission is not completely secure, and any transmission is at your own risk. Once we have received your information, we have in place robust procedures and security features to try to prevent unauthorised access 

15. Retention of Your Personal Information

We retain your personal information for as long as necessary for the purposes it was collected, generally six years following the end of our business relationship. Longer retention may be required for legal, regulatory, tax, accounting, or to have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings. When no longer needed, we will delete or anonymise your information.

16. Your Legal Rights

You have rights regarding your personal information, including under certain circumstances:

• Access: Request a copy of your personal information (commonly known as a “data subject access request”).
• Correction: Request correction of inaccurate information.
• Erasure: Request deletion of your information in certain circumstances, where: (i) it is no longer needed for the purposes for which it was collected; (ii) you have withdrawn your consent (where the data processing was based on consent); (iii) following a successful right to object (see Object to processing); (iv) it has been processed unlawfully; or (v) to comply with a legal obligation to which the Trust and/or Serco is subject.
• We are not required to comply with your request to erase personal information if the processing of your personal information is necessary for a number of reasons, including: (i) for compliance with a legal obligation; or (ii) for the establishment, exercise or defence of legal claims.
• Object to Processing: Object to processing based on legitimate interests.
• Restriction: Request suspension of processing in specific situations. but only where: (i) its accuracy is contested, to allow us to verify its accuracy; (ii) the processing is unlawful, but you do not want it erased; (iii) it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or (iv) you have exercised the right to object, and verification of overriding grounds is pending. 

We can continue to use your personal information following a request for restriction, where: (i) we have your consent; (ii) to establish, exercise or defend legal claims; or (iii) to protect the rights of another natural or legal person. 

• Transfer: Request transfer of your data in a structured format to yourself, or you can ask to have it transferred directly to another data controller, but in each case only where: (i) the processing is based on your consent or on the performance of a contract with you; and (ii) the processing is carried out by automated means.
• Withdraw Consent: Withdraw consent for processing where consent is the basis.

To exercise these rights, contact us at DPO@serco.com or +44 (0)1256 745900. Verification of identity may be required. We will make every effort to honour your request promptly.

17. Children's Rights

Children have the same rights over their personal information as adults. Parents or guardians may exercise these rights on behalf of young children.

18. Data Protection Contacts

For questions about this Privacy Policy or how we handle your personal information, contact:

Data Protection Officer
Serco Limited
Enterprise House
18 Bartley Wood Business Park
Bartley Way
RG27 9XB

You can also email DPO@serco.com or call +44 (0)1256 745900.

19. Supervisory Authority

We ask that you please attempt to resolve any issues with us first by contacting the DPO, however you have a right to contact the Information Commissioner's Office at any time. The supervisory authority will then investigate your complaint accordingly. 

20. Changes to This Privacy Policy

This Privacy Policy was last updated on 22nd July 2025. We may amend it from time to time. Please check this page regularly for the latest version.