Data Protection Policy
1. Introduction
Hatch Athletic is committed to protecting the privacy and security of personal data. We are registered with the Information Commissioner's Office (ICO) and adhere to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy outlines how we collect, process, store, and protect personal data to ensure compliance with all relevant legislation.
2. Scope
This policy applies to:
- All clients, customers, learners, employees, contractors, and partners of Hatch Athletic.
- All personal data collected, stored, or processed by Hatch Athletic, including customer, supplier, and employee information.
3. Compliance with GDPR & Data Protection Principles
As an ICO-registered organisation, we ensure that personal data is:
- Processed lawfully, fairly, and transparently – Individuals are informed about how their data is used.
- Collected for specified, explicit, and legitimate purposes – Data is used only for the reasons it was collected.
- Adequate, relevant, and limited – Only necessary data is collected and processed.
- Accurate and up to date – We take steps to correct or delete inaccurate data.
- Stored only as long as necessary – Data is retained for an appropriate period in line with legal and operational requirements.
- Handled securely – We use appropriate technical and organisational measures to protect personal data from unauthorised access, loss, or misuse.
4. Data We Collect
Hatch Athletic collects and processes the following types of personal data:
- Customer Data: Name, contact details, payment information, fitness history, health data (if voluntarily provided for fitness support).
- Employee & Contractor Data: Personal details, payroll information, emergency contacts, DBS checks (if applicable).
- Marketing Data: Customer preferences, engagement history, and analytics for service improvement.
5. Lawful Basis for Processing Data
Under UK GDPR, we process personal data using the following lawful bases:
- Consent: When individuals explicitly agree to data processing (e.g., marketing emails).
- Contractual Necessity: When processing is required to fulfil a service (e.g., managing memberships or programme access).
- Legal Obligation: When required by law (e.g., payroll or tax reporting).
- Legitimate Interests: When processing is necessary for business operations, provided it does not override individual rights.
6. Data Sharing & Third Parties
We only share data when necessary and ensure all third parties comply with UK GDPR. This includes:
- Payment processors (e.g., Stripe, PayPal) for secure transactions.
- Third-party integrated services (e.g., Kajabi/FITR) with explicit user consent.
- Legal or regulatory bodies when required by law.
Hatch Athletic does not sell personal data to third parties.
7. Data Security & Protection Measures
As an ICO-registered organisation, we implement strict security controls, including:
- Encryption of stored and transmitted data.
- Access controls ensuring only authorised personnel handle sensitive information.
- Regular security audits to identify and mitigate risks.
8. Data Retention & Deletion
We retain personal data only as long as necessary, in compliance with GDPR regulations:
- Customer records: 7 years from last interaction
- Financial records: 6 years (HMRC requirement)
- Employee records: 7 years post-employment
After retention periods, data is securely deleted or anonymised.
9. Individual Rights Under GDPR
Individuals have the right to:
- Access their data (Subject Access Requests).
- Rectification of inaccurate data.
- Erasure (‘right to be forgotten’).
- Restrict processing under certain conditions.
- Object to processing for marketing purposes.
- Data portability where applicable.
Requests can be made via kat@hatchathletic.com and we will respond within one month in compliance with GDPR.
10. Data Breaches & ICO Reporting
In the event of a data breach, we will:
- Investigate and contain the breach immediately.
- Report significant breaches to the ICO within 72 hours, if required.
- Inform affected individuals where necessary, outlining steps taken to resolve the issue.
11. Responsibilities
- Data Protection Leads: Kat Suchet and Tom Mitchell ensure compliance with this policy and ICO requirements.
- All Staff & Contractors: Must follow this policy and report any data protection concerns.
12. Policy Review
This policy will be reviewed annually or when significant legislative updates occur, ensuring continued compliance with GDPR and ICO regulations.
For any data protection queries, please contact kat@hatchathletic.com.